protected function sanitize_settings()
{
$this->sanitize_setting('bool', 'default', __('Default Blacklist', 'better-wp-security'));
$this->sanitize_setting('bool', 'enable_ban_lists', __('Ban Lists', 'better-wp-security'));
$this->sanitize_setting('newline-separated-ips', 'host_list', __('Ban Hosts', 'better-wp-security'));
if (is_array($this->settings['host_list'])) {
require_once ITSEC_Core::get_core_dir() . '/lib/class-itsec-lib-ip-tools.php';
$whitelisted_hosts = array();
$current_ip = ITSEC_Lib::get_ip();
foreach ($this->settings['host_list'] as $host) {
if (is_user_logged_in() && ITSEC_Lib_IP_Tools::intersect($current_ip, ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr($host))) {
$this->set_can_save(false);
/* translators: 1: input name, 2: invalid host */
$this->add_error(sprintf(__('The following host in %1$s matches your current IP and cannot be banned: %2$s', 'better-wp-security'), __('Ban Hosts', 'better-wp-security'), $host));
continue;
}
if (ITSEC_Lib::is_ip_whitelisted($host)) {
$whitelisted_hosts[] = $host;
}
}
if (!empty($whitelisted_hosts)) {
$this->set_can_save(false);
/* translators: 1: input name, 2: invalid host list */
$this->add_error(wp_sprintf(_n('The following IP in %1$s is whitelisted and cannot be banned: %2$l', 'The following IPs in %1$s are whitelisted and cannot be banned: %2$l', count($whitelisted_hosts), 'better-wp-security'), __('Ban Hosts', 'better-wp-security'), $whitelisted_hosts));
}
}
$this->sanitize_setting(array($this, 'sanitize_agent_list_entry'), 'agent_list', __('Ban User Agents', 'better-wp-security'));
}
/**
* Define host column
*
* @param array $item array of row data
*
* @return string formatted output
*
**/
function column_host($item)
{
require_once ITSEC_Core::get_core_dir() . '/lib/class-itsec-lib-ip-tools.php';
$r = array();
if (!is_array($item['host'])) {
$item['host'] = array($item['host']);
}
foreach ($item['host'] as $host) {
if (ITSEC_Lib_IP_Tools::validate($host)) {
$r[] = '<a href="http://www.traceip.net/?query=' . urlencode($host) . '" target="_blank">' . esc_html($host) . '</a>';
}
}
$return = implode('<br />', $r);
return $return;
}
/**
* Define host column
*
* @param array $item array of row data
*
* @return string formatted output
*
**/
function column_host($item)
{
if (!class_exists('ITSEC_Lib_IP_Tools')) {
$itsec_core = ITSEC_Core::get_instance();
require_once dirname($itsec_core->get_plugin_file()) . '/core/lib/class-itsec-lib-ip-tools.php';
}
$r = array();
if (!is_array($item['host'])) {
$item['host'] = array($item['host']);
}
foreach ($item['host'] as $host) {
if (ITSEC_Lib_IP_Tools::validate($host)) {
$r[] = '<a href="http://www.traceip.net/?query=' . urlencode($host) . '" target="_blank">' . esc_html($host) . '</a>';
}
}
$return = implode('<br />', $r);
return $return;
}
public function run($arguments)
{
global $itsec_globals;
$direction = isset($arguments['direction']) ? $arguments['direction'] : 'add';
if ($direction === 'add') {
if (get_site_option('itsec_temp_whitelist_ip') !== false || !isset($arguments['ip'])) {
return false;
}
$ip = sanitize_text_field($arguments['ip']);
if (!class_exists('ITSEC_Lib_IP_Tools')) {
$itsec_core = ITSEC_Core::get_instance();
require_once dirname($itsec_core->get_plugin_file()) . '/core/lib/class-itsec-lib-ip-tools.php';
}
if (ITSEC_Lib_IP_Tools::validate($ip)) {
$response = array('ip' => $ip, 'exp' => $itsec_globals['current_time'] + 86400);
add_site_option('itsec_temp_whitelist_ip', $response);
return true;
}
} elseif ($direction === 'remove') {
delete_site_option('itsec_temp_whitelist_ip');
return true;
}
return false;
}
/**
* Determines whether a given IP address is whitelisted
*
* @param string $ip_to_check ip to check (can be in CIDR notation)
* @param array $white_ips ip list to compare to if not yet saved to options
* @param boolean $current whether to whitelist the current ip or not (due to saving, etc)
*
* @return boolean true if whitelisted or false
*/
public static function is_ip_whitelisted($ip_to_check, $white_ips = null, $current = false)
{
if (!class_exists('ITSEC_Lib_IP_Tools')) {
$itsec_core = ITSEC_Core::get_instance();
require_once dirname($itsec_core->get_plugin_file()) . '/core/lib/class-itsec-lib-ip-tools.php';
}
if ($white_ips === null) {
$global_settings = get_site_option('itsec_global');
$white_ips = isset($global_settings['lockout_white_list']) ? $global_settings['lockout_white_list'] : array();
}
if ($current === true) {
$white_ips[] = ITSEC_Lib::get_ip();
//add current user ip to whitelist to check automatically
}
// Check to see if we have a temporarily white listed IP
$temp = get_site_option('itsec_temp_whitelist_ip');
if (false !== $temp) {
// If the temporary white list is expired, delete the option we store it in
if ($temp['exp'] < current_time('timestamp')) {
delete_site_option('itsec_temp_whitelist_ip');
} else {
// If the temporary white list is still valid, add the IP to our list of white IPs
$white_ips[] = $temp['ip'];
}
}
$white_ips = apply_filters('itsec_white_ips', $white_ips);
foreach ($white_ips as $white_ip) {
if (ITSEC_Lib_IP_Tools::intersect($ip_to_check, ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr($white_ip))) {
return true;
}
}
return false;
}
/**
* Process quick ban of host.
*
* Immediately adds the supplied host to the .htaccess file for banning.
