/**
* Return regular expression to exclude files or false if
* there is no pattern
*
* @return string|boolean
*/
public static function getExcludeFilePattern()
{
if (self::$excludePattern !== NULL) {
return self::$excludePattern;
}
if (wfConfig::get('scan_exclude', false)) {
$exParts = explode("\n", wfUtils::cleanupOneEntryPerLine(wfConfig::get('scan_exclude')));
foreach ($exParts as &$exPart) {
$exPart = preg_quote(trim($exPart), '/');
$exPart = preg_replace('/\\\\\\*/', '.*', $exPart);
}
self::$excludePattern = '/^(?:' . implode('|', array_filter($exParts)) . ')$/i';
self::$excludePattern = '/(?:' . implode('|', array_filter($exParts)) . ')$/i';
} else {
self::$excludePattern = false;
}
return self::$excludePattern;
}
private function scan_fileContents_main()
{
$this->fileContentsResults = $this->scanner->scan($this);
}
private function processFile($realFile)
{
$file = substr($realFile, $this->striplen);
if (!$this->stoppedOnFile && microtime(true) - $this->startTime > $this->engine->maxExecTime) {
//max X seconds but don't allow fork if we're looking for the file we stopped on. Search mode is VERY fast.
$this->stoppedOnFile = $file;
wordfence::status(4, 'info', "Calling fork() from wordfenceHash::processFile with maxExecTime: " . $this->engine->maxExecTime);
$this->engine->fork();
//exits
}
$exclude = wordfenceScanner::getExcludeFilePattern(wordfenceScanner::EXCLUSION_PATTERNS_USER);
if ($exclude && preg_match($exclude, $realFile)) {
return;
}
//Put this after the fork, that way we will at least scan one more file after we fork if it takes us more than 10 seconds to search for the stoppedOnFile
if ($this->stoppedOnFile && $file != $this->stoppedOnFile) {
return;
} else {
if ($this->stoppedOnFile && $file == $this->stoppedOnFile) {
$this->stoppedOnFile = false;
//Continue scanning
}
}
if (wfUtils::fileTooBig($realFile)) {
wordfence::status(4, 'info', "Skipping file larger than max size: {$realFile}");
return;
}
if (function_exists('memory_get_usage')) {
wordfence::status(4, 'info', "Scanning: {$realFile} (Mem:" . sprintf('%.1f', memory_get_usage(true) / (1024 * 1024)) . "M)");
} else {
wordfence::status(4, 'info', "Scanning: {$realFile}");
}
wfUtils::beginProcessingFile($file);
$wfHash = self::wfHash($realFile);
if ($wfHash) {
$md5 = strtoupper($wfHash[0]);
$shac = strtoupper($wfHash[1]);
$knownFile = 0;
if ($this->malwareEnabled && $this->isMalwarePrefix($md5)) {
$this->possibleMalware[] = array($file, $md5);
}
$knownFileExclude = wordfenceScanner::getExcludeFilePattern(wordfenceScanner::EXCLUSION_PATTERNS_KNOWN_FILES);
$allowKnownFileScan = true;
if ($knownFileExclude) {
$allowKnownFileScan = !preg_match($knownFileExclude, $realFile);
}
if ($allowKnownFileScan) {
if ($this->coreUnknownEnabled && !$this->alertedOnUnknownWordPressVersion && empty($this->knownFiles['core'])) {
require ABSPATH . 'wp-includes/version.php';
//defines $wp_version
$this->alertedOnUnknownWordPressVersion = true;
$this->haveIssues['coreUnknown'] = true;
$this->engine->addIssue('coreUnknown', 2, 'coreUnknown' . $wp_version, 'coreUnknown' . $wp_version, 'Unknown WordPress core version: ' . $wp_version, "The core files scan will not be run because this version of WordPress is not currently indexed by Wordfence. This may be due to using a prerelease version or because the servers are still indexing a new release. If you are using an official WordPress release, this issue will automatically dismiss once the version is indexed and another scan is run.", array());
}
if (isset($this->knownFiles['core'][$file])) {
if (strtoupper($this->knownFiles['core'][$file]) == $shac) {
$knownFile = 1;
} else {
if ($this->coreEnabled) {
