Changeset 2793990

Timestamp:

10/04/2022 10:27:25 AM (3 years ago)

Author:

patchstack

Message:

Fixed: several multi-site related errors.
Fixed: incorrect block of wp-json endpoint.
Fixed: incorrect 2FA secret key generation.
Removed: broken code from activation process.

Location:

patchstack/trunk

Files:

• assets/css/patchstack.css (modified) (1 diff)
• assets/css/patchstack.min.css (modified) (1 diff)
• includes/2fa/polyfill (added)
• includes/2fa/polyfill/.htaccess (added)
• includes/2fa/polyfill/dist (added)
• includes/2fa/polyfill/dist/index.php (added)
• includes/2fa/polyfill/dist/random_compat.phar.pubkey (added)
• includes/2fa/polyfill/dist/random_compat.phar.pubkey.asc (added)
• includes/2fa/polyfill/index.php (added)
• includes/2fa/polyfill/lib (added)
• includes/2fa/polyfill/lib/byte_safe_strings.php (added)
• includes/2fa/polyfill/lib/cast_to_int.php (added)
• includes/2fa/polyfill/lib/error_polyfill.php (added)
• includes/2fa/polyfill/lib/index.php (added)
• includes/2fa/polyfill/lib/random.php (added)
• includes/2fa/polyfill/lib/random_bytes_com_dotnet.php (added)
• includes/2fa/polyfill/lib/random_bytes_dev_urandom.php (added)
• includes/2fa/polyfill/lib/random_bytes_libsodium.php (added)
• includes/2fa/polyfill/lib/random_bytes_libsodium_legacy.php (added)
• includes/2fa/polyfill/lib/random_bytes_mcrypt.php (added)
• includes/2fa/polyfill/lib/random_int.php (added)
• includes/2fa/rfc6238.php (modified) (4 diffs)
• includes/activation.php (modified) (3 diffs)
• includes/admin/multisite-table.php (modified) (2 diffs)
• includes/admin/options.php (modified) (4 diffs)
• includes/api.php (modified) (4 diffs)
• includes/core.php (modified) (3 diffs)
• includes/hardening.php (modified) (3 diffs)
• includes/listener.php (modified) (4 diffs)
• includes/migrations/v302.php (added)
• includes/multisite.php (modified) (1 diff)
• includes/views/pages/multisite-activation.php (modified) (3 diffs)
• includes/views/pages/settings.php (modified) (2 diffs)
• languages/patchstack.pot (modified) (1 diff)
• patchstack.php (modified) (2 diffs)

patchstack/trunk/assets/css/patchstack.css

@@ -1144 +1144 @@
     margin-left: -90px;
 }
+
+.patchstack-active-tab-multisite {
+    max-width: 35rem !important;
+}
+
+.multisite .patchstack-active-tab-hardening {
+    max-width: 35rem !important;
+}

