PageRenderTime 44ms CodeModel.GetById 17ms RepoModel.GetById 1ms app.codeStats 0ms

/src/icwp-optionshandler-firewall.php

https://github.com/stackgrinder/wp-simple-firewall
PHP | 304 lines | 263 code | 21 blank | 20 comment | 10 complexity | 2997d42adc50329f47f177685e55f85a MD5 | raw file
    

  1. <?php

    2. 

  2. /**

    3. 

  3.  * Copyright (c) 2014 iControlWP <support@icontrolwp.com>

    4. 

  4.  * All rights reserved.

    5. 

  5.  *

    6. 

  6.  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND

    7. 

  7.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

    8. 

  8.  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

    9. 

  9.  * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR

    10. 

  10.  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

    11. 

  11.  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

    12. 

  12.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON

    13. 

  13.  * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

    14. 

  14.  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

    15. 

  15.  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    16. 

  16.  */

    17. 

  17. 

    18. 

  18. require_once( dirname(__FILE__).'/icwp-optionshandler-base.php' );

    19. 

  19. 

    20. 

  20. if ( !class_exists('ICWP_OptionsHandler_Firewall') ):

    21. 

  21. 

    22. 

  22. class ICWP_OptionsHandler_Firewall extends ICWP_OptionsHandler_Base_Wpsf {

    23. 

  23. 	

    24. 

  24. 	const StoreName = 'firewall_options';

    25. 

  25. 	

    26. 

  26. 	public function __construct( $oPluginVo ) {

    27. 

  27. 		parent::__construct( $oPluginVo, self::StoreName );

    28. 

  28. 

    29. 

  29. 		$this->sFeatureName = _wpsf__('Firewall');

    30. 

  30. 		$this->sFeatureSlug = 'firewall';

    31. 

  31. 	}

    32. 

  32. 

    33. 

  33. 	/**

    34. 

  34. 	 */

    35. 

  35. 	public function doPrePluginOptionsSave() {

    36. 

  36. 

    37. 

  37. 		$aIpWhitelist = $this->getOpt( 'ips_whitelist' );

    38. 

  38. 		if ( $aIpWhitelist === false ) {

    39. 

  39. 			$aIpWhitelist = '';

    40. 

  40. 			$this->setOpt( 'ips_whitelist', $aIpWhitelist );

    41. 

  41. 		}

    42. 

  42. 		$this->processIpFilter( 'ips_whitelist', 'icwp_simple_firewall_whitelist_ips' );

    43. 

  43. 		

    44. 

  44. 		$aIpBlacklist = $this->getOpt( 'ips_blacklist' );

    45. 

  45. 		if ( $aIpBlacklist === false ) {

    46. 

  46. 			$aIpBlacklist = '';

    47. 

  47. 			$this->setOpt( 'ips_blacklist', $aIpBlacklist );

    48. 

  48. 		}

    49. 

  49. 		$this->processIpFilter( 'ips_blacklist', 'icwp_simple_firewall_blacklist_ips' );

    50. 

  50. 		

    51. 

  51. 		$aPageWhitelist = $this->getOpt( 'page_params_whitelist' );

    52. 

  52. 		if ( $aPageWhitelist === false ) {

    53. 

  53. 			$aPageWhitelist = '';

    54. 

  54. 			$this->setOpt( 'page_params_whitelist', $aPageWhitelist );

    55. 

  55. 		}

    56. 

  56. 		

    57. 

  57. 		$sBlockResponse = $this->getOpt( 'block_response' );

    58. 

  58. 		if ( empty( $sBlockResponse ) ) {

    59. 

  59. 			$sBlockResponse = 'redirect_die_message';

    60. 

  60. 			$aIpWhitelist = $this->setOpt( 'block_response', $sBlockResponse );

    61. 

  61. 		}

    62. 

  62. 	}

    63. 

  63. 

    64. 

  64. 	/**

    65. 

  65. 	 * @return bool|void

    66. 

  66. 	 */

    67. 

  67. 	public function defineOptions() {

    68. 

  68. 		$aFirewallBase = 	array(

    69. 

  69. 			'section_title' => sprintf( _wpsf__( 'Enable Plugin Feature: %s' ), _wpsf__('WordPress Firewall') ),

    70. 

  70. 			'section_options' => array(

    71. 

  71. 				array(

    72. 

  72. 					'enable_firewall',

    73. 

  73. 					'',

    74. 

  74. 					'N',

    75. 

  75. 					'checkbox',

    76. 

  76. 					_wpsf__( 'Enable Firewall' ),

    77. 

