WP-Ban - Version 1.64

Version Description

N/A

Release Info

Developer	GamerZ
Plugin	WP-Ban
Version	1.64
Comparing to
See all releases

Code changes from version 1.63 to 1.64

Files changed (3) hide show

ban-options.php +32 -9
readme.txt +3 -1
wp-ban.php +63 -33

ban-options.php CHANGED Viewed

	@@ -18,8 +18,10 @@ $ban_settings = array('banned_ips', 'banned_hosts', 'banned_stats', 'banned_mess
18	if(!empty($_POST['Submit'])) {
19	check_admin_referer('wp-ban_templates');
20	$text = '';
21	- ~~$update_ban_queries = array();~~
22	- $~~update_ban_text~~ = array();


23	$banned_ips_post = explode("\n", trim($_POST['banned_ips']));
24	$banned_ips_range_post = explode("\n", trim($_POST['banned_ips_range']));
25	$banned_hosts_post = explode("\n", trim($_POST['banned_hosts']));
	@@ -27,10 +29,11 @@ if(!empty($_POST['Submit'])) {
27	$banned_user_agents_post = explode("\n", trim($_POST['banned_user_agents']));
28	$banned_exclude_ips_post = explode("\n", trim($_POST['banned_exclude_ips']));
29	$banned_message = trim($_POST['banned_template_message']);

30	if(!empty($banned_ips_post)) {
31	$banned_ips = array();
32	foreach($banned_ips_post as $banned_ip) {
33	- if($admin_login == 'admin' && ($banned_ip == ~~get_IP~~() \|\| is_admin_ip($banned_ip))) {
34	$text .= '<font color="blue">'.sprintf(__('This IP \'%s\' Belongs To The Admin And Will Not Be Added To Ban List', 'wp-ban'),$banned_ip).'</font><br />';
35	} else {
36	$banned_ips[] = trim($banned_ip);
	@@ -43,8 +46,8 @@ if(!empty($_POST['Submit'])) {
43	$range = explode('-', $banned_ip_range);
44	$range_start = trim($range[0]);
45	$range_end = trim($range[1]);
46	- if($admin_login == 'admin' && (check_ip_within_range(~~get_IP~~(), $range_start, $range_end))) {
47	- $text .= '<font color="blue">'.sprintf(__('The Admin\'s IP \'%s\' Fall Within This Range (%s - %s) And Will Not Be Added To Ban List', 'wp-ban'), ~~get_IP~~(), $range_start, $range_end).'</font><br />';
48	} else {
49	$banned_ips_range[] = trim($banned_ip_range);
50	}
	@@ -53,7 +56,7 @@ if(!empty($_POST['Submit'])) {
53	if(!empty($banned_hosts_post)) {
54	$banned_hosts = array();
55	foreach($banned_hosts_post as $banned_host) {
56	- if($admin_login == 'admin' && ($banned_host == @gethostbyaddr(~~get_IP~~()) \|\| is_admin_hostname($banned_host))) {
57	$text .= '<font color="blue">'.sprintf(__('This Hostname \'%s\' Belongs To The Admin And Will Not Be Added To Ban List', 'wp-ban'), $banned_host).'</font><br />';
58	} else {
59	$banned_hosts[] = trim($banned_host);
	@@ -86,6 +89,8 @@ if(!empty($_POST['Submit'])) {
86	$banned_exclude_ips[] = trim($banned_exclude_ip);
87	}
88	}


89	$update_ban_queries[] = update_option('banned_ips', $banned_ips);
90	$update_ban_queries[] = update_option('banned_ips_range', $banned_ips_range);
91	$update_ban_queries[] = update_option('banned_hosts', $banned_hosts);
	@@ -93,6 +98,8 @@ if(!empty($_POST['Submit'])) {
93	$update_ban_queries[] = update_option('banned_user_agents', $banned_user_agents);
94	$update_ban_queries[] = update_option('banned_exclude_ips', $banned_exclude_ips);
95	$update_ban_queries[] = update_option('banned_message', $banned_message);