$localFile = ABSPATH . '/' . preg_replace('/^[\\.\\/]+/', '', $file);
$fileContents = @file_get_contents($localFile);
if ($fileContents && !preg_match('/<\\?' . 'php[\\r\\n\\s\\t]*\\/\\/[\\r\\n\\s\\t]*Silence is golden\\.[\\r\\n\\s\\t]*(?:\\?>)?[\\r\\n\\s\\t]*$/s', $fileContents)) {
//<?php
if (!$this->isSafeFile($shac)) {
$this->haveIssues['core'] = true;
$this->engine->addIssue('file', 1, 'coreModified' . $file . $md5, 'coreModified' . $file, 'WordPress core file modified: ' . $file, "This WordPress core file has been modified and differs from the original file distributed with this version of WordPress.", array('file' => $file, 'cType' => 'core', 'canDiff' => true, 'canFix' => true, 'canDelete' => false));
}
}
}
}
} else {
if (isset($this->knownFiles['plugins'][$file])) {
if (in_array($shac, $this->knownFiles['plugins'][$file])) {
$knownFile = 1;
} else {
if ($this->pluginsEnabled) {
if (!$this->isSafeFile($shac)) {
$itemName = $this->knownFiles['plugins'][$file][0];
$itemVersion = $this->knownFiles['plugins'][$file][1];
$cKey = $this->knownFiles['plugins'][$file][2];
$this->haveIssues['plugins'] = true;
$this->engine->addIssue('file', 2, 'modifiedplugin' . $file . $md5, 'modifiedplugin' . $file, 'Modified plugin file: ' . $file, "This file belongs to plugin \"{$itemName}\" version \"{$itemVersion}\" and has been modified from the file that is distributed by WordPress.org for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don't manage their code correctly. [See our FAQ on www.wordfence.com for more info]", array('file' => $file, 'cType' => 'plugin', 'canDiff' => true, 'canFix' => true, 'canDelete' => false, 'cName' => $itemName, 'cVersion' => $itemVersion, 'cKey' => $cKey));
}
}
}
} else {
if (isset($this->knownFiles['themes'][$file])) {
if (in_array($shac, $this->knownFiles['themes'][$file])) {
$knownFile = 1;
} else {
if ($this->themesEnabled) {
if (!$this->isSafeFile($shac)) {
$itemName = $this->knownFiles['themes'][$file][0];
$itemVersion = $this->knownFiles['themes'][$file][1];
$cKey = $this->knownFiles['themes'][$file][2];
$this->haveIssues['themes'] = true;
$this->engine->addIssue('file', 2, 'modifiedtheme' . $file . $md5, 'modifiedtheme' . $file, 'Modified theme file: ' . $file, "This file belongs to theme \"{$itemName}\" version \"{$itemVersion}\" and has been modified from the original distribution. It is common for site owners to modify their theme files, so if you have modified this file yourself you can safely ignore this warning.", array('file' => $file, 'cType' => 'theme', 'canDiff' => true, 'canFix' => true, 'canDelete' => false, 'cName' => $itemName, 'cVersion' => $itemVersion, 'cKey' => $cKey));
}
}
}
} else {
if ($this->coreUnknownEnabled && !$this->alertedOnUnknownWordPressVersion) {
//Check for unknown files in system directories
$restrictedWordPressFolders = array(ABSPATH . 'wp-admin/', ABSPATH . WPINC . '/');
foreach ($restrictedWordPressFolders as $path) {
if (strpos($realFile, $path) === 0) {
$this->haveIssues['coreUnknown'] = true;
$this->engine->addIssue('file', 2, 'coreUnknown' . $file . $md5, 'coreUnknown' . $file, 'Unknown file in WordPress core: ' . $file, "This file is in a WordPress core location but is not distributed with this version of WordPress. This is usually due to it being left over from a previous WordPress update, but it may also have been added by another plugin or a malicious file added by an attacker.", array('file' => $file, 'cType' => 'core', 'canDiff' => false, 'canFix' => false, 'canDelete' => true));
}
}
}
}
}
}
}
// knownFile means that the file is both part of core or a known plugin or theme AND that we recognize the file's hash.
