Multiple bug fixes and code cleanups #29
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
WordPress plugins market place changed its design and now the line ending from the readme files are translated to HTML break tags, this causes some of the text in the current paragraphs to over-flow. This commit fixes this by merging the lines of each paragraph into one as normal Markdown file.
This procedure can break your website. The reset will not affect the database nor the settings of each plugin but depending on how they were written the reset action might break them. Be sure to create a backup of the plugins directory before the execution of this tool.
Searching for a file with certain pattern is currently causing some false positives because the code is matching the pattern in the entire file path including the parent directories. This commit fixes this by executing the pattern match against the file name instead of the file path.
As part of our plan to deprecate the Socket interface introduced a while ago to support websites without the CURL extension, we are going to start sending the name of the HTTP transport mechanism. After some time, if we detect that the number of websites using Sockets is too low to keep supporting that version of the code we will remove it. Also, we will report the status of the SSL certificate verification, we want to force every website to communicate via HTTPS.
The commit shortens the pagination buttons when the maximum number of pages is smaller than the number of items in the page. With this change, a pagination with 100 buttons will be reduced to 20 and when the user requests a page with a number higher than the middle the starting point will be moved to the left, so if the user goes to page 12 the starting point will be 3 instead of 1 and the final button will be moved forward too, in this case to 22 instead of 20.
Up until now the plugin has been providing some options to disable the SSL certificate verification in servers where the OpenSSL library is too old or the CURL extension was compiled without support for algorithms used in the SSL certificates installed in the API service. We will start enforcing HTTPS and display a warning to website owners when the SSL verification is not available.
The heartbeat section in the settings page was intended to help website owners to configure the intervals in which WordPress sends Ajax requests to control access to certain features when multiple accounts are doing the same things like editing the same page, post, file, comment, etc. This was necessary in older versions of the plugin because the XHR monitor was affecting the responsiveness of many websites since it runs a heavy filter against every Ajax request. Newer versions of the code have improved this filter so the heartbeat settings are now useless.
This will force the plugin to log the passwords during a failed login attempt. This is useful for the website owner if he suspects of a brute force attack and will let them know what technique is being used to attack the login page. Up until now the password logger was behind an option that was disabled by default, this was because if a legitimate user mistypes his password the plugin will still send it to the API which may become a security hole if a malicious user knows the API key as they can retrieve the audit logs and see the password there. After some thinking we decided to enable this feature by default and just log the password in the local database instead of the remote API service.
We will check if the constant was already set to allow developers to use their own API service. This is useful both for the execution of the tests as well as for website owners who do not want to send data to the Sucuri servers.
Every time a page or post is modified and saved into the database the plugin will send a HTTP request to the CloudProxy API service and except that, if the API key is valid, the cache is reset. Notice that the cache of certain files is going to stay as it is due to the configuration on the edge of the servers.
To prevent unwanted arbitrary writes into disk, the import and export feature will only process allowed option names, these options are selected manually by one of the developers. Any other option, valid or not will be ignored. Notice that the export function also ignores any option that is present in the JSON file by not whitelisted by the developer in the code.
The plugin will delete all the options from the database inserted by older versions of the code. It will also revert all the hardening applied to the core directories. And will delete all the cache files as well as any additional JSON-encoded data from the data storage folder.
For advanced users the plugin will allow them to view the differences found by the plugin during the execution of the WordPress integrity checks. This is done using the Unix diff utility, by comparing the content of the original code distributed with every installation package and the content of the file that is currently in the server. Notice that if the hosting provider has blocked the execution of external commands this tool will not work because it relies on the availability of the PHP exec method to execute diff against the two files.
Unless the website owners sets the constant SUCURI_DATA_STORAGE into the configuration file, the plugin will use a semi-hardcoded directory path to store its settings, security logs, cache and additional data. This was causing some issues with certain hosting providers because after a migration the directory path (which was being set as an additional option in the settings file) was not being changed dynamically. This commit fixes this by removing the static option from the settings file and instead generating the directory path dynamically.
If the website owner is receiving alerts for post types that are not listed in the "Ignore Post Changes" setting it may be because the theme or plugin that is making these changes is registering the custom post-type on runtime, in this case our plugin will not be able to detect these changes and consequently you will not be able to ignore those alerts. However, if the website owner knows the unique identifier of the post-type they can type it in this new form and our plugin will do its best to skip the alerts associated to that.