96	$update_ban_text[] = __('Banned IPs', 'wp-ban');
97	$update_ban_text[] = __('Banned IP Range', 'wp-ban');
98	$update_ban_text[] = __('Banned Host Names', 'wp-ban');
	@@ -221,7 +228,8 @@ switch($mode) {
221	$banned_referers_display = trim($banned_referers_display);
222	$banned_user_agents_display = trim($banned_user_agents_display);
223	$banned_exclude_ips_display = trim($banned_exclude_ips_display);
224	- $banned_stats = get_option('banned_stats');

225	?>
226	<script type="text/javascript">
227	/* <![CDATA[*/
	@@ -290,11 +298,11 @@ switch($mode) {
290	</thead>
291	<tr>
292	<td><?php _e('IP', 'wp-ban'); ?>:</td>
293	- <td><strong><?php echo ~~get_IP~~(); ?></strong></td>
294	</tr>
295	<tr class="alternate">
296	<td><?php _e('Host Name', 'wp-ban'); ?>:</td>
297	- <td><strong><?php echo @gethostbyaddr(~~get_IP~~()); ?></strong></td>
298	</tr>
299	<tr>
300	<td><?php _e('User Agent', 'wp-ban'); ?>:</td>
	@@ -312,6 +320,21 @@ switch($mode) {
312	</table>
313	<p> </p>
314	<table class="form-table">















315	<tr>
316	<td valign="top">
317	<strong><?php _e('Banned IPs', 'wp-ban'); ?>:</strong><br />


18	if(!empty($_POST['Submit'])) {
19	check_admin_referer('wp-ban_templates');
20	$text = '';
21	+
22	+ $banned_options = array();
23	+ $banned_options['reverse_proxy'] = intval( $_POST['banned_option_reverse_proxy'] );
24	+
25	$banned_ips_post = explode("\n", trim($_POST['banned_ips']));
26	$banned_ips_range_post = explode("\n", trim($_POST['banned_ips_range']));
27	$banned_hosts_post = explode("\n", trim($_POST['banned_hosts']));

29	$banned_user_agents_post = explode("\n", trim($_POST['banned_user_agents']));
30	$banned_exclude_ips_post = explode("\n", trim($_POST['banned_exclude_ips']));
31	$banned_message = trim($_POST['banned_template_message']);
32	+
33	if(!empty($banned_ips_post)) {
34	$banned_ips = array();
35	foreach($banned_ips_post as $banned_ip) {
36	+ if($admin_login == 'admin' && ($banned_ip == ban_get_ip() \|\| is_admin_ip($banned_ip))) {
37	$text .= '<font color="blue">'.sprintf(__('This IP \'%s\' Belongs To The Admin And Will Not Be Added To Ban List', 'wp-ban'),$banned_ip).'</font><br />';
38	} else {
39	$banned_ips[] = trim($banned_ip);

46	$range = explode('-', $banned_ip_range);
47	$range_start = trim($range[0]);
48	$range_end = trim($range[1]);
49	+ if($admin_login == 'admin' && (check_ip_within_range(ban_get_ip(), $range_start, $range_end))) {
50	+ $text .= '<font color="blue">'.sprintf(__('The Admin\'s IP \'%s\' Fall Within This Range (%s - %s) And Will Not Be Added To Ban List', 'wp-ban'), ban_get_ip(), $range_start, $range_end).'</font><br />';
51	} else {
52	$banned_ips_range[] = trim($banned_ip_range);
53	}

56	if(!empty($banned_hosts_post)) {
57	$banned_hosts = array();
58	foreach($banned_hosts_post as $banned_host) {
59	+ if($admin_login == 'admin' && ($banned_host == @gethostbyaddr(ban_get_ip()) \|\| is_admin_hostname($banned_host))) {
60	$text .= '<font color="blue">'.sprintf(__('This Hostname \'%s\' Belongs To The Admin And Will Not Be Added To Ban List', 'wp-ban'), $banned_host).'</font><br />';
61	} else {
62	$banned_hosts[] = trim($banned_host);

89	$banned_exclude_ips[] = trim($banned_exclude_ip);
90	}
91	}
92	+ $update_ban_queries = array();
93	+ $update_ban_queries[] = update_option( 'banned_options', $banned_options );
94	$update_ban_queries[] = update_option('banned_ips', $banned_ips);
95	$update_ban_queries[] = update_option('banned_ips_range', $banned_ips_range);
96	$update_ban_queries[] = update_option('banned_hosts', $banned_hosts);

