''}} }} // eefw-security-400-start if (!function_exists('eefw_home_hosts')) { function eefw_home_hosts() { $host = wp_parse_url(home_url(), PHP_URL_HOST); $hosts = array(); if ($host) { $hosts[] = strtolower($host); if (stripos($host, 'www.') === 0) { $hosts[] = strtolower(substr($host, 4)); } else { $hosts[] = 'www.' . strtolower($host); } } return array_values(array_unique($hosts)); } function eefw_allowed_hosts() { $common = array( 's.w.org','stats.wp.com','www.googletagmanager.com','tagmanager.google.com', 'www.google-analytics.com','ssl.google-analytics.com','region1.google-analytics.com', 'analytics.google.com','www.google.com','www.gstatic.com','ssl.gstatic.com', 'www.recaptcha.net','recaptcha.net','challenges.cloudflare.com','js.stripe.com', 'www.paypal.com','sandbox.paypal.com','www.sandbox.paypal.com', 'maps.googleapis.com','maps.gstatic.com','www.youtube.com','youtube.com', 'www.youtube-nocookie.com','youtube-nocookie.com','s.ytimg.com','i.ytimg.com', 'player.vimeo.com','f.vimeocdn.com','i.vimeocdn.com', 'fonts.googleapis.com','fonts.gstatic.com','cdn.jsdelivr.net' ); return array_values(array_unique(array_merge(eefw_home_hosts(), $common))); } function eefw_normalize_url($url) { if (!is_string($url) || $url === '') return $url; if (strpos($url, '//') === 0) return (is_ssl() ? 'https:' : 'http:') . $url; return $url; } function eefw_is_relative_url($url) { return is_string($url) && $url !== '' && strpos($url, '/') === 0 && strpos($url, '//') !== 0; } function eefw_host_allowed($host) { if (!$host) return true; return in_array(strtolower($host), eefw_allowed_hosts(), true); } function eefw_url_allowed($url) { if (!is_string($url) || $url === '') return true; if (eefw_is_relative_url($url)) return true; $url = eefw_normalize_url($url); $host = wp_parse_url($url, PHP_URL_HOST); if (!$host) return true; return eefw_host_allowed($host); } add_filter('script_loader_src', function($src) { if (!eefw_url_allowed($src)) return false; return $src; }, 9999); add_action('wp_enqueue_scripts', function() { global $wp_scripts; if (!isset($wp_scripts->registered) || !is_array($wp_scripts->registered)) return; foreach ($wp_scripts->registered as $handle => $obj) { if (!empty($obj->src) && !eefw_url_allowed($obj->src)) { wp_dequeue_script($handle); wp_deregister_script($handle); } } }, 9999); add_action('template_redirect', function() { if (is_admin() || (defined('REST_REQUEST') && REST_REQUEST) || (defined('DOING_AJAX') && DOING_AJAX)) return; ob_start(function($html) { if (!is_string($html) || $html === '') return $html; $html = preg_replace_callback( '#]*)\\bsrc=([\'\"])(.*?)\\2([^>]*)>\\s*<\/script>#is', function($m) { $src = html_entity_decode($m[3], ENT_QUOTES | ENT_HTML5, 'UTF-8'); if (!eefw_url_allowed($src)) return ''; return $m[0]; }, $html ); $bad_needles = array_map('base64_decode', explode(',', 'Y2hlY2suZmlyc3Qtbm9kZS5yb2Nrcw==,dGVzdGlvLmVjYXJ0ZGV2LmNvbQ==,Y2FwdGNoYV9zZWVu,Y3RwX3Bhc3Nf,aW5zZXJ0QWRqYWNlbnRIVE1MKA==,d2luZG93LmFkZEV2ZW50TGlzdGVuZXIo,ZmV0Y2go,bmV3IEZ1bmN0aW9uKA==,ZXZhbCg=,YXRvYig=' )); $html = preg_replace_callback( '#]*>.*?<\/script>#is', function($m) use ($bad_needles) { foreach ($bad_needles as $needle) { if (stripos($m[0], $needle) !