*
* @since 4.0.0
*
* @param string $host the host to ban
*
* @return bool true on success or false on failure
*/
public static function quick_ban($host)
{
$host = trim($host);
if (!class_exists('ITSEC_Lib_IP_Tools')) {
$itsec_core = ITSEC_Core::get_instance();
require_once dirname($itsec_core->get_plugin_file()) . '/core/lib/class-itsec-lib-ip-tools.php';
}
if (!ITSEC_Lib_IP_Tools::validate($host)) {
return false;
}
$host_rule = '# ' . __('Quick ban IP. Will be updated on next formal rules save.', 'better-wp-security') . "\n";
if ('nginx' === ITSEC_Lib::get_server()) {
$host_rule .= "\tdeny {$host};\n";
} else {
if ('apache' === ITSEC_Lib::get_server()) {
$dhost = str_replace('.', '\\.', $host);
//re-define $dhost to match required output for SetEnvIf-RegEX
$host_rule .= "SetEnvIF REMOTE_ADDR \"^{$dhost}\$\" DenyAccess\n";
//Ban IP
$host_rule .= "SetEnvIF X-FORWARDED-FOR \"^{$dhost}\$\" DenyAccess\n";
//Ban IP from Proxy-User
$host_rule .= "SetEnvIF X-CLUSTER-CLIENT-IP \"^{$dhost}\$\" DenyAccess\n";
//Ban IP for Cluster/Cloud-hosted WP-Installs
$host_rule .= "<IfModule mod_authz_core.c>\n";
$host_rule .= "\t<RequireAll>\n";
$host_rule .= "\t\tRequire all granted\n";
$host_rule .= "\t\tRequire not env DenyAccess\n";
$host_rule .= "\t\tRequire not ip {$host}\n";
$host_rule .= "\t</RequireAll>\n";
$host_rule .= "</IfModule>\n";
$host_rule .= "<IfModule !mod_authz_core.c>\n";
$host_rule .= "\tOrder allow,deny\n";
$host_rule .= "\tDeny from env=DenyAccess\n";
$host_rule .= "\tDeny from {$host}\n";
$host_rule .= "\tAllow from all\n";
$host_rule .= "</IfModule>\n";
}
}
require_once trailingslashit($GLOBALS['itsec_globals']['plugin_dir']) . 'core/lib/class-itsec-lib-config-file.php';
$result = ITSEC_Lib_Config_File::append_server_config($host_rule);
if (is_wp_error($result)) {
return false;
}
return true;
}
public static function get_server_config_ban_hosts_rules($server_type)
{
$host_list = ITSEC_Modules::get_setting('ban-users', 'host_list', array());
if (!is_array($host_list) || empty($host_list)) {
return '';
}
if (!class_exists('ITSEC_Lib_IP_Tools')) {
require_once ITSEC_Core::get_core_dir() . '/lib/class-itsec-lib-ip-tools.php';
}
$host_rules = '';
$set_env_rules = '';
$deny_rules = '';
$require_rules = '';
// process hosts list
foreach ($host_list as $host) {
$host = ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr(trim($host));
if (empty($host)) {
continue;
}
if (ITSEC_Lib::is_ip_whitelisted($host)) {
/**
* @todo warn the user the ip to be banned is whitelisted
*/
continue;
}
if (in_array($server_type, array('apache', 'litespeed'))) {
$converted_host = ITSEC_Lib_IP_Tools::ip_cidr_to_ip_regex($host);
if (empty($converted_host)) {
continue;
}
$set_env_rules .= "\tSetEnvIF REMOTE_ADDR \"^{$converted_host}\$\" DenyAccess\n";
// Ban IP
$set_env_rules .= "\tSetEnvIF X-FORWARDED-FOR \"^{$converted_host}\$\" DenyAccess\n";
// Ban IP from a proxy
$set_env_rules .= "\tSetEnvIF X-CLUSTER-CLIENT-IP \"^{$converted_host}\$\" DenyAccess\n";
// Ban IP from a load balancer
$set_env_rules .= "\n";
$require_rules .= "\t\t\tRequire not ip {$host}\n";
$deny_rules .= "\t\tDeny from {$host}\n";
} else {
if ('nginx' === $server_type) {
$host_rules .= "\tdeny {$host};\n";
}
}
}
$rules = '';
if ('apache' === $server_type) {
if (!empty($set_env_rules)) {
$rules .= "\n";
$rules .= "\t# " . __('Ban Hosts - Security > Settings > Banned Users', 'better-wp-security') . "\n";
$rules .= $set_env_rules;
$rules .= "\t<IfModule mod_authz_core.c>\n";
$rules .= "\t\t<RequireAll>\n";
$rules .= "\t\t\tRequire all granted\n";
$rules .= "\t\t\tRequire not env DenyAccess\n";
$rules .= $require_rules;
$rules .= "\t\t</RequireAll>\n";
$rules .= "\t</IfModule>\n";
$rules .= "\t<IfModule !mod_authz_core.c>\n";
$rules .= "\t\tOrder allow,deny\n";
$rules .= "\t\tAllow from all\n";
$rules .= "\t\tDeny from env=DenyAccess\n";
$rules .= $deny_rules;
$rules .= "\t</IfModule>\n";
}
} else {
if ('litespeed' === $server_type) {
if (!empty($set_env_rules)) {
$rules .= "\n";
$rules .= "\t# " . __('Ban Hosts - Security > Settings > Banned Users', 'better-wp-security') . "\n";
$rules .= $set_env_rules;
$rules .= "\t<IfModule mod_litespeed.c>\n";
$rules .= "\t\tOrder allow,deny\n";
$rules .= "\t\tAllow from all\n";
$rules .= "\t\tDeny from env=DenyAccess\n";
$rules .= $deny_rules;
$rules .= "\t</IfModule>\n";
}
} else {
if ('nginx' === $server_type) {
if (!empty($host_rules)) {
$rules .= "\n";
$rules .= "\t# " . __('Ban Hosts - Security > Settings > Banned Users', 'better-wp-security') . "\n";
$rules .= $host_rules;
}
}
}
}
return $rules;
}
/**
* Locks out given user or host
*
* @since 4.0
*
* @param string $type The type of lockout (for user reference)
* @param string $reason Reason for lockout, for notifications
* @param string $host Host to lock out
* @param int $user user id to lockout
* @param string $username username to lockout
*
* @return void
*/
private function lockout($type, $reason, $host = null, $user = null, $username = null)
{
global $wpdb, $itsec_logger, $itsec_globals, $itsec_files;
$host_expiration = null;
$user_expiration = null;
$username = sanitize_text_field(trim($username));
if ($itsec_files->get_file_lock('lockout_' . $host . $user . $username)) {
//Do we have a good host to lock out or not
if (!is_null($host) && ITSEC_Lib::is_ip_whitelisted(sanitize_text_field($host)) === false && ITSEC_Lib_IP_Tools::validate($host)) {
$good_host = sanitize_text_field($host);
} else {
$good_host = false;
}
//Do we have a valid user to lockout or not
if ($user !== null && ITSEC_Lib::user_id_exists(intval($user)) === true) {
$good_user = intval($user);
} else {
$good_user = false;
}
//Do we have a valid username to lockout or not
if ($username !== null && $username != '') {
$good_username = $username;
} else {
$good_username = false;
}
$blacklist_host = false;
//assume we're not permanently blcking the host
//Sanitize the data for later
$type = sanitize_text_field($type);
$reason = sanitize_text_field($reason);
//handle a permanent host ban (if needed)
if (isset($itsec_globals['settings']['blacklist']) && $itsec_globals['settings']['blacklist'] === true && $good_host !== false) {
//permanent blacklist
$blacklist_period = isset($itsec_globals['settings']['blacklist_period']) ? $itsec_globals['settings']['blacklist_period'] * 24 * 60 * 60 : 604800;
$host_count = 1 + $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM `" . $wpdb->base_prefix . "itsec_lockouts` WHERE `lockout_expire_gmt` > '%s' AND `lockout_host`='%s';", date('Y-m-d H:i:s', $itsec_globals['current_time_gmt'] - $blacklist_period), $host));