patchstack/trunk/assets/css/patchstack.min.css

@@ -1 @@
-@font-face{font-family:Faktum;font-weight:400;font-style:normal;src:url(../fonts/Faktum-Regular.woff)}#hiddenstatusbox{display:none;padding:0}.patchstack-logo{height:auto;vertical-align:middle}.patchstack_license{padding:15px;background:#fff;border-left:4px solid #fff;-webkit-box-shadow:0 1px 1px 0 rgba(0,0,0,.1);box-shadow:0 1px 1px 0 rgba(0,0,0,.1);border-left-color:#dc3232}.patchstack-content-wrap,.patchstack-font,.patchstack-nav-tab{font-family:Faktum,sans-serif}.patchstack-hover{cursor:pointer}.patchstack-font a{color:#b2d675;text-decoration:none}.patchstack-nav-tab-icon{background-repeat:no-repeat;background-position:center}.patchstack-nav-tab-wrapper{border-bottom:none;float:left;width:15%;position:relative;display:block;padding-top:0;z-index:20}.patchstack-nav-tab{position:relative;border:none;padding:10px 10px 10px 00px;width:100%;font-size:14px;line-height:25px;font-weight:300;color:#fff;margin-left:4px;margin-bottom:3px;background:0 0;border-radius:5px}.nav-tab-active.patchstack-nav-tab,.patchstack-nav-tab.nav-tab-active:focus,.patchstack-nav-tab.nav-tab-active:focus:active,.patchstack-nav-tab.nav-tab-active:hover{background:inherit;border:none}.patchstack-icon-wrapper{width:48px;height:48px;position:relative;float:left;border-radius:12px;margin-left:10px}.patchstack-icon-text{float:left;margin-left:10px}.patchstack-icon-text>span{font-size:11px;color:#cecece}.patchstack-nav-tab-icon{position:absolute;left:12px;top:12px;width:25px;height:25px;margin-right:5px;display:inline-block;background-size:contain;vertical-align:middle;transition:all .3s ease-in-out;-webkit-transition:all .3s ease-in-out;-moz-transition:all .3s ease-in-out;-o-transition:all .3s ease-in-out;-ms-transition:all .3s ease-in-out}.patchstack-nav-tab-icon.blue,.patchstack-nav-tab.patchstack-nav-tab-active:focus .patchstack-nav-tab-icon.white,.patchstack-nav-tab.patchstack-nav-tab-active:hover .patchstack-nav-tab-icon.white,.patchstack-nav-tab:focus:focus .patchstack-nav-tab-icon.white,.patchstack-nav-tab:focus:hover .patchstack-nav-tab-icon.white,.patchstack-nav-tab:hover:focus .patchstack-nav-tab-icon.white,.patchstack-nav-tab:hover:hover .patchstack-nav-tab-icon.white{opacity:1;visibility:visible}.patchstack-nav-tab-icon.ic-services{background-image:url(../images/service.png)}.patchstack-nav-tab-icon.ic-firewall{background-image:url(../images/firewall.png)}.patchstack-nav-tab-icon.ic-cookies{background-image:url(../images/user-lock-light.svg)}.patchstack-nav-tab-icon.ic-logs{background-image:url(../images/logs.svg)}.patchstack-nav-tab-icon.ic-login{background-image:url(../images/lock.svg)}.patchstack-nav-tab-icon.ic-license{background-image:url(../images/license.svg)}.patchstack-nav-tab.nav-tab:focus,.patchstack-nav-tab.nav-tab:hover{color:#cecece!important;background-color:#17191e!important}.patchstack-nav-tab.patchstack-nav-tab-active{color:#cecece;background-color:#17191e;border:none;outline:0;-webkit-box-shadow:none;box-shadow:none}.patchstack-nav-tab.patchstack-nav-tab-active .patchstack-nav-tab-icon.white,.patchstack-nav-tab:focus .patchstack-nav-tab-icon.white,.patchstack-nav-tab:hover .patchstack-nav-tab-icon.white{opacity:1;visibility:visible}.patchstack-content-wrap{padding:0 20px 20px 0}.patchstack-content-inner{position:relative;z-index:20;padding:0;background-color:#fff;border-bottom-left-radius:3px;border-bottom-right-radius:3px}.patchstack-content-inner-table{padding:15px 0}.patchstack-form-table input[type=text],.patchstack-form-wrap input[type=number],.patchstack-form-wrap input[type=text],.patchstack-form-wrap select,.patchstack-form-wrap textarea,.patchstack-inner-block select{background-color:#272930;border:none!important;color:#acacac!important}.patchstack-content-inner h2,.patchstack-content-inner h3,.patchstack-form-wrap h2,.patchstack-form-wrap h3{color:#fff;font-size:18px;line-height:1;font-weight:400;margin-top:0;margin-bottom:12px}.patchstack-content-inner p,.patchstack-form-wrap p{margin-top:0;margin-bottom:10px;font-size:13px;line-height:1.3;font-weight:400;color:#333}.patchstack-content-inner p b,.patchstack-form-wrap p b{font-weight:400}.patchstack-content-inner input[type=submit],.patchstack-form-wrap input[type=submit]{height:auto;padding:12px 30px!important;color:#17191e!important;border:none;border-radius:4px!important;background-color:#b2d675;font-size:13px!important;font-weight:500!important;line-height:20px;-webkit-box-shadow:none;box-shadow:none;text-shadow:none;transition:all .3s ease-in-out;-webkit-transition:all .3s ease-in-out;-moz-transition:all .3s ease-in-out;-o-transition:all .3s ease-in-out;-ms-transition:all .3s ease-in-out}.patchstack-content-inner input[type=submit]:hover,.patchstack-form-wrap input[type=submit]:focus{background-color:#2c405a}.patchstack-content-inner input[type=submit]:focus,.patchstack-content-inner input[type=submit]:hover,.patchstack-form-wrap input[type=submit]:focus,.patchstack-form-wrap input[type=submit]:hover{background-color:#b2d675;opacity:.2}.form-table th,.patchstack-content-wrap .form-table td{font-size:14px;color:#444;line-height:1.3}.patchstack-content-inner textarea,.patchstack-form-wrap textarea{padding:8px 15px;color:#444;border:1px solid #acacac;border-radius:3px;font-size:14px;line-height:1.3;max-height:150px;width:100%}.form-table{margin-top:15px}.patchstack-form-wrap .form-table tr{border-bottom:1px solid rgba(170,189,215,.1)}.form-table tr:last-child{border-bottom:none}.form-table th{width:235px;padding:15px 15px 15px 0;font-weight:700;vertical-align:top}.form-table td{padding:15px;vertical-align:top}.patchstack-content-wrap .form-table td label{font-style:italic}.patchstack-form-wrap .form-table td p{font-size:11px;line-height:initial;font-weight:400;color:#d0d0d0;text-transform:initial}.form-table input[type=checkbox]{border:1px solid #acacac;background-color:#fff;width:16px;height:16px;-webkit-box-shadow:none;box-shadow:none;margin:0 9px 0 0}.form-table input[type=checkbox]:focus,.form-table input[type=checkbox]:hover{-webkit-box-shadow:none;box-shadow:none}.patchstack-content-wrap .form-table input[type=checkbox]:checked{border:3px solid #b2d675}.patchstack-content-wrap .form-table input[type=checkbox]:checked:before{margin:-7px 0 0 -5px;font-size:23px;width:25px;color:#b2d675;content:url(data:image/svg+xml;utf8,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20viewBox%3D%270%200%2020%2020%27%3E%3Cpath%20d%3D%27M14.83%204.89l1.34.94-5.81%208.38H9.02L5.78%209.67l1.34-1.25%202.57%202.4z%27%20fill%3D%27%2369a700%27%2F%3E%3C%2Fsvg%3E)}.form-table input[type=text],.form-table select{padding:8px 15px;color:#444;border:1px solid #acacac;border-radius:3px;font-size:14px;line-height:1.3;height:auto}.form-table .regular-text{width:26em}.patchstack-form-table{border-collapse:inherit}table{border-collapse:collapse}.patchstack-form-table tr{border-bottom:none}.patchstack-form-table tr:last-child td{padding-left:0}.patchstack-form-table th{padding:8px 15px 8px 0;width:150px}.patchstack-form-table td{padding:8px 25px}.patchstack-form-table td,.patchstack-form-table th{vertical-align:middle}.dt-table>tbody>tr>td,.dt-table>tbody>tr>th,.dt-table>tfoot>tr>td,.dt-table>tfoot>tr>th,.dt-table>thead>tr>td,.dt-table>thead>tr>th{line-height:1.8;border-color:#e6ecf5}.dt-table>thead>tr>th{color:#515365;border-bottom:1px solid #e6ecf5}.patchstack-message,.tooltip-inner{border-radius:4px}.q-hover.dash{padding:0 4px}.tooltip{position:absolute;z-index:1070;display:block;font-family:Faktum,sans-serif;font-size:12px;font-weight:400;line-height:1.42857143;text-align:left;text-align:start;text-decoration:none;text-shadow:none;text-transform:none;word-break:normal;word-spacing:normal;word-wrap:normal;white-space:normal;line-break:auto}.tooltip-inner,pre,thead{text-align:left}.tooltip.in{opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow,.tooltip.top-left .tooltip-arrow,.tooltip.top-right .tooltip-arrow{bottom:0;border-width:5px 5px 0;border-top-color:#000}.tooltip.top .tooltip-arrow{left:50%;margin-left:-5px}.tooltip.top-left .tooltip-arrow{right:5px;margin-bottom:-5px}.tooltip.top-right .tooltip-arrow{left:5px;margin-bottom:-5px}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow,.tooltip.bottom-left .tooltip-arrow,.tooltip.bottom-right .tooltip-arrow{top:0;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom .tooltip-arrow{left:50%;margin-left:-5px}.tooltip.bottom-left .tooltip-arrow{right:5px;margin-top:-5px}.tooltip.bottom-right .tooltip-arrow{left:5px;margin-top:-5px}.tooltip-inner{font-size:12px}.table-firewall-log{border-color:#2c405a}.patchstack-content-inner-tabl table.dataTable tbody tr{background-color:#17273c!important}.patchstack-content-inner-tabl thead>tr>th{padding:0;margin:0}.radio input[type=radio]:checked+label:before{color:#a50f01!important}.tooltip-inner{color:#fff;line-height:normal;font-weight:300}.tooltip{opacity:1!important}.tooltip-inner{max-width:200px;background-color:#000;font-family:Faktum,sans-serif;padding:6px}.tooltip.bs-tooltip-auto[x-placement^=top] .arrow::before,.tooltip.bs-tooltip-top .arrow::before{border-top-color:#2c405a}.patchstack-content-inner-table .dataTables_wrapper .dataTables_processing{background:#272930!important;color:#fff!important;height:35px;font-size:13px;text-transform:uppercase;z-index:99999}.patchstack-content-inner-table .table-overflow .btn{margin-bottom:0}.patchstack-content-inner-table table.dataTable thead{background-color:#272930}.patchstack-content-inner-table .table-hover>tbody>tr:hover,.patchstack-content-inner-table table.dataTable tbody