Every time a post or page is deleted WordPress triggers an action called delete_post, this action is caught by the event monitor. However, at this point the page or post has already been deleted, which means we cannot send enough information about the event to the API. To fix this, we will also monitor the before_delete_post action which is triggered before the post is deleted but after the user has executed the action. We will store some information related to the post in a temporary data structure. Then, when the delete_post action is triggered we will extract this informaiton to send it to the API. We will delete the temporary data after the operation has succeeded.
|
Anyone interested in the optimized implementation of protection against unknown AJAX actions including a whitelist |
Up until now the code was writing an index.html file into the directory where the plugin stores all its data. This was happening all the time no matter if the file was already there nor if the file contained the same code. File monitors were flagging these modifications so we decided to stop them by checking if the file exists before its creation.
From now on the plugin will ignore just a handful of files that we consider irrelevant during the execution of the core integrity checks, the rest of the files that were previously being ignored by default are going to be added to a cache file at startup, then the website owner can delete one or more of these files if he prefers from the scanner section of the settings page.
Up until now the creation of the storage folder has been triggered by the access of any of the admin pages. However, for some power users who need to manage multiple websites using tools like WPCLI this process is unavailable as they never access the admin dashboard. This commit fixes this by allowing them to trigger the creation of the storage folder by sending a HTTP request to the login page with invalid credentials, this will trigger the log for the failed login event and subsequently the creation of the storage folder.
Some plugins might create their own scheduled frequencies, we have to support them to allow the user to modify them at will and to revert to their oritinal value. For this we will use a built-in method provided by WordPress.
D3.js upgraded to version 3.5.17 C3.js upgraded to version 0.4.11 The latest version of the C3.js library is not compatible with D3.js branch 4.x.x so we are upgrading to the latest stable version in branch 3.x.x; otherwise we will face issues with the b.time.format method.
Up until now the plugin allowed the website owner to choose which algorithm would be used to scan the directory tree, the options included the SPL library, OpenDIR and Glob. With the pass of the years and the release of PHP 7 many hosting providers upgraded their systems to newer versionf of PHP to get advantage of the performance boost of the latest features. This means that most of the biggest hosting providers in the market are using at least PHP5 which includes SPL so there is no need to choose between the other algorithms with less performance. A warning will appear in the plugin dashboard if the SPL library is not available.
For every fresh installation of the plugin we will send a one-time email to the website owner with an invitation to subscribe to our security related newsletter where they can learn about better security practices and get alerts from public vulnerabilities disclosures. The plugin will set a hidden (non-modifiable) option in the settings file to let it know that we already sent this email. In most cases this will be enough to avoid unnecessary spam, but if the website owner decides to reset the plugin settings, or for some reason, the settings file is not writable.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix format of the README file with new WordPress design
WordPress plugins market place changed its design and now the line
ending from the readme files are translated to HTML break tags, this
causes some of the text in the current paragraphs to over-flow. This
commit fixes this by merging the lines of each paragraph into one as
normal Markdown file.
Add warning message in the reset plugin tool page
This procedure can break your website. The reset will not affect the
database nor the settings of each plugin but depending on how they were
written the reset action might break them. Be sure to create a backup of
the plugins directory before the execution of this tool.
Add support for redirections in requests using sockets
CURL allows to set the number of redirections to follow per request.
However, when the request is built manually using raw sockets we have to
handle this operation manually. This change adds support to follow redirections
when the HTTP requests are executed using the socket interface.
Fix file search by name when the directory is passed
Searching for a file with certain pattern is currently causing some
false positives because the code is matching the pattern in the entire
file path including the parent directories. This commit fixes this by
executing the pattern match against the file name instead of the file
path.
Add HTTP request parameters to track some settings
As part of our plan to deprecate the Socket interface introduced a while
ago to support websites without the CURL extension, we are going to
start sending the name of the HTTP transport mechanism. After some time,
if we detect that the number of websites using Sockets is too low to
keep supporting that version of the code we will remove it. Also, we
will report the status of the SSL certificate verification, we want to
force every website to communicate via HTTPS.
Fix reset plugin tool with the new WordPress API
Fix length of the pagination helper with many pages
The commit shortens the pagination buttons when the maximum number of
pages is smaller than the number of items in the page. With this change,
a pagination with 100 buttons will be reduced to 20 and when the user
requests a page with a number higher than the middle the starting point
will be moved to the left, so if the user goes to page 12 the starting
point will be 3 instead of 1 and the final button will be moved forward
too, in this case to 22 instead of 20.
Fix deactivation of all the scheduled tasks from settings
When you are changing the frequency to "Never" the plugin is actually
deleting the cronjob but another part of the code is re-installing it because
it detects that it doesn't exists, this should only happen during the installation
process.