if ($host_count >= $itsec_globals['settings']['blacklist_count'] && isset($itsec_globals['settings']['write_files']) && $itsec_globals['settings']['write_files'] === true) {
$host_expiration = false;
if (!class_exists('ITSEC_Ban_Users')) {
require trailingslashit($itsec_globals['plugin_dir']) . 'core/modules/ban-users/class-itsec-ban-users.php';
}
ITSEC_Ban_Users::insert_ip(sanitize_text_field($host));
//Send it to the Ban Users module for banning
$blacklist_host = true;
//flag it so we don't do a temp ban as well
}
}
//We have temp bans to perform
if ($good_host !== false || $good_user !== false || $good_username || $good_username !== false) {
if (ITSEC_Lib::is_ip_whitelisted(sanitize_text_field($host))) {
$whitelisted = true;
$expiration = date('Y-m-d H:i:s', 1);
$expiration_gmt = date('Y-m-d H:i:s', 1);
} else {
$whitelisted = false;
$exp_seconds = intval($itsec_globals['settings']['lockout_period']) * 60;
$expiration = date('Y-m-d H:i:s', $itsec_globals['current_time'] + $exp_seconds);
$expiration_gmt = date('Y-m-d H:i:s', $itsec_globals['current_time_gmt'] + $exp_seconds);
}
if ($good_host !== false && $blacklist_host === false) {
//temp lockout host
$host_expiration = $expiration;
$wpdb->insert($wpdb->base_prefix . 'itsec_lockouts', array('lockout_type' => $type, 'lockout_start' => date('Y-m-d H:i:s', $itsec_globals['current_time']), 'lockout_start_gmt' => date('Y-m-d H:i:s', $itsec_globals['current_time_gmt']), 'lockout_expire' => $expiration, 'lockout_expire_gmt' => $expiration_gmt, 'lockout_host' => sanitize_text_field($host)));
$itsec_logger->log_event(__('lockout', 'better-wp-security'), 10, array('expires' => $expiration, 'expires_gmt' => $expiration_gmt, 'type' => $type), sanitize_text_field($host));
}
if ($good_user !== false) {
//blacklist host and temp lockout user
$user_expiration = $expiration;
$wpdb->insert($wpdb->base_prefix . 'itsec_lockouts', array('lockout_type' => $type, 'lockout_start' => date('Y-m-d H:i:s', $itsec_globals['current_time']), 'lockout_start_gmt' => date('Y-m-d H:i:s', $itsec_globals['current_time_gmt']), 'lockout_expire' => $expiration, 'lockout_expire_gmt' => $expiration_gmt, 'lockout_host' => '', 'lockout_user' => intval($user)));
if ($whitelisted === false) {
$itsec_logger->log_event('lockout', 10, array('expires' => $expiration, 'expires_gmt' => $expiration_gmt, 'type' => $type), '', '', intval($user));
} else {
$itsec_logger->log_event('lockout', 10, array(__('White Listed', 'better-wp-security'), 'type' => $type), '', '', intval($user));
}
}
if ($good_username !== false) {
//blacklist host and temp lockout username
$user_expiration = $expiration;
$wpdb->insert($wpdb->base_prefix . 'itsec_lockouts', array('lockout_type' => $type, 'lockout_start' => date('Y-m-d H:i:s', $itsec_globals['current_time']), 'lockout_start_gmt' => date('Y-m-d H:i:s', $itsec_globals['current_time_gmt']), 'lockout_expire' => $expiration, 'lockout_expire_gmt' => $expiration_gmt, 'lockout_host' => '', 'lockout_username' => $username));
if ($whitelisted === false) {
$itsec_logger->log_event('lockout', 10, array('expires' => $expiration, 'expires_gmt' => $expiration_gmt, 'type' => $type), '', '', $username);
} else {
$itsec_logger->log_event('lockout', 10, array(__('White Listed', 'better-wp-security'), 'type' => $type), '', '', $username);
}
}
if ($whitelisted === false) {
if ($itsec_globals['settings']['email_notifications'] === true) {
//send email notifications
$this->send_lockout_email($good_host, $good_user, $good_username, $host_expiration, $user_expiration, $reason);
}
if ($good_host !== false) {
$itsec_files->release_file_lock('lockout_' . $host . $user . $username);
$this->execute_lock();
} else {
$itsec_files->release_file_lock('lockout_' . $host . $user . $username);
$this->execute_lock(true);
}
}
}
$itsec_files->release_file_lock('lockout_' . $host . $user . $username);
}
}
/**
* Determines whether a given IP address is whitelisted
*
* @param string $ip_to_check ip to check (can be in CIDR notation)
* @param array $white_ips ip list to compare to if not yet saved to options
* @param boolean $current whether to whitelist the current ip or not (due to saving, etc)
*
* @return boolean true if whitelisted or false
*/
public static function is_ip_whitelisted($ip_to_check, $white_ips = null, $current = false)
{
if (!class_exists('ITSEC_Lib_IP_Tools')) {
$itsec_core = ITSEC_Core::get_instance();
require_once dirname($itsec_core->get_plugin_file()) . '/core/lib/class-itsec-lib-ip-tools.php';
}
if ($white_ips === null) {
$global_settings = get_site_option('itsec_global');
$white_ips = isset($global_settings['lockout_white_list']) ? $global_settings['lockout_white_list'] : array();
}
if ($current === true) {
$white_ips[] = ITSEC_Lib::get_ip();
//add current user ip to whitelist to check automatically
}
foreach ($white_ips as $white_ip) {
if (ITSEC_Lib_IP_Tools::intersect($ip_to_check, ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr($white_ip))) {
return true;
}
}
return false;
}
/**
* Locks out given user or host
*
* @since 4.0
*
* @param string $type The type of lockout (for user reference)
* @param string $reason Reason for lockout, for notifications
* @param string $host Host to lock out
* @param int $user user id to lockout
* @param string $username username to lockout
*
* @return void
*/
private function lockout($type, $reason, $host = null, $user = null, $username = null)
{
global $wpdb, $itsec_logger, $itsec_globals;
$itsec_files = ITSEC_Core::get_itsec_files();
$host_expiration = null;
$user_expiration = null;
$username = sanitize_text_field(trim($username));
if ($itsec_files->get_file_lock('lockout_' . $host . $user . $username)) {
//Do we have a good host to lock out or not
if (!is_null($host) && ITSEC_Lib::is_ip_whitelisted(sanitize_text_field($host)) === false && ITSEC_Lib_IP_Tools::validate($host)) {
$good_host = sanitize_text_field($host);
} else {
$good_host = false;
}
//Do we have a valid user to lockout or not
if ($user !== null && ITSEC_Lib::user_id_exists(intval($user)) === true) {
$good_user = intval($user);
} else {
$good_user = false;
}
//Do we have a valid username to lockout or not
if ($username !== null && $username != '') {
$good_username = $username;
} else {
$good_username = false;
}
$blacklist_host = false;
//assume we're not permanently blcking the host
//Sanitize the data for later
$type = sanitize_text_field($type);
$reason = sanitize_text_field($reason);
//handle a permanent host ban (if needed)