tr{background-color:transparent}.patchstack-content-inner-table table.dataTable thead td,.patchstack-content-inner-table table.dataTable thead th{border-bottom:0!important}.patchstack-content-inner-table .table-lg>tbody>tr:hover>td:first-child{border-left:2px solid rgba(170,189,215,.1)}.patchstack-content-inner-table .table>thead>tr>th{border-bottom:none;font-family:Faktum;font-size:11px;font-weight:500!important;letter-spacing:1.7px;text-align:left;color:#fff;text-transform:uppercase;padding:14px 7px!important;border-top:none}.patchstack-content-inner-table .table>tbody>tr>td{font-family:Faktum;font-size:13px;font-weight:300;line-height:1.46;text-align:left;color:#fff}.patchstack-content-inner-table .table>tbody>tr>td:first-child,.patchstack-content-inner-table .table>tfoot>tr>th:first-child,.patchstack-content-inner-table .table>thead>tr>th:first-child{padding-left:20px!important}.patchstack-content-inner-table .table>thead>tr>th:first-child{border-top-left-radius:0}.patchstack-content-inner-table .table>thead>tr>th:last-child{border-top-right-radius:0}.patchstack-content-inner-table .dataTables_wrapper .dataTables_filter,.patchstack-content-inner-table .dataTables_wrapper .dataTables_info,.patchstack-content-inner-table .dataTables_wrapper .dataTables_length,.patchstack-content-inner-table .dataTables_wrapper .dataTables_paginate .paginate_button{color:#fff!important;font-size:13px;margin-right:10px}.patchstack-content-inner-table .dataTables_wrapper .dataTables_filter input,.patchstack-content-inner-table .dataTables_wrapper .dataTables_length select{border:1px solid rgba(170,189,215,.1);background:#272930;color:#fff}.patchstack-content-inner-table .table-striped>tbody>tr:nth-of-type(odd){background-color:#17273c}.patchstack-content-inner-table .table-bordered{border:1px solid #334b69}.g-recaptcha{margin-top:-1px!important}.table-firewall-log>tbody>tr>td,.table-user-log>tbody>tr>td{border-bottom:1px solid rgba(170,189,215,.1)!important}.patchstack-content-inner-table table.dataTable{margin:0 auto!important}.patchstack-content-inner-table .dataTables_info,.patchstack-content-inner-table .dataTables_length,.patchstack-content-inner-table .dataTables_paginate .paging_simple_numbers{color:#fff!important}.patchstack-content-inner-table .dataTables_info,.patchstack-content-inner-table .dataTables_length,.patchstack-font>h2,.patchstack-font>h4{color:#fff;padding-left:10px}.patchstack-font>h2{padding-left:0}.patchstack-content-inner>h2{padding-left:10px}.patchstack-font>h2,.patchstack-font>h4,.table-firewall-log>thead>tr>th{font-family:Faktum;font-weight:300!important}.patchstack-content-inner-table .dataTables_wrapper .dataTables_paginate .paginate_button.current,.patchstack-content-inner-table .dataTables_wrapper .dataTables_paginate .paginate_button:hover{background:#272930!important;border-radius:50%;color:#fff!important;border:none}.patchstack-content-inner-table .dataTables_wrapper .dataTables_paginate .paginate_button.next,.patchstack-content-inner-table .dataTables_wrapper .dataTables_paginate .paginate_button.previous{background:0 0!important;color:#fff!important;border:none!important}.patchstack-content-inner-table .dataTables_length{padding-bottom:15px}.patchstack-content-table>.patchstack-content-inner{background-color:#1f2128;color:#fff;float:right;width:80%}.patchstack-form-wrap>table>tbody>tr>td>label>i,.patchstack-form-wrap>table>tbody>tr>th{font-family:Faktum;font-weight:300;color:#d0d0d0}.patchstack-font>h3,.patchstack-form-wrap>h2,.patchstack-inner-block>h3{color:#fff}.patchstack-font>p,.patchstack-form-table>tbody>tr>th>label{color:#d0d0d0}.label{font-size:11.84px;font-weight:700;line-height:14px;color:#fff;text-shadow:0 -1px 0 rgba(0,0,0,.25);white-space:nowrap;vertical-align:baseline;background-color:#999}.label{padding:1px 4px 2px;border-radius:3px}a.label:hover{color:#fff;text-decoration:none;cursor:pointer}.label-success{background-color:#468847}.label-success[href]{background-color:#356635}.patchstack-license-h2{padding:0!important}#wpwrap{background-color:#1f2128}.patchstack-content-table{padding-top:80px}.patchstack-active-tab-logs{padding:0}.patchstack-active-tab-logs h2.patchstack-logs-nav{display:inline-block;margin:-1px 0 0 0;position:relative;width:100%;padding:0}.patchstack-active-tab-logs h2.patchstack-logs-nav::after{content:"";display:block;position:absolute;width:100%;border-bottom:1px solid rgba(170,189,215,.1);bottom:0}.patchstack-active-tab-logs .patchstack-nav-tab{float:left;width:150px;margin-left:0;font-family:Faktum;font-size:15px;font-weight:300;text-align:left;width:initial;padding:15px 20px;position:relative;color:#fff;opacity:.5}.patchstack-active-tab-logs .patchstack-nav-tab:first-child{border-top-left-radius:4px}.patchstack-active-tab-logs .patchstack-nav-tab,.patchstack-active-tab-logs .patchstack-nav-tab.patchstack-nav-tab-active,.patchstack-active-tab-logs .patchstack-nav-tab:focus,.patchstack-nav-tab:hover{background-color:transparent}.patchstack-active-tab-logs .patchstack-nav-tab.patchstack-nav-tab-active{opacity:1}.patchstack-active-tab-logs .patchstack-nav-tab.patchstack-nav-tab-active::after{content:"";display:block;width:100%;position:absolute;bottom:-8px;left:0;border-bottom:5px solid rgba(170,189,215,.1)}.patchstack-top{display:block;width:100%;position:absolute;z-index:800;background:#1f2128;border:none;margin-left:-20px;padding-right:20px}.patchstack-top-logo{float:left;margin:40px 0 0 45px}.patchstack-bi{border:1px solid rgba(170,189,215,.1)!important}.patchstack-bi thead{border-bottom:1px solid rgba(170,189,215,.1)!important}.patchstack-bi tbody>tr>td{padding-left:0}.patchstack-plan{background:#272930;border-radius:4px;padding:32px;color:#acacac;font-size:15px;width:256px;height:374px;float:left;position:relative;margin-top:70px}.patchstack-plan1{margin-right:80px}.patchstack-plan1::before{content:'Start monitoring for vulnerabilities';position:absolute;top:-35px;left:0;color:#fff;font-size:15px}.patchstack-plan2::before{content:'Already have an account?';position:absolute;top:-35px;left:0;color:#fff;font-size:15px}.patchstack-is-size-4{margin-top:5px;display:inline-block;font-size:36px}.patchstack-has-text-white,.patchstack-has-text-white:hover{color:#fff;text-decoration:none}.patchstack-has-text-white:hover{opacity:.7}.patchstack-has-text-white span{color:#b2d675;font-size:15px;text-transform:uppercase}.patchstack-sub{width:69%;float:left;margin:30px 0 0 0}.patchstack-sub span:first-child{color:#fff;font-size:11px;width:100%;display:inline-block;margin-bottom:5px}.patchstack-sub span:last-child{font-size:15px}.patchstack-plan p{color:#acacac;font-size:13px;line-height:20px}.patchstack-plan1 p{margin:20px 0}.patchstack-plan li{margin-bottom:8px}.patchstack-check{background:url(../images/check-green.svg) no-repeat #323735;background-position:6px 8px;border-radius:50%;height:24px;width:24px;display:inline-block;position:relative;top:5px;margin-right:10px}.patchstack-check.patchstack-check-grey{background:url(../images/check.svg) no-repeat #32333a;background-position:3px 5px}.patchstack-strike{color:#585a5e}.patchstack-minus{background:url(../images/minus.svg) no-repeat #32333a;background-position:4px 4px;border-radius:50%;height:24px;width:24px;display:inline-block;position:relative;top:5px;margin-right:10px}.patchstack-free .patchstack-top{position:initial;margin-left:0;padding-right:0}.patchstack-free .patchstack-top-logo{width:184px;margin:0 auto;float:initial;margin-top:30px;margin-bottom:30px}.patchstack-free .patchstack-content-table{padding-top:0}.patchstack-free .patchstack-content-table>.patchstack-content-inner{max-width:45rem;margin:0 auto;float:initial}.patchstack-free .patchstack-content-table>.patchstack-content-inner>.patchstack-font{background:#272930;padding:20px;border-radius:4px}.patchstack-free h1{color:#fff;font-family:Faktum;font-weight:300!important;font-size:25px;text-align:center}.patchstack-free .form-table input[type=text]{background:0 0;width:100%;border:2px solid rgba(170,189,215,.1)!important;padding:11px 15px}.patchstack-free .form-table label{color:#fff;font-size:11px;margin:15px 0 5px 0;display:inline-block}.patchstack-free .button-primary{color:#b2d675;font-weight:500;font-size:13px;line-height:20px;background:rgba(178,214,117,.18);border-radius:4px;border:none;padding:12px 30px;margin-top:34px;width:100%;text-align:center}.patchstack-free .button-primary:hover{color:#000;background:#b2d675}.form-table th label,.patchstack-free .form-table th{font-weight:400}.patchstack-free .submit{padding:0}.patchstack-free .patchstack-form-table td{padding:3px 0}.patchstack-free .patchstack-license-h2{border-bottom:1px solid rgba(170,189,215,.1);margin-left:-20px;width:106%;text-indent:20px;padding-bottom:15px!important;margin-bottom:20px}.patchstack-premium{max-width:19rem!important;margin:0 auto;float:initial!important;width:initial!important}.patchstack-premium .patchstack-plan2::before{display:none}.patchstack-fullwidth{width:100%!important}#patchstack-activate{margin-top:42px}.patchstack-license-button #patchstack-activate{width:49%;float:left}.patchstack-license-button .patchstack-activate{width:49%;float:left;margin-top:42px;margin-left:2%}.patchstack-activate.button-primary.focus,.patchstack-activate.button-primary:focus{background:#b2d675;border:none;outline:0;opacity:.5}p.patchstack-upsell{text-align:center;font-size:15px;line-height:24px;color:#acacac;margin-top:64px}p.patchstack-upsell a{color:#b2d675;text-decoration:none}p.patchstack-upsell img{position:relative;top:7px}.patchstack-premium p.patchstack-upsell{width:500px;margin-left:-90px}
