v2.2.4.1

defines.php

@@ -1,7 +1,7 @@
 <?php
 defined( 'ABSPATH' ) or die( 'Something went wrong.' );
 
-define( 'SECUPRESS_VERSION'                   , '2.2.3' );
+define( 'SECUPRESS_VERSION'                   , '2.2.4.1' );
 define( 'SECUPRESS_MAJOR_VERSION'             , '2.2' );
 define( 'SECUPRESS_PATH'                      , realpath( dirname( SECUPRESS_FILE ) ) . DIRECTORY_SEPARATOR );
 define( 'SECUPRESS_INC_PATH'                  , SECUPRESS_PATH . 'free' . DIRECTORY_SEPARATOR );

free/admin/functions/admin.php

@@ -288,3 +288,55 @@ function secupress_print_pro_advantages() {
 	</div>
 	<?php
 }
+
+
+/**
+ * Retrieve messages by their ID and format them by wrapping them in `<ul>` and `<li>` tags.
+ *
+ * @since 1.0
+ *
+ * @param (array)  $msgs      An array of messages.
+ * @param (string) $test_name The scanner name.
+ *
+ * @return (string) An HTML list of formatted messages.
+ */
+function secupress_format_message( $msgs, $test_name ) {
+	$classname = 'SecuPress_Scan_' . $test_name;
+	$messages  = $classname::get_instance()->get_messages();
+
+	$output = array();
+
+	if ( empty( $msgs ) ) {
+		return implode( '<br/>', $output );
+	}
+
+	foreach ( $msgs as $id => $atts ) {
+
+		if ( ! isset( $messages[ $id ] ) ) {
+
+			$string = __( 'Fix done.', 'secupress' );
+
+		} elseif ( is_array( $messages[ $id ] ) ) {
+
+			$count  = array_shift( $atts );
+			$string = translate_nooped_plural( $messages[ $id ], $count );
+
+		} else {
+
+			$string = $messages[ $id ];
+
+		}
+
+		if ( $atts ) {
+			foreach ( $atts as $i => $att ) {
+				if ( is_array( $att ) ) {
+					$atts[ $i ] = wp_sprintf_l( '%l', $att );
+				}
+			}
+		}
+
+		$output[] = ! empty( $atts ) ? vsprintf( $string, $atts ) : $string;
+	}
+
+	return implode( '<br/>', $output );
+}

free/admin/functions/ajax-post.php

@@ -165,54 +165,3 @@ function secupress_check_admin_referer( $action = -1, $query_arg = '_wpnonce' )
 	}
 }
 
-
-/**
- * Retrieve messages by their ID and format them by wrapping them in `<ul>` and `<li>` tags.
- *
- * @since 1.0
- *
- * @param (array)  $msgs      An array of messages.
- * @param (string) $test_name The scanner name.
- *
- * @return (string) An HTML list of formatted messages.
- */
-function secupress_format_message( $msgs, $test_name ) {
-	$classname = 'SecuPress_Scan_' . $test_name;
-	$messages  = $classname::get_instance()->get_messages();
-
-	$output = array();
-
-	if ( empty( $msgs ) ) {
-		return implode( '<br/>', $output );
-	}
-
-	foreach ( $msgs as $id => $atts ) {
-
-		if ( ! isset( $messages[ $id ] ) ) {
-
-			$string = __( 'Fix done.', 'secupress' );
-
-		} elseif ( is_array( $messages[ $id ] ) ) {
-
-			$count  = array_shift( $atts );
-			$string = translate_nooped_plural( $messages[ $id ], $count );
-
-		} else {
-
-			$string = $messages[ $id ];
-
-		}
-
-		if ( $atts ) {
-			foreach ( $atts as $i => $att ) {
-				if ( is_array( $att ) ) {
-					$atts[ $i ] = wp_sprintf_l( '%l', $att );
-				}
-			}
-		}
-
-		$output[] = ! empty( $atts ) ? vsprintf( $string, $atts ) : $string;
-	}
-
-	return implode( '<br/>', $output );
-}