// we could split this into files who's path we recognize and file's who's path we recognize AND who have a valid sig.
// But because we want to scan files who's sig we don't recognize, regardless of known path or not, we only need one "knownFile" field.
$this->db->queryWrite("insert into " . $this->db->prefix() . "wfFileMods (filename, filenameMD5, knownFile, oldMD5, newMD5) values ('%s', unhex(md5('%s')), %d, '', unhex('%s')) ON DUPLICATE KEY UPDATE newMD5=unhex('%s'), knownFile=%d", $file, $file, $knownFile, $md5, $md5, $knownFile);
//Now that we know we can open the file, lets update stats
if (preg_match('/\\.(?:js|html|htm|css)$/i', $realFile)) {
$this->linesOfJCH += sizeof(file($realFile));
} else {
if (preg_match('/\\.php$/i', $realFile)) {
$this->linesOfPHP += sizeof(file($realFile));
}
}
$this->totalFiles++;
$this->totalData += filesize($realFile);
//We already checked if file overflows int in the fileTooBig routine above
if ($this->totalFiles % 100 === 0) {
wordfence::status(2, 'info', "Analyzed " . $this->totalFiles . " files containing " . wfUtils::formatBytes($this->totalData) . " of data so far");
}
} else {
//wordfence::status(2, 'error', "Could not gen hash for file (probably because we don't have permission to access the file): $realFile");
}
wfUtils::endProcessingFile();
}
private function _shouldHashFile($fullPath)
{
$file = substr($fullPath, $this->striplen);
//Core File, return true
if (isset($this->knownFiles['core']) && isset($this->knownFiles['core'][$file]) || isset($this->knownFiles['plugins']) && isset($this->knownFiles['plugins'][$file]) || isset($this->knownFiles['themes']) && isset($this->knownFiles['themes'][$file])) {
return true;
}
//Excluded file, return false
$excludePattern = wordfenceScanner::getExcludeFilePattern(wordfenceScanner::EXCLUSION_PATTERNS_USER | wordfenceScanner::EXCLUSION_PATTERNS_MALWARE);
if ($excludePattern && preg_match($excludePattern, $file)) {
return false;
}
//Determine treatment
$fileExt = '';
if (preg_match('/\\.([a-zA-Z\\d\\-]{1,7})$/', $file, $matches)) {
$fileExt = strtolower($matches[1]);
}
$isPHP = false;
if (preg_match('/\\.(?:php(?:\\d+)?|phtml)(\\.|$)/i', $file)) {
$isPHP = true;
}
$isHTML = false;
if (preg_match('/\\.(?:html?)(\\.|$)/i', $file)) {
$isHTML = true;
}
$isJS = false;
if (preg_match('/\\.(?:js)(\\.|$)/i', $file)) {
$isJS = true;
}
//If scan images is disabled, only allow .js through
if (!$isPHP && preg_match('/^(?:jpg|jpeg|mp3|avi|m4v|mov|mp4|gif|png|tiff?|svg|sql|js|tbz2?|bz2?|xz|zip|tgz|gz|tar|log|err\\d+)$/', $fileExt)) {
if (!wfConfig::get('scansEnabled_scanImages') && !$isJS) {
return false;
}
}
//If high sensitivity is disabled, don't allow .sql
if (strtolower($fileExt) == 'sql') {
if (!wfConfig::get('scansEnabled_highSense')) {
return false;
}
}
//Treating as binary, return true
$treatAsBinary = $isPHP || $isHTML || wfConfig::get('scansEnabled_scanImages');
if ($treatAsBinary) {
return true;
}
//Will be malware scanned, return true
if (strpos($file, 'lib/wordfenceScanner.php') === false && $fileExt == 'js') {
return true;
}
return false;
}