+@font-face{font-family:Faktum;font-weight:400;font-style:normal;src:url(../fonts/Faktum-Regular.woff)}#hiddenstatusbox{display:none;padding:0}.patchstack-logo{height:auto;vertical-align:middle}.patchstack_license{padding:15px;background:#fff;border-left:4px solid #fff;-webkit-box-shadow:0 1px 1px 0 rgba(0,0,0,.1);box-shadow:0 1px 1px 0 rgba(0,0,0,.1);border-left-color:#dc3232}.patchstack-content-wrap,.patchstack-font,.patchstack-nav-tab{font-family:Faktum,sans-serif}.patchstack-hover{cursor:pointer}.patchstack-font a{color:#b2d675;text-decoration:none}.patchstack-nav-tab-icon{background-repeat:no-repeat;background-position:center}.patchstack-nav-tab-wrapper{border-bottom:none;float:left;width:15%;position:relative;display:block;padding-top:0;z-index:20}.patchstack-nav-tab{position:relative;border:none;padding:10px 10px 10px 00px;width:100%;font-size:14px;line-height:25px;font-weight:300;color:#fff;margin-left:4px;margin-bottom:3px;background:0 0;border-radius:5px}.nav-tab-active.patchstack-nav-tab,.patchstack-nav-tab.nav-tab-active:focus,.patchstack-nav-tab.nav-tab-active:focus:active,.patchstack-nav-tab.nav-tab-active:hover{background:inherit;border:none}.patchstack-icon-wrapper{width:48px;height:48px;position:relative;float:left;border-radius:12px;margin-left:10px}.patchstack-icon-text{float:left;margin-left:10px}.patchstack-icon-text>span{font-size:11px;color:#cecece}.patchstack-nav-tab-icon{position:absolute;left:12px;top:12px;width:25px;height:25px;margin-right:5px;display:inline-block;background-size:contain;vertical-align:middle;transition:all .3s ease-in-out;-webkit-transition:all .3s ease-in-out;-moz-transition:all .3s ease-in-out;-o-transition:all .3s ease-in-out;-ms-transition:all .3s ease-in-out}.patchstack-nav-tab-icon.blue,.patchstack-nav-tab.patchstack-nav-tab-active:focus .patchstack-nav-tab-icon.white,.patchstack-nav-tab.patchstack-nav-tab-active:hover .patchstack-nav-tab-icon.white,.patchstack-nav-tab:focus:focus .patchstack-nav-tab-icon.white,.patchstack-nav-tab:focus:hover .patchstack-nav-tab-icon.white,.patchstack-nav-tab:hover:focus .patchstack-nav-tab-icon.white,.patchstack-nav-tab:hover:hover .patchstack-nav-tab-icon.white{opacity:1;visibility:visible}.patchstack-nav-tab-icon.ic-services{background-image:url(../images/service.png)}.patchstack-nav-tab-icon.ic-firewall{background-image:url(../images/firewall.png)}.patchstack-nav-tab-icon.ic-cookies{background-image:url(../images/user-lock-light.svg)}.patchstack-nav-tab-icon.ic-logs{background-image:url(../images/logs.svg)}.patchstack-nav-tab-icon.ic-login{background-image:url(../images/lock.svg)}.patchstack-nav-tab-icon.ic-license{background-image:url(../images/license.svg)}.patchstack-nav-tab.nav-tab:focus,.patchstack-nav-tab.nav-tab:hover{color:#cecece!important;background-color:#17191e!important}.patchstack-nav-tab.patchstack-nav-tab-active{color:#cecece;background-color:#17191e;border:none;outline:0;-webkit-box-shadow:none;box-shadow:none}.patchstack-nav-tab.patchstack-nav-tab-active .patchstack-nav-tab-icon.white,.patchstack-nav-tab:focus .patchstack-nav-tab-icon.white,.patchstack-nav-tab:hover .patchstack-nav-tab-icon.white{opacity:1;visibility:visible}.patchstack-content-wrap{padding:0 20px 20px 0}.patchstack-content-inner{position:relative;z-index:20;padding:0;background-color:#fff;border-bottom-left-radius:3px;border-bottom-right-radius:3px}.patchstack-content-inner-table{padding:15px 0}.patchstack-form-table input[type=text],.patchstack-form-wrap input[type=number],.patchstack-form-wrap input[type=text],.patchstack-form-wrap select,.patchstack-form-wrap textarea,.patchstack-inner-block select{background-color:#272930;border:none!important;color:#acacac!important}.patchstack-content-inner h2,.patchstack-content-inner h3,.patchstack-form-wrap h2,.patchstack-form-wrap h3{color:#fff;font-size:18px;line-height:1;font-weight:400;margin-top:0;margin-bottom:12px}.patchstack-content-inner p,.patchstack-form-wrap p{margin-top:0;margin-bottom:10px;font-size:13px;line-height:1.3;font-weight:400;color:#333}.patchstack-content-inner p b,.patchstack-form-wrap p b{font-weight:400}.patchstack-content-inner input[type=submit],.patchstack-form-wrap input[type=submit]{height:auto;padding:12px 30px!important;color:#17191e!important;border:none;border-radius:4px!important;background-color:#b2d675;font-size:13px!important;font-weight:500!important;line-height:20px;-webkit-box-shadow:none;box-shadow:none;text-shadow:none;transition:all .3s ease-in-out;-webkit-transition:all .3s ease-in-out;-moz-transition:all .3s ease-in-out;-o-transition:all .3s ease-in-out;-ms-transition:all .3s ease-in-out}.patchstack-content-inner input[type=submit]:hover,.patchstack-form-wrap input[type=submit]:focus{background-color:#2c405a}.patchstack-content-inner input[type=submit]:focus,.patchstack-content-inner input[type=submit]:hover,.patchstack-form-wrap input[type=submit]:focus,.patchstack-form-wrap input[type=submit]:hover{background-color:#b2d675;opacity:.2}.form-table th,.patchstack-content-wrap .form-table td{font-size:14px;color:#444;line-height:1.3}.patchstack-content-inner textarea,.patchstack-form-wrap textarea{padding:8px 15px;color:#444;border:1px solid #acacac;border-radius:3px;font-size:14px;line-height:1.3;max-height:150px;width:100%}.form-table{margin-top:15px}.patchstack-form-wrap .form-table tr{border-bottom:1px solid rgba(170,189,215,.1)}.form-table tr:last-child{border-bottom:none}.form-table th{width:235px;padding:15px 15px 15px 0;font-weight:700;vertical-align:top}.form-table td{padding:15px;vertical-align:top}.patchstack-content-wrap .form-table td label{font-style:italic}.patchstack-form-wrap .form-table td p{font-size:11px;line-height:initial;font-weight:400;color:#d0d0d0;text-transform:initial}.form-table input[type=checkbox]{border:1px solid #acacac;background-color:#fff;width:16px;height:16px;-webkit-box-shadow:none;box-shadow:none;margin:0 9px 0 0}.form-table input[type=checkbox]:focus,.form-table input[type=checkbox]:hover{-webkit-box-shadow:none;box-shadow:none}.patchstack-content-wrap .form-table input[type=checkbox]:checked{border:3px solid #b2d675}.patchstack-content-wrap .form-table input[type=checkbox]:checked:before{margin:-7px 0 0 -5px;font-size:23px;width:25px;color:#b2d675;content:url(data:image/svg+xml;utf8,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20viewBox%3D%270%200%2020%2020%27%3E%3Cpath%20d%3D%27M14.83%204.89l1.34.94-5.81%208.38H9.02L5.78%209.67l1.34-1.25%202.57%202.4z%27%20fill%3D%27%2369a700%27%2F%3E%3C%2Fsvg%3E)}.form-table input[type=text],.form-table select{padding:8px 15px;color:#444;border:1px solid #acacac;border-radius:3px;font-size:14px;line-height:1.3;height:auto}.form-table .regular-text{width:26em}.patchstack-form-table{border-collapse:inherit}table{border-collapse:collapse}.patchstack-form-table tr{border-bottom:none}.patchstack-form-table tr:last-child td{padding-left:0}.patchstack-form-table th{padding:8px 15px 8px 0;width:150px}.patchstack-form-table td{padding:8px 25px}.patchstack-form-table td,.patchstack-form-table th{vertical-align:middle}.dt-table>tbody>tr>td,.dt-table>tbody>tr>th,.dt-table>tfoot>tr>td,.dt-table>tfoot>tr>th,.dt-table>thead>tr>td,.dt-table>thead>tr>th{line-height:1.8;border-color:#e6ecf5}.dt-table>thead>tr>th{color:#515365;border-bottom:1px solid #e6ecf5}.patchstack-message,.tooltip-inner{border-radius:4px}.q-hover.dash{padding:0 4px}.tooltip{position:absolute;z-index:1070;display:block;font-family:Faktum,sans-serif;font-size:12px;font-weight:400;line-height:1.42857143;text-align:left;text-align:start;text-decoration:none;text-shadow:none;text-transform:none;word-break:normal;word-spacing:normal;word-wrap:normal;white-space:normal;line-break:auto}.tooltip-inner,pre,thead{text-align:left}.tooltip.in{opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow,.tooltip.top-left .tooltip-arrow,.tooltip.top-right .tooltip-arrow{bottom:0;border-width:5px 5px 0;border-top-color:#000}.tooltip.top .tooltip-arrow{left:50%;margin-left:-5px}.tooltip.top-left .tooltip-arrow{right:5px;margin-bottom:-5px}.tooltip.top-right .tooltip-arrow{left:5px;margin-bottom:-5px}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow,.tooltip.bottom-left .tooltip-arrow,.tooltip.bottom-right .tooltip-arrow{top:0;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom .tooltip-arrow{left:50%;margin-left:-5px}.tooltip.bottom-left .tooltip-arrow{right:5px;margin-top:-5px}.tooltip.bottom-right .tooltip-arrow{left:5px;margin-top:-5px}.tooltip-inner{font-size:12px}.table-firewall-log{border-color:#2c405a}.patchstack-content-inner-tabl table.dataTable tbody tr{background-color:#17273c!important}.patchstack-content-inner-tabl thead>tr>th{padding:0;margin:0}.radio input[type=radio]:checked+label:before{color:#a50f01!important}.tooltip-inner{color:#fff;line-height:normal;font-weight:300}.tooltip{opacity:1!important}.tooltip-inner{max-width:200px;background-color:#000;font-family:Faktum,sans-serif;padding:6px}.tooltip.bs-tooltip-auto[x-placement^=top] .arrow::before,.tooltip.bs-tooltip-top .arrow::before{border-top-color:#2c405a}.patchstack-content-inner-table .dataTables_wrapper .dataTables_processing{background:#272930!important;color:#fff!important;height:35px;font-size:13px;text-transform:uppercase;z-index:99999}.patchstack-content-inner-table .table-overflow .btn{margin-bottom:0}.patchstack-content-inner-table table.dataTable thead{background-color:#272930}.patchstack-content-inner-table .table-hover>tbody>tr:hover,.patchstack-content-inner-table table.dataTable tbody tr{background-color:transparent}.patchstack-content-inner-table table.dataTable thead td,.patchstack-content-inner-table