<?php defined('ABSPATH') || die(); // Bail out when this file is requested outside the WordPress bootstrap.
| 2 | |
/**
 * Registers the "code execution in uploads" notices with the plugin's notice list.
 *
 * Both notices use the callback 'rsssl_code_execution_allowed' and a score of 5.
 * The nginx variant is only added when rsssl_get_server() reports 'nginx', since the
 * .htaccess rule that blocks PHP in the uploads folder cannot be written for nginx and
 * the administrator has to add the server configuration by hand instead.
 *
 * @param array $notices Notice definitions collected by the 'rsssl_notices' filter.
 *
 * @return array The same array with 'code-execution-uploads' added and, on nginx,
 *               'code-execution-uploads-nginx' as well.
 */
function rsssl_code_execution_errors_notice( $notices ) {
	// All three failure outputs of the uploads test share icon/dismissible settings;
	// only the message differs, so build them from a message table.
	$messages = [
		'file-not-found'              => __("Could not find code execution test file.", "really-simple-ssl"),
		'uploads-folder-not-writable' => __("Uploads folder not writable.", "really-simple-ssl"),
		'could-not-create-test-file'  => __("Could not copy code execution test file.", "really-simple-ssl"),
	];

	$output = [];
	foreach ( $messages as $key => $msg ) {
		$output[ $key ] = [
			'msg'         => $msg,
			'icon'        => 'open',
			'dismissible' => true,
		];
	}

	$notices['code-execution-uploads'] = [
		'callback' => 'rsssl_code_execution_allowed',
		'score'    => 5,
		'output'   => $output,
	];

	if ( 'nginx' === rsssl_get_server() ) {
		// The nginx snippet is HTML (wrapped in <code>, lines joined with <br>) and is
		// appended to the translated message as-is.
		$nginx_msg = __("The code to block code execution in the uploads folder cannot be added automatically on nginx. Add the following code to your nginx.conf file:", "really-simple-ssl")
			. "<br>" . rsssl_get_nginx_code_code_execution_uploads();

		// NOTE(review): the output key is the string 'true'; how the callback's return
		// value is matched against this key is decided by the notice consumer, not here.
		$notices['code-execution-uploads-nginx'] = [
			'callback' => 'rsssl_code_execution_allowed',
			'score'    => 5,
			'output'   => [
				'true' => [
					'msg'         => $nginx_msg,
					'icon'        => 'open',
					'dismissible' => true,
				],
			],
		];
	}

	return $notices;
}
add_filter('rsssl_notices', 'rsssl_code_execution_errors_notice'); // Register the notices above with the plugin's notice list.
| 48 | |
| 49 | |
/**
 * Adds the .htaccess rule set that denies requests for PHP files in the uploads folder.
 *
 * Nothing is appended unless the 'block_code_execution_uploads' option is enabled.
 * The directives are wrapped in <IfModule> so Apache selects the syntax matching its
 * loaded authorization module: 'Require all denied' for mod_authz_core (Apache 2.4+),
 * the Order/Deny directives otherwise (Apache 2.2).
 *
 * NOTE(review): <Files *.php> matches only the literal .php suffix; whether other
 * extensions are mapped to the PHP handler depends on the server configuration — confirm.
 *
 * @param array $rules Rule sets collected by the 'rsssl_htaccess_security_rules_uploads' filter.
 *
 * @return array The rules, with ['rules' => ..., 'identifier' => 'Require all denied']
 *               appended when the option is enabled.
 */
function rsssl_disable_code_execution_rules($rules)
{
	$blocking_enabled = rsssl_get_option('block_code_execution_uploads');
	if ( ! $blocking_enabled ) {
		return $rules;
	}

	// Nowdoc: the directive block contains nothing to interpolate, so it is taken verbatim.
	// The rule text starts with a blank line (kept as-is).
	$rule = <<<'HTACCESS'

<Files *.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
HTACCESS;

	// The identifier is what the .htaccess writer uses to recognise this rule set.
	$rules[] = [
		'rules'      => $rule,
		'identifier' => 'Require all denied',
	];

	return $rules;
}
add_filter('rsssl_htaccess_security_rules_uploads', 'rsssl_disable_code_execution_rules'); // Contribute the deny rule to the uploads-folder .htaccess rule set.
| 82 | |
| 83 | |
| 84 | |
/**
 * Returns the nginx configuration snippet shown in the nginx notice, as an HTML fragment.
 *
 * The snippet makes nginx answer 503 for any request whose path contains /uploads/ and
 * ends in .php (case-insensitive because of ~*), so such files are never handed to a
 * PHP handler. Lines are joined with <br> and wrapped in <code> for display in an admin
 * notice; the result is not escaped, so callers must treat it as HTML.
 *
 * @return string HTML fragment ending in a trailing <br>.
 */
function rsssl_get_nginx_code_code_execution_uploads() {
	$snippet_lines = [
		'<code>location ~* /uploads/.*\.php$ {',
		' return 503;',
		'}</code>',
	];

	return implode( '<br>', $snippet_lines ) . '<br>';
}