/** * Returns the contents of the file. * * @since 1.15.0 * @access protected * * @param string $file Config file to read. * @return string|WP_Error The contents of the file, an empty string if the file does not exist, or a WP_Error object on error. */ protected static function get_file_contents($file) { if (!ITSEC_Lib_File::exists($file)) { return ''; } $contents = ITSEC_Lib_File::read($file); if (is_wp_error($contents)) { return new WP_Error('itsec-lib-config-file-cannot-read-file', sprintf(__('Unable to read %1$s due to the following error: %2$s', 'it-l10n-better-wp-security'), $file, $contents->get_error_message())); } return $contents; }
protected final function sanitize_setting($type, $var, $name, $prevent_save_on_error = true, $trim_value = true) { $id = $this->get_id(); if (!isset($this->settings[$var])) { $this->add_error(new WP_Error("itsec-validator-missing-var-{$id}-{$var}", sprintf(__('A validation check for %1$s failed. The %2$s value is missing. This could be due to a problem with the iThemes Security installation or an invalid modification. Please reinstall iThemes Security and try again.', 'better-wp-security'), $id, $name))); return false; } if ($trim_value && is_string($this->settings[$var])) { $this->settings[$var] = trim($this->settings[$var]); } $error = false; if ('string' === $type) { $this->settings[$var] = (string) $this->settings[$var]; } else { if ('non-empty-string' === $type) { $this->settings[$var] = (string) $this->settings[$var]; if (empty($this->settings[$var])) { $error = sprintf(__('The %1$s value cannot be empty.', 'better-wp-security'), $name); } } else { if ('title' === $type) { $this->settings[$var] = sanitize_title($this->settings[$var]); } else { if ('non-empty-title' === $type) { $this->settings[$var] = sanitize_title($this->settings[$var]); if (empty($this->settings[$var])) { $error = sprintf(__('The %1$s value cannot be empty.', 'better-wp-security'), $name); } } else { if ('array' === $type) { if (!is_array($this->settings[$var])) { if (empty($this->settings[$var])) { $this->settings[$var] = array(); } else { $this->settings[$var] = array($this->settings[$var]); } } } else { if ('bool' === $type) { if ('false' === $this->settings[$var]) { $this->settings[$var] = false; } else { if ('true' === $this->settings[$var]) { $this->settings[$var] = true; } else { $this->settings[$var] = (bool) $this->settings[$var]; } } } else { if ('int' === $type) { $test_val = intval($this->settings[$var]); if ((string) $test_val === (string) $this->settings[$var]) { $this->settings[$var] = $test_val; } else { $error = sprintf(__('The %1$s value must be an integer.', 'better-wp-security'), $name); } } else { if ('positive-int' === $type) { $test_val = intval($this->settings[$var]); if ((string) $test_val === (string) $this->settings[$var] && $test_val >= 0) { $this->settings[$var] = $test_val; } else { $error = sprintf(__('The %1$s value must be a positive integer.', 'better-wp-security'), $name); } } else { if ('email' === $type) { $this->settings[$var] = sanitize_text_field($this->settings[$var]); if (empty($this->settings[$var]) || !is_email($this->settings[$var])) { $error = sprintf(__('The %1$s value must be a valid email address.', 'better-wp-security'), $name); } } else { if ('valid-username' === $type) { $this->settings[$var] = sanitize_text_field($this->settings[$var]); if (!empty($this->settings[$var]) && !validate_username($this->settings[$var])) { $error = sprintf(__('The %1$s value is not a valid username.', 'better-wp-security'), $name); } } else { if ('date' === $type) { $val = $this->settings[$var]; $separator = '[\\-/\\. ]'; if (preg_match("|^(\\d\\d\\d\\d){$separator}(\\d\\d?){$separator}(\\d\\d?)\$|", $val, $match)) { $year = intval($match[1]); $month = intval($match[2]); $day = intval($match[3]); if (!checkdate($month, $day, $year)) { $error = sprintf(__('The %1$s value must be a valid date.', 'better-wp-security'), $name); } } else { $error = sprintf(__('The %1$s value must be a valid date in the format of YYYY-MM-DD.', 'better-wp-security'), $name); } } else { if ('writable-directory' === $type) { if (!is_string($this->settings[$var])) { $error = sprintf(__('The %1$s value must be a string.', 'better-wp-security'), $name); } else { require_once ITSEC_Core::get_core_dir() . 