if (ITSEC_Modules::get_setting('global', 'blacklist') && $good_host !== false) {
//permanent blacklist
$blacklist_period = ITSEC_Modules::get_setting('global', 'blacklist_period', 7);
$blacklist_seconds = $blacklist_period * DAY_IN_SECONDS;
$host_count = 1 + $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM `" . $wpdb->base_prefix . "itsec_lockouts` WHERE `lockout_expire_gmt` > '%s' AND `lockout_host`='%s';", date('Y-m-d H:i:s', $itsec_globals['current_time_gmt'] - $blacklist_seconds), $host));
if ($host_count >= ITSEC_Modules::get_setting('global', 'blacklist_count') && ITSEC_Files::can_write_to_files()) {
$host_expiration = false;
$this->blacklist_ip(sanitize_text_field($host));
$blacklist_host = true;
//flag it so we don't do a temp ban as well
}
}
//We have temp bans to perform
if ($good_host !== false || $good_user !== false || $good_username || $good_username !== false) {
if (ITSEC_Lib::is_ip_whitelisted(sanitize_text_field($host))) {
$whitelisted = true;
$expiration = date('Y-m-d H:i:s', 1);
$expiration_gmt = date('Y-m-d H:i:s', 1);
} else {
$whitelisted = false;
$exp_seconds = ITSEC_Modules::get_setting('global', 'lockout_period') * MINUTE_IN_SECONDS;
$expiration = date('Y-m-d H:i:s', $itsec_globals['current_time'] + $exp_seconds);
$expiration_gmt = date('Y-m-d H:i:s', $itsec_globals['current_time_gmt'] + $exp_seconds);
}
if ($good_host !== false && $blacklist_host === false) {
//temp lockout host
$host_expiration = $expiration;
$wpdb->insert($wpdb->base_prefix . 'itsec_lockouts', array('lockout_type' => $type, 'lockout_start' => date('Y-m-d H:i:s', $itsec_globals['current_time']), 'lockout_start_gmt' => date('Y-m-d H:i:s', $itsec_globals['current_time_gmt']), 'lockout_expire' => $expiration, 'lockout_expire_gmt' => $expiration_gmt, 'lockout_host' => sanitize_text_field($host)));
$itsec_logger->log_event('lockout', 10, array('expires' => $expiration, 'expires_gmt' => $expiration_gmt, 'type' => $type), sanitize_text_field($host));
}
if ($good_user !== false) {
//blacklist host and temp lockout user
$user_expiration = $expiration;
$wpdb->insert($wpdb->base_prefix . 'itsec_lockouts', array('lockout_type' => $type, 'lockout_start' => date('Y-m-d H:i:s', $itsec_globals['current_time']), 'lockout_start_gmt' => date('Y-m-d H:i:s', $itsec_globals['current_time_gmt']), 'lockout_expire' => $expiration, 'lockout_expire_gmt' => $expiration_gmt, 'lockout_host' => '', 'lockout_user' => intval($user)));
if ($whitelisted === false) {
$itsec_logger->log_event('lockout', 10, array('expires' => $expiration, 'expires_gmt' => $expiration_gmt, 'type' => $type), '', '', intval($user));
} else {
$itsec_logger->log_event('lockout', 10, array(__('White Listed', 'better-wp-security'), 'type' => $type), '', '', intval($user));
}
}
if ($good_username !== false) {
//blacklist host and temp lockout username
$user_expiration = $expiration;
$wpdb->insert($wpdb->base_prefix . 'itsec_lockouts', array('lockout_type' => $type, 'lockout_start' => date('Y-m-d H:i:s', $itsec_globals['current_time']), 'lockout_start_gmt' => date('Y-m-d H:i:s', $itsec_globals['current_time_gmt']), 'lockout_expire' => $expiration, 'lockout_expire_gmt' => $expiration_gmt, 'lockout_host' => '', 'lockout_username' => $username));
if ($whitelisted === false) {
$itsec_logger->log_event('lockout', 10, array('expires' => $expiration, 'expires_gmt' => $expiration_gmt, 'type' => $type), '', '', $username);
} else {
$itsec_logger->log_event('lockout', 10, array(__('White Listed', 'better-wp-security'), 'type' => $type), '', '', $username);
}
}
if ($whitelisted === false) {
if (ITSEC_Modules::get_setting('global', 'email_notifications')) {
//send email notifications
$this->send_lockout_email($good_host, $good_user, $good_username, $host_expiration, $user_expiration, $reason);
}
if ($good_host !== false) {
$itsec_files->release_file_lock('lockout_' . $host . $user . $username);
$this->execute_lock();
} else {
$itsec_files->release_file_lock('lockout_' . $host . $user . $username);
$this->execute_lock(true);
}
}
}
$itsec_files->release_file_lock('lockout_' . $host . $user . $username);
}
}
/**
* Sanitize and validate input
*
* @param Array $input array of input fields
*
* @return Array Sanitized array
*/
public function sanitize_module_input($input)
{
if (!class_exists('ITSEC_Lib_IP_Tools')) {
$itsec_core = ITSEC_Core::get_instance();
require_once dirname($itsec_core->get_plugin_file()) . '/core/lib/class-itsec-lib-ip-tools.php';
}
global $itsec_globals;
$has_errors = false;
//Sanitize checkbox features
$input['enabled'] = isset($input['enabled']) && intval($input['enabled'] == 1) ? true : false;
$input['default'] = isset($input['default']) && intval($input['default'] == 1) ? true : false;
if (isset($input['agent_list']) && is_string($input['agent_list'])) {
$agents = preg_split('/(?<!\\r)\\n|\\r(?!\\n)|(?<!\\r)\\r\\n|\\r\\r\\n/', trim($input['agent_list']));
} else {
if (isset($input['agent_list']) && is_array($input['agent_list'])) {
$agents = $input['agent_list'];
} else {
$agents = array();
}
}
$good_agents = array();
foreach ($agents as $agent) {
$agent = trim(sanitize_text_field($agent));
if (!empty($agent)) {
$good_agents[] = $agent;
}
}
$input['agent_list'] = array_unique($good_agents);
if (isset($input['host_list']) && is_string($input['host_list'])) {
$addresses = preg_split('/(?<!\\r)\\n|\\r(?!\\n)|(?<!\\r)\\r\\n|\\r\\r\\n/', trim($input['host_list']));
} else {
if (isset($input['host_list']) && is_array($input['host_list'])) {
$addresses = $input['host_list'];
} else {
$addresses = array();
}
}
if (!class_exists('ITSEC_Ban_Users')) {
require dirname(__FILE__) . '/class-itsec-ban-users.php';
}
$bad_ips = array();
$white_ips = array();
$raw_ips = array();
foreach ($addresses as $index => $address) {
$address = trim($address);
if (empty($address)) {
continue;
}
//Store the original user supplied IP for use in error messages or to fill back into the list if invalid
$original_address = $address;
// This checks validity and converts wildcard notation to standard CIDR notation
$address = ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr($address);
if (!$address) {
// Put the address back to the original so it's not removed from the list
$address = $original_address;
$bad_ips[] = trim(filter_var($address, FILTER_SANITIZE_STRING));
}
if (ITSEC_Lib::is_ip_whitelisted($address, null, true)) {
$white_ips[] = trim(filter_var($address, FILTER_SANITIZE_STRING));
}
$raw_ips[] = trim(filter_var($address, FILTER_SANITIZE_STRING));
}
$raw_ips = array_unique($raw_ips);
