Changeset 3433652
Timestamp: 01/06/2026 01:22:17 PM (3 months ago)
Location: wp-guardian/trunk
Files: 4 edited
- modules/firewall.php (modified) (4 diffs)
- modules/security-measures.php (modified) (1 diff)
- readme.txt (modified) (2 diffs)
- wp-guardian.php (modified) (2 diffs)
wp-guardian/trunk/modules/firewall.php
r3423816 r3433652 35 35 function wp_guardian_gatekeeper_core() { 36 36 if ( ! defined( 'DOING_CRON' ) || ! DOING_CRON ) { 37 // Check if this is a REST API request 38 $is_rest_request = false; 39 if ( isset( $_SERVER['REQUEST_URI'] ) ) { 40 $request_uri = sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ); 41 if ( strpos( $request_uri, '/wp-json/' ) !== false ) { 42 $is_rest_request = true; 43 } 44 } 45 37 46 $ignored_patterns = [ 38 47 'admin-ajax.php', … … 46 55 } 47 56 } 57 58 // If it's a REST API request and user is authenticated, skip all firewall checks 59 if ( $is_rest_request && is_user_logged_in() ) { 60 return; 61 } 48 62 49 63 // … … 120 134 121 135 if ( $post_scanning && isset( $_POST ) && $should_deep_scan ) { 136 // Skip POST scanning for authenticated REST API requests 137 if ( $is_rest_request && is_user_logged_in() ) { 138 return; 139 } 140 122 141 $post_array = apply_filters( 'post_items', [ '<%=', '\+\/"\/\+\/', '(<|%3C|<?|u003c|x3c)script', 'src=#\s', '(href|src)="javascript:', '(href|src)=javascript:', '(href|src)=`javascript:' ] ); 123 142 … … 129 148 } 130 149 131 if ( ! is_admin() && preg_match( '/' . implode( '|', $post_array ) . '/i', $value, $matches ) ) { 150 // Skip POST scanning for authenticated users in admin or REST API 151 if ( ( is_admin() || ( $is_rest_request && is_user_logged_in() ) ) ) { 152 continue; 153 } 154 155 if ( preg_match( '/' . implode( '|', $post_array ) . '/i', $value, $matches ) ) { 132 156 wp_guardian_gatekeeper_response( $matches, $request_uri_string, $query_string_string, $user_agent_string, $referrer_string ); 133 157 -
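Review bot: the `$is_rest_request` flag is set by a bare `strpos( $request_uri, '/wp-json/' ) !== false` over the whole `REQUEST_URI`, so any request whose path or query string merely contains that substring is classified as a REST request and, as soon as `is_user_logged_in()` is true, the early `return` skips every firewall check for it. Anchor the test to the start of the path instead, for example by comparing `wp_parse_url( $request_uri, PHP_URL_PATH )` against `'/' . rest_get_url_prefix() . '/'`, so the exemption covers only the REST endpoint. Two smaller points: unless `wp_guardian_gatekeeper_core()` runs inside REST dispatch (the diff does not show where it is hooked), `is_user_logged_in()` here reflects only the auth cookie and not the REST nonce check, which WordPress performs later via `rest_authentication_errors`, so a cookie-authenticated session without a valid nonce is exempted too; and the new `continue` guarded by `( is_admin() || ( $is_rest_request && is_user_logged_in() ) )` can never trigger for the REST case, because the `return` added just above the `$post_array` definition already exits for `$is_rest_request && is_user_logged_in()`, leaving only `is_admin()`, which could be evaluated once before the loop rather than per `$_POST` value.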
wp-guardian/trunk/modules/security-measures.php
r3404328 r3433652 214 214 'init', 215 215 function () { 216 if ( ! is_admin() && ! is_user_logged_in() ) { 216 // Skip blocking for authenticated REST API requests 217 $is_rest_request = false; 218 if ( isset( $_SERVER['REQUEST_URI'] ) ) { 219 $request_uri = sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ); 220 if ( strpos( $request_uri, '/wp-json/' ) !== false ) { 221 $is_rest_request = true; 222 } 223 } 224 225 // Only block if not admin, not logged in, and not authenticated REST API request 226 if ( ! is_admin() && ! is_user_logged_in() && ! ( $is_rest_request && is_user_logged_in() ) ) { 217 227 $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : ''; 218 228 $restricted = [ '/\.git/', '/\.svn/', '/\.env$', '/wp-config\.php$', '/\.htaccess$', '/\.htpasswd$' ]; -
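Review bot: the new condition is logically identical to the old one. `! is_user_logged_in()` already fails for every logged-in request, so the added `! ( $is_rest_request && is_user_logged_in() )` term is only ever evaluated when `is_user_logged_in()` is false, where it is always true; the restricted-path blocking never applied to authenticated REST requests before this change either. Either drop the added block, together with the now duplicated `$request_uri` computation on the following line, or, if the intent is a narrower exemption than "any logged-in user", write that condition explicitly. The `/wp-json/` substring detection is also copied verbatim from firewall.php; a single shared helper would keep both call sites in sync when the match is tightened.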
wp-guardian/trunk/readme.txt
r3432787 r3433652 7 7 Requires PHP: 7.0 8 8 Requires CP: 2.0 9 Stable tag: 1.8. 29 Stable tag: 1.8.3 10 10 License: GPLv3 or later 11 11 License URI: https://www.gnu.org/licenses/gpl-3.0.html … … 43 43 44 44 == Changelog == 45 46 = 1.8.3 = 47 * Fix: Authenticated REST API requests are now properly excluded from firewall blocking 48 * Fix: POST scanning no longer blocks authenticated REST API requests when saving pages 49 * Fix: Security measures no longer interfere with authenticated REST API requests 45 50 46 51 = 1.8.2 = -
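Review bot: the third changelog line, `Security measures no longer interfere with authenticated REST API requests`, overstates the security-measures.php change, whose new condition reduces to the previous `! is_admin() && ! is_user_logged_in()`; reword or drop it. The first two lines should also state the scope of the exemption: the firewall change skips all checks for any authenticated user on a URI containing `/wp-json/`, not only during page saves, and site owners reading the changelog should be able to see that from the entry.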
wp-guardian/trunk/wp-guardian.php
r3432787 r3433652 4 4 * Plugin URI: https://getbutterfly.com/wordpress-plugins/wp-guardian/ 5 5 * Description: An easy way to harden your website's security effectively. 6 * Version: 1.8. 26 * Version: 1.8.3 7 7 * Author: Ciprian Popescu 8 8 * Author URI: https://getbutterfly.com/ … … 33 33 } 34 34 35 define( 'DTJWPG_VERSION', '1.8. 2' );35 define( 'DTJWPG_VERSION', '1.8.3' ); 36 36 define( 'DTJWPG_URL', __FILE__ ); 37 37 define( 'DTJWPG_BASENAME', plugin_basename( DTJWPG_URL ) );