Wordfence Security – Firewall, Malware Scan, and Login Security v3.2.5
wordfence / lib / wfConfig.php
wfConfig.php
576 lines
1 <?php
2 class wfConfig {
3 private static $table = false;
4 private static $cache = array();
5 private static $DB = false;
6 private static $tmpFileHeader = "<?php\n/* Wordfence temporary file security header */\necho \"Nothing to see here!\\n\"; exit(0);\n?>";
7 private static $tmpDirCache = false;
8 public static $securityLevels = array(
9 array( //level 0
10 "checkboxes" => array(
11 "alertOn_critical" => false,
12 "alertOn_warnings" => false,
13 "alertOn_throttle" => false,
14 "alertOn_block" => false,
15 "alertOn_loginLockout" => false,
16 "alertOn_lostPasswdForm" => false,
17 "alertOn_adminLogin" => false,
18 "alertOn_nonAdminLogin" => false,
19 "liveTrafficEnabled" => true,
20 "liveTraf_ignorePublishers" => true,
21 "scheduledScansEnabled" => false,
22 "scansEnabled_core" => false,
23 "scansEnabled_themes" => false,
24 "scansEnabled_plugins" => false,
25 "scansEnabled_malware" => false,
26 "scansEnabled_fileContents" => false,
27 "scansEnabled_posts" => false,
28 "scansEnabled_comments" => false,
29 "scansEnabled_passwds" => false,
30 "scansEnabled_diskSpace" => false,
31 "scansEnabled_dns" => false,
32 "scansEnabled_oldVersions" => false,
33 "firewallEnabled" => false,
34 "blockFakeBots" => false,
35 "autoBlockScanners" => false,
36 "loginSecurityEnabled" => false,
37 "loginSec_lockInvalidUsers" => false,
38 "loginSec_maskLoginErrors" => false,
39 "other_hideWPVersion" => false,
40 "other_noAnonMemberComments" => false,
41 "other_scanComments" => false,
42 "other_pwStrengthOnUpdate" => false,
43 "other_WFNet" => true,
44 "other_scanOutside" => false,
45 "deleteTablesOnDeact" => false,
46 "debugOn" => false
47 ),
48 "otherParams" => array(
49 'securityLevel' => '0',
50 "alertEmails" => "", "liveTraf_ignoreUsers" => "", "liveTraf_ignoreIPs" => "", "liveTraf_ignoreUA" => "", "apiKey" => "", "maxMem" => '256', 'whitelisted' => '',
51 "neverBlockBG" => "neverBlockVerified",
52 "loginSec_countFailMins" => "5",
53 "loginSec_lockoutMins" => "5",
54 'loginSec_maxFailures' => "500",
55 'loginSec_maxForgotPasswd' => "500",
56 'maxGlobalRequests' => "DISABLED",
57 'maxGlobalRequests_action' => "throttle",
58 'maxRequestsCrawlers' => "DISABLED",
59 'maxRequestsCrawlers_action' => "throttle",
60 'maxRequestsHumans' => "DISABLED",
61 'maxRequestsHumans_action' => "throttle",
62 'max404Crawlers' => "DISABLED",
63 'max404Crawlers_action' => "throttle",
64 'max404Humans' => "DISABLED",
65 'max404Humans_action' => "throttle",
66 'maxScanHits' => "DISABLED",
67 'maxScanHits_action' => "throttle",
68 'blockedTime' => "300"
69 )
70 ),
71 array( //level 1
72 "checkboxes" => array(
73 "alertOn_critical" => true,
74 "alertOn_warnings" => false,
75 "alertOn_throttle" => false,
76 "alertOn_block" => false,
77 "alertOn_loginLockout" => false,
78 "alertOn_lostPasswdForm" => false,
79 "alertOn_adminLogin" => false,
80 "alertOn_nonAdminLogin" => false,
81 "liveTrafficEnabled" => true,
82 "liveTraf_ignorePublishers" => true,
83 "scheduledScansEnabled" => true,
84 "scansEnabled_core" => true,
85 "scansEnabled_themes" => false,
86 "scansEnabled_plugins" => false,
87 "scansEnabled_malware" => true,
88 "scansEnabled_fileContents" => true,
89 "scansEnabled_posts" => true,
90 "scansEnabled_comments" => true,
91 "scansEnabled_passwds" => true,
92 "scansEnabled_diskSpace" => true,
93 "scansEnabled_dns" => true,
94 "scansEnabled_oldVersions" => true,
95 "firewallEnabled" => false,
96 "blockFakeBots" => false,
97 "autoBlockScanners" => true,
98 "loginSecurityEnabled" => true,
99 "loginSec_lockInvalidUsers" => false,
100 "loginSec_maskLoginErrors" => true,
101 "other_hideWPVersion" => true,
102 "other_noAnonMemberComments" => true,
103 "other_scanComments" => true,
104 "other_pwStrengthOnUpdate" => true,
105 "other_WFNet" => true,
106 "other_scanOutside" => false,
107 "deleteTablesOnDeact" => false,
108 "debugOn" => false
109 ),
110 "otherParams" => array(
111 'securityLevel' => '1',
112 "alertEmails" => "", "liveTraf_ignoreUsers" => "", "liveTraf_ignoreIPs" => "", "liveTraf_ignoreUA" => "", "apiKey" => "", "maxMem" => '256', 'whitelisted' => '',
113 "neverBlockBG" => "neverBlockVerified",
114 "loginSec_countFailMins" => "5",
115 "loginSec_lockoutMins" => "5",
116 'loginSec_maxFailures' => "50",
117 'loginSec_maxForgotPasswd' => "50",
118 'maxGlobalRequests' => "DISABLED",
119 'maxGlobalRequests_action' => "throttle",
120 'maxRequestsCrawlers' => "DISABLED",
121 'maxRequestsCrawlers_action' => "throttle",
122 'maxRequestsHumans' => "DISABLED",
123 'maxRequestsHumans_action' => "throttle",
124 'max404Crawlers' => "DISABLED",
125 'max404Crawlers_action' => "throttle",
126 'max404Humans' => "DISABLED",
127 'max404Humans_action' => "throttle",
128 'maxScanHits' => "DISABLED",
129 'maxScanHits_action' => "throttle",
130 'blockedTime' => "300"
131 )
132 ),
133 array( //level 2
134 "checkboxes" => array(
135 "alertOn_critical" => true,
136 "alertOn_warnings" => true,
137 "alertOn_throttle" => false,
138 "alertOn_block" => false,
139 "alertOn_loginLockout" => false,
140 "alertOn_lostPasswdForm" => false,
141 "alertOn_adminLogin" => false,
142 "alertOn_nonAdminLogin" => false,
143 "liveTrafficEnabled" => true,
144 "liveTraf_ignorePublishers" => true,
145 "scheduledScansEnabled" => true,
146 "scansEnabled_core" => true,
147 "scansEnabled_themes" => false,
148 "scansEnabled_plugins" => false,
149 "scansEnabled_malware" => true,
150 "scansEnabled_fileContents" => true,
151 "scansEnabled_posts" => true,
152 "scansEnabled_comments" => true,
153 "scansEnabled_passwds" => true,
154 "scansEnabled_diskSpace" => true,
155 "scansEnabled_dns" => true,
156 "scansEnabled_oldVersions" => true,
157 "firewallEnabled" => false,
158 "blockFakeBots" => false,
159 "autoBlockScanners" => true,
160 "loginSecurityEnabled" => true,
161 "loginSec_lockInvalidUsers" => false,
162 "loginSec_maskLoginErrors" => true,
163 "other_hideWPVersion" => true,
164 "other_noAnonMemberComments" => true,
165 "other_scanComments" => true,
166 "other_pwStrengthOnUpdate" => true,
167 "other_WFNet" => true,
168 "other_scanOutside" => false,
169 "deleteTablesOnDeact" => false,
170 "debugOn" => false
171 ),
172 "otherParams" => array(
173 'securityLevel' => '2',
174 "alertEmails" => "", "liveTraf_ignoreUsers" => "", "liveTraf_ignoreIPs" => "", "liveTraf_ignoreUA" => "", "apiKey" => "", "maxMem" => '256', 'whitelisted' => '',
175 "neverBlockBG" => "neverBlockVerified",
176 "loginSec_countFailMins" => "240",
177 "loginSec_lockoutMins" => "240",
178 'loginSec_maxFailures' => "20",
179 'loginSec_maxForgotPasswd' => "20",
180 'maxGlobalRequests' => "DISABLED",
181 'maxGlobalRequests_action' => "throttle",
182 'maxRequestsCrawlers' => "DISABLED",
183 'maxRequestsCrawlers_action' => "throttle",
184 'maxRequestsHumans' => "DISABLED",
185 'maxRequestsHumans_action' => "throttle",
186 'max404Crawlers' => "DISABLED",
187 'max404Crawlers_action' => "throttle",
188 'max404Humans' => "DISABLED",
189 'max404Humans_action' => "throttle",
190 'maxScanHits' => "DISABLED",
191 'maxScanHits_action' => "throttle",
192 'blockedTime' => "300"
193 )
194 ),
195 array( //level 3
196 "checkboxes" => array(
197 "alertOn_critical" => true,
198 "alertOn_warnings" => true,
199 "alertOn_throttle" => false,
200 "alertOn_block" => false,
201 "alertOn_loginLockout" => false,
202 "alertOn_lostPasswdForm" => false,
203 "alertOn_adminLogin" => false,
204 "alertOn_nonAdminLogin" => false,
205 "liveTrafficEnabled" => true,
206 "liveTraf_ignorePublishers" => true,
207 "scheduledScansEnabled" => true,
208 "scansEnabled_core" => true,
209 "scansEnabled_themes" => false,
210 "scansEnabled_plugins" => false,
211 "scansEnabled_malware" => true,
212 "scansEnabled_fileContents" => true,
213 "scansEnabled_posts" => true,
214 "scansEnabled_comments" => true,
215 "scansEnabled_passwds" => true,
216 "scansEnabled_diskSpace" => true,
217 "scansEnabled_dns" => true,
218 "scansEnabled_oldVersions" => true,
219 "firewallEnabled" => true,
220 "blockFakeBots" => false,
221 "autoBlockScanners" => true,
222 "loginSecurityEnabled" => true,
223 "loginSec_lockInvalidUsers" => false,
224 "loginSec_maskLoginErrors" => true,
225 "other_hideWPVersion" => true,
226 "other_noAnonMemberComments" => true,
227 "other_scanComments" => true,
228 "other_pwStrengthOnUpdate" => true,
229 "other_WFNet" => true,
230 "other_scanOutside" => false,
231 "deleteTablesOnDeact" => false,
232 "debugOn" => false
233 ),
234 "otherParams" => array(
235 'securityLevel' => '3',
236 "alertEmails" => "", "liveTraf_ignoreUsers" => "", "liveTraf_ignoreIPs" => "", "liveTraf_ignoreUA" => "", "apiKey" => "", "maxMem" => '256', 'whitelisted' => '',
237 "neverBlockBG" => "neverBlockVerified",
238 "loginSec_countFailMins" => "1440",
239 "loginSec_lockoutMins" => "1440",
240 'loginSec_maxFailures' => "10",
241 'loginSec_maxForgotPasswd' => "10",
242 'maxGlobalRequests' => "960",
243 'maxGlobalRequests_action' => "throttle",
244 'maxRequestsCrawlers' => "960",
245 'maxRequestsCrawlers_action' => "throttle",
246 'maxRequestsHumans' => "60",
247 'maxRequestsHumans_action' => "throttle",
248 'max404Crawlers' => "60",
249 'max404Crawlers_action' => "throttle",
250 'max404Humans' => "60",
251 'max404Humans_action' => "throttle",
252 'maxScanHits' => "30",
253 'maxScanHits_action' => "throttle",
254 'blockedTime' => "1800"
255 )
256 ),
257 array( //level 4
258 "checkboxes" => array(
259 "alertOn_critical" => true,
260 "alertOn_warnings" => true,
261 "alertOn_throttle" => false,
262 "alertOn_block" => false,
263 "alertOn_loginLockout" => false,
264 "alertOn_lostPasswdForm" => false,
265 "alertOn_adminLogin" => false,
266 "alertOn_nonAdminLogin" => false,
267 "liveTrafficEnabled" => true,
268 "liveTraf_ignorePublishers" => true,
269 "scheduledScansEnabled" => true,
270 "scansEnabled_core" => true,
271 "scansEnabled_themes" => false,
272 "scansEnabled_plugins" => false,
273 "scansEnabled_malware" => true,
274 "scansEnabled_fileContents" => true,
275 "scansEnabled_posts" => true,
276 "scansEnabled_comments" => true,
277 "scansEnabled_passwds" => true,
278 "scansEnabled_diskSpace" => true,
279 "scansEnabled_dns" => true,
280 "scansEnabled_oldVersions" => true,
281 "firewallEnabled" => true,
282 "blockFakeBots" => true,
283 "autoBlockScanners" => true,
284 "loginSecurityEnabled" => true,
285 "loginSec_lockInvalidUsers" => true,
286 "loginSec_maskLoginErrors" => true,
287 "other_hideWPVersion" => true,
288 "other_noAnonMemberComments" => true,
289 "other_scanComments" => true,
290 "other_pwStrengthOnUpdate" => true,
291 "other_WFNet" => true,
292 "other_scanOutside" => false,
293 "deleteTablesOnDeact" => false,
294 "debugOn" => false
295 ),
296 "otherParams" => array(
297 'securityLevel' => '4',
298 "alertEmails" => "", "liveTraf_ignoreUsers" => "", "liveTraf_ignoreIPs" => "", "liveTraf_ignoreUA" => "", "apiKey" => "", "maxMem" => '256', 'whitelisted' => '',
299 "neverBlockBG" => "neverBlockVerified",
300 "loginSec_countFailMins" => "1440",
301 "loginSec_lockoutMins" => "1440",
302 'loginSec_maxFailures' => "5",
303 'loginSec_maxForgotPasswd' => "5",
304 'maxGlobalRequests' => "960",
305 'maxGlobalRequests_action' => "throttle",
306 'maxRequestsCrawlers' => "960",
307 'maxRequestsCrawlers_action' => "throttle",
308 'maxRequestsHumans' => "30",
309 'maxRequestsHumans_action' => "block",
310 'max404Crawlers' => "30",
311 'max404Crawlers_action' => "block",
312 'max404Humans' => "60",
313 'max404Humans_action' => "block",
314 'maxScanHits' => "10",
315 'maxScanHits_action' => "block",
316 'blockedTime' => "7200"
317 )
318 )
319 );
/**
 * Seed every option that has no stored value yet with its default from
 * security level 2 (self::$securityLevels[2]).
 *
 * Checkbox defaults are stored as the strings '1' / '0'; all other defaults
 * are stored exactly as listed in the level table.
 */
public static function setDefaults(){
	$defaults = self::$securityLevels[2];
	foreach($defaults['checkboxes'] as $name => $enabled){
		if(self::get($name) !== false){ continue; } // already configured, leave it alone
		self::set($name, $enabled ? '1' : '0');
	}
	foreach($defaults['otherParams'] as $name => $value){
		if(self::get($name) !== false){ continue; }
		self::set($name, $value);
	}
	// NOTE(review): unlike the options above, encKey is overwritten on every call,
	// not only when it is missing. Anything protected with a previous key would no
	// longer match after this runs -- confirm that is intended. The strength of the
	// key depends on wfUtils::bigRandomHex(), which is not visible here; only the
	// first 16 hex characters of its output are kept.
	$encKey = substr(wfUtils::bigRandomHex(), 0, 16);
	self::set('encKey', $encKey);
	// Both keys below are also present in the level-2 table, so the loops above
	// will normally have populated them already.
	if(self::get('maxMem', false) === false){
		self::set('maxMem', '256');
	}
	if(self::get('other_scanOutside', false) === false){
		self::set('other_scanOutside', 0);
	}
}
/**
 * Build an option array from the current POST request.
 *
 * Only keys that appear in the level-2 table are read, so the table acts as an
 * allow-list of option names. Values are NOT validated: checkbox keys become
 * '1' when present and '0' when absent, and every other key is copied from
 * $_POST verbatim.
 *
 * NOTE(review): no nonce or capability check happens here, so the caller must
 * have authenticated and authorised the request before using the result. The
 * raw values can be any string (or an array, which set() rejects); type and
 * range checks for numeric limits, e-mail lists and IP lists have to happen
 * elsewhere. WordPress normally adds slashes to $_POST values; whether they are
 * removed before storage is not visible in this file.
 *
 * @return array option name => submitted value
 */
public static function parseOptions(){
	$level = self::$securityLevels[2]; // only the keys are used, as the allow-list
	$parsed = array();
	foreach(array_keys($level['checkboxes']) as $name){
		// An unchecked checkbox is simply absent from the POST body.
		if(isset($_POST[$name])){
			$parsed[$name] = '1';
		} else {
			$parsed[$name] = '0';
		}
	}
	foreach($level['otherParams'] as $key => $unused){
		if(! isset($_POST[$key])){
			error_log("Missing options param \"$key\" when parsing parameters.");
			continue;
		}
		$parsed[$key] = $_POST[$key];
	}
	// POST keys outside the allow-list are ignored silently; the original kept a
	// commented-out debugging loop here that logged them as "Unrecognized option".
	return $parsed;
}
/**
 * Store every name => value pair of $arr through set().
 *
 * No filtering happens here: whatever keys the caller passes are written, so
 * the array should already be restricted to known option names (parseOptions()
 * does that for form input).
 *
 * @param array $arr option name => value
 */
public static function setArray($arr){
	foreach($arr as $name => $value){
		self::set($name, $value);
	}
}
/**
 * Drop the per-request option cache so the next get() reads from the database.
 */
public static function clearCache(){
	$empty = array();
	self::$cache = $empty;
}
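/**
 * Return an option value escaped for output into HTML.
 *
 * ENT_QUOTES is passed explicitly. Before PHP 8.1 the default flag set
 * (ENT_COMPAT) leaves single quotes untouched, so a value written into a
 * single-quoted attribute would not have been fully escaped. The character set
 * is left at PHP's default, as before.
 *
 * @param string $key option name
 * @return string escaped value
 */
public static function getHTML($key){
	return htmlspecialchars(self::get($key), ENT_QUOTES);
}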
/**
 * Insert or update one scalar option and mirror it in the request cache.
 *
 * Arrays are refused: the call is logged through wordfence::status() and
 * nothing is written (set_ser() exists for structured values).
 *
 * NOTE(review): the query relies on wfDB::query() substituting the '%s'
 * placeholders safely; that class is not visible here, so confirm it escapes
 * each argument for the active connection. The rejected value is written to the
 * status log via var_export(), which may put request data into that log.
 *
 * @param string $key option name
 * @param mixed  $val scalar value to store
 */
public static function set($key, $val){
	if(is_array($val)){
		$dumped = var_export($val, true);
		wordfence::status(1, 'error', "wfConfig::set() got an array as second param with key: $key and value: " . $dumped);
		return;
	}

	$sql = "insert into " . self::table() . " (name, val) values ('%s', '%s') ON DUPLICATE KEY UPDATE val='%s'";
	// $val is passed twice: once for the insert and once for the update clause.
	self::getDB()->query($sql, $key, $val, $val);
	self::$cache[$key] = $val;
}
/**
 * Read one option, consulting the request cache before the database.
 *
 * On a cache miss the database result is cached; when there is no row, the
 * supplied $default is cached instead. As a consequence a later call for the
 * same key with a different $default returns the first default until the key
 * is set() or clearCache() is called.
 *
 * @param string $key     option name
 * @param mixed  $default value used when the option has no stored value
 * @return mixed
 */
public static function get($key, $default = false){
	if(isset(self::$cache[$key])){
		return self::$cache[$key];
	}
	$stored = self::getDB()->querySingle("select val from " . self::table() . " where name='%s'", $key);
	self::$cache[$key] = isset($stored) ? $stored : $default;
	return self::$cache[$key];
}
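/**
 * Load a serialized value, preferring a temp file written by set_ser() over the
 * database row. Reading a value from disk deletes the file.
 *
 * SECURITY NOTE(review): the file content and the database value are both
 * passed to unserialize(). The temp file has a predictable name and may live in
 * a shared location (getTempDir() considers the system temp directory and
 * wp-content/uploads), so its content is only as trustworthy as that
 * directory's permissions. The header comparison below rejects files that were
 * not produced in the expected format; it is a sanity check, not an integrity
 * guarantee. Authenticating the payload (for example with a keyed MAC written
 * by set_ser()) or using a non-executing format would need a matching change
 * in set_ser(). $key is also concatenated into the filename unmodified, so
 * callers must pass fixed, trusted key names.
 *
 * NOTE(review): a stored value that is itself falsy (false, 0, '', empty array)
 * is indistinguishable from a failed read on the disk path and falls through to
 * the database lookup. The mysql_* functions used here belong to ext/mysql,
 * which was removed in PHP 7.0.
 *
 * @param string $key        option name
 * @param mixed  $default    returned when nothing is stored
 * @param bool   $canUseDisk whether a temp file may hold the value
 * @return mixed the stored value, $default, or false on a database error
 */
public static function get_ser($key, $default, $canUseDisk = false){
	if($canUseDisk){
		$dir = self::getTempDir();
		if($dir){
			$fullFile = $dir . 'wordfence_tmpfile_' . $key . '.php';
			if(file_exists($fullFile)){
				wordfence::status(4, 'info', "Loading serialized data from file $fullFile");
				$obj = false;
				$headerLen = strlen(self::$tmpFileHeader);
				$raw = file_get_contents($fullFile);
				// Only strip the header when it really is there; previously the first
				// $headerLen bytes were discarded whatever they contained, and a failed
				// read (false) was passed straight on.
				if(is_string($raw) && strncmp($raw, self::$tmpFileHeader, $headerLen) === 0){
					$obj = unserialize(substr($raw, $headerLen));
				}
				if(! $obj){
					wordfence::status(2, 'error', "Could not unserialize file $fullFile");
				}
				// The file is consumed (or discarded) either way.
				self::deleteOldTempFile($fullFile);
				if($obj){
					return $obj;
				}
			}
		}
	}
	self::getDB()->reconnect();
	// The query is issued directly because the stored strings can be very large.
	$dbh = self::getDB()->getDBH();
	// Escape and read errors against the same link the query runs on, instead of
	// whichever connection happened to be opened last.
	$res = mysql_query("select val from " . self::table() . " where name='" . mysql_real_escape_string($key, $dbh) . "'", $dbh);
	$err = mysql_error($dbh);
	if($err || $res === false){
		$trace = debug_backtrace();
		$caller = array_shift($trace);
		wordfence::status(2, 'error', "Wordfence DB error in " . $caller['file'] . " line " . $caller['line'] . ": $err");
		return false;
	}

	if(mysql_num_rows($res) > 0){
		$row = mysql_fetch_row($res);
		return unserialize($row[0]);
	}
	return $default;
}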
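/**
 * Store a serialized value in the database, or in a temp file when it is too
 * large for the server's max_allowed_packet and $canUseDisk is set.
 *
 * The value is serialized once and never copied: the statement avoids
 * ON DUPLICATE KEY UPDATE because that would embed the payload twice and could
 * itself exceed the packet limit.
 *
 * Changes from the previous version:
 *  - the "cannot open temp file" message referenced an undefined $dirs variable;
 *    it now names the directory that was actually tried;
 *  - the temp file is created with mode 'x' (exclusive create) after the old
 *    copy is removed, so an existing file or link at that path is refused
 *    rather than written through;
 *  - short or failed writes are detected instead of reporting success;
 *  - escaping and error lookup are bound to the connection the query uses.
 *
 * SECURITY NOTE(review): the temp file is created with the process's default
 * permissions in a directory that may be shared or web-reachable (see
 * getTempDir()); self::$tmpFileHeader only stops the content being shown when
 * the file is requested through PHP. get_ser() unserializes this file without
 * authenticating it. $key is concatenated into the filename unmodified, so
 * callers must pass fixed, trusted key names. ext/mysql was removed in PHP 7.0.
 *
 * @param string $key        option name
 * @param mixed  $val        value to serialize and store
 * @param bool   $canUseDisk whether an oversized value may be written to disk
 * @return bool true on success, false when the value could not be stored
 */
public static function set_ser($key, $val, $canUseDisk = false){
	self::getDB()->reconnect();
	$dbh = self::getDB()->getDBH();
	$serialized = serialize($val);
	$tempFilename = 'wordfence_tmpfile_' . $key . '.php';
	// 10% headroom is allowed for escaping and the surrounding SQL.
	if((strlen($serialized) * 1.1) > self::getDB()->getMaxAllowedPacketBytes()){
		if(! $canUseDisk){
			wordfence::status(1, 'error', "Wordfence tried to save a variable with name '$key' and your database max_allowed_packet is set to be too small. This particular variable can't be saved to disk. Please ask your administrator to increase max_allowed_packet and also report this in the Wordfence forums because it may be a bug. Thanks.");
			return false;
		}
		$dir = self::getTempDir();
		if(! $dir){
			wordfence::status(1, 'error', "Wordfence tried to save a variable with name '$key' and your database max_allowed_packet is set to be too small. We then tried to save it to disk, but you don't have a temporary directory that is writable. You can fix this by making the /wp-content/plugins/wordfence/tmp/ directory writable by your web server. Or by increasing your max_allowed_packet configuration variable in your mysql database.");
			return false;
		}
		$fullFile = $dir . $tempFilename;
		self::deleteOldTempFile($fullFile);
		// Exclusive create: fails if anything still exists at this path.
		$fh = fopen($fullFile, 'x');
		if(! $fh){
			wordfence::status(1, 'error', "Your database doesn't allow big packets so we have to use files to store temporary data and Wordfence can't create the temporary file it needs. Either ask your admin to increase max_allowed_packet on your MySQL database, or make the following directory writable by your web server: " . $dir);
			return false;
		}
		wordfence::status(4, 'info', "Serialized data for $key is " . strlen($serialized) . " bytes and is greater than max_allowed packet so writing it to disk file: " . $fullFile);
		// Header and payload are written separately so the payload is not copied.
		$complete = (fwrite($fh, self::$tmpFileHeader) === strlen(self::$tmpFileHeader));
		if($complete){
			$complete = (fwrite($fh, $serialized) === strlen($serialized));
		}
		fclose($fh);
		if(! $complete){
			// Do not leave a truncated file for get_ser() to pick up.
			self::deleteOldTempFile($fullFile);
			wordfence::status(1, 'error', "Wordfence could not write all of the serialized data for '$key' to the temporary file $fullFile.");
			return false;
		}
		return true;
	}

	// Remove any temp file first, otherwise get_ser() would read the stale file
	// instead of the row written below.
	$tempDir = self::getTempDir();
	if($tempDir){
		self::deleteOldTempFile($tempDir . $tempFilename);
	}
	$exists = self::getDB()->querySingle("select name from " . self::table() . " where name='%s'", $key);
	$safeKey = mysql_real_escape_string($key, $dbh);
	if($exists){
		$res = mysql_query("update " . self::table() . " set val='" . mysql_real_escape_string($serialized, $dbh) . "' where name='" . $safeKey . "'", $dbh);
	} else {
		$res = mysql_query("insert IGNORE into " . self::table() . " (name, val) values ('" . $safeKey . "', '" . mysql_real_escape_string($serialized, $dbh) . "')", $dbh);
	}
	$err = mysql_error($dbh);
	if($err || $res === false){
		$trace = debug_backtrace();
		$caller = array_shift($trace);
		wordfence::status(2, 'error', "Wordfence DB error in " . $caller['file'] . " line " . $caller['line'] . ": $err");
		return false;
	}
	return true;
}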
/**
 * Remove a temp file if it is present.
 *
 * NOTE(review): the existence check and the unlink() are two separate steps and
 * the unlink() result is ignored, so callers cannot tell whether the path is
 * really gone afterwards.
 *
 * @param string $filename full path of the file to remove
 */
private static function deleteOldTempFile($filename){
	if(! file_exists($filename)){
		return;
	}
	unlink($filename);
}
/**
 * Find a directory the web server can write to, and remember it for the rest of
 * the request.
 *
 * Candidates are tried in order: the plugin's own tmp/ directory, the system
 * temp directory, then wp-content/uploads/. A candidate is accepted when a small
 * probe file can be created, fully written and deleted again.
 *
 * SECURITY NOTE(review): the second and third candidates are typically shared
 * with other accounts or reachable over the web. Files that get_ser()/set_ser()
 * place there inherit that exposure, so prefer making the plugin tmp/ directory
 * writable and not web-served. The probe uses a fixed filename opened in 'w'
 * mode.
 *
 * @return string|false directory path with trailing slash, or false if none works
 */
private static function getTempDir(){
	if(! self::$tmpDirCache){
		$candidates = array(
			wfUtils::getPluginBaseDir() . 'wordfence/tmp/',
			sys_get_temp_dir(),
			ABSPATH . 'wp-content/uploads/'
		);
		$chosen = 'notmp'; // sentinel cached when no candidate is usable
		wfUtils::errorsOff();
		foreach($candidates as $candidate){
			$candidate = rtrim($candidate, '/') . '/';
			$probe = $candidate . 'wftmptest.txt';
			$fh = @fopen($probe, 'w');
			if($fh){
				$bytes = @fwrite($fh, 'test');
				@fclose($fh);
				// The probe is only deleted after a complete write, as before.
				if($bytes == 4 && @unlink($probe)){
					$chosen = $candidate;
					break;
				}
			}
		}
		wfUtils::errorsOn();
		self::$tmpDirCache = $chosen;
	}
	return self::$tmpDirCache == 'notmp' ? false : self::$tmpDirCache;
}
/**
 * Echo an option value escaped for use inside an HTML attribute.
 *
 * @param string $key option name
 */
public static function f($key){
	$value = self::get($key);
	echo esc_attr($value);
}
/**
 * Echo the " checked " attribute when the option holds a truthy value.
 * Checkbox options are stored as '1' / '0', and '0' is falsy in PHP.
 *
 * @param string $key option name
 */
public static function cb($key){
	if(! self::get($key)){
		return;
	}
	echo ' checked ';
}
/**
 * Echo " selected " for a select-box entry.
 *
 * The entry is marked when the option is unset/falsy and this entry is the
 * default, and also when the stored value loosely equals $val. Both conditions
 * are checked independently, so the attribute can be emitted twice.
 *
 * @param string $key       option name
 * @param mixed  $val       value of this select entry
 * @param bool   $isDefault whether this entry is the default choice
 */
public static function sel($key, $val, $isDefault = false){
	$current = self::get($key);
	if($isDefault && ! $current){
		echo ' selected ';
	}
	if($current == $val){ // loose comparison kept: stored values are strings
		echo ' selected ';
	}
}
/**
 * Load every stored option into the request cache and return the cache.
 *
 * The returned array is the cache itself, so it can also contain defaults that
 * earlier get() calls cached for keys without a database row. It includes
 * sensitive entries such as apiKey and encKey; avoid dumping it into logs or
 * page output.
 *
 * @return array option name => value
 */
public static function getArray(){
	$result = self::getDB()->query("select name, val from " . self::table());
	while($row = mysql_fetch_assoc($result)){
		$name = $row['name'];
		self::$cache[$name] = $row['val'];
	}
	return self::$cache;
}
/**
 * Return the shared wfDB instance, creating it on first use.
 *
 * @return wfDB
 */
private static function getDB(){
	if(self::$DB){
		return self::$DB;
	}
	self::$DB = new wfDB();
	return self::$DB;
}
/**
 * Return the name of the config table, built once from the WordPress base
 * table prefix. The name is concatenated into SQL text by the callers; it comes
 * from $wpdb, not from request input.
 *
 * @return string
 */
private static function table(){
	if(self::$table){
		return self::$table;
	}
	global $wpdb;
	self::$table = $wpdb->base_prefix . 'wfConfig';
	return self::$table;
}
/**
 * Tell whether at least one alert recipient is configured.
 *
 * @return bool
 */
public static function haveAlertEmails(){
	return count(self::getAlertEmails()) > 0;
}
/**
 * Split the comma-separated alertEmails option into a list of addresses.
 *
 * NOTE(review): an entry is kept when it merely contains an '@'; nothing else
 * about the address is validated and only surrounding whitespace is trimmed.
 * Code that passes these values to a mailer should validate them first.
 *
 * @return array list of trimmed entries containing '@'
 */
public static function getAlertEmails(){
	$emails = array();
	foreach(explode(',', self::get('alertEmails')) as $candidate){
		if(! preg_match('/\@/', $candidate)){
			continue; // also skips the single empty entry produced by an unset option
		}
		$emails[] = trim($candidate);
	}
	return $emails;
}
/**
 * Map the alert checkboxes to a numeric level: 2 when warnings are alerted on,
 * 1 when only critical issues are, 0 when neither is enabled.
 *
 * @return int 0, 1 or 2
 */
public static function getAlertLevel(){
	if(self::get('alertOn_warnings')){
		return 2;
	}
	if(self::get('alertOn_critical')){
		return 1;
	}
	return 0;
}
574 }
575 ?>
576