WP fail2ban - Version 4.3.0.8

Version Description

  • Work around an issue where the user-enumeration block was triggered by Gutenberg pre-loading the Author list. (h/t @brrrrrrrt) [WordPress only]

Release Info

Developer invisnet
Version 4.3.0.8

Code changes from version 4.3.0.7 to 4.3.0.8

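--- a/constants.php
+++ b/constants.php
@@ -13,7 +13,7 @@ namespace org\lecklider\charles\wordpress\wp_fail2ban;
 // @codeCoverageIgnoreStart
 
 if (!defined('WP_FAIL2BAN_VER')) {
-define('WP_FAIL2BAN_VER', '4.3.0.7');
+define('WP_FAIL2BAN_VER', '4.3.0.8');
 }
 if (!defined('WP_FAIL2BAN_VER_SHORT')) {
 define('WP_FAIL2BAN_VER_SHORT', '4.3');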
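--- a/feature/user-enum.php
+++ b/feature/user-enum.php
@@ -84,11 +84,42 @@ function parse_request($query)
 */
 function rest_user_query($prepared_args, $request)
 {
-if (!current_user_can('edit_others_posts')) {
+/**
+* ClassicPress and pre-WP 5.4: this is all that's needed
+*/
+if (current_user_can('edit_others_posts')) {
+return $prepared_args;
+}
+
+/**
+* ClassicPress or pre-5.4 Wordpress - bail
+*/
+if (function_exists('classicpress_version') ||
+version_compare(get_bloginfo('version'), '5.4', '<'))
+{
 return _log_bail_user_enum();
 }
 
-return $prepared_args;
+/**
+* >= 5.x WordPress tries to pre-load the list of Authors,
+* regardless of the current user's role or capabilities.
+*
+* Returning 403 seems not to break anything, but we don't
+* want to trigger fail2ban.
+*/
+if (is_user_logged_in() &&
+array_key_exists('who', $prepared_args) &&
+'authors' == $prepared_args['who'])
+{
+if (openlog()) {
+syslog(LOG_DEBUG, 'Blocked authors enumeration');
+closelog();
+}
+
+return bail();
+}
+
+return _log_bail_user_enum();
 }
 
 /**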
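Review bot: The quiet-403 branch guarded by `is_user_logged_in()` (new lines 110-120) is keyed only on being authenticated and on `who=authors`, so any logged-in account — a subscriber, not just the Gutenberg pre-load — can issue `/wp/v2/users?who=authors` repeatedly without the attempt ever reaching the fail2ban log, while the same account's request without `who` still goes through `_log_bail_user_enum()`. No user data is returned either way (`bail()` still refuses the request), so this is an acceptable trade-off, but the block comment should say so: `* Any authenticated user reaches this path, not only Gutenberg; the request is still refused, it just is not counted by fail2ban.` The comparison on line 112 should be strict, `'authors' === $prepared_args['who'])`, because `who` is request-supplied and loose `==` carries type-juggling semantics on the PHP 5.6/7.x the readme still declares as supported. The comment at lines 87-89, `ClassicPress and pre-WP 5.4: this is all that's needed`, is misleading, since the `edit_others_posts` early return applies on every version and only the bail at lines 97-101 is version-specific. `openlog()`, `syslog()` and `closelog()` are called unqualified, so presumably they resolve to the plugin's namespaced wrappers rather than PHP's globals (the global `openlog` takes three required arguments); worth confirming that resolution is intended.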
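--- a/filters.d/wordpress-extra.conf
+++ b/filters.d/wordpress-extra.conf
@@ -1,5 +1,5 @@
 # Fail2Ban filter for WordPress extra failures
-# Auto-generated: 2020-08-15T14:54:36+00:00
+# Auto-generated: 2020-09-22T17:08:50+00:00
 #
 
 [INCLUDES]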
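--- a/filters.d/wordpress-hard.conf
+++ b/filters.d/wordpress-hard.conf
@@ -1,5 +1,5 @@
 # Fail2Ban filter for WordPress hard failures
-# Auto-generated: 2020-08-15T14:54:36+00:00
+# Auto-generated: 2020-09-22T17:08:50+00:00
 #
 
 [INCLUDES]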
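--- a/filters.d/wordpress-soft.conf
+++ b/filters.d/wordpress-soft.conf
@@ -1,5 +1,5 @@
 # Fail2Ban filter for WordPress soft failures
-# Auto-generated: 2020-08-15T14:54:36+00:00
+# Auto-generated: 2020-09-22T17:08:50+00:00
 #
 
 [INCLUDES]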
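--- a/readme.txt
+++ b/readme.txt
@@ -5,8 +5,8 @@ Author URI: https://invis.net/?utm_source=wordpress.org&utm_medium=readme&utm_ca
 Plugin URI: https://wp-fail2ban.com/?utm_source=wordpress.org&utm_medium=readme&utm_campaign=wp-fail2ban-4.3.0
 Tags: fail2ban, login, security, syslog, brute force, protection, classicpress
 Requires at least: 4.2
-Tested up to: 5.5
-Stable tag: 4.3.0.7
+Tested up to: 5.6
+Stable tag: 4.3.0.8
 Requires PHP: 5.6
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -78,6 +78,9 @@ Write a myriad of WordPress events to syslog for integration with fail2ban.
 
 == Changelog ==
 
+= 4.3.0.8 =
+* Workaround issue with user enumeration blocking being triggered by Gutenberg pre-loading Author list. (h/t @brrrrrrrt) [WordPress only]
+
 = 4.3.0.7 =
 * Finish refactoring to allow inclusion of constants in `wp-config.php` (h/t @iCounsellor).
 * Fix MaxMind database update. [Premium only]
@@ -263,6 +266,9 @@ Write a myriad of WordPress events to syslog for integration with fail2ban.
 
 == Upgrade Notice ==
 
+= 4.3.0.8 =
+This is a bugfix (workaround) release. You do not need to update your filters from 4.3.0.
+
 = 4.3.0.7 =
 This is a bugfix release. You do not need to update your filters from 4.3.0. Premium users: Please update your MaxMind database.
 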
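--- a/wp-fail2ban.php
+++ b/wp-fail2ban.php
@@ -4,7 +4,7 @@
 * Plugin URI: https://wp-fail2ban.com/
 * Description: Write a myriad of WordPress events to syslog for integration with fail2ban.
 * Text Domain: wp-fail2ban
-* Version: 4.3.0.7
+* Version: 4.3.0.8
 * Author: Charles Lecklider
 * Author URI: https://invis.net/
 * License: GPLv2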