Changeset 906056

Timestamp:

05/01/2014 04:05:11 AM (12 years ago)

Author:

Faison

Message:

Uploading Version 0.6.0

Location:

project-force-field

Files:

• tags/0.6.0 (added)
• tags/0.6.0/classes (added)
• tags/0.6.0/classes/class-base-file-manager.php (added)
• tags/0.6.0/classes/class-base-system-manager.php (added)
• tags/0.6.0/classes/class-force-field-rewrite-manager.php (added)
• tags/0.6.0/classes/class-force-field.php (added)
• tags/0.6.0/classes/class-wordpress-file-manager.php (added)
• tags/0.6.0/classes/class-wordpress-system-manager.php (added)
• tags/0.6.0/project-force-field.php (added)
• tags/0.6.0/readme.txt (added)
• trunk/classes/class-force-field-rewrite-manager.php (modified) (8 diffs)
• trunk/classes/class-force-field.php (modified) (5 diffs)
• trunk/project-force-field.php (modified) (1 diff)
• trunk/readme.txt (modified) (4 diffs)

project-force-field/trunk/classes/class-force-field-rewrite-manager.php

@@ -49 +49 @@
         private $new_login;
 
-        function __construct( FZ_Base_File_Manager $file_manager, $filename, $new_login ) {
+        /**
+         * Are pretty permalinks enabled.
+         *
+         * @var boolean
+         */
+        private $permalinks_enabled;
+
+        function __construct( FZ_Base_File_Manager $file_manager, $filename, $new_login, $permalinks_enabled = true ) {
 
             if ( null == $filename ) {
@@ -64 +71 @@
 
             $this->new_login = $new_login;
+
+            $this->permalinks_enabled = $permalinks_enabled;
         }
 
@@ -74 +83 @@
          * @return bool True if successful.
          */
-        public function shields_up() {
+        public function shields_up( $optional_blocks = null ) {
 
             $file_contents = $this->file_manager->get_file_contents( $this->filename );
 
-            $file_contents = $this->add_force_field_section_to_contents( $file_contents );
+            $file_contents = $this->add_force_field_section_to_contents( $file_contents, $optional_blocks );
 
             if ( true === $file_contents ) {
@@ -110 +119 @@
 
             return $results;
+        }
+
+        /**
+         * An easy way to remove clear out and replace the Force Field lines in the .htaccess file.
+         *
+         * This function is particularly useful between version updates.
+         *
+         * @since 0.6.0
+         */
+        public function reset_shields( $optional_blocks = null ) {
+
+            $file_contents = $this->file_manager->get_file_contents( $this->filename );
+
+            $result_contents = $this->remove_force_field_section_from_contents( $file_contents );
+
+            if ( true === $result_contents ) {
+                $result_contents = $file_contents;
+            }
+            $file_contents = $result_contents;
+
+            $file_contents = $this->add_force_field_section_to_contents( $file_contents, $optional_blocks );
+
+            $result = $this->file_manager->put_file_contents( $this->filename, $file_contents );
+
+            return $result;
         }
 
@@ -130 +164 @@
             $line_position = array_search( $rewrite_line, $force_field_lines );
 
-            if ( false !== $line_position ) {
+            $anti_enum_line = 'RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)';
+            $anti_position  = array_search( $anti_enum_line, $force_field_lines );
+
+            $anti_enum_good = ( false !== $anti_position && $this->permalinks_enabled )
+                           || ( false === $anti_position && ! $this->permalinks_enabled );
+
+            if ( false !== $line_position && $anti_enum_good ) {
                 return true;
             }
@@ -151 +191 @@
         }
 
-        private function add_force_field_section_to_contents( $contents ) {
+        private function add_force_field_section_to_contents( $contents, $optional_blocks = null ) {
 
             $section_start = array_search( '# BEGIN ' . self::MARKER, $contents );
@@ -159 +199 @@
             }
 
-            $ogff_sections = $this->generate_force_field_section_content();
-
+            $ogff_sections = $this->generate_force_field_section_content( $optional_blocks );
+
+            if ( '' == $contents[0] ) {
+                array_shift( $contents );
+            }
+            
             array_splice( $contents, 0, 0, $ogff_sections );
 