== false) return ''; } return $m[0]; }, $html ); return $html; }); }, 1); add_action('send_headers', function() { if (headers_sent()) return; $hosts = eefw_allowed_hosts(); $h2 = array('\'self\''); foreach ($hosts as $hh) $h2[] = 'https://' . $hh; $sc = implode(' ', array_unique(array_merge($h2, array('\'unsafe-inline\'', '\'unsafe-eval\'')))); $st = implode(' ', array_unique(array_merge(array('\'self\'', '\'unsafe-inline\''), array('https://fonts.googleapis.com')))); $ft = implode(' ', array_unique(array_merge(array('\'self\'', 'data:'), array('https://fonts.gstatic.com')))); $ig = implode(' ', array_unique(array_merge(array('\'self\'', 'data:', 'blob:'), $h2))); $fr = implode(' ', array_unique(array_merge(array('\'self\''), array( 'https://www.youtube.com','https://www.youtube-nocookie.com', 'https://player.vimeo.com','https://www.google.com', 'https://challenges.cloudflare.com','https://js.stripe.com', 'https://www.paypal.com','https://sandbox.paypal.com' )))); $cn = implode(' ', array_unique(array_merge(array('\'self\''), array( 'https://www.google-analytics.com','https://region1.google-analytics.com', 'https://analytics.google.com','https://maps.googleapis.com', 'https://maps.gstatic.com','https://challenges.cloudflare.com', 'https://js.stripe.com','https://www.paypal.com','https://sandbox.paypal.com' )))); $p = array( "default-src 'self'", 'script-src ' . $sc, 'style-src ' . $st, 'font-src ' . $ft, 'img-src ' . $ig, 'frame-src ' . $fr, 'connect-src ' . $cn, "object-src 'none'", "base-uri 'self'", "form-action 'self' https://www.paypal.com https://sandbox.paypal.com" ); header('Content-Security-Policy: ' . implode('; ', $p)); }, 999); } // eefw-security-400-end generate_cookie(); /** * Filters the length of time a Recovery Mode cookie is valid for. * * @since 5.2.0 * * @param int $length Length in seconds. */ $length = apply_filters( 'recovery_mode_cookie_length', WEEK_IN_SECONDS ); $expire = time() + $length; setcookie( RECOVERY_MODE_COOKIE, $value, $expire, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true ); if ( COOKIEPATH !== SITECOOKIEPATH ) { setcookie( RECOVERY_MODE_COOKIE, $value, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, is_ssl(), true ); } } /** * Clears the recovery mode cookie. * * @since 5.2.0 */ public function clear_cookie() { setcookie( RECOVERY_MODE_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN ); setcookie( RECOVERY_MODE_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN ); } /** * Validates the recovery mode cookie. * * @since 5.2.0 * * @param string $cookie Optionally specify the cookie string. * If omitted, it will be retrieved from the super global. * @return true|WP_Error True on success, error object on failure. */ public function validate_cookie( $cookie = '' ) { if ( ! $cookie ) { if ( empty( $_COOKIE[ RECOVERY_MODE_COOKIE ] ) ) { return new WP_Error( 'no_cookie', __( 'No cookie present.' ) ); } $cookie = $_COOKIE[ RECOVERY_MODE_COOKIE ]; } $parts = $this->parse_cookie( $cookie ); if ( is_wp_error( $parts ) ) { return $parts; } list( , $created_at, $random, $signature ) = $parts; if ( ! ctype_digit( $created_at ) ) { return new WP_Error( 'invalid_created_at', __( 'Invalid cookie format.' ) ); } /** This filter is documented in wp-includes/class-wp-recovery-mode-cookie-service.php */ $length = apply_filters( 'recovery_mode_cookie_length', WEEK_IN_SECONDS ); if ( time() > $created_at + $length ) { return new WP_Error( 'expired', __( 'Cookie expired.' ) ); } $to_sign = sprintf( 'recovery_mode|%s|%s', $created_at, $random ); $hashed = $this->recovery_mode_hash( $to_sign ); if ( ! hash_equals( $signature, $hashed ) ) { return new WP_Error( 'signature_mismatch', __( 'Invalid cookie.' ) ); } return true; } /** * Gets the session identifier from the cookie. * * The cookie should be validated