if (!empty($bad_ips)) {
$input['enabled'] = false;
//disable ban users list
$type = 'error';
if (!$has_errors) {
$message = sprintf('%s<br /><br />', __('Note that the ban users feature has been disabled until the following errors are corrected:', 'better-wp-security'));
}
foreach ($bad_ips as $bad_ip) {
$message .= sprintf('%s %s<br />', $bad_ip, __('is not a valid address in the ban users box.', 'better-wp-security'));
}
add_settings_error('itsec', esc_attr('settings_updated'), $message, $type);
$has_errors = true;
}
if (sizeof($white_ips) > 0) {
$input['enabled'] = false;
//disable ban users list
$type = 'error';
if (!$has_errors) {
$message = sprintf('%s<br /><br />', __('Note that the ban users feature has been disabled until the following errors are corrected:', 'better-wp-security'));
}
foreach ($white_ips as $white_ip) {
$message .= sprintf('%s %s<br />', $white_ip, __('is not a valid address as it has been white listed.', 'better-wp-security'));
}
add_settings_error('itsec', esc_attr('settings_updated'), $message, $type);
$has_errors = true;
}
$input['host_list'] = $raw_ips;
if (!$has_errors) {
if (!isset($type) && ($input['host_list'] !== $this->settings['host_list'] || $input['enabled'] !== $this->settings['enabled'] || $input['default'] !== $this->settings['default'] || $input['agent_list'] !== $this->settings['agent_list']) || isset($itsec_globals['settings']['write_files']) && true === $itsec_globals['settings']['write_files']) {
add_site_option('itsec_rewrites_changed', true);
}
}
if (is_multisite()) {
if (isset($type)) {
$error_handler = new WP_Error();
$error_handler->add($type, $message);
$this->core->show_network_admin_notice($error_handler);
} else {
$this->core->show_network_admin_notice(false);
}
$this->settings = $input;
}
return $input;
}
/**
* Execute module upgrade
*
* @return void
*/
public function execute_upgrade($itsec_old_version)
{
if ($itsec_old_version < 4000) {
global $itsec_bwps_options;
$current_options = get_site_option('itsec_ban_users');
// Don't do anything if settings haven't already been set, defaults exist in the module system and we prefer to use those
if (false !== $current_options) {
$current_options['enabled'] = isset($itsec_bwps_options['bu_enabled']) && $itsec_bwps_options['bu_enabled'] == 1 ? true : false;
$current_options['default'] = isset($itsec_bwps_options['bu_blacklist']) && $itsec_bwps_options['bu_blacklist'] == 1 ? true : false;
if (isset($itsec_bwps_options['bu_banlist']) && !is_array($itsec_bwps_options['bu_banlist']) && strlen($itsec_bwps_options['bu_banlist']) > 1) {
$raw_hosts = explode(PHP_EOL, $itsec_bwps_options['bu_banlist']);
foreach ($raw_hosts as $host) {
if (strlen($host) > 1) {
$current_options['host_list'][] = $host;
}
}
}
if (isset($itsec_bwps_options['bu_banagent']) && !is_array($itsec_bwps_options['bu_banagent']) && strlen($itsec_bwps_options['bu_banagent']) > 1) {
$current_options['agent_list'] = explode(PHP_EOL, $itsec_bwps_options['bu_banagent']);
$raw_agents = explode(PHP_EOL, $itsec_bwps_options['bu_banagent']);
foreach ($raw_agents as $agent) {
if (strlen($agent) > 1) {
$current_options['agent_list'][] = $agent;
}
}
}
update_site_option('itsec_ban_users', $current_options);
ITSEC_Response::regenerate_server_config();
}
}
if ($itsec_old_version < 4027) {
ITSEC_Response::regenerate_server_config();
}
if ($itsec_old_version < 4041) {
$current_options = get_site_option('itsec_ban_users');
// If there are no current options, go with the new defaults by not saving anything
if (is_array($current_options)) {
$itsec_modules = ITSEC_Modules::get_instance();
// 'enable_ban_lists' was previously just 'enabled'
// Make sure the new module is properly activated or deactivated
if ($current_options['enabled']) {
ITSEC_Modules::activate('backup');
$current_options['enable_ban_lists'] = true;
} else {
ITSEC_Modules::deactivate('backup');
$current_options['enable_ban_lists'] = false;
}
unset($current_options['enabled']);
// Filter out invalid IPs
$current_options['host_list'] = array_map('trim', $current_options['host_list']);
if (!class_exists('ITSEC_Lib_IP_Tools')) {
require_once ITSEC_Core::get_core_dir() . '/lib/class-itsec-lib-ip-tools.php';
}
foreach ($current_options['host_list'] as $index => $ip) {
if ('' === $ip || false === ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr($ip)) {
unset($current_options['host_list'][$index]);
}
}
$itsec_modules->set_settings('ban-users', $current_options);
}
}
}
/**
* Send offending IP to IPCheck API
*
* @since 4.5
*
* @param string|null $ip ip to report
* @param int $type type of behavior to report
*
* @return int -1 on failure, 0 if report successful and IP not blocked, 1 if IP successful and IP blocked
*/
public function report_ip($ip = null, $type = 1)
{
global $itsec_globals, $itsec_logger;
$action = 'report-ip';
/**
* Switch types or return false if no valid type
*
* Valid types:
* 1 = invalid/failed login
*
*/
switch ($type) {
case 1:
$behavior = 'brute-force-login';
break;
default:
return -1;
}
//get current IP if needed
if ($ip === null) {
$ip = ITSEC_Lib::get_ip();
} else {
$ip = trim(sanitize_text_field($ip));
}
if (ITSEC_Lib::is_ip_whitelisted($ip)) {
return 0;
}
if (ITSEC_Lib_IP_Tools::validate($ip)) {
//verify IP address is valid
if (!isset($this->settings['api_key']) || !isset($this->settings['api_secret'])) {
return -1;
//invalid key or secret
}
$args = json_encode(array('apikey' => $this->settings['api_key'], 'behavior' => $behavior, 'ip' => $ip, 'site' => home_url('', 'http'), 'timestamp' => $itsec_globals['current_time_gmt']));
//Build the request parameters
$request = array('body' => array('request' => $args, 'signature' => $this->hmac_SHA1($this->settings['api_secret'], $action . $args)));
$response = wp_remote_post($this->endpoint . $action, $request);
//Make sure the request was valid and has a valid body
if (!is_wp_error($response) && isset($response['body'])) {
$response = json_decode($response['body'], true);
if (is_array($response) && isset($response['success']) && $response['success'] == true) {
if (isset($response['block']) && $response['block'] == true) {
$cache = isset($response['cache_ttl']) ? absint($response['cache_ttl']) : 3600;
$expiration = date('Y-m-d H:i:s', $itsec_globals['current_time'] + $cache);
$expiration_gmt = date('Y-m-d H:i:s', $itsec_globals['current_time_gmt'] + $cache);
$itsec_logger->log_event('lockout', 10, array('expires' => $expiration, 'expires_gmt' => $expiration_gmt, 'type' => 'host'), $ip);
