Changeset 3410794

Timestamp:

12/04/2025 11:28:25 AM (9 days ago)

Author:

ignatggeorgiev

Message:

Bump to 1.5.8

Location:

sg-security/trunk

Files:

• core/Activity_Log/Activity_Log.php (modified) (1 diff)
• core/Custom_Login_Url/Custom_Login_Url.php (modified) (16 diffs)
• core/Loader/Loader.php (modified) (1 diff)
• core/Login_Service/Login_Service.php (modified) (1 diff)
• readme.txt (modified) (2 diffs)
• sg-security.php (modified) (2 diffs)

sg-security/trunk/core/Activity_Log/Activity_Log.php

@@ -178 +178 @@
             1 === Helper_Service::is_cron_disabled()
         ) {
+            if ( ! current_user_can( 'manage_options' ) ) {
+                wp_die(
+                    esc_html__( 'You don’t have access to this page. Please contact the administrator of this website for further assistance.', 'sg-security' ),
+                    esc_html__( 'Restricted access', 'sg-security' ),
+                    array(
+                        'sgs_error' => true,
+                        'response'  => 403,
+                    )
+                );
+            }
+
             $this->delete_old_activity_logs();
         }

sg-security/trunk/core/Custom_Login_Url/Custom_Login_Url.php

@@ -25 +25 @@
      */
     private $options = array();
+
+    /**
+     * Flag for the ultimate-member plugin forms.
+     *
+     * @var boolean
+     */
+    private $um_form_detected_error = false;
 
     /**
@@ -41 +48 @@
 
     /**
-     * Change the site url to include the custom login url token,
+     * Change the site URL to include the custom login URL token,
      *
      * @param string $url  The URL to be filtered.
@@ -54 +61 @@
         $path = Helper::get_url_path( $path ); //phpcs:ignore
 
-        preg_match( '~^(.*)\/(wp-login.php)(?:.*)?[\?|&]action=(.*?)(?:\?|&|$)~', $path, $matches );
-
-        if ( empty( $matches[2] ) ) {
+        if ( strpos( $path, 'wp-login.php' ) === false ) {
             return $url;
         }
 
-        if ( empty( $matches[3] ) ) {
-            return $url;
-        }
-
-        switch ( $matches[3] ) {
-            case 'postpass':
-                return $url;
-            case 'register':
-                $token = 'register';
-                break;
-            case 'rp':
-                $token = 'login';
-                return $url;
-        }
-
-        // Add the token to the url if not empty.
+        if ( preg_match( '~[\?&]action=([^&]*)~', $path, $matches ) ) {
+            switch ( $matches[1] ) {
+                case 'postpass':
+                    return $url;
+                case 'register':
+                    $token = 'register';
+                    break;
+                case 'rp':
+                    return $url;
+            }
+        } else if (
+            isset( $_GET[ $this->token ] ) &&
+            $_GET[ $this->token ] === $this->options['new_slug']
+        ) {
+            $token = $this->options['new_slug'];
+        }
+
+        // Add the token to the URL if not empty.
         if ( empty( $token ) ) {
             return $url;
         }
 
-        // Return the url.
+        // Return the URL.
         return add_query_arg( $this->token, urlencode( $token ), $url );
     }
@@ -103 +110 @@
      */
     public function handle_request() {
+
         // Get the path.
         $path = Helper::get_url_path( $_SERVER['REQUEST_URI'] ); //phpcs:ignore
@@ -110 +118 @@
         }
 
+        // Check if we are redirected to the login page, by the LogIn button on the registration page.
+        if (
+            $this->is_valid( 'login' ) &&
+            isset( $_SERVER['HTTP_REFERER'] ) &&
+            false !== strpos( $_SERVER['HTTP_REFERER'], 'register' ) &&
+            false !== strpos( $path, 'wp-login.php' )
+        ) {
+            $this->redirect_with_token( 'login', 'wp-login.php' );
+        }
+
+        // Check if we are redirected to the registration page, by the Register button on the login page.
+        if (
+            $this->is_valid( 'login' ) &&
+            isset( $_SERVER['HTTP_REFERER'] ) &&
+            false !== strpos( $_SERVER['HTTP_REFERER'], $this->options['new_slug'] ) &&
+            isset( $_GET['action'] ) && 'register' === $_GET['action']
+        ) {
+            $this->handle_registration();
+        }
+
         if ( false !== strpos( $path, 'wp-login' ) || false !== strpos( $path, 'wp-login.php' ) ) {
             $this->handle_login();
@@ -117 +145 @@
             $this->handle_registration();
         }
-
     }
 
@@ -139 +166 @@
 
     /**
-     * Adds a token and redirect to the url.
+     * Adds a token and redirect to the URL.
      *
      * @since  1.1.0
@@ -155 +182 @@
 