  77. 					_wpsf__( 'Enable (or Disable) The WordPress Firewall Feature' ),

    78. 

  78. 					sprintf( _wpsf__( 'Checking/Un-Checking this option will completely turn on/off the whole %s feature.' ), _wpsf__('WordPress Firewall') ),

    79. 

  79. 					'<a href="http://icwp.io/43" target="_blank">'._wpsf__( 'more info' ).'</a>'

    80. 

  80. 					.' | <a href="http://icwp.io/wpsf01" target="_blank">'._wpsf__( 'blog' ).'</a>'

    81. 

  81. 				)

    82. 

  82. 			)

    83. 

  83. 		);

    84. 

  84. 		$aBlockTypesSection =  array(

    85. 

  85. 			'section_title' => _wpsf__( 'Firewall Blocking Options' ),

    86. 

  86. 			'section_options' => array(

    87. 

  87. 				array(

    88. 

  88. 					'include_cookie_checks',

    89. 

  89. 					'',

    90. 

  90. 					'N',

    91. 

  91. 					'checkbox',

    92. 

  92. 					_wpsf__( 'Include Cookies' ),

    93. 

  93. 					_wpsf__( 'Also Test Cookie Values In Firewall Tests' ),

    94. 

  94. 					_wpsf__( 'The firewall tests GET and POST, but with this option checked it will also COOKIE values.' )

    95. 

  95. 				),

    96. 

  96. 				array(

    97. 

  97. 					'block_dir_traversal',

    98. 

  98. 					'',

    99. 

  99. 					'Y',

    100. 

  100. 					'checkbox',

    101. 

  101. 					_wpsf__( 'Directory Traversals' ),

    102. 

  102. 					_wpsf__( 'Block Directory Traversals' ),

    103. 

  103. 					_wpsf__( 'This will block directory traversal paths in in application parameters (e.g. ../, ../../etc/passwd, etc.).' )

    104. 

  104. 				),

    105. 

  105. 				array(

    106. 

  106. 					'block_sql_queries',

    107. 

  107. 					'',

    108. 

  108. 					'Y',

    109. 

  109. 					'checkbox',

    110. 

  110. 					_wpsf__( 'SQL Queries' ),

    111. 

  111. 					_wpsf__( 'Block SQL Queries' ),

    112. 

  112. 					_wpsf__( 'This will block sql in application parameters (e.g. union select, concat(, /**/, etc.).' )

    113. 

  113. 				),

    114. 

  114. 				array(

    115. 

  115. 					'block_wordpress_terms',

    116. 

  116. 					'',

    117. 

  117. 					'N',

    118. 

  118. 					'checkbox',

    119. 

  119. 					_wpsf__( 'WordPress Terms' ),

    120. 

  120. 					_wpsf__( 'Block WordPress Specific Terms' ),

    121. 

  121. 					_wpsf__( 'This will block WordPress specific terms in application parameters (wp_, user_login, etc.).' )

    122. 

  122. 				),

    123. 

  123. 				array(

    124. 

  124. 					'block_field_truncation',

    125. 

  125. 					'',

    126. 

  126. 					'Y',

    127. 

  127. 					'checkbox',

    128. 

  128. 					_wpsf__( 'Field Truncation' ),

    129. 

  129. 					_wpsf__( 'Block Field Truncation Attacks' ),

    130. 

  130. 					_wpsf__( 'This will block field truncation attacks in application parameters.' )

    131. 

  131. 				),

    132. 

  132. 				array(

    133. 

  133. 					'block_php_code',

    134. 

  134. 					'',

    135. 

  135. 					'N',

    136. 

  136. 					'checkbox',

    137. 

  137. 					_wpsf__( 'PHP Code' ),

    138. 

  138. 					sprintf( _wpsf__( 'Block %s' ), _wpsf__( 'PHP Code Includes' ) ),

    139. 

  139. 					_wpsf__( 'This will block any data that appears to try and include PHP files.' )

    140. 

  140. 					.'<br />'. _wpsf__( 'Will probably block saving within the Plugin/Theme file editors.' )

    141. 

  141. 				),

    142. 

  142. 				array(

    143. 

  143. 					'block_exe_file_uploads',

    144. 

  144. 					'',

    145. 

  145. 					'N',

    146. 

  146. 					'checkbox',

    147. 

  147. 					_wpsf__( 'Exe File Uploads' ),

    148. 

  148. 					_wpsf__( 'Block Executable File Uploads' ),

    149. 

  149. 					_wpsf__( 'This will block executable file uploads (.php, .exe, etc.).' )

    150. 

  150. 				),

    151. 

  151. 				array(

    152. 

