Upgrade to 11.5 broke WAF

[Ipstenu]

Impacted plugin

Protect

Steps to Reproduce

My site is set to auto update Jetpack. Today it did so at 9:58am, and immediately my site went down.

The error log was full of
PHP Fatal error: require(): Failed opening required '/home/wp_w9hpj2/lezwatchtv.com/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-waf/src/../rules/allow-ip.php' (include_path='.:') in /home/wp_w9hpj2/lezwatchtv.com/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-waf/rules/rules.php on line 2', referer: https://lezwatchtv.com/

I went into that file and found these:

//if ( require('/home/wp_w9hpj2/lezwatchtv.com/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-waf/src/../rules/allow-ip.php') ) { return; }
//if ( require('/home/wp_w9hpj2/lezwatchtv.com/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-waf/src/../rules/block-ip.php') ) { return $waf->block('block', -1, 'ip block list'); }

So I commented them out and the site came back.

A clear and concise description of what you expected to happen.

An upgrade shouldn't break things.

What actually happened

Upgrade caused a white screen of death.

Browser

Google Chrome/Chromium, Mozilla Firefox, Apple Safari

Other information

No response

Platform (Simple, Atomic, or both?)

Simple

Reproducibility

Consistent

Severity

Some (< 50%)

Available workarounds?

Yes, easy to implement

Workaround details

Comment out the top lines:

//if ( require('/home/wp_w9hpj2/lezwatchtv.com/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-waf/src/../rules/allow-ip.php') ) { return; }
//if ( require('/home/wp_w9hpj2/lezwatchtv.com/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-waf/src/../rules/block-ip.php') ) { return $waf->block('block', -1, 'ip block list'); }

[Prof9]

Same issue here. Our WordPress install became completely non-functional following an auto-update from Jetpack 11.4 to 11.5.

Commenting out those two lines fixed the issue here also.

EDIT: It looks like WAF writes its lists of allowed IPs and blocked IPs into allow-list.php and block-list.php respectively. Performing an auto-update removes those two files, causing the includes in rules.php to break.

I found that you can re-generate the allow-list.php and block-list.php files by disabling and re-enabling the "Protect your site with Jetpack's Web Application Firewall" option in Jetpack settings. Otherwise, the IP lists probably won't be applied if you only comment out the lines in rules.php.

[samiff]

Thanks for the detailed reports! Our team is investigating this at the moment.

Related references:

• https://wordpress.org/support/topic/jetpack-fatal-error-15/
• Internal: p1667327980352779-slack-C01U2KGS2PQ

[anomiex]

I found that you can re-generate the allow-list.php and block-list.php files by disabling and re-enabling the "Protect your site with Jetpack's Web Application Firewall" option in Jetpack settings. Otherwise, the IP lists probably won't be applied if you only comment out the lines in rules.php.

Also, if your site is already down due to this issue, you could try deleting that rules.php file which should (temporarily) let you back in. You can then toggle the option in the settings to regenerate all three files.

Or, if you have WP CLI access, you can do wp jetpack module deactivate waf and then wp jetpack module activate waf to toggle it without going through the web interface.