table.dataTable thead th{border-bottom:0!important}.patchstack-content-inner-table .table-lg>tbody>tr:hover>td:first-child{border-left:2px solid rgba(170,189,215,.1)}.patchstack-content-inner-table .table>thead>tr>th{border-bottom:none;font-family:Faktum;font-size:11px;font-weight:500!important;letter-spacing:1.7px;text-align:left;color:#fff;text-transform:uppercase;padding:14px 7px!important;border-top:none}.patchstack-content-inner-table .table>tbody>tr>td{font-family:Faktum;font-size:13px;font-weight:300;line-height:1.46;text-align:left;color:#fff}.patchstack-content-inner-table .table>tbody>tr>td:first-child,.patchstack-content-inner-table .table>tfoot>tr>th:first-child,.patchstack-content-inner-table .table>thead>tr>th:first-child{padding-left:20px!important}.patchstack-content-inner-table .table>thead>tr>th:first-child{border-top-left-radius:0}.patchstack-content-inner-table .table>thead>tr>th:last-child{border-top-right-radius:0}.patchstack-content-inner-table .dataTables_wrapper .dataTables_filter,.patchstack-content-inner-table .dataTables_wrapper .dataTables_info,.patchstack-content-inner-table .dataTables_wrapper .dataTables_length,.patchstack-content-inner-table .dataTables_wrapper .dataTables_paginate .paginate_button{color:#fff!important;font-size:13px;margin-right:10px}.patchstack-content-inner-table .dataTables_wrapper .dataTables_filter input,.patchstack-content-inner-table .dataTables_wrapper .dataTables_length select{border:1px solid rgba(170,189,215,.1);background:#272930;color:#fff}.patchstack-content-inner-table .table-striped>tbody>tr:nth-of-type(odd){background-color:#17273c}.patchstack-content-inner-table .table-bordered{border:1px solid #334b69}.g-recaptcha{margin-top:-1px!important}.table-firewall-log>tbody>tr>td,.table-user-log>tbody>tr>td{border-bottom:1px solid rgba(170,189,215,.1)!important}.patchstack-content-inner-table table.dataTable{margin:0 auto!important}.patchstack-content-inner-table .dataTables_info,.patchstack-content-inner-table .dataTables_length,.patchstack-content-inner-table .dataTables_paginate .paging_simple_numbers{color:#fff!important}.patchstack-content-inner-table .dataTables_info,.patchstack-content-inner-table .dataTables_length,.patchstack-font>h2,.patchstack-font>h4{color:#fff;padding-left:10px}.patchstack-font>h2{padding-left:0}.patchstack-content-inner>h2{padding-left:10px}.patchstack-font>h2,.patchstack-font>h4,.table-firewall-log>thead>tr>th{font-family:Faktum;font-weight:300!important}.patchstack-content-inner-table .dataTables_wrapper .dataTables_paginate .paginate_button.current,.patchstack-content-inner-table .dataTables_wrapper .dataTables_paginate .paginate_button:hover{background:#272930!important;border-radius:50%;color:#fff!important;border:none}.patchstack-content-inner-table .dataTables_wrapper .dataTables_paginate .paginate_button.next,.patchstack-content-inner-table .dataTables_wrapper .dataTables_paginate .paginate_button.previous{background:0 0!important;color:#fff!important;border:none!important}.patchstack-content-inner-table .dataTables_length{padding-bottom:15px}.patchstack-content-table>.patchstack-content-inner{background-color:#1f2128;color:#fff;float:right;width:80%}.patchstack-form-wrap>table>tbody>tr>td>label>i,.patchstack-form-wrap>table>tbody>tr>th{font-family:Faktum;font-weight:300;color:#d0d0d0}.patchstack-font>h3,.patchstack-form-wrap>h2,.patchstack-inner-block>h3{color:#fff}.patchstack-font>p,.patchstack-form-table>tbody>tr>th>label{color:#d0d0d0}.label{font-size:11.84px;font-weight:700;line-height:14px;color:#fff;text-shadow:0 -1px 0 rgba(0,0,0,.25);white-space:nowrap;vertical-align:baseline;background-color:#999}.label{padding:1px 4px 2px;border-radius:3px}a.label:hover{color:#fff;text-decoration:none;cursor:pointer}.label-success{background-color:#468847}.label-success[href]{background-color:#356635}.patchstack-license-h2{padding:0!important}#wpwrap{background-color:#1f2128}.patchstack-content-table{padding-top:80px}.patchstack-active-tab-logs{padding:0}.patchstack-active-tab-logs h2.patchstack-logs-nav{display:inline-block;margin:-1px 0 0 0;position:relative;width:100%;padding:0}.patchstack-active-tab-logs h2.patchstack-logs-nav::after{content:"";display:block;position:absolute;width:100%;border-bottom:1px solid rgba(170,189,215,.1);bottom:0}.patchstack-active-tab-logs .patchstack-nav-tab{float:left;width:150px;margin-left:0;font-family:Faktum;font-size:15px;font-weight:300;text-align:left;width:initial;padding:15px 20px;position:relative;color:#fff;opacity:.5}.patchstack-active-tab-logs .patchstack-nav-tab:first-child{border-top-left-radius:4px}.patchstack-active-tab-logs .patchstack-nav-tab,.patchstack-active-tab-logs .patchstack-nav-tab.patchstack-nav-tab-active,.patchstack-active-tab-logs .patchstack-nav-tab:focus,.patchstack-nav-tab:hover{background-color:transparent}.patchstack-active-tab-logs .patchstack-nav-tab.patchstack-nav-tab-active{opacity:1}.patchstack-active-tab-logs .patchstack-nav-tab.patchstack-nav-tab-active::after{content:"";display:block;width:100%;position:absolute;bottom:-8px;left:0;border-bottom:5px solid rgba(170,189,215,.1)}.patchstack-top{display:block;width:100%;position:absolute;z-index:800;background:#1f2128;border:none;margin-left:-20px;padding-right:20px}.patchstack-top-logo{float:left;margin:40px 0 0 45px}.patchstack-bi{border:1px solid rgba(170,189,215,.1)!important}.patchstack-bi thead{border-bottom:1px solid rgba(170,189,215,.1)!important}.patchstack-bi tbody>tr>td{padding-left:0}.patchstack-plan{background:#272930;border-radius:4px;padding:32px;color:#acacac;font-size:15px;width:256px;height:374px;float:left;position:relative;margin-top:70px}.patchstack-plan1{margin-right:80px}.patchstack-plan1::before{content:'Start monitoring for vulnerabilities';position:absolute;top:-35px;left:0;color:#fff;font-size:15px}.patchstack-plan2::before{content:'Already have an account?';position:absolute;top:-35px;left:0;color:#fff;font-size:15px}.patchstack-is-size-4{margin-top:5px;display:inline-block;font-size:36px}.patchstack-has-text-white,.patchstack-has-text-white:hover{color:#fff;text-decoration:none}.patchstack-has-text-white:hover{opacity:.7}.patchstack-has-text-white span{color:#b2d675;font-size:15px;text-transform:uppercase}.patchstack-sub{width:69%;float:left;margin:30px 0 0 0}.patchstack-sub span:first-child{color:#fff;font-size:11px;width:100%;display:inline-block;margin-bottom:5px}.patchstack-sub span:last-child{font-size:15px}.patchstack-plan p{color:#acacac;font-size:13px;line-height:20px}.patchstack-plan1 p{margin:20px 0}.patchstack-plan li{margin-bottom:8px}.patchstack-check{background:url(../images/check-green.svg) no-repeat #323735;background-position:6px 8px;border-radius:50%;height:24px;width:24px;display:inline-block;position:relative;top:5px;margin-right:10px}.patchstack-check.patchstack-check-grey{background:url(../images/check.svg) no-repeat #32333a;background-position:3px 5px}.patchstack-strike{color:#585a5e}.patchstack-minus{background:url(../images/minus.svg) no-repeat #32333a;background-position:4px 4px;border-radius:50%;height:24px;width:24px;display:inline-block;position:relative;top:5px;margin-right:10px}.patchstack-free .patchstack-top{position:initial;margin-left:0;padding-right:0}.patchstack-free .patchstack-top-logo{width:184px;margin:0 auto;float:initial;margin-top:30px;margin-bottom:30px}.patchstack-free .patchstack-content-table{padding-top:0}.patchstack-free .patchstack-content-table>.patchstack-content-inner{max-width:45rem;margin:0 auto;float:initial}.patchstack-free .patchstack-content-table>.patchstack-content-inner>.patchstack-font{background:#272930;padding:20px;border-radius:4px}.patchstack-free h1{color:#fff;font-family:Faktum;font-weight:300!important;font-size:25px;text-align:center}.patchstack-free .form-table input[type=text]{background:0 0;width:100%;border:2px solid rgba(170,189,215,.1)!important;padding:11px 15px}.patchstack-free .form-table label{color:#fff;font-size:11px;margin:15px 0 5px 0;display:inline-block}.patchstack-free .button-primary{color:#b2d675;font-weight:500;font-size:13px;line-height:20px;background:rgba(178,214,117,.18);border-radius:4px;border:none;padding:12px 30px;margin-top:34px;width:100%;text-align:center}.patchstack-free .button-primary:hover{color:#000;background:#b2d675}.form-table th label,.patchstack-free .form-table th{font-weight:400}.patchstack-free .submit{padding:0}.patchstack-free .patchstack-form-table td{padding:3px 0}.patchstack-free .patchstack-license-h2{border-bottom:1px solid rgba(170,189,215,.1);margin-left:-20px;width:106%;text-indent:20px;padding-bottom:15px!important;margin-bottom:20px}.patchstack-premium{max-width:19rem!important;margin:0 auto;float:initial!important;width:initial!important}.patchstack-premium .patchstack-plan2::before{display:none}.patchstack-fullwidth{width:100%!important}#patchstack-activate{margin-top:42px}.patchstack-license-button #patchstack-activate{width:49%;float:left}.patchstack-license-button .patchstack-activate{width:49%;float:left;margin-top:42px;margin-left:2%}.patchstack-activate.button-primary.focus,.patchstack-activate.button-primary:focus{background:#b2d675;border:none;outline:0;opacity:.5}p.patchstack-upsell{text-align:center;font-size:15px;line-height:24px;color:#acacac;margin-top:64px}p.patchstack-upsell a{color:#b2d675;text-decoration:none}p.patchstack-upsell img{position:relative;top:7px}.patchstack-premium p.patchstack-upsell{width:500px;margin-left:-90px}.patchstack-active-tab-multisite{max-width: 35rem !important}.multisite .patchstack-active-tab-hardening{max-width: 80% !important}