  152. 					'block_leading_schema',

    153. 

  153. 					'',

    154. 

  154. 					'N',

    155. 

  155. 					'checkbox',

    156. 

  156. 					_wpsf__( 'Leading Schemas' ),

    157. 

  157. 					_wpsf__( 'Block Leading Schemas (HTTPS / HTTP)' ),

    158. 

  158. 					_wpsf__( 'This will block leading schemas http:// and https:// in application parameters (off by default; may cause problems with other plugins).' )

    159. 

  159. 				)

    160. 

  160. 			),

    161. 

  161. 		);

    162. 

  162. 		$aRedirectOptions = array( 'select',

    163. 

  163. 			array( 'redirect_die_message',	_wpsf__( 'Die With Message' ) ),

    164. 

  164. 			array( 'redirect_die', 			_wpsf__( 'Die' ) ),

    165. 

  165. 			array( 'redirect_home',			_wpsf__( 'Redirect To Home Page' ) ),

    166. 

  166. 			array( 'redirect_404',			_wpsf__( 'Return 404' ) ),

    167. 

  167. 		);

    168. 

  168. 		$aBlockSection = array(

    169. 

  169. 			'section_title' => _wpsf__( 'Choose Firewall Block Response' ),

    170. 

  170. 			'section_options' => array(

    171. 

  171. 				array(

    172. 

  172. 					'block_response',

    173. 

  173. 					'',

    174. 

  174. 					'none',

    175. 

  175. 					$aRedirectOptions,

    176. 

  176. 					_wpsf__( 'Block Response' ),

    177. 

  177. 					_wpsf__( 'Choose how the firewall responds when it blocks a request' ),

    178. 

  178. 					_wpsf__( 'We recommend dying with a message so you know what might have occurred when the firewall blocks you' )

    179. 

  179. 				),

    180. 

  180. 				array(

    181. 

  181. 					'block_send_email',

    182. 

  182. 					'',

    183. 

  183. 					'N',

    184. 

  184. 					'checkbox',

    185. 

  185. 					_wpsf__( 'Send Email Report' ),

    186. 

  186. 					_wpsf__( 'When a visitor is blocked the firewall will send an email to the configured email address' ),

    187. 

  187. 					_wpsf__( 'Use with caution - if you get hit by automated bots you may send out too many emails and you could get blocked by your host' )

    188. 

  188. 				)

    189. 

  189. 			)

    190. 

  190. 		);

    191. 

  191. 		

    192. 

  192. 		$aWhitelistSection = array(

    193. 

  193. 			'section_title' => _wpsf__( 'Whitelists - IPs, Pages, Parameters, and Users that by-pass the Firewall' ),

    194. 

  194. 			'section_options' => array(

    195. 

  195. 				array(

    196. 

  196. 					'ips_whitelist',

    197. 

  197. 					'',

    198. 

  198. 					'',

    199. 

  199. 					'ip_addresses',

    200. 

  200. 					_wpsf__( 'Whitelist IP Addresses' ),

    201. 

  201. 					_wpsf__( 'Choose IP Addresses that are never subjected to Firewall Rules' ),

    202. 

  202. 					sprintf( _wpsf__( 'Take a new line per address. Your IP address is: %s' ), '<span class="code">'.$this->getVisitorIpAddress( false ).'</span>' )

    203. 

  203. 				),

    204. 

  204. 				array(

    205. 

  205. 					'page_params_whitelist',

    206. 

  206. 					'',

    207. 

  207. 					'',

    208. 

  208. 					'comma_separated_lists',

    209. 

  209. 					_wpsf__( 'Whitelist Parameters' ),

    210. 

  210. 					_wpsf__( 'Detail pages and parameters that are whitelisted (ignored by the firewall)' ),

    211. 

  211. 					_wpsf__( 'This should be used with caution and you should only provide parameter names that you must have excluded' )

    212. 

  212. 						.' '.sprintf( _wpsf__( '%sHelp%s' ), '[<a href="http://icwp.io/2a" target="_blank">', '</a>]' )

    213. 

  213. 				),

    214. 

  214. 				array(

    215. 

  215. 					'whitelist_admins',

    216. 

  216. 					'',

    217. 

  217. 					'Y',

    218. 

  218. 					'checkbox',

    219. 

  219. 					sprintf( _wpsf__( 'Ignore %s' ), _wpsf__( 'Administrators' ) ),

    220. 

  220. 					_wpsf__( 'Ignore users logged in as Administrator' ),

    221. 

  221. 					_wpsf__( 'Authenticated administrator users will not be processed by the firewall' )

    222. 