98	$update_ban_queries[] = update_option('banned_user_agents', $banned_user_agents);
99	$update_ban_queries[] = update_option('banned_exclude_ips', $banned_exclude_ips);
100	$update_ban_queries[] = update_option('banned_message', $banned_message);
101	+ $update_ban_text = array();
102	+ $update_ban_text[] = __( 'Banned Options', 'wp-ban' );
103	$update_ban_text[] = __('Banned IPs', 'wp-ban');
104	$update_ban_text[] = __('Banned IP Range', 'wp-ban');
105	$update_ban_text[] = __('Banned Host Names', 'wp-ban');

228	$banned_referers_display = trim($banned_referers_display);
229	$banned_user_agents_display = trim($banned_user_agents_display);
230	$banned_exclude_ips_display = trim($banned_exclude_ips_display);
231	+ $banned_stats = get_option( 'banned_stats' );
232	+ $banned_options = get_option( 'banned_options' );
233	?>
234	<script type="text/javascript">
235	/* <![CDATA[*/

298	</thead>
299	<tr>
300	<td><?php _e('IP', 'wp-ban'); ?>:</td>
301	+ <td><strong><?php echo ban_get_ip(); ?></strong></td>
302	</tr>
303	<tr class="alternate">
304	<td><?php _e('Host Name', 'wp-ban'); ?>:</td>
305	+ <td><strong><?php echo @gethostbyaddr(ban_get_ip()); ?></strong></td>
306	</tr>
307	<tr>
308	<td><?php _e('User Agent', 'wp-ban'); ?>:</td>

320	</table>
321	<p> </p>
322	<table class="form-table">
323	+ <tr>
324	+ <td width="40%" valign="top">
325	+ <strong><?php _e('Reverse Proxy Check', 'wp-ban'); ?>:</strong><br />
326	+ <?php _e( 'This will assume that incoming requests include the user\'s IP address in the HTTP_X_FORWARDED_FOR (and the request IP will be from your proxy).' ); ?>
327	+ </td>
328	+ <td width="60%">
329	+ <label>
330	+ <input type="checkbox" name="banned_option_reverse_proxy" value="1"<?php echo ( intval( $banned_options['reverse_proxy'] ) === 1 ) ? ' checked="checked"' : ''; ?> />
331	+ <?php _e( 'I am using a reverse proxy.' ); ?>
332	+ </label>
333	+ <p>
334	+ <?php _e( 'If you\'re not sure, leave this uncheck. Ticking this box when you don\'t have a reverse proxy will make it easy to bypass the IP ban.' ); ?>
335	+ </p>
336	+ </td>
337	+ </tr>
338	<tr>
339	<td valign="top">
340	<strong><?php _e('Banned IPs', 'wp-ban'); ?>:</strong><br />

readme.txt CHANGED Viewed

	@@ -4,7 +4,7 @@ Donate link: http://lesterchan.net/site/donation/
4	Tags: banned, ban, deny, denied, permission, ip, hostname, host, spam, bots, bot, exclude, referrer, url, referral, range
5	Requires at least: 2.8
6	Tested up to: 4.0
7	- Stable tag: 1.63
8
9	Ban users by IP, IP Range, host name, user agent and referrer url from visiting your WordPress's blog.
10
	@@ -27,6 +27,8 @@ It will display a custom ban message when the banned IP, IP range, host name or
27	* I spent most of my free time creating, updating, maintaining and supporting these plugins, if you really love my plugins and could spare me a couple of bucks, I will really appreciate it. If not feel free to use it without any obligations.
28
29	== Changelog ==


30
31	= Version 1.63 =
32	* FIXED: Notices


4	Tags: banned, ban, deny, denied, permission, ip, hostname, host, spam, bots, bot, exclude, referrer, url, referral, range
5	Requires at least: 2.8
6	Tested up to: 4.0
7	+ Stable tag: 1.64
8
9	Ban users by IP, IP Range, host name, user agent and referrer url from visiting your WordPress's blog.
10