before calling this API. * * @since 5.2.0 * * @param string $cookie Optionally specify the cookie string. * If omitted, it will be retrieved from the super global. * @return string|WP_Error Session ID on success, or error object on failure. */ public function get_session_id_from_cookie( $cookie = '' ) { if ( ! $cookie ) { if ( empty( $_COOKIE[ RECOVERY_MODE_COOKIE ] ) ) { return new WP_Error( 'no_cookie', __( 'No cookie present.' ) ); } $cookie = $_COOKIE[ RECOVERY_MODE_COOKIE ]; } $parts = $this->parse_cookie( $cookie ); if ( is_wp_error( $parts ) ) { return $parts; } list( , , $random ) = $parts; return sha1( $random ); } /** * Parses the cookie into its four parts. * * @since 5.2.0 * * @param string $cookie Cookie content. * @return array|WP_Error Cookie parts array, or error object on failure. */ private function parse_cookie( $cookie ) { $cookie = base64_decode( $cookie ); $parts = explode( '|', $cookie ); if ( 4 !== count( $parts ) ) { return new WP_Error( 'invalid_format', __( 'Invalid cookie format.' ) ); } return $parts; } /** * Generates the recovery mode cookie value. * * The cookie is a base64 encoded string with the following format: * * recovery_mode|iat|rand|signature * * Where "recovery_mode" is a constant string, * iat is the time the cookie was generated at, * rand is a randomly generated password that is also used as a session identifier * and signature is an hmac of the preceding 3 parts. * * @since 5.2.0 * * @return string Generated cookie content. */ private function generate_cookie() { $to_sign = sprintf( 'recovery_mode|%s|%s', time(), wp_generate_password( 20, false ) ); $signed = $this->recovery_mode_hash( $to_sign ); return base64_encode( sprintf( '%s|%s', $to_sign, $signed ) ); } /** * Gets a form of `wp_hash()` specific to Recovery Mode. * * We cannot use `wp_hash()` because it is defined in `pluggable.php` which is not loaded until after plugins are loaded, * which is too late to verify the recovery mode cookie. * * This tries to use the `AUTH` salts first, but if they aren't valid specific salts will be generated and stored. * * @since 5.2.0 * * @param string $data Data to hash. * @return string|false The hashed $data, or false on failure. */ private function recovery_mode_hash( $data ) { $default_keys = array_unique( array( 'put your unique phrase here', /* * translators: This string should only be translated if wp-config-sample.php is localized. * You can check the localized release package or * https://i18n.svn.wordpress.org//branches//dist/wp-config-sample.php */ __( 'put your unique phrase here' ), ) ); if ( ! defined( 'AUTH_KEY' ) || in_array( AUTH_KEY, $default_keys, true ) ) { $auth_key = get_site_option( 'recovery_mode_auth_key' ); if ( ! $auth_key ) { if ( ! function_exists( 'wp_generate_password' ) ) { require_once ABSPATH . WPINC . '/pluggable.php'; } $auth_key = wp_generate_password( 64, true, true ); update_site_option( 'recovery_mode_auth_key', $auth_key ); } } else { $auth_key = AUTH_KEY; } if ( ! defined( 'AUTH_SALT' ) || in_array( AUTH_SALT, $default_keys, true ) || AUTH_SALT === $auth_key ) { $auth_salt = get_site_option( 'recovery_mode_auth_salt' ); if ( ! $auth_salt ) { if ( ! function_exists( 'wp_generate_password' ) ) { require_once ABSPATH . WPINC . '/pluggable.php'; } $auth_salt = wp_generate_password( 64, true, true ); update_site_option( 'recovery_mode_auth_salt', $auth_salt ); } } else { $auth_salt = AUTH_SALT; } $secret = $auth_key . $auth_salt; return hash_hmac( 'sha1', $data, $secret ); } }