$this->cache_ip($ip, array('status' => true), $cache);
return 1;
//ip report success. Just return true for now
} else {
return 0;
}
}
}
}
return -1;
}
protected final function sanitize_setting($type, $var, $name, $prevent_save_on_error = true, $trim_value = true)
{
$id = $this->get_id();
if (!isset($this->settings[$var])) {
$this->add_error(new WP_Error("itsec-validator-missing-var-{$id}-{$var}", sprintf(__('A validation check for %1$s failed. The %2$s value is missing. This could be due to a problem with the iThemes Security installation or an invalid modification. Please reinstall iThemes Security and try again.', 'better-wp-security'), $id, $name)));
return false;
}
if ($trim_value && is_string($this->settings[$var])) {
$this->settings[$var] = trim($this->settings[$var]);
}
$error = false;
if ('string' === $type) {
$this->settings[$var] = (string) $this->settings[$var];
} else {
if ('non-empty-string' === $type) {
$this->settings[$var] = (string) $this->settings[$var];
if (empty($this->settings[$var])) {
$error = sprintf(__('The %1$s value cannot be empty.', 'better-wp-security'), $name);
}
} else {
if ('title' === $type) {
$this->settings[$var] = sanitize_title($this->settings[$var]);
} else {
if ('non-empty-title' === $type) {
$this->settings[$var] = sanitize_title($this->settings[$var]);
if (empty($this->settings[$var])) {
$error = sprintf(__('The %1$s value cannot be empty.', 'better-wp-security'), $name);
}
} else {
if ('array' === $type) {
if (!is_array($this->settings[$var])) {
if (empty($this->settings[$var])) {
$this->settings[$var] = array();
} else {
$this->settings[$var] = array($this->settings[$var]);
}
}
} else {
if ('bool' === $type) {
if ('false' === $this->settings[$var]) {
$this->settings[$var] = false;
} else {
if ('true' === $this->settings[$var]) {
$this->settings[$var] = true;
} else {
$this->settings[$var] = (bool) $this->settings[$var];
}
}
} else {
if ('int' === $type) {
$test_val = intval($this->settings[$var]);
if ((string) $test_val === (string) $this->settings[$var]) {
$this->settings[$var] = $test_val;
} else {
$error = sprintf(__('The %1$s value must be an integer.', 'better-wp-security'), $name);
}
} else {
if ('positive-int' === $type) {
$test_val = intval($this->settings[$var]);
if ((string) $test_val === (string) $this->settings[$var] && $test_val >= 0) {
$this->settings[$var] = $test_val;
} else {
$error = sprintf(__('The %1$s value must be a positive integer.', 'better-wp-security'), $name);
}
} else {
if ('email' === $type) {
$this->settings[$var] = sanitize_text_field($this->settings[$var]);
if (empty($this->settings[$var]) || !is_email($this->settings[$var])) {
$error = sprintf(__('The %1$s value must be a valid email address.', 'better-wp-security'), $name);
}
} else {
if ('valid-username' === $type) {
$this->settings[$var] = sanitize_text_field($this->settings[$var]);
if (!empty($this->settings[$var]) && !validate_username($this->settings[$var])) {
$error = sprintf(__('The %1$s value is not a valid username.', 'better-wp-security'), $name);
}
} else {
if ('date' === $type) {
$val = $this->settings[$var];
$separator = '[\\-/\\. ]';
if (preg_match("|^(\\d\\d\\d\\d){$separator}(\\d\\d?){$separator}(\\d\\d?)\$|", $val, $match)) {
$year = intval($match[1]);
$month = intval($match[2]);
$day = intval($match[3]);
if (!checkdate($month, $day, $year)) {
$error = sprintf(__('The %1$s value must be a valid date.', 'better-wp-security'), $name);
}
} else {
$error = sprintf(__('The %1$s value must be a valid date in the format of YYYY-MM-DD.', 'better-wp-security'), $name);
}
} else {
if ('writable-directory' === $type) {
if (!is_string($this->settings[$var])) {
$error = sprintf(__('The %1$s value must be a string.', 'better-wp-security'), $name);
} else {
require_once ITSEC_Core::get_core_dir() . 'lib/class-itsec-lib-directory.php';
$this->settings[$var] = rtrim($this->settings[$var], DIRECTORY_SEPARATOR);
if (!ITSEC_Lib_Directory::is_dir($this->settings[$var])) {
$result = ITSEC_Lib_Directory::create($this->settings[$var]);
if (is_wp_error($result)) {
$error = sprintf(_x('The directory supplied in %1$s cannot be used as a valid directory. %2$s', '%1$s is the input name. %2$s is the error message.', 'better-wp-security'), $name, $result->get_error_message());
}
}
if (empty($error) && !ITSEC_Lib_Directory::is_writable($this->settings[$var])) {
$error = sprintf(__('The directory supplied in %1$s is not writable. Please select a directory that can be written to.', 'better-wp-security'), $name);
}
if (empty($error)) {
ITSEC_Lib_Directory::add_file_listing_protection($this->settings[$var]);
}
}
} else {
if ('writable-file' === $type) {
if (!is_string($this->settings[$var])) {
$error = sprintf(__('The %1$s value must be a string.', 'better-wp-security'), $name);
} else {
require_once ITSEC_Core::get_core_dir() . 'lib/class-itsec-lib-directory.php';
if (!ITSEC_Lib_File::is_file($this->settings[$var]) && ITSEC_Lib_File::exists($this->settings[$var])) {
$error = sprintf(__('The file path supplied in %1$s cannot be used as it already exists but is not a file. Please supply a valid file path.', 'better-wp-security'), $name);
} else {
$result = ITSEC_Lib_Directory::create(dirname($this->settings[$var]));
if (is_wp_error($result)) {
$error = sprintf(_x('The file path supplied in %1$s cannot be used as the parent directory cannot be created. %2$s', '%1$s is the input name. %2$s is the error message.', 'better-wp-security'), $name, $result->get_error_message());
} else {
if (!ITSEC_Lib_File::exists($this->settings[$var])) {
$result = ITSEC_Lib_File::write($this->settings[$var], '');
if (is_wp_error($result)) {
$error = sprintf(__('The file path supplied in %1$s could not be created. Please supply a file path that can be written to.', 'better-wp-security'), $name);
} else {
if (!is_writable($this->settings[$var])) {
$error = sprintf(__('The file path supplied in %1$s was successfully created, but it cannot be updated. Please supply a file path that can be written to.', 'better-wp-security'), $name);
}
}
} else {
if (!is_writable($this->settings[$var])) {
$error = sprintf(__('The file path supplied in %1$s is not writable. Please supply a file path that can be written to.', 'better-wp-security'), $name);
}
}
}
}
}
} else {
if (is_array($type) && 2 === count($type) && $this === $type[0]) {
$this->settings[$var] = $this->convert_string_to_array($this->settings[$var]);
if (!is_array($this->settings[$var])) {
$error = sprintf(__('The %1$s value must be a string with each entry separated by a new line.', 'better-wp-security'), $name);