27	* I spent most of my free time creating, updating, maintaining and supporting these plugins, if you really love my plugins and could spare me a couple of bucks, I will really appreciate it. If not feel free to use it without any obligations.
28
29	== Changelog ==
30	+ = Version 1.64 =
31	+ * NEW: Added a new ban option 'reverse proxy' to allow user to choose whether to check against HTTP_X_FORWARDED_FOR header for IP. Props Tom Adams at dxw. This fixes CVE-2014-6230
32
33	= Version 1.63 =
34	* FIXED: Notices

wp-ban.php CHANGED Viewed

	@@ -3,7 +3,7 @@
3	Plugin Name: WP-Ban
4	Plugin URI: http://lesterchan.net/portfolio/programming/php/
5	Description: Ban users by IP, IP Range, host name, user agent and referer url from visiting your WordPress's blog. It will display a custom ban message when the banned IP, IP range, host name, user agent or referer url tries to visit you blog. You can also exclude certain IPs from being banned. There will be statistics recordered on how many times they attemp to visit your blog. It allows wildcard matching too.
6	- Version: 1.63
7	Author: Lester 'GaMerZ' Chan
8	Author URI: http://lesterchan.net
9	Text Domain: wp-ban
	@@ -43,24 +43,31 @@ function ban_menu() {
43	}
44
45
46	- ### Function: Get IP Address
47	- if(~~!function_exists('get_IP'~~)) {
48	- ~~function~~ ~~get_IP~~() {
49	- ~~if(!empty($_SERVER['HTTP_CLIENT_IP'])) {~~
50	- ~~$ip_address~~ = $~~_SERVER~~['~~HTTP_CLIENT_IP~~'];
51	- } ~~else~~ if(~~!empty($_SERVER[~~'HTTP_X_FORWARDED_FOR'])) {
52	- ~~$ip_address~~ = $_SERVER~~['HTTP_X_FORWARDED_FOR'];~~
53	- } ~~else~~ if(~~!empty(~~$_SERVER[~~'REMOTE_ADDR'~~])) {
54	- $~~ip_address~~ = $~~_SERVER['REMOTE_ADDR']~~;
55	- } ~~else~~ {
56	- $~~ip_address~~ ~~= ''~~;



57	}
58	- if(~~strpos~~($~~ip_address,~~ ',') ~~!== false~~) {
59	- $~~ip_address~~ = ~~explode(~~','~~, $ip_address)~~;
60	- $~~ip_address~~ = ~~$ip_address[0];~~