'lib/class-itsec-lib-directory.php'; $this->settings[$var] = rtrim($this->settings[$var], DIRECTORY_SEPARATOR); if (!ITSEC_Lib_Directory::is_dir($this->settings[$var])) { $result = ITSEC_Lib_Directory::create($this->settings[$var]); if (is_wp_error($result)) { $error = sprintf(_x('The directory supplied in %1$s cannot be used as a valid directory. %2$s', '%1$s is the input name. %2$s is the error message.', 'better-wp-security'), $name, $result->get_error_message()); } } if (empty($error) && !ITSEC_Lib_Directory::is_writable($this->settings[$var])) { $error = sprintf(__('The directory supplied in %1$s is not writable. Please select a directory that can be written to.', 'better-wp-security'), $name); } if (empty($error)) { ITSEC_Lib_Directory::add_file_listing_protection($this->settings[$var]); } } } else { if ('writable-file' === $type) { if (!is_string($this->settings[$var])) { $error = sprintf(__('The %1$s value must be a string.', 'better-wp-security'), $name); } else { require_once ITSEC_Core::get_core_dir() . 'lib/class-itsec-lib-directory.php'; if (!ITSEC_Lib_File::is_file($this->settings[$var]) && ITSEC_Lib_File::exists($this->settings[$var])) { $error = sprintf(__('The file path supplied in %1$s cannot be used as it already exists but is not a file. Please supply a valid file path.', 'better-wp-security'), $name); } else { $result = ITSEC_Lib_Directory::create(dirname($this->settings[$var])); if (is_wp_error($result)) { $error = sprintf(_x('The file path supplied in %1$s cannot be used as the parent directory cannot be created. %2$s', '%1$s is the input name. %2$s is the error message.', 'better-wp-security'), $name, $result->get_error_message()); } else { if (!ITSEC_Lib_File::exists($this->settings[$var])) { $result = ITSEC_Lib_File::write($this->settings[$var], ''); if (is_wp_error($result)) { $error = sprintf(__('The file path supplied in %1$s could not be created. Please supply a file path that can be written to.', 'better-wp-security'), $name); } else { if (!is_writable($this->settings[$var])) { $error = sprintf(__('The file path supplied in %1$s was successfully created, but it cannot be updated. Please supply a file path that can be written to.', 'better-wp-security'), $name); } } } else { if (!is_writable($this->settings[$var])) { $error = sprintf(__('The file path supplied in %1$s is not writable. Please supply a file path that can be written to.', 'better-wp-security'), $name); } } } } } } else { if (is_array($type) && 2 === count($type) && $this === $type[0]) { $this->settings[$var] = $this->convert_string_to_array($this->settings[$var]); if (!is_array($this->settings[$var])) { $error = sprintf(__('The %1$s value must be a string with each entry separated by a new line.', 'better-wp-security'), $name); } else { $invalid_entries = array(); foreach ($this->settings[$var] as $index => $entry) { $entry = sanitize_text_field(trim($entry)); $this->settings[$var][$index] = $entry; if (empty($entry)) { unset($this->settings[$var][$index]); } else { $result = call_user_func($type, $entry); if (false === $result) { $invalid_entries[] = $entry; } else { $this->settings[$var][$index] = $result; } } } $this->settings[$var] = array_unique($this->settings[$var]); if (!empty($invalid_entries)) { $error = wp_sprintf(_n('The following entry in %1$s is invalid: %2$l', 'The following entries in %1$s are invalid: %2$l', count($invalid_entries), 'better-wp-security'), $name, $invalid_entries); } } } else { if (is_array($type)) { if (is_array($this->settings[$var])) { $invalid_entries = array(); foreach ($this->settings[$var] as $index => $entry) { $entry = sanitize_text_field(trim($entry)); $this->settings[$var][$index] = $entry; if (empty($entry)) { unset($this->settings[$var][$index]); } else { if (!in_array($entry, $type, true)) { $invalid_entries[] = $entry; } } } $this->settings[$var] = array_unique($this->settings[$var]); if (!empty($invalid_entries)) { $error = wp_sprintf(_n('The following entry in %1$s is invalid: %2$l', 'The following entries in %1$s are invalid: %2$l', count($invalid_entries), 'better-wp-security'), $name, $invalid_entries); } } else { if (!in_array($this->settings[$var], $type, true)) { $error = wp_sprintf(_n('The valid value for %1$s is: %2$l.', 'The valid values for %1$s are: %2$l.', count($type), 'better-wp-security'), $name, $type); $type = 'array'; } } } else { if ('newline-separated-array' === $type) { $this->settings[$var] = $this->convert_string_to_array($this->settings[$var]); if (!is_array($this->settings[$var])) { $error = sprintf(__('The %1$s value must be a string with each entry separated by a new line.', 'better-wp-security'), $name); } } else { if ('newline-separated-emails' === $type) { $this->settings[$var] = $this->convert_string_to_array($this->settings[$var]); if (!is_array($this->settings[$var])) { $error = sprintf(__('The %1$s value must be a string with each entry separated by a new line.', 'better-wp-security'), $name); } else { $invalid_emails = array(); foreach ($this->settings[$var] as $index => $email) { $email = sanitize_text_field(trim($email)); $this->settings[$var][$index] = $email; if (empty($email)) { unset($this->settings[$var][$index]); } else { if (!is_email($email)) { $invalid_emails[] = $email; } } } $this->settings[$var] = array_unique($this->settings[$var]); if (!empty($invalid_emails)) { $error = wp_sprintf(_n('The following email in %1$s is invalid: %2$l', 'The following emails in %1$s are invalid: %2$l', count($invalid_emails), 'better-wp-security'), $name, $invalid_emails); } } } else { if ('newline-separated-ips' === $type) { $this->settings[$var] = $this->convert_string_to_array($this->settings[$var]); if (!is_array($this->settings[$var])) { $error = sprintf(__('The %1$s value must be a string with each entry separated by a new line.', 'better-wp-security'), $name); } else { require_once ITSEC_Core::get_core_dir() . 'lib/class-itsec-lib-ip-tools.php'; $invalid_ips = array(); foreach ($this->settings[$var] as $index => $ip) { $ip = trim($ip); if ('' === $ip) { unset($this->settings[$var][$index]); } else { $validated_ip = ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr($ip); if (false === $validated_ip) { $invalid_ips[] = $ip; } else { $this->settings[$var][$index] = $validated_ip; } } } $this->settings[$var] = array_unique($this->settings[$var]); if (!empty($invalid_ips)) { $error = wp_sprintf(_n('The following IP in %1$s is invalid: %2$l', 'The following IPs in %1$s are invalid: %2$l', count($invalid_ips), 'better-wp-security'), $name, $invalid_ips); } } } else { if ('newline-separated-extensions' === $type) { $this->settings[$var] = $this->convert_string_to_array($this->settings[$var]); if (!is_array($this->settings[$var])) { $error = sprintf(__('The %1$s value must be a string with each entry separated by a new line.', 'better-wp-security'), $name); } else { $invalid_extensions = array(); foreach ($this->settings[$var] as $index => $extension) { if (!preg_match('/^(\\.[^.]+)+$/', $extension)) { $invalid_extensions[] = $extension; } } $this->settings[$var] = array_unique($this->settings[$var]); if (!empty($invalid_extensions)) { $error = wp_sprintf(_n('The following extension in %1$s is invalid: %2$l', 'The following extensions in %1$s are invalid: %2$l', count($invalid_extensions), 'better-wp-security'), $name, $invalid_extensions); } } } else { /* translators: 1: sanitize type, 2: input name */ $error = sprintf(__('An invalid sanitize type of "%1$s" was received for the %2$s input.', 'better-wp-security'), $type, $name); } } } } } } } } } } } } } } } } } } } if (false !== $error) { $this->add_error(new WP_Error("itsec-validator-{$id}-invalid-type-{$var}-{$type}", $error)); $this->vars_to_skip_validate_matching_types[] = $var; if ($prevent_save_on_error) { $this->set_can_save(false); } return false; } return true; }
/** * Recursively remove the supplied directory. * * @since 1.15.0 * * @return bool|WP_Error Boolean true on success or a WP_Error object if an error occurs. */ public static function remove( $dir ) { if ( ! ITSEC_Lib_File::exists( $dir ) ) { return true; } if ( ! ITSEC_Lib_Utility::is_callable_function( 'rmdir' ) ) { return new WP_Error( 'itsec-lib-directory-remove-rmdir-is-disabled', sprintf( __( 'The directory %s could not be removed as the rmdir() function is disabled. This is a system configuration issue.', 'it-l10n-ithemes-security-pro' ), $dir ) ); } $files = self::read( $dir ); if ( is_wp_error( $files ) ) { return new WP_Error( 'itsec-lib-directory-remove-read-error', sprintf( __( 'Unable to remove %1$s due to the following error: %2$s', 'it-l10n-ithemes-security-pro' ), $dir, $files->get_error_message() ) ); } foreach ( $files as $file ) { if ( ITSEC_Lib_File::is_file( $file ) ) { ITSEC_Lib_File::remove( $file ); } else if ( self::is_dir( $file ) ) { self::remove( $file ); } } $result = rmdir( $dir ); @clearstatcache( true, $dir ); if ( $result ) { return true; } return new WP_Error( 'itsec-lib-directory-remove-unknown-error', sprintf( __( 'Unable to remove %s due to an unknown error.', 'it-l10n-ithemes-security-pro' ), $dir ) ); }
/** * Add an index.php file to the directory to prevent file listing. * * @since 2.3.0 * * @param string $dir Full path to the directory to protect. * @return bool|WP_Error Boolean true if the file could be created or already exists, WP_Error object otherwise. */ public static function add_file_listing_protection($dir) { $dir = rtrim($dir, '/'); if (!self::is_dir($dir)) { return new WP_Error('itsec-lib-directory-add-file-listing-protection-directory-does-not-exist', sprintf(__('The directory %s could not be protected from file listing as the directory does not exist.', 'better-wp-security'), $dir)); } if (ITSEC_Lib_File::exists("{$dir}/index.php")) { return true; } return ITSEC_Lib_File::write("{$dir}/index.php", "<?php\n// Silence is golden."); }