free/classes/settings/class-secupress-settings.php

@@ -886,7 +886,7 @@ protected function field( $args ) {
 				} elseif ( method_exists( $this, $args['type'] ) ) {
 					call_user_func( array( $this, $args['type'] ), $args );
 				} else {
-					echo 'Missing or incorrect type'; // Do not translate.
+					echo '<!--// Missing or incorrect type //-->'; // Do not translate.
 				}
 		}
 

free/functions/files.php

@@ -690,7 +690,7 @@ function secupress_create_mu_plugin( $filename_part, $contents ) {
  * @return (string) The path with no heading slash and a trailing slash.
  */
 function secupress_trailingslash_only( $slug ) {
-	return ltrim( trim( $slug, '/' ) . '/', '/' );
+	return ! is_null( $slug ) ? ltrim( trim( $slug, '/' ) . '/', '/' ) : '';
 }
 
 

free/functions/ip.php

@@ -797,7 +797,7 @@ function secupress_is_ip_in_range( $ip, $ips ) {
 				$first_ip = str_replace( '0/255', '0', $mask );
 				$last_ip  = str_replace( '0/255', '255', $mask );
 
-				if ( secupress_ipv6_numeric( $ip ) >= secupress_ipv6_numeric( $first_ip ) && secupress_ipv6_numeric( $ip ) <= secupress_ipv6_numeric( $last_ip ) ) {
+				if ( ip2long( $ip ) >= ip2long( $first_ip ) && ip2long( $ip ) <= ip2long( $last_ip ) ) {
 					return true;
 				}
 				continue;

free/modules/antispam/callbacks.php

@@ -39,6 +39,7 @@ function secupress_antispam_settings_callback( $settings ) {
 	$settings['antispam_block-shortcodes']         = (int) ! empty( $settings['antispam_block-shortcodes'] );
 	$settings['antispam_better-blacklist-comment'] = (int) ! empty( $settings['antispam_better-blacklist-comment'] );
 	$settings['antispam_forbid-pings-trackbacks']  = (int) ! empty( $settings['antispam_forbid-pings-trackbacks'] );
+	$settings['antispam_comment-delay']            = (int) ! empty( $settings['antispam_comment-delay'] );
 
 	/**
 	 * Filter the settings before saving.

free/modules/antispam/plugins/fightspam.php

@@ -314,7 +314,7 @@ function secupress_fightspam_blacklist_as_spam_check( $approved, $commentdata )
 	}
 
 	// Test.
-	if ( wp_blacklist_check(
+	if ( wp_check_comment_disallowed_list(
 		$commentdata['comment_author'],
 		$commentdata['comment_author_email'],
 		$commentdata['comment_author_url'],
@@ -758,3 +758,148 @@ function secupress_fightspam_get_spam_status( $value ) {
 