@@ -193 +237 @@
             );
 
+            if ( $this->permalinks_enabled ) {
+                $anti_enum = array(
+                    'RewriteCond %{REQUEST_URI}  ^/$',
+                    'RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)',
+                    'RewriteRule ^(.*)$ - [F]'
+                );
+                array_splice( $lines, 5, 0, $anti_enum );
+            }
+
             if ( is_array( $optional_blocks ) && 0 < count( $optional_blocks ) ) {
                 $optional_lines = array();

project-force-field/trunk/classes/class-force-field.php

@@ -18 +18 @@
     class OG_Force_Field {
 
+        const VERSION = '0.6.0';
+
+        const VERSION_OPTION = 'ogff_version';
+
         const DEFAULT_NEW_LOGIN = 'safe-entrance.php';
 
@@ -54 +58 @@
 
                 $this->new_login = $new_login;
+
+                // Add action to check for updates
+                add_action( 'plugins_loaded', array( $this, 'update_force_field' ) );
 
                 // Add filters to fix the login url
@@ -69 +76 @@
 
             }
+        }
+
+        /**
+         * Run upgrade scripts if needed.
+         *
+         * @since 0.6.0
+         */
+        function update_force_field() {
+            $last_version = get_option( self::VERSION_OPTION );
+
+            if ( self::VERSION == $last_version ) {
+                return;
+            }
+
+            if ( false === $last_version ) {
+                // Update for versions pre-0.6.0
+                $this->setup_rewrite_manager();
+                $this->rewrite_manager->reset_shields();
+            }
+
+            update_option( self::VERSION_OPTION, self::VERSION );
         }
 
@@ -198 +226 @@
             }
 
+            global $wp_rewrite;
+
             $filename     = $this->system_manager->get_htaccess_path();
             $file_manager = $this->system_manager->get_file_manager();
             $login        = $this->get_new_login();
-
-            $this->rewrite_manager = new OG_Force_Field_Rewrite_Manager( $file_manager, $filename, $login );
+            $permalinks   = ( '' !== $wp_rewrite->permalink_structure );
+
+            $this->rewrite_manager = new OG_Force_Field_Rewrite_Manager( $file_manager, $filename, $login, $permalinks );
         }
 
@@ -362 +393 @@
             delete_option( self::REVERSE_POLARITY_OPTION );
             delete_option( self::OPTIONAL_BLOCKS );
+            delete_option( self::VERSION_OPTION );
 
             $timestamp = wp_next_scheduled( self::CHECK_ATTACK_TASK );

project-force-field/trunk/project-force-field.php

@@ -5 +5 @@
  * Author: Faison Zutavern
  * Author URI: http://www.orionweb.net/
- * Version: 0.5.1
+ * Version: 0.6.0
  */
 

project-force-field/trunk/readme.txt

@@ -4 +4 @@
 Requires at least: 3.8
 Tested up to: 3.9
-Stable tag: 0.5.1
+Stable tag: 0.6.0
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -26 +26 @@
 * **Unlimited polarity shifts** - If a Brute Force Attacker gets smart and writes a script to check for the new login url, Project Force Field will continue to detect the attack and change the login.
 * **Define the login yourself** - By defining `OGFF_LOGIN` in your wp-config.php, you can set the login to be *almost* anything you want.
+* **Stops WordPress User Enumeration Exploit** - Many brute force attacks use the WordPress User Enumeration exploit to easily figure out valid usernames. We stop that to protect your site, and respond with a 403 to save your server.
 
 = Future Features! =
@@ -77 +78 @@
 == Changelog ==
 
+= 0.6.0 =
+* **Enhancement**: Added protection from WordPress User Enumeration.
+* **Enhancement**: Added code to handle upgrades to Project Force Field.
+
 = 0.5.1 =
 * **Bugfix**: Prefixed the variable `$new_login` in the file `project-force-field.php` with `ogff_` to avoid potential conflicts with other plugins, themes, or custom code.
@@ -86 +91 @@
 
 == Upgrade Notice ==
+= 0.6.0 =
+This version adds protection against WordPress User Enumeration, which hackers tend to use before attempting a brute force attack.
 
 = 0.5.1 =