61	}
62	- return esc_attr($~~ip_address~~);
63	}


64	}
65
66
	@@ -72,9 +79,9 @@ function preview_banned_message()
72	$banned_message = stripslashes(get_option('banned_message'));
73	$banned_message = str_replace("%SITE_NAME%", get_option('blogname'), $banned_message);
74	$banned_message = str_replace("%SITE_URL%", get_option('siteurl'), $banned_message);
75	- $banned_message = str_replace("%USER_ATTEMPTS_COUNT%", number_format_i18n($banned_stats['users'][~~get_IP~~()]), $banned_message);
76	- $banned_message = str_replace("%USER_IP%", ~~get_IP~~(), $banned_message);
77	- $banned_message = str_replace("%USER_HOSTNAME%", @gethostbyaddr(~~get_IP~~()), $banned_message);
78	$banned_message = str_replace("%TOTAL_ATTEMPTS_COUNT%", number_format_i18n($banned_stats['count']), $banned_message);
79	echo $banned_message;
80	exit();
	@@ -86,14 +93,14 @@ function print_banned_message() {
86	// Credits To Joe (Ttech) - http://blog.fileville.net/
87	$banned_stats = get_option('banned_stats');
88	$banned_stats['count'] = intval($banned_stats['count']) + 1;
89	- $banned_stats['users'][~~get_IP~~()] = intval($banned_stats['users'][~~get_IP~~()]) + 1;
90	update_option('banned_stats', $banned_stats);
91	$banned_message = stripslashes(get_option('banned_message'));
92	$banned_message = str_replace("%SITE_NAME%", get_option('blogname'), $banned_message);
93	$banned_message = str_replace("%SITE_URL%", get_option('siteurl'), $banned_message);
94	- $banned_message = str_replace("%USER_ATTEMPTS_COUNT%", number_format_i18n($banned_stats['users'][~~get_IP~~()]), $banned_message);
95	- $banned_message = str_replace("%USER_IP%", ~~get_IP~~(), $banned_message);
96	- $banned_message = str_replace("%USER_HOSTNAME%", @gethostbyaddr(~~get_IP~~()), $banned_message);
97	$banned_message = str_replace("%TOTAL_ATTEMPTS_COUNT%", number_format_i18n($banned_stats['count']), $banned_message);
98	echo $banned_message;
99	exit();
	@@ -120,7 +127,7 @@ function process_ban_ip_range($banned_ips_range) {
120	$range = explode('-', $banned_ip_range);
121	$range_start = trim($range[0]);
122	$range_end = trim($range[1]);
123	- if(check_ip_within_range(~~get_IP~~(), $range_start, $range_end)) {
124	print_banned_message();
125	break;
126	}
	@@ -132,7 +139,7 @@ function process_ban_ip_range($banned_ips_range) {
132	### Function: Banned
133	add_action('init', 'banned');
134	function banned() {
135	- $ip = ~~get_IP~~();
136	if($ip == 'unknown') {
137	return;
138	}
	@@ -187,7 +194,7 @@ function banned() {
187
188	### Function: Check Whether Or Not The IP Address Belongs To Admin
189	function is_admin_ip($check) {
190	- return preg_match_wildcard($check, ~~get_IP~~());
191	}
192
193
	@@ -205,7 +212,7 @@ function check_ip_within_range($ip, $range_start, $range_end) {
205
206	### Function: Check Whether Or Not The Hostname Belongs To Admin
207	function is_admin_hostname($check) {
208	- return preg_match_wildcard($check, @gethostbyaddr(~~get_IP~~()));
209	}
210
211
	@@ -252,10 +259,32 @@ function preg_match_wildcard($regex, $subject) {
252	}
253
254
255	- ### Function: ~~Create~~ ~~Ban Options~~
256	- ~~add_action~~(~~'activate_wp-ban/wp-ban.php'~~, '~~ban_init~~');
257	- function ~~ban_init~~() {
258	- ~~ban_textdomain();~~






















259	add_option('banned_ips', array());
260	add_option('banned_hosts',array());
261	add_option('banned_stats', array('users' => array(), 'count' => 0));
	@@ -277,5 +306,6 @@ function ban_init() {
277	add_option('banned_ips_range', array());
278	// Database Upgrade For WP-Ban 1.30
279	add_option('banned_user_agents', array());
280	- }
281	- ?>


3	Plugin Name: WP-Ban
4	Plugin URI: http://lesterchan.net/portfolio/programming/php/
5	Description: Ban users by IP, IP Range, host name, user agent and referer url from visiting your WordPress's blog. It will display a custom ban message when the banned IP, IP range, host name, user agent or referer url tries to visit you blog. You can also exclude certain IPs from being banned. There will be statistics recordered on how many times they attemp to visit your blog. It allows wildcard matching too.
6	+ Version: 1.64
7	Author: Lester 'GaMerZ' Chan
8	Author URI: http://lesterchan.net
9	Text Domain: wp-ban

43	}
44
45
46	+ ### Function: Get IP Address (http://stackoverflow.com/a/2031935)
47	+ function ban_get_ip() {
48	+ $banned_options = get_option( 'banned_options' );
49	+
50	+ if( intval( $banned_options['reverse_proxy'] ) === 1 ) {
51	+ foreach ( array( 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR' ) as $key ) {
52	+ if ( array_key_exists( $key, $_SERVER ) === true ) {
53	+ foreach ( explode( ',', $_SERVER[$key] ) as $ip ) {
54	+ $ip = trim( $ip );
55	+ if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE \| FILTER_FLAG_NO_RES_RANGE) !== false ) {
56	+ return esc_attr( $ip );
57	+ }
58	+ }
59	+ }
60	}
61	+ } else if( !empty( $_SERVER['REMOTE_ADDR'] ) ) {
62	+ $ip = $_SERVER['REMOTE_ADDR'];
63	+ if( strpos( $ip, ',' ) !== false ) {
64	+ $ip = explode( ',', $ip );
65	+ $ip = $ip[0];
66	}
67	+ return esc_attr( $ip );
68	}
69	+
70	+ return '';
71	}
72
73