  222. 				),

    223. 

  223. 				array(

    224. 

  224. 					'ignore_search_engines',

    225. 

  225. 					'',

    226. 

  226. 					'N',

    227. 

  227. 					'checkbox',

    228. 

  228. 					sprintf( _wpsf__( 'Ignore %s' ), _wpsf__( 'Search Engines' ) ),

    229. 

  229. 					_wpsf__( 'Ignore Search Engine Bots' ),

    230. 

  230. 					_wpsf__( 'When selected, the firewall will try to recognise search engine spiders/bots and not apply firewall rules to them' )

    231. 

  231. 				)

    232. 

  232. 			)

    233. 

  233. 		);

    234. 

  234. 		

    235. 

  235. 		$aBlacklistSection = array(

    236. 

  236. 			'section_title' => _wpsf__( 'Choose IP Addresses To Blacklist' ),

    237. 

  237. 			'section_options' => array(

    238. 

  238. 				array(

    239. 

  239. 					'ips_blacklist',

    240. 

  240. 					'',

    241. 

  241. 					'',

    242. 

  242. 					'ip_addresses',

    243. 

  243. 					_wpsf__( 'Blacklist IP Addresses' ),

    244. 

  244. 					_wpsf__( 'Choose IP Addresses that are always blocked from accessing the site' ),

    245. 

  245. 					_wpsf__( 'Take a new line per address. Each IP Address must be valid and will be checked' )

    246. 

  246. 				)

    247. 

  247. 			)

    248. 

  248. 		);

    249. 

  249. 		$aMisc = array(

    250. 

  250. 			'section_title' => _wpsf__( 'Miscellaneous Plugin Options' ),

    251. 

  251. 			'section_options' => array(

    252. 

  252. 				array(

    253. 

  253. 					'enable_firewall_log',

    254. 

  254. 					'',

    255. 

  255. 					'N',

    256. 

  256. 					'checkbox',

    257. 

  257. 					_wpsf__( 'Firewall Logging' ),

    258. 

  258. 					_wpsf__( 'Turn on a detailed Firewall Log' ),

    259. 

  259. 					_wpsf__( 'Will log every visit to the site and how the firewall processes it. Not recommended to leave on unless you want to debug something and check the firewall is working as you expect' )

    260. 

  260. 				)

    261. 

  261. 			)

    262. 

  262. 		);

    263. 

  263. 

    264. 

  264. 		$this->m_aOptions = array(

    265. 

  265. 			$aFirewallBase,

    266. 

  266. 			$aBlockSection,

    267. 

  267. 			$aWhitelistSection,

    268. 

  268. 			$aBlacklistSection,

    269. 

  269. 			$aBlockTypesSection,

    270. 

  270. 			$aMisc

    271. 

  271. 		);

    272. 

  272. 	}

    273. 

  273. 

    274. 

  274. 	public function addRawIpsToFirewallList( $insListName, $inaNewIps ) {

    275. 

  275. 		if ( empty( $inaNewIps ) ) {

    276. 

  276. 			return;

    277. 

  277. 		}

    278. 

  278. 		

    279. 

  279. 		$aIplist = $this->getOpt( $insListName );

    280. 

  280. 		if ( empty( $aIplist ) ) {

    281. 

  281. 			$aIplist = array();

    282. 

  282. 		}

    283. 

  283. 		$aNewList = array();

    284. 

  284. 		foreach( $inaNewIps as $sAddress ) {

    285. 

  285. 			$aNewList[ $sAddress ] = '';

    286. 

  286. 		}

    287. 

  287. 		$this->setOpt( $insListName, ICWP_WPSF_DataProcessor::Add_New_Raw_Ips( $aIplist, $aNewList ) );

    288. 

  288. 	}

    289. 

  289. 

    290. 

  290. 	public function removeRawIpsFromFirewallList( $insListName, $inaRemoveIps ) {

    291. 

  291. 		if ( empty( $inaRemoveIps ) ) {

    292. 

  292. 			return;

    293. 

  293. 		}

    294. 

  294. 		

    295. 

  295. 		$aIplist = $this->getOpt( $insListName );

    296. 

  296. 		if ( empty( $aIplist ) || empty( $inaRemoveIps ) ) {

    297. 

  297. 			return;

    298. 

  298. 		}

    299. 

  299. 		$this->setOpt( $insListName, ICWP_WPSF_DataProcessor::Remove_Raw_Ips( $aIplist, $inaRemoveIps ) );

    300. 

  300. 	}

    301. 

  301. 	

    302. 

  302. }

    303. 

  303. 

    304. 

  304. endif;
    305.