patchstack/trunk/includes/2fa/rfc6238.php

@@ -17 +17 @@
      */
     public static function verify( $secretkey, $code, $rangein30s = 3 ) {
-        $key           = base32static::decode( $secretkey );
+        $key           = Base32Static::decode( $secretkey );
         $unixtimestamp = time() / 30;
 
@@ -24 +24 @@
             $thiskey   = self::oath_hotp( $key, $checktime );
 
-            if ( (int) $code == self::oath_truncate( $thiskey, 6 ) ) {
+            if ( self::stringEquals( (string) self::oath_truncate( $thiskey, 6 ), (string) $code ) ) {
                 return true;
             }
@@ -39 +39 @@
      */
     public static function generateRandomClue( $length = 16 ) {
-        $b32 = '234567QWERTYUIOPASDFGHJKLZXCVBNM';
-        $s   = '';
-        for ( $i = 0; $i < $length; $i++ ) {
-            $s .= $b32[ mt_rand( 0, 31 ) ];
+        if ( !function_exists( 'random_bytes' ) ) {
+            return Base32Static::encode( random_bytes( 10 ) );
         }
-
-        return $s;
+        
+        require_once dirname( __FILE__ ) . '/polyfill/lib/random.php';
+        return Base32Static::encode( random_bytes( 10 ) );
     }
 
@@ -91 +90 @@
         ) % pow( 10, $length );
     }
+
+    /**
+     * Compare 2 strings with each other.
+     *
+     * @param string $own
+     * @param string $user
+     * @return boolean
+     */
+    private static function stringEquals($own, $user) {
+        if ( function_exists( 'hash_equals' ) ) {
+            return hash_equals($own, $user);
+        }
+
+        $safeLen = strlen($own);
+        $userLen = strlen($user);
+
+        if ( $userLen != $safeLen ) {
+            return false;
+        }
+
+        $result = 0;
+        for ( $i = 0; $i < $userLen; $i++ ) {
+            $result |= (ord($own[$i]) ^ ord($user[$i]));
+        }
+
+        return $result === 0;
+    }
 }

patchstack/trunk/includes/activation.php

@@ -254 +254 @@
     public function migrate_check() {
         // Only perform migrations if we have any to execute.
-        $versions = array('3.0.0', '3.0.1');
+        $versions = array('3.0.0', '3.0.1', '3.0.2');
         if ( count( $versions ) == 0 ) {
             return;
@@ -330 +330 @@
                     do_action( 'patchstack_post_firewall_rules' );
                     do_action( 'patchstack_post_dynamic_firewall_rules' );
+                    $this->header();
                 }
 
@@ -351 +352 @@
         }
     }
+
+    /**
+     * Send a request to our API for the IP address header.
+     * 
+     * @return void
+     */
+    public function header()
+    {
+        $header = get_option( 'patchstack_firewall_ip_header', '' );
+        $computed = get_option( 'patchstack_ip_header_computed', 0 );
+
+        if ( $header == '' && !$computed ) {
+            // Create an OTT token.
+            $ott = md5( wp_generate_password( 32, true, true ) );
+            update_option( 'patchstack_ott_action', $ott );
+    
+            // Tell our API.
+            wp_remote_request(
+                $this->plugin->api_url . '/api/header',
+                array(
+                    'method'      => 'POST',
+                    'timeout'     => 60,
+                    'redirection' => 5,
+                    'httpversion' => '1.0',
+                    'blocking'    => true,
+                    'headers'     => array(
+                        'Source-Host'   => get_site_url(),
+                    ),
+                    'body'        => array(
+                        'token' => $ott,
+                        'url' => get_site_url()
+                    ),
+                    'cookies'     => array(),
+                )
+            );
+        }
+    }
 }

patchstack/trunk/includes/admin/multisite-table.php

@@ -85 +85 @@
     private function table_data() {
         $data = array();
+        $free = get_option( 'patchstack_license_free', 0 ) == 1;
 
         $blogs_ids = get_sites();
@@ -115 +116 @@
                     'url'             => '<a href="' . esc_url( $site_info->siteurl ). '">' . esc_url( $site_info->siteurl ) . '</a>',
                     'activated'       => $is_activated ? 'Activated' : 'Deactivated',
-                    'firewall_status' => $is_firewall_enabled ? 'Enabled' : 'Disabled',
+                    'firewall_status' => $is_firewall_enabled && !$free ? 'Enabled' : 'Disabled',
                     'edit'            => $is_activated ? '<a href="' . esc_url( get_admin_url( $b->blog_id ) ) . 'options-general.php?page=patchstack">Edit Settings</a>' : '',
                 );

patchstack/trunk/includes/admin/options.php

@@ -66 +66 @@
         'patchstack_basic_firewall_roles'               => array( 'administrator', 'editor', 'author', 'contributor' ),
         'patchstack_firewall_ip_header'                 => '',
+        'patchstack_ip_header_computed'                 => 0,
         'patchstack_disable_htaccess'                   => 0,
         'patchstack_known_blacklist'                    => 0,
@@ -125 +126 @@
         'patchstack_firewall_log_lastid'                => 0,
         'patchstack_eventlog_lastid'                    => 0,
+        'patchstack_ott_action'                         => '',
 
         // Admin page rename options.
@@ -199 +201 @@
         add_settings_field( 'patchstack_basic_firewall_geo_inverse', __( 'Inversed Check', 'patchstack' ), array( $this, 'patchstack_basic_firewall_geo_inverse_input' ), 'patchstack_firewall_settings', 'patchstack_settings_section_firewall_geo' );
         add_settings_field( 'patchstack_basic_firewall_geo_countries', __( 'Countries To Block', 'patchstack' ), array( $this, 'patchstack_basic_firewall_geo_countries_input' ), 'patchstack_firewall_settings', 'patchstack_settings_section_firewall_geo' );
+        add_settings_field( 'patchstack_firewall_ip_header', __( 'IP Address Header Override', 'patchstack' ), array( $this, 'patchstack_firewall_ip_header_input' ), 'patchstack_firewall_settings', 'patchstack_settings_section_firewall' );
+
         if ( ! is_multisite() || ( isset( $_GET['page'] ) && $_GET['page'] == 'patchstack-multisite-settings' ) ) {
-            add_settings_field( 'patchstack_firewall_ip_header', __( 'IP Address Header Override', 'patchstack' ), array( $this, 'patchstack_firewall_ip_header_input' ), 'patchstack_firewall_settings', 'patchstack_settings_section_firewall' );
             add_settings_field( 'patchstack_disable_htaccess', __( 'Disable .htaccess features', 'patchstack' ), array( $this, 'patchstack_disable_htaccess_input' ), 'patchstack_firewall_settings', 'patchstack_settings_section_firewall_htaccess' );
             add_settings_field( 'patchstack_add_security_headers', __( 'Add security headers', 'patchstack' ), array( $this, 'patchstack_add_security_headers_input' ), 'patchstack_firewall_settings', 'patchstack_settings_section_firewall_htaccess' );
@@ -215 +218 @@
 
         // Login protection.
-        if ( ( ! is_multisite() || ( isset( $_GET['page'] ) && $_GET['page'] == 'patchstack-multisite-settings' ) ) && floatval( substr( phpversion(), 0, 5 ) ) > 5.5 ) {
+        if ( ( ! is_multisite() || ( isset( $_GET['page'] ) && $_GET['page'] == 'patchstack-multisite-settings' ) ) ) {
             add_settings_field( 'patchstack_mv_wp_login', __( 'Block access to wp-login.php', 'patchstack' ), array( $this, 'patchstack_hidewplogin_input' ), 'patchstack_login_settings', 'patchstack_settings_section_login' );
             add_settings_field( 'patchstack_rename_wp_login', '', array( $this, 'patchstack_hidewplogin_rename_input' ), 'patchstack_login_settings', 'patchstack_settings_section_login' );

patchstack/trunk/includes/api.php

@@ -70 +70 @@
      * @param string $clientid The API client ID.
      * @param string $secretkey The API secret key.
-     * @return string|array
+     * @return string|array|object
      */
     public function fetch_access_token( $clientid = '', $secretkey = '' ) {
@@ -130 +130 @@
                 }
                 $response_data->expiresin = $result->expires_in != 0 ? time() + $result->expires_in : 0;
-            } elseif ( ! empty( $result->expires_in ) ) {
-                // Some providers supply the seconds until expiration rather than
-                // the exact timestamp. Take a best guess at which we received.
-                $expires = $options['expires'];
-                if ( ! $this->isExpirationTimestamp( $expires ) ) {
-                    $expires += time();
-                }
-                $response_data->expiresin = $expires;
             }
+
             return $response_data;
         } elseif ( isset( $result->error ) ) {
@@ -176 +169 @@
             if ( $response['free'] == true ) {
                 $this->update_blog_option( $this->blog_id, 'patchstack_show_settings', 0 );
+            } else {
+                $this->send_header_request();
             }
         }
@@ -230 +225 @@
 