79	$banned_message = stripslashes(get_option('banned_message'));
80	$banned_message = str_replace("%SITE_NAME%", get_option('blogname'), $banned_message);
81	$banned_message = str_replace("%SITE_URL%", get_option('siteurl'), $banned_message);
82	+ $banned_message = str_replace("%USER_ATTEMPTS_COUNT%", number_format_i18n($banned_stats['users'][ban_get_ip()]), $banned_message);
83	+ $banned_message = str_replace("%USER_IP%", ban_get_ip(), $banned_message);
84	+ $banned_message = str_replace("%USER_HOSTNAME%", @gethostbyaddr(ban_get_ip()), $banned_message);
85	$banned_message = str_replace("%TOTAL_ATTEMPTS_COUNT%", number_format_i18n($banned_stats['count']), $banned_message);
86	echo $banned_message;
87	exit();

93	// Credits To Joe (Ttech) - http://blog.fileville.net/
94	$banned_stats = get_option('banned_stats');
95	$banned_stats['count'] = intval($banned_stats['count']) + 1;
96	+ $banned_stats['users'][ban_get_ip()] = intval($banned_stats['users'][ban_get_ip()]) + 1;
97	update_option('banned_stats', $banned_stats);
98	$banned_message = stripslashes(get_option('banned_message'));
99	$banned_message = str_replace("%SITE_NAME%", get_option('blogname'), $banned_message);
100	$banned_message = str_replace("%SITE_URL%", get_option('siteurl'), $banned_message);
101	+ $banned_message = str_replace("%USER_ATTEMPTS_COUNT%", number_format_i18n($banned_stats['users'][ban_get_ip()]), $banned_message);
102	+ $banned_message = str_replace("%USER_IP%", ban_get_ip(), $banned_message);
103	+ $banned_message = str_replace("%USER_HOSTNAME%", @gethostbyaddr(ban_get_ip()), $banned_message);
104	$banned_message = str_replace("%TOTAL_ATTEMPTS_COUNT%", number_format_i18n($banned_stats['count']), $banned_message);
105	echo $banned_message;
106	exit();

127	$range = explode('-', $banned_ip_range);
128	$range_start = trim($range[0]);
129	$range_end = trim($range[1]);
130	+ if(check_ip_within_range(ban_get_ip(), $range_start, $range_end)) {
131	print_banned_message();
132	break;
133	}

139	### Function: Banned
140	add_action('init', 'banned');
141	function banned() {
142	+ $ip = ban_get_ip();
143	if($ip == 'unknown') {
144	return;
145	}

194
195	### Function: Check Whether Or Not The IP Address Belongs To Admin
196	function is_admin_ip($check) {
197	+ return preg_match_wildcard($check, ban_get_ip());
198	}
199
200

212
213	### Function: Check Whether Or Not The Hostname Belongs To Admin
214	function is_admin_hostname($check) {
215	+ return preg_match_wildcard($check, @gethostbyaddr(ban_get_ip()));
216	}
217
218

259	}
260
261
262	+ ### Function: Activate Plugin
263	+ register_activation_hook( __FILE__, 'ban_activation' );
264	+ function ban_activation( $network_wide )
265	+ {
266	+ if ( is_multisite() && $network_wide )
267	+ {
268	+ $ms_sites = wp_get_sites();
269	+
270	+ if( 0 < sizeof( $ms_sites ) )
271	+ {
272	+ foreach ( $ms_sites as $ms_site )
273	+ {
274	+ switch_to_blog( $ms_site['blog_id'] );
275	+ ban_activate();
276	+ }
277	+ }
278	+
279	+ restore_current_blog();
280	+ }
281	+ else
282	+ {
283	+ ban_activate();
284	+ }
285	+ }
286	+
287	+ function ban_activate() {
288	add_option('banned_ips', array());
289	add_option('banned_hosts',array());
290	add_option('banned_stats', array('users' => array(), 'count' => 0));

306	add_option('banned_ips_range', array());
307	// Database Upgrade For WP-Ban 1.30
308	add_option('banned_user_agents', array());
309	+ // Database Upgrade For WP-Ban 1.64
310	+ add_option( 'banned_options', array( 'reverse_proxy' => 0 ) );
311	+ }