         $url = add_query_arg( $query_vars, site_url( $path ) );
+
+        // Get the current URL.
+        $current_url = ( isset( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http' ) . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
+
+        // Prevent redirect loop by checking if the current URL matches the redirect URL.
+        if ( true === $this->compare_urls( $url, $current_url ) ) {
+            return;
+        }
 
         wp_redirect( $url );
@@ -196 +231 @@
 
         if ( 'jetpack-sso' === $action && has_filter( 'login_form_jetpack-sso' ) ) {
-            // Jetpack's SSO redirects from wordpress.com to wp-login.php on the site. Only allow this process to
+            // Jetpack's SSO redirects from WordPress.com to wp-login.php on the site. Only allow this process to
             // continue if they successfully log in, which should happen by login_init in Jetpack which happens just
             // before this action fires.
@@ -293 +328 @@
 
     /**
-     * Handle regostration request.
+     * Handle registration request.
      *
      * @since  1.1.0
@@ -344 +379 @@
      */
     public function show_notices() {
-        // Bail if we shold not show the notice.
+        // Bail if we should not show the notice.
         if ( empty( get_option( 'sg_security_show_signup_notice', false ) ) ) {
             return;
@@ -391 +426 @@
 
     /**
-     * Adds the login token to the confirmation url.
+     * Adds the login token to the confirmation URL.
      *
      * @since  1.1.1
@@ -409 +444 @@
         }
 
-        // Add the login token to the GDPR confirmation url.
+        // Add the login token to the GDPR confirmation URL.
         $confirm_url = add_query_arg(
             $this->token,
@@ -451 +486 @@
      * @since 1.3.3
      *
-     * @param  \WP_User $user      \WP_User object of the user that is trying to login.
+     * @param  \WP_User |\WP_Error $user      \WP_User object of the user that is trying to login or \WP_Error object if a previous callback failed * authentication.
      * @return \WP_Error|\WP_User  If successful, the original \WP_User object, otherwise a \WP_Error object.
      */
     public function maybe_block_custom_login( $user ) {
-        // Check if the referer slug is set.
+        // Check if the referrer slug is set.
         if ( ! isset( $_SERVER['HTTP_REFERER'] ) ) {
+            return $user;
+        }
+
+        // Check if $user is a WP_Error object.
+        if ( is_wp_error( $user ) ) {
+            return $user;
+        }
+
+        // Check if the ultimate member plugin form has errors.
+        if ( true === $this->um_form_detected_error ) {
             return $user;
         }
@@ -470 +515 @@
         }
 
-        // Get referer parts by parsing its url.
+        // Get referrer parts by parsing its URL.
         $referer = str_replace(
             array( home_url(), '/' ),
@@ -500 +545 @@
         return $error;
     }
+
+    /**
+     * Adds our 'maybe_block_custom_login' error message, in the Ultimate Member plugin's errors filter.
+     *
+     * @param $err_codes Custom error codes array on the ultimate members plugin forms.
+     *
+     * @return $err_codes The updated error codes array.
+     */
+    public function add_um_form_error_code( $err_codes ) {
+        // Adds our error message code.
+        $err_codes[] = 'authentication_failed';
+
+        return $err_codes;
+    }
+
+    /**
+     * Sets the flag, if the ultimate member plugin find error on their forms.
+     *
+     * @param  $error The error message.
+     *
+     * @param  $key The error code.
+     *
+     * @return $error The error message.
+     */
+    public function set_um_form_flag( $error, $key ) {
+        // Check if the UM form has detected and error.
+        if ( $key ) {
+            $this->um_form_detected_error = true;
+        }
+
+        return $error;
+    }
+
+    /**
+     * Adds the 'sgs-token' query string after language change.
+     */
+    public function add_sgs_token_to_language_switcher() {
+        // Check if the language of the login/register pages is getting changed.
+        if (
+            $this->is_valid( 'login' ) &&
+            isset( $_SERVER['HTTP_REFERER'] ) &&
+            (
+                false !== strpos( $_SERVER['HTTP_REFERER'], $this->options['new_slug'] ) ||
+                false !== strpos( $_SERVER['HTTP_REFERER'], $this->options['register'] )
+            ) &&
+            isset( $_GET['wp_lang'] )
+        ) {
+
+            // Get the current URL.
+            $current_url = ( isset( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http' ) . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
+
+            $parsed_url = wp_parse_url( $current_url );
+
+            // Extract query parameters from the URL.
+            $query_params = array();
+            if ( isset( $parsed_url['query'] ) ) {
+                parse_str( $parsed_url['query'], $query_params );
+            }
+
+            // Determine which SGS token to add. Preset it to 'register'.
+            $query_params['sgs-token'] = $this->options['register'];
+
+            if ( false !== strpos( $_SERVER['HTTP_REFERER'], $this->options['new_slug'] ) ) {
+                $query_params['sgs-token'] = $this->options['new_slug'];
+            }
+
+            // Sanitize all query parameters.
+            foreach ( $query_params as $key => $value ) {
+                $query_params[ $key ] = sanitize_text_field( $value );
+            }
+
+            // Build the URL with all the parameters.
+            $redirect_url = add_query_arg( $query_params, site_url( 'wp-login.php' ) );
+
+            // Prevent redirect loop by checking if the current URL matches the redirect URL.
+            if ( true === $this->compare_urls( $current_url, $redirect_url ) ) {
+                return;
+            }
+
+            wp_safe_redirect( $redirect_url );
+            exit;
+        }
+    }
+
+    /**
+     * Compare two URLs if they are basically the same.
+     *
+     * @param $current_url First URL to compare.
+     *
+     * @param $redirect_url Second URL to compare.
+     *
+     * @return boolean True if the URLs are the same. False if they are different.
+     */
+    public function compare_urls( $current_url, $redirect_url ) {
+        // Parse the URLs
+        $current_url = parse_url( $current_url );
+        $redirect_url = parse_url( $redirect_url );
+
+        // Check if both URLs have the same domain.
+        if ( $current_url['host'] !== $redirect_url['host'] ) {
+            return false;
+        }
+
+        // Ensure both URLs include "wp-login.php" in the path.
+        if ( false === strpos( $current_url['path'], 'wp-login.php' ) || false === strpos( $redirect_url['path'], 'wp-login.php' ) ) {
+            return false;
+        }
+
+        // Parse query strings into arrays for comparison.
+        parse_str( $current_url['query'], $current_url_params );
+        parse_str( $redirect_url['query'], $redirect_url_params );
+
+        // Compare the total number of query parameters.
+        if ( count( $current_url_params ) !== count( $redirect_url_params ) ) {
+            return false;
+        }
+
+        // If a key is missing or a value is different, URLs are not equal.
+        foreach ( $current_url_params as $query_key => $query_value ) {
+            if (
+                    ! array_key_exists( $query_key, $redirect_url_params ) ||
+                    $redirect_url_params[ $query_key ] !== $query_value
+                ) {
+                return false;
+            }
+        }
+
+        return true;
+    }
 }