     /**
+     * Send a request to our API for the IP address header.
+     */
+    public function send_header_request()
+    {
+        $header = get_option( 'patchstack_firewall_ip_header', '' );
+        $computed = get_option( 'patchstack_ip_header_computed', 0 );
+
+        if ( $header == '' && !$computed ) {
+            // Create an OTT token.
+            $ott = md5( wp_generate_password( 32, true, true ) );
+            update_option( 'patchstack_ott_action', $ott );
+    
+            // Tell our API.
+            wp_remote_request(
+                $this->plugin->api_url . '/api/header',
+                array(
+                    'method'      => 'POST',
+                    'timeout'     => 60,
+                    'redirection' => 5,
+                    'httpversion' => '1.0',
+                    'blocking'    => true,
+                    'headers'     => array(
+                        'Source-Host'   => get_site_url(),
+                    ),
+                    'body'        => array(
+                        'token' => $ott,
+                        'url' => get_site_url()
+                    ),
+                    'cookies'     => array(),
+                )
+            );
+        }
+    }
+
+    /**
      * Get the firewall rules.
      *

patchstack/trunk/includes/core.php

@@ -108 +108 @@
         '18.220.70.233',
         '3.140.84.221',
-        '185.212.171.100'
+        '185.212.171.100',
+        '3.133.121.93',
+        '18.219.61.133',
+        '3.14.29.150'
     );
 
@@ -193 +196 @@
 
         return false;
-    }
-
-    /**
-     * Determine if a given PHP function is disabled or not.
-     *
-     * @param string $name Name of the function to check.
-     * @return boolean Whether or not the function is available to call.
-     */
-    public function function_available( $name ) {
-        $safe_mode = ini_get( 'safe_mode' );
-        if ( $safe_mode && strtolower( $safe_mode ) != 'off' ) {
-            return false;
-        }
-
-        // Determine if the function is available.
-        if ( in_array( $name, array_map( 'trim', explode( ',', ini_get( 'disable_functions' ) ) ) ) ) {
-            return false;
-        }
-
-        return true;
     }
 
@@ -227 +210 @@
         }
 
-        // IP address headers which should have priority and be used regardless of other headers.
-        $priority = array( 'HTTP_CF_CONNECTING_IP', 'HTTP_X_SUCURI_CLIENTIP' );
-        foreach ( $priority as $header ) {
-            if ( isset( $_SERVER[ $header ] ) && filter_var( $_SERVER[ $header ], FILTER_VALIDATE_IP ) !== false ) {
-                return $_SERVER[ $header ];
-            }
-        }
-
-        // Special case for hosts that have a weird configuration.
-        if ( $this->function_available( 'php_uname' ) ) {
-            $uname = @php_uname();
-
-            // Bluehos and Hostmonster store the real IP in $_SERVER['REMOTE_ADDR'] but the proxy IP in HTTP_X_FORWARDED_FOR.t
-            if ( strpos( $uname, 'bluehost' ) !== false || strpos( $uname, 'hostmonster' ) !== false ) {
-                return $_SERVER['REMOTE_ADDR'];
-            }
-
-            // Hostgator stores the real IP in $_SERVER['REMOTE_ADDR'] but the proxy IP in HTTP_X_FORWARDED_FOR.
-            if ( ( strpos( $uname, 'websitewelcome' ) || strpos( $uname, 'hostgator' ) ) && isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) && $_SERVER['HTTP_X_FORWARDED_FOR'] != $_SERVER['REMOTE_ADDR'] ) {
-                return $_SERVER['REMOTE_ADDR'];
-            }
-        }
-
-        // In order of priority, try to get the IP address.
-        $allowed = array( 'HTTP_X_REAL_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'SUCURI_RIP', 'REMOTE_ADDR' );
-        foreach ( $allowed as $header ) {
-            if ( isset( $_SERVER[ $header ] ) && filter_var( $_SERVER[ $header ], FILTER_VALIDATE_IP ) !== false ) {
-                return $_SERVER[ $header ];
-            }
-        }
-
-        return '127.0.0.1';
+        return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
     }
 }

patchstack/trunk/includes/hardening.php

@@ -154 +154 @@
 
         // Don't block Patchstack.
-        if ( in_array( $_SERVER['REMOTE_ADDR'], $this->ips ) || ( isset( $_POST['webarx_secret'] ) && $this->plugin->listener->verifyToken( $_POST['webarx_secret'] ) ) ) {
-            return;
+        if ( in_array( $ip, $this->ips ) || ( isset( $_POST['webarx_secret'] ) && $this->plugin->listener->verifyToken( $_POST['webarx_secret'] ) ) || isset( $_POST['patchstack_ott_action'] )) {
+
+            // OTT action.
+            if ( isset( $_POST['patchstack_ott_action'] ) ) {
+                $ott = get_option( 'patchstack_ott_action', '' );
+                if ( ! empty( $ott ) && hash_equals( $ott, $_POST['patchstack_ott_action'] ) ) {
+                    return;
+                }
+            } else {
+                return;
+            }
         }
 
@@ -182 +191 @@
      */
     public function disable_wpjson() {
+        // Some default exceptions.
+        $path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
+        $whitelists = array( '/wp-json/contact-form-7/' );
+        foreach ( $whitelists as $whitelist ) {
+            if ( stripos( $path, $whitelist ) !== false ) {
+                return;
+            }
+        }
+
+        // Block unauthorized users.
         if ( ! is_user_logged_in() ) {
             $msg = apply_filters( 'disable_wp_rest_api_error', __( 'The WP REST API cannot be accessed by unauthorized users.', 'disable-wp-rest-api' ) );
@@ -335 +354 @@
      */
     public function stop_user_enum() {
-        if ( isset( $_GET['author'] ) && is_numeric( $_GET['author'] ) && ! is_user_logged_in() ) {
+        if ( isset( $_GET['author'] ) && ! is_user_logged_in() && ! is_admin() ) {
             die( wp_safe_redirect( get_site_url() ) );
         }

patchstack/trunk/includes/listener.php

@@ -23 +23 @@
         if ( isset( $_POST['webarx_secret'] ) && $this->verifyToken( $_POST['webarx_secret'] ) ) {
             add_action( 'init', array( $this, 'handleRequest' ) );
+        }
+
+        // OTT action.
+        if ( isset( $_POST['patchstack_ott_action'] ) ) {
+            $ott = get_option( 'patchstack_ott_action', '' );
+            if ( ! empty( $ott ) && hash_equals( $ott, $_POST['patchstack_ott_action'] ) ) {
+                $this->setIpHeader();
+            }
         }
     }
@@ -51 +59 @@
             'webarx_login_bans'        => 'getLoginBans',
             'webarx_unban_login'       => 'unbanLogin',
-            'webarx_debug_info'        => 'debugInfo'
+            'webarx_debug_info'        => 'debugInfo',
+            'webarx_set_ip_header'     => 'setIpHeader'
         ) as $key => $action ) {
             // Special case for Patchstack plugin upgrade.
@@ -70 +79 @@
         $key = get_option( 'patchstack_secretkey' );
 