 	return $status;
 }
+
+add_action( 'wp_footer', 'secupress_fightspam_dont_comment_too_soon_timer' );
+/**
+ * Add a timer to change and disabled the submit button on the comment form
+ *
+ * @author Julio Potier
+ * @since 2.3
+ **/
+function secupress_fightspam_dont_comment_too_soon_timer() {
+	// Do not do it if the setting is not set
+	if ( ! secupress_get_module_option( 'antispam_comment-delay', 1, 'antispam' ) ) {
+		return;
+	}
+	// Only do this if we are on a post type page which supports comments with a non logged in user
+	if ( is_user_logged_in() || ! get_post_type() || ! post_type_supports( get_post_type(), 'comments' ) ) {
+		return;
+	}
+	// Set our timer in PHP with a filter
+	/**
+	 * Filter the default timer, 30 by default
+	 */
+	$secupress_dcts_timer = (int) apply_filters( 'secupress.plugins.fightspam.comment_timer', 30 );
+	// Just check if it's correct (>0)
+	if ( $secupress_dcts_timer <= 0 ) {
+		return;
+	}
+	// Get the 2 filtered IDs for the form
+	$comment_form_defaults = [ 'id_form' => 'commentform', 'id_submit' => 'submit' ];
+	$comment_form_defaults = wp_parse_args( $comment_form_defaults, apply_filters( 'comment_form_defaults', $comment_form_defaults ) );
+	?>
+	<script>
+	//<![CDATA[
+	// Get the submit from the WP comment form
+	var secupress_dcts_submit = document.getElementById('<?php echo esc_js( $comment_form_defaults['id_form'] ); ?>').querySelectorAll('#<?php echo esc_js( $comment_form_defaults['id_submit'] ); ?>');
+	// If there is not, bail.
+	if ( secupress_dcts_submit.length ) {
+		// Get the button label
+		var secupress_dcts_submit_value = secupress_dcts_submit[0].value;
+		// Set our timer in JS from our filter
+		var secupress_dcts_timer = <?php echo esc_js( $secupress_dcts_timer ); ?>;
+		// Disable the button and make it alpha 50%
+		secupress_dcts_submit[0].setAttribute("disabled", "");
+		secupress_dcts_submit[0].style.opacity = 0.5;
+		// Change the label to include the timer at max value
+		secupress_dcts_submit[0].value = secupress_dcts_submit[0].value + ' (' + secupress_dcts_timer + ')';
+		// Every second, reduce the timer by 1 and print it in the button
+		secupress_dcts_submit_interval = setInterval(
+			function() {
+				secupress_dcts_timer--;
+				secupress_dcts_submit[0].value = secupress_dcts_submit_value + ' (' + secupress_dcts_timer + ')';
+			},
+		1000 );
+		// When the timer is done, rset the label, alpha, disabled status of the button
+		setTimeout(
+			function() { 
+				clearInterval( secupress_dcts_submit_interval );
+				secupress_dcts_submit[0].value = secupress_dcts_submit_value;
+				secupress_dcts_submit[0].removeAttribute("disabled");
+				secupress_dcts_submit[0].style.opacity = 1;
+			},
+		secupress_dcts_timer * 1000 );
+
+	var xmlhttp = new XMLHttpRequest();
+	// Do the AJAX request, vanilla style
+    xmlhttp.onreadystatechange = function() {
+        if (xmlhttp.readyState == XMLHttpRequest.DONE) { // XMLHttpRequest.DONE == 4
+           if (xmlhttp.status == 200) {
+               document.getElementById("secupress_dcts_timer").value = xmlhttp.responseText;
+           }
+        }
+    };
+
+    xmlhttp.open("GET", "<?php echo esc_js( esc_url( admin_url( 'admin-ajax.php?action=secupress_dcts_timer' ) ) ); ?>", true);
+    xmlhttp.send();
+	}
+	//]]>
+	</script>
+	<?php
+}
+
+add_action( 'comment_form_top', 'secupress_fightspam_dont_comment_too_soon_field' );
+/**
+ * Add our field at the top of the form
+ *
+ * @since 2.3
+ * @author Julio Potier
+ **/
+function secupress_fightspam_dont_comment_too_soon_field() {
+	// Do not do it if the setting is not set
+	if ( ! secupress_get_module_option( 'antispam_comment-delay', 1, 'antispam' ) ) {
+		return;
+	}
+	// Trust the logged in users.
+	if ( is_user_logged_in() ) {
+		return;
+	}
+	// Our timer field
+	echo '<input type="hidden" name="secupress_dcts_timer" id="secupress_dcts_timer" value="' . time() . '" />';
+}
+
+add_action( 'pre_comment_on_post', 'secupress_fightspam_dont_comment_too_soon_check', 9 );
+/**
+ * Early block the comment if the timer is too short
+ *
+ * @author Julio Potier
+ * @return void
+ **/
+function secupress_fightspam_dont_comment_too_soon_check() {
+	// Do not do it if the setting is not set
+	if ( ! secupress_get_module_option( 'antispam_comment-delay', 1, 'antispam' ) ) {
+		return;
+	}
+	// Trust the logged in users.
+	if ( is_user_logged_in() ) {
+		return;
+	}
+	/**
+	 * Filter the deffault timer, 30 by default
+	 */
+	$secupress_dcts_timer = (int) apply_filters( 'secupress.plugins.fightspam.comment_timer', 30 );
+	// Bad timer? Bail!
+	if ( $secupress_dcts_timer <= 0 ) {
+		return;
+	}
+	// Timer is too short, block!
+	if ( ! isset( $_POST['secupress_dcts_timer'] ) || ( time() - $_POST['secupress_dcts_timer'] ) < ( $secupress_dcts_timer + 1 ) ) { // +1sec because of page load + AJAX call.
+		secupress_block( 'ATS', __( 'Sorry, you cannot send that now.', 'secupress' ) );
+	}
+}
+
+add_action( 'wp_ajax_nopriv_secupress_dcts_timer', 'secupress_dcts_timer_cb' );
+/**
+ * Get a timer with AJAX
+ *
+ * @author Julio Potier
+ * @since 2.3
+ **/
+function secupress_dcts_timer_cb() {
+	// Do not do it if the setting is not set
+	if ( ! secupress_get_module_option( 'antispam_comment-delay', 1, 'antispam' ) ) {
+		return;
+	}
+	echo time();
+	die();
+}