sg-security/trunk/core/Loader/Loader.php

@@ -292 +292 @@
         add_filter( 'wpdiscuz_login_link', array( $this->custom_login_url, 'custom_login_for_wpdiscuz' ) );
         add_action( 'wp_authenticate_user', array( $this->custom_login_url, 'maybe_block_custom_login' ) );
+        add_action( 'login_init', array( $this->custom_login_url, 'add_sgs_token_to_language_switcher' ) );
+        add_filter( 'um_custom_authenticate_error_codes', array( $this->custom_login_url, 'add_um_form_error_code' ) );
+        add_filter( 'um_submit_form_error', array( $this->custom_login_url, 'set_um_form_flag' ), 100, 2 );
     }
 

sg-security/trunk/core/Login_Service/Login_Service.php

@@ -42 +42 @@
      */
     public function restrict_login_to_ips() {
+        // Bail if the user is trying to access password protected page.
+        if ( isset( $_POST['post_password'] ) && ! is_admin() ) { //phpcs:ignore
+            return true;
+        }
+
         // Get the list of allowed IP addresses.
         $allowed_ips = get_option( 'sg_login_access', array() );

sg-security/trunk/readme.txt

@@ -3 +3 @@
 Tags: security, firewall, malware scanner, web application firewall, login
 Requires at least: 4.7
-Tested up to: 6.8
+Tested up to: 6.9
 Requires PHP: 7.0
-Stable tag: 1.5.7
+Stable tag: 1.5.8
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
@@ -144 +144 @@
 
 == Changelog ==
+= Version 1.5.8 = 
+Release Date Dec 4th, 2025
+
+* Custom Login improvements
+* Login Security improvements
+* Security improvements
+
 = Version 1.5.7 = 
 Release Date Nov 21st, 2024

sg-security/trunk/sg-security.php

@@ -11 +11 @@
  * Plugin URI:        https://siteground.com
  * Description:       Security Optimizer by SiteGround is the all-in-one security solution for your WordPress website. With the carefully selected and easy to configure functions the plugin provides everything you need to secure your website and prevent a number of threats such as brute-force attacks, compromised login, data leaks and more.
- * Version:           1.5.7
+ * Version:           1.5.8
  * Author:            SiteGround
  * Author URI:        https://www.siteground.com
@@ -33 +33 @@
 // Define version constant.
 if ( ! defined( __NAMESPACE__ . '\VERSION' ) ) {
-    define( __NAMESPACE__ . '\VERSION', '1.5.7' );
+    define( __NAMESPACE__ . '\VERSION', '1.5.8' );
 }