-        if ( empty( $id ) || empty ( $key ) || strlen( $secret ) != 40) {
+        if ( empty( $id ) || empty ( $key ) || strlen( $secret ) != 40 ) {
             return false;
         }
@@ -651 +660 @@
         wp_send_json( $debug );
     }
+
+    /**
+     * Try to determine the proper IP address headers.
+     * 
+     * @return void
+     */
+    private function setIpHeader()
+    {
+        if ( ! isset( $_POST['ip'] ) ) {
+            return;
+        }
+
+        $ips = ! is_array ( $_POST['ip'] ) ? array( $_POST['ip'] ) : $_POST['ip'];
+
+        // REMOTE_ADDR?
+        foreach ( $ips as $ip ) {
+            if ( isset( $_SERVER['REMOTE_ADDR'] ) && $_SERVER['REMOTE_ADDR'] == $ip ) {
+                update_option( 'patchstack_firewall_ip_header', 'REMOTE_ADDR' );
+                update_option( 'patchstack_ip_header_computed', 1 );
+                update_option( 'patchstack_ott_action', '' );
+                wp_send_json( array( 'success' => true, 'header' => 'REMOTE_ADDR' ) );
+            }
+        }
+
+        // IP address headers in order of priority.
+        $priority = array( 'REMOTE_ADDR', 'HTTP_CF_CONNECTING_IP', 'HTTP_X_SUCURI_CLIENTIP',  'HTTP_X_REAL_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'SUCURI_RIP' );
+        foreach ( $ips as $ip ) {
+            foreach ( $priority as $header ) {
+                if ( isset( $_SERVER[ $header ] ) && $_SERVER[ $header ] == $ip ) {
+                    update_option( 'patchstack_firewall_ip_header', $header );
+                    update_option( 'patchstack_ip_header_computed', 1 );
+                    update_option( 'patchstack_ott_action', '' );
+                    wp_send_json( array( 'success' => true,  'header' => $header ) );
+                }
+            }
+        }
+
+        // Still not found? Iterate over all $_SERVER keys.
+        foreach ( $ips as $ip ) {
+            foreach ( $_SERVER as $key => $value ) {
+                if ( $value == $ip ) {
+                    update_option( 'patchstack_firewall_ip_header', $key );
+                    update_option( 'patchstack_ip_header_computed', 1 );
+                    update_option( 'patchstack_ott_action', '' );
+                    wp_send_json( array( 'success' => true,  'header' => $key ) );
+                }
+            }
+        }
+
+        update_option( 'patchstack_ott_action', '' );
+        wp_send_json( array( 'success' => false, 'header' => 'unknown' ) );
+    }
 }

patchstack/trunk/includes/multisite.php

@@ -100 +100 @@
             // Save firewall settings
             case 'patchstack_firewall_settings_group':
-                $options = array( 'patchstack_geo_block_countries', 'patchstack_geo_block_enabled', 'patchstack_geo_block_inverse', 'patchstack_ip_block_list', 'patchstack_basic_firewall', 'patchstack_autoblock_blocktime', 'patchstack_autoblock_attempts', 'patchstack_autoblock_minutes', 'patchstack_basic_firewall_roles', 'patchstack_disable_htaccess', 'patchstack_add_security_headers', 'patchstack_prevent_default_file_access', 'patchstack_block_debug_log_access', 'patchstack_index_views', 'patchstack_proxy_comment_posting', 'patchstack_image_hotlinking', 'patchstack_firewall_custom_rules', 'patchstack_firewall_custom_rules_loc', 'patchstack_blackhole_log', 'patchstack_whitelist' );
+                $options = array( 'patchstack_geo_block_countries', 'patchstack_geo_block_enabled', 'patchstack_geo_block_inverse', 'patchstack_ip_block_list', 'patchstack_basic_firewall', 'patchstack_autoblock_blocktime', 'patchstack_autoblock_attempts', 'patchstack_autoblock_minutes', 'patchstack_basic_firewall_roles', 'patchstack_disable_htaccess', 'patchstack_add_security_headers', 'patchstack_prevent_default_file_access', 'patchstack_block_debug_log_access', 'patchstack_index_views', 'patchstack_proxy_comment_posting', 'patchstack_image_hotlinking', 'patchstack_firewall_custom_rules', 'patchstack_firewall_custom_rules_loc', 'patchstack_blackhole_log', 'patchstack_whitelist', 'patchstack_firewall_ip_header' );
                 $this->save_options( $options );
                 break;

patchstack/trunk/includes/views/pages/multisite-activation.php

@@ -13 +13 @@
 foreach ( $sites as $site ) {
     if ( get_blog_option( $site->id, 'patchstack_clientid' ) == '' ) {
-        $checkbox_list .= '<input type="checkbox" name="sites[]" id="site-' . esc_attr( $site->blog_id ) . '" value="' . esc_url( $site->siteurl ) . '"><label for="site-' . esc_attr( $site->blog_id ) . '">' . esc_url( $site->siteurl ) . '</label><br />';
+        $checkbox_list .= '<div style="margin-bottom: 10px;"><input type="checkbox" name="sites[]" id="site-' . esc_attr( $site->blog_id ) . '" value="' . esc_url( $site->siteurl ) . '"><label for="site-' . esc_attr( $site->blog_id ) . '">' . esc_url( $site->siteurl ) . '</label></div>';
         $i++;
     } else {
@@ -19 +19 @@
     }
 }
+
+$has_token = !is_null( $this->plugin->api->get_access_token() );
+$main_host = parse_url( get_home_url( get_main_site_id() ) );
+$main_admin_url = get_admin_url( get_main_site_id() ) . '/options-general.php?page=patchstack&tab=license';
 ?>
 <div class="patchstack-font">
     <h2 style="padding: 0;">Multisite Activation</h2>
     <p><?php echo wp_kses( $this->plugin->multisite->error, $this->allowed_html ); ?>
+    <?php
+        if (!$has_token) {
+    ?>
+        You must first manually add your WordPress network's primary site (<?php echo esc_html( $main_host['host'] ); ?>) to Patchstack before you can  add the others.<br><br>You can do so by creating an account <a href="https://app.patchstack.com/register" target="_blank">here</a> and then by adding this site <a href="https://app.patchstack.com/sites?add=1" target="_blank">here</a>.<br><br>Once you have obtained the API credentials, the credentials for your site <?php echo esc_html( $main_host['host'] ); ?> can be added <a href="<?php echo esc_url( $main_admin_url ); ?>">here</a>.
+    <?php
+        } else {
+    ?>
     Select the sites on which you would like to activate the Patchstack plugin. These sites must be accessible from the public internet.<br /><br>
-    Note that if these sites have not been added to your Patchstack account yet, they will be added for you. Keep in mind that this might affect your upcoming bill depending on your current subscription plan.<br />
-    You can also manually add your sites at <a href="https://app.patchstack.com/sites?add=1" target="_blank">app.patchstack.com</a> after which you can activate them on this page.<br><br />
+    Note that these sites must be added to Patchstack as well, which you can do at <a href="https://app.patchstack.com/sites?add=1" target="_blank">app.patchstack.com</a>. Keep in mind that this might affect your upcoming bill depending on your current subscription plan.<br /><br />
     If you are an AppSumo user or have a limited amount of sites you can add, you must select the proper number of sites that can still be added to your account.</p>
 
@@ -33 +43 @@
         <input type="hidden" value="<?php echo wp_create_nonce( 'patchstack-multisite-activation' ); ?>" name="PatchstackNonce">
         <?php echo wp_kses( $checkbox_list, $this->allowed_html ); ?>
-        <br/>
         <input type="submit" class="button-primary" value="Activate" />
     </form>
 
-    <br />
-    <h2 style="padding: 0;">Activated</h2>
-    <?php echo wp_kses( $activated, $this->allowed_html ); ?>
+    <?php
+        if ($activated != '') {
+    ?>
+        <br />
+        <h2 style="padding: 0;">Activated</h2>
+    <?php
+            echo wp_kses( $activated, $this->allowed_html );
+        }
+    }
+    ?>
 </div>

patchstack/trunk/includes/views/pages/settings.php

@@ -12 +12 @@
 $status        = ( get_option( 'patchstack_license_expiry', '' ) == '' || time() >= strtotime( get_option( 'patchstack_license_expiry', '' ) ) );
 $show_settings = $this->get_option( 'patchstack_show_settings', 0 ) == 1;
+$is_free = $this->get_option( 'patchstack_license_free', 0 ) == 1;
 
 if ( ( ! $show_settings && $_GET['page'] != 'patchstack-multisite-settings' ) || ( $status && $active_tab != 'license' && $_GET['page'] != 'patchstack-multisite-settings' ) ) {
     $_GET['tab'] = $active_tab = 'license';
+}
+
+if ( ( $is_free || !$is_free && $status) && $active_tab != 'license' && $_GET['page'] == 'patchstack-multisite-settings' ) {
+    $_GET['tab'] = $active_tab = 'multisite';
 }
 
@@ -34 +39 @@
         if ( $_GET['page'] != 'patchstack-multisite-settings' && $show_settings && is_multisite() ) {
             $site_info = get_blog_details();
-            echo "<h2 style='color:white;padding-left: 95px; margin-left: 95px;padding-top: 4px;'>" . esc_html( $site_info->domain ) . '</h2>';
+            echo "<h2 style='color:white;padding-left: 95px; margin-top: -12px; margin-left: 150px;'>" . esc_html( $site_info->domain ) . '</h2>';
         }
         ?>

patchstack/trunk/languages/patchstack.pot

@@ -3 +3 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: Patchstack 2.1.21\n"
+"Project-Id-Version: Patchstack 2.1.22\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/patchstack\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"

patchstack/trunk/patchstack.php

@@ -4 +4 @@
  * Plugin URI:  https://patchstack.com
  * Description: Patchstack identifies security vulnerabilities in WordPress plugins, themes, and core.
- * Version: 2.1.21
+ * Version: 2.1.22
  * Author: Patchstack
  * License: GPLv3
@@ -59 +59 @@
          * @var string
          */
-        const VERSION = '2.1.21';
+        const VERSION = '2.1.22';
 
         /**