} else {
$invalid_entries = array();
foreach ($this->settings[$var] as $index => $entry) {
$entry = sanitize_text_field(trim($entry));
$this->settings[$var][$index] = $entry;
if (empty($entry)) {
unset($this->settings[$var][$index]);
} else {
$result = call_user_func($type, $entry);
if (false === $result) {
$invalid_entries[] = $entry;
} else {
$this->settings[$var][$index] = $result;
}
}
}
$this->settings[$var] = array_unique($this->settings[$var]);
if (!empty($invalid_entries)) {
$error = wp_sprintf(_n('The following entry in %1$s is invalid: %2$l', 'The following entries in %1$s are invalid: %2$l', count($invalid_entries), 'better-wp-security'), $name, $invalid_entries);
}
}
} else {
if (is_array($type)) {
if (is_array($this->settings[$var])) {
$invalid_entries = array();
foreach ($this->settings[$var] as $index => $entry) {
$entry = sanitize_text_field(trim($entry));
$this->settings[$var][$index] = $entry;
if (empty($entry)) {
unset($this->settings[$var][$index]);
} else {
if (!in_array($entry, $type, true)) {
$invalid_entries[] = $entry;
}
}
}
$this->settings[$var] = array_unique($this->settings[$var]);
if (!empty($invalid_entries)) {
$error = wp_sprintf(_n('The following entry in %1$s is invalid: %2$l', 'The following entries in %1$s are invalid: %2$l', count($invalid_entries), 'better-wp-security'), $name, $invalid_entries);
}
} else {
if (!in_array($this->settings[$var], $type, true)) {
$error = wp_sprintf(_n('The valid value for %1$s is: %2$l.', 'The valid values for %1$s are: %2$l.', count($type), 'better-wp-security'), $name, $type);
$type = 'array';
}
}
} else {
if ('newline-separated-array' === $type) {
$this->settings[$var] = $this->convert_string_to_array($this->settings[$var]);
if (!is_array($this->settings[$var])) {
$error = sprintf(__('The %1$s value must be a string with each entry separated by a new line.', 'better-wp-security'), $name);
}
} else {
if ('newline-separated-emails' === $type) {
$this->settings[$var] = $this->convert_string_to_array($this->settings[$var]);
if (!is_array($this->settings[$var])) {
$error = sprintf(__('The %1$s value must be a string with each entry separated by a new line.', 'better-wp-security'), $name);
} else {
$invalid_emails = array();
foreach ($this->settings[$var] as $index => $email) {
$email = sanitize_text_field(trim($email));
$this->settings[$var][$index] = $email;
if (empty($email)) {
unset($this->settings[$var][$index]);
} else {
if (!is_email($email)) {
$invalid_emails[] = $email;
}
}
}
$this->settings[$var] = array_unique($this->settings[$var]);
if (!empty($invalid_emails)) {
$error = wp_sprintf(_n('The following email in %1$s is invalid: %2$l', 'The following emails in %1$s are invalid: %2$l', count($invalid_emails), 'better-wp-security'), $name, $invalid_emails);
}
}
} else {
if ('newline-separated-ips' === $type) {
$this->settings[$var] = $this->convert_string_to_array($this->settings[$var]);
if (!is_array($this->settings[$var])) {
$error = sprintf(__('The %1$s value must be a string with each entry separated by a new line.', 'better-wp-security'), $name);
} else {
require_once ITSEC_Core::get_core_dir() . 'lib/class-itsec-lib-ip-tools.php';
$invalid_ips = array();
foreach ($this->settings[$var] as $index => $ip) {
$ip = trim($ip);
if ('' === $ip) {
unset($this->settings[$var][$index]);
} else {
$validated_ip = ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr($ip);
if (false === $validated_ip) {
$invalid_ips[] = $ip;
} else {
$this->settings[$var][$index] = $validated_ip;
}
}
}
$this->settings[$var] = array_unique($this->settings[$var]);
if (!empty($invalid_ips)) {
$error = wp_sprintf(_n('The following IP in %1$s is invalid: %2$l', 'The following IPs in %1$s are invalid: %2$l', count($invalid_ips), 'better-wp-security'), $name, $invalid_ips);
}
}
} else {
if ('newline-separated-extensions' === $type) {
$this->settings[$var] = $this->convert_string_to_array($this->settings[$var]);
if (!is_array($this->settings[$var])) {
$error = sprintf(__('The %1$s value must be a string with each entry separated by a new line.', 'better-wp-security'), $name);
} else {
$invalid_extensions = array();
foreach ($this->settings[$var] as $index => $extension) {
if (!preg_match('/^(\\.[^.]+)+$/', $extension)) {
$invalid_extensions[] = $extension;
}
}
$this->settings[$var] = array_unique($this->settings[$var]);
if (!empty($invalid_extensions)) {
$error = wp_sprintf(_n('The following extension in %1$s is invalid: %2$l', 'The following extensions in %1$s are invalid: %2$l', count($invalid_extensions), 'better-wp-security'), $name, $invalid_extensions);
}
}
} else {
/* translators: 1: sanitize type, 2: input name */
$error = sprintf(__('An invalid sanitize type of "%1$s" was received for the %2$s input.', 'better-wp-security'), $type, $name);
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
if (false !== $error) {
$this->add_error(new WP_Error("itsec-validator-{$id}-invalid-type-{$var}-{$type}", $error));
$this->vars_to_skip_validate_matching_types[] = $var;
if ($prevent_save_on_error) {
$this->set_can_save(false);
}
return false;
}
return true;
}
/**
* Determines whether a given IP address is blacklisted
*
* @param string $ip ip to check (can be in CIDR notation)
* @param array $blacklisted_ips ip list to compare to if not yet saved to options
*
* @return boolean true if blacklisted or false
*/
public static function is_ip_blacklisted($ip = null, $blacklisted_ips = null)
{
$ip = sanitize_text_field($ip);
if (empty($ip)) {
$ip = ITSEC_Lib::get_ip();
}
if (!class_exists('ITSEC_Lib_IP_Tools')) {
require_once ITSEC_Core::get_core_dir() . '/lib/class-itsec-lib-ip-tools.php';
}
if (is_null($blacklisted_ips)) {
$blacklisted_ips = self::get_blacklisted_ips();
}
foreach ($blacklisted_ips as $blacklisted_ip) {
if (ITSEC_Lib_IP_Tools::intersect($ip, ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr($blacklisted_ip))) {
return true;
}
}
return false;
}
/**
* Sanitize and validate input
*
* @since 4.0
*
* @param Array $input array of input fields
*
* @return Array Sanitized array
*/
public function sanitize_module_input($input)
{
global $itsec_globals;
$input['did_upgrade'] = isset($this->settings['did_upgrade']) ? $this->settings['did_upgrade'] : false;
if (isset($input['backup_email'])) {
$bad_emails = array();
$emails_to_save = array();
if (isset($input['backup_email']) && !is_array($input['backup_email'])) {
$emails = explode(PHP_EOL, $input['backup_email']);
} elseif (isset($input['backup_email'])) {
$emails = $input['backup_email'];