free/modules/antispam/settings/antispam.php

@@ -118,3 +118,19 @@
 		),
 	),
 ) );
+
+$this->add_field( array(
+	'title'        => __( 'Delay before posting a comment', 'secupress' ),
+	'description'  => __( 'A human has to read the post then write a comment before posting. Let them wait 30 secondes before posting.', 'secupress' ),
+	'depends'      => $main_field_name,
+	'label_for'    => $this->get_field_name( 'comment-delay' ),
+	'type'         => 'checkbox',
+	'default'      => 1,
+	'label'        => __( '<strong>Wait 30 seconds</strong> before posting a comment', 'secupress' ),
+	'helpers' => array(
+		array(
+			'type'        => 'description',
+			'description' => __( 'If someone tries to post before that, we consider it a bot and block it.', 'secupress' ),
+		),
+	),
+) );

free/modules/firewall/tools.php

@@ -117,6 +117,7 @@ function secupress_block_bad_content_but_what( $function, $server, $block_id ) {
 /**
  * Translate block IDs into understandable things.
  *
+ * @since 2.3   ATS
  * @since 2.1   NOUSER
  * @since 2.0   BRU
  * @since 1.4.9 BHC, BRC
@@ -132,6 +133,7 @@ function secupress_firewall_block_id( $module ) {
 	$block_ids = array(
 		// Antispam.
 		'AAU'  => __( 'Antispam, Anti-Usurpation', 'secupress' ),
+		'ATS'  => __( 'Antispam, Too soon', 'secupress' ),
 		// Firewall.
 		'BRU'  => __( 'Bad Referer URL', 'secupress' ),
 		// URL Contents.

free/modules/users-login/settings/blacklist-logins.php

@@ -74,6 +74,10 @@
 							[ 'type' => 'warning',     'description' => $is_plugin_active ? __( 'You have to deactivate the module first to change the default role.', 'secupress' ) : '', ],
 						]
 ) );
+$this->add_field( array(
+	'type'              => 'html',
+	'value'             => $is_plugin_active ? '<input type="hidden" name="secupress_users-login_settings[blacklist-logins_default-role]" value="' . esc_attr( get_option( 'default_role' ) ) . '" ' . disabled( $is_plugin_active, false, false ) . '/>' : '',
+) );
 
 $usable            = get_option( 'users_can_register' );
 $main_field_name   = $this->get_field_name( 'membership-activated' );