}
foreach ($emails as $email) {
$email = sanitize_text_field(trim($email));
if (strlen($email) > 0) {
if (is_email($email) === false) {
$bad_emails[] = $email;
}
$emails_to_save[] = $email;
}
}
if (sizeof($bad_emails) > 0) {
$bad_addresses = implode(', ', $bad_emails);
$type = 'error';
$message = __('The following backup email address(es) do not appear to be valid: ', 'better-wp-security') . $bad_addresses;
add_settings_error('itsec', esc_attr('settings_updated'), $message, $type);
}
$input['backup_email'] = $emails_to_save;
}
if (isset($input['notification_email'])) {
$bad_emails = array();
$emails_to_save = array();
if (isset($input['notification_email']) && !is_array($input['notification_email'])) {
$emails = explode(PHP_EOL, $input['notification_email']);
} else {
$emails = $input['notification_email'];
}
foreach ($emails as $email) {
$email = sanitize_text_field(trim($email));
if (strlen($email) > 0) {
if (is_email($email) === false) {
$bad_emails[] = $email;
}
$emails_to_save[] = $email;
}
}
if (sizeof($bad_emails) > 0) {
$bad_addresses = implode(', ', $bad_emails);
$type = 'error';
$message = __('The following notification email address(es) do not appear to be valid: ', 'better-wp-security') . $bad_addresses;
add_settings_error('itsec', esc_attr('settings_updated'), $message, $type);
}
$input['notification_email'] = $emails_to_save;
}
$input['lockout_message'] = isset($input['lockout_message']) ? trim(wp_kses($input['lockout_message'], $this->allowed_tags)) : '';
$input['user_lockout_message'] = isset($input['user_lockout_message']) ? trim(wp_kses($input['user_lockout_message'], $this->allowed_tags)) : '';
$input['community_lockout_message'] = isset($input['community_lockout_message']) ? trim(wp_kses($input['community_lockout_message'], $this->allowed_tags)) : '';
$input['blacklist'] = isset($input['blacklist']) && intval($input['blacklist'] == 1) ? true : false;
$input['blacklist_count'] = isset($input['blacklist_count']) ? absint($input['blacklist_count']) : 3;
$input['blacklist_period'] = isset($input['blacklist_period']) ? absint($input['blacklist_period']) : 7;
$input['email_notifications'] = isset($input['email_notifications']) && intval($input['email_notifications'] == 1) ? true : false;
$input['lockout_period'] = isset($input['lockout_period']) ? absint($input['lockout_period']) : 15;
$input['log_rotation'] = isset($input['log_rotation']) ? absint($input['log_rotation']) : 14;
$input['allow_tracking'] = isset($input['allow_tracking']) && intval($input['allow_tracking'] == 1) ? true : false;
$input['write_files'] = isset($input['write_files']) && intval($input['write_files'] == 1) ? true : false;
$input['nginx_file'] = isset($input['nginx_file']) ? sanitize_text_field($input['nginx_file']) : ABSPATH . 'nginx.conf';
$input['infinitewp_compatibility'] = isset($input['infinitewp_compatibility']) && intval($input['infinitewp_compatibility'] == 1) ? true : false;
$input['log_info'] = $itsec_globals['settings']['log_info'];
$input['lock_file'] = isset($input['lock_file']) && intval($input['lock_file'] == 1) ? true : false;
$input['digest_email'] = isset($input['digest_email']) && intval($input['digest_email'] == 1) ? true : false;
$input['proxy_override'] = isset($input['proxy_override']) && intval($input['proxy_override'] == 1) ? true : false;
$input['hide_admin_bar'] = isset($input['hide_admin_bar']) && intval($input['hide_admin_bar'] == 1) ? true : false;
//Set a fresh message queue if we're just turning on the digest.
if ($input['digest_email'] === true && (!isset($this->settings['digest_email']) || $this->settings['digest_email'] === false)) {
$digest_queue = array('last_sent' => $itsec_globals['current_time_gmt'], 'messages' => array());
update_site_option('itsec_message_queue', $digest_queue);
}
$input['log_location'] = isset($input['log_location']) ? sanitize_text_field($input['log_location']) : $itsec_globals['ithemes_log_dir'];
//Process white list
if (isset($input['lockout_white_list']) && !is_array($input['lockout_white_list'])) {
$white_listed_addresses = explode(PHP_EOL, $input['lockout_white_list']);
} elseif (isset($input['lockout_white_list'])) {
$white_listed_addresses = $input['lockout_white_list'];
} else {
$white_listed_addresses = array();
}
$bad_white_listed_ips = array();
$raw_white_listed_ips = array();
if (!class_exists('ITSEC_Lib_IP_Tools')) {
$itsec_core = ITSEC_Core::get_instance();
require_once dirname($itsec_core->get_plugin_file()) . '/core/lib/class-itsec-lib-ip-tools.php';
}
foreach ($white_listed_addresses as $index => $address) {
// Convert wildcard IPs to CIDR notation
$address = ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr(trim($address));
if (strlen(trim($address)) > 0) {
if (ITSEC_Lib_IP_Tools::validate($address) === false) {
$bad_white_listed_ips[] = filter_var($address, FILTER_SANITIZE_STRING);
}
$raw_white_listed_ips[] = filter_var($address, FILTER_SANITIZE_STRING);
} else {
unset($white_listed_addresses[$index]);
}
}
$raw_white_listed_ips = array_unique($raw_white_listed_ips);
if (sizeof($bad_white_listed_ips) > 0) {
$type = 'error';
$message = __('There is a problem with an IP address in the white list:', 'better-wp-security') . '<br /><br />';
foreach ($bad_white_listed_ips as $bad_ip) {
$message .= sprintf(__('%s is not a valid address in the white list users box.', 'better-wp-security'), $bad_ip) . '<br />';
}
add_settings_error('itsec', esc_attr('settings_updated'), $message, $type);
}
$input['lockout_white_list'] = $raw_white_listed_ips;
if ($input['log_location'] != $itsec_globals['ithemes_log_dir']) {
$good_path = ITSEC_Lib::validate_path($input['log_location']);
} else {
$good_path = true;
}
if ($good_path !== true) {
$input['log_location'] = $itsec_globals['ithemes_log_dir'];
$type = 'error';
$message = __('The file path entered for the log location does not appear to be valid. it has been reset to: ' . $itsec_globals['ithemes_log_dir'], 'better-wp-security');
add_settings_error('itsec', esc_attr('settings_updated'), $message, $type);
}
$input['log_type'] = isset($input['log_type']) ? intval($input['log_type']) : 0;
if (!isset($type) && $input['write_files'] === true && $this->settings['write_files'] === false) {
add_site_option('itsec_rewrites_changed', true);
}
if (is_multisite()) {
if (isset($type)) {
$error_handler = new WP_Error();
$error_handler->add($type, $message);
$this->core->show_network_admin_notice($error_handler);
} else {
$this->core->show_network_admin_notice(false);
}
$this->settings = $input;
}
return $input;
}
