| Server IP : 104.21.14.48 / Your IP : 18.216.90.222 [ Web Server : Apache System : Linux b70eb322-3aee-0c53-7c82-0db91281f2c6.secureserver.net 6.1.90-1.el9.elrepo.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 2 12:09:22 EDT 2024 x86_64 User : root ( 0) PHP Version : 8.0.30.2 Disable Function : NONE Domains : 0 Domains MySQL : ON | cURL : ON | WGET : ON | Perl : OFF | Python : OFF | Sudo : OFF | Pkexec : OFF Directory : /var/www/wp-content/plugins/defender-security/src/component/ |
Upload File : |
<?php
/**
* Handles the logic for masking the login URL to enhance security by obscuring the default login paths.
*
* @package WP_Defender\Component
*/
namespace WP_Defender\Component;
use WP_Defender\Component;
use WP_Recovery_Mode_Link_Service;
/**
* Handles the logic for masking the login URL to enhance security by obscuring the default login paths.
*/
class Mask_Login extends Component {
/**
* Check if the current user is land on login page, then we can start the block.
*
* @param string $requested_path The path requested by the user.
*
* @return bool
*/
public function is_on_login_page( $requested_path ): bool {
// Decoded url path, e.g. for case 'wp-%61dmin'.
$requested_path = rawurldecode( strtolower( $requested_path ) );
$login_slugs = apply_filters(
'wd_login_strict_slugs',
array(
'wp-admin',
'wp-login',
'wp-login.php',
)
);
foreach ( $login_slugs as $slug ) {
if ( false !== stristr( $requested_path, "$slug" ) ) {
return true;
}
}
$login_slugs = apply_filters(
'wd_login_slugs',
array(
'login',
'dashboard',
'admin',
// Because WP redirects from 'login/' to the login page.
'login/',
)
);
// Check the request path contains default login text.
if ( in_array( $requested_path, $login_slugs, true ) ) {
return true;
}
return false;
}
/**
* Check if the request is land on masked URL.
*
* @param string $masked_url The custom masked URL set by the user.
*
* @return bool
*/
public function is_land_on_masked_url( $masked_url ): bool {
return ltrim( rtrim( $this->get_request_path(), '/' ), '/' ) === ltrim( rtrim( $masked_url, '/' ), '/' );
}
/**
* Get the current request URI.
*
* @param null|string $site_url This only need in unit test.
*
* @return mixed
*/
public function get_request_path( $site_url = null ) {
if ( null === $site_url ) {
$site_url = $this->get_site_url();
}
$request_uri = defender_get_data_from_request( 'REQUEST_URI', 's' );
// If parsed URL is null. PHP v8.1 displays it as deprecated.
$path = empty( wp_parse_url( $site_url, PHP_URL_PATH ) )
? ''
: wp_parse_url( $site_url, PHP_URL_PATH );
if ( strlen( $path ) && 0 === strpos( $request_uri, $path ) ) {
$request_uri = substr( $request_uri, strlen( $path ) );
}
$request_uri = '/' . ltrim( $request_uri, '/' );
return wp_parse_url( $request_uri, PHP_URL_PATH );
}
/**
* Copy cat from the function get_site_url without the filter.
*
* @param int|null $blog_id Optional. The blog ID in a multisite environment. Default is null.
* @param string $path Optional. Additional path to append to the site URL. Default is an empty string.
* @param string|null $scheme Optional. The scheme to use. Default is null.
*
* @return string The unfiltered site URL.
*/
private function get_site_url( $blog_id = null, $path = '', $scheme = null ) {
if ( empty( $blog_id ) || ! is_multisite() ) {
$url = get_option( 'siteurl' );
} else {
switch_to_blog( $blog_id );
$url = get_option( 'siteurl' );
restore_current_blog();
}
$url = set_url_scheme( $url, $scheme );
if ( $path && is_string( $path ) ) {
$url .= '/' . ltrim( $path, '/' );
}
return $url;
}
/**
* Redeems a ticket that allows bypassing the masked login.
*
* @param string $ticket The ticket to redeem.
*
* @return bool Returns true if the ticket is successfully redeemed, false if the ticket is invalid or expired.
*/
public function redeem_ticket( $ticket ): bool {
$settings = wd_di()->get( \WP_Defender\Model\Setting\Mask_Login::class );
$detail = $settings->express_tickets[ $ticket ] ?? false;
if ( false === $detail ) {
return false;
}
// Ticket expired.
if ( $detail['expiry'] < time() ) {
unset( $settings->express_tickets[ $ticket ] );
$settings->save();
return false;
}
$detail['used'] += 1;
$settings->express_tickets[ $ticket ] = $detail;
$settings->save();
return true;
}
/**
* Check if locale should be set.
*
* @param string $mask_url The Mask URL slug.
*
* @return bool
* @since 3.12.0
*/
public function is_set_locale( string $mask_url ): bool {
return $this->is_land_on_masked_url( $mask_url ) && ! empty( defender_get_data_from_request( 'wp_lang', 'g' ) );
}
/**
* Set locale on Mask Login page.
*
* @return void
* @since 3.12.0
*/
public function set_locale(): void {
$wp_lang = defender_get_data_from_request( 'wp_lang', 'g' );
if ( ! empty( $wp_lang ) ) {
switch_to_locale( $wp_lang );
}
}
/**
* Check if this is a login page.
*
* @return bool
* @since 4.1.0
*/
public function is_login_url(): bool {
$is_login_path = wp_parse_url( wp_login_url(), PHP_URL_PATH );
$requested_path = $this->get_request_path();
return trim( $requested_path, '/' ) === trim( $is_login_path, '/' );
}
/**
* Provides the login URL, which might be masked if the feature is active.
*
* @return string The login URL, potentially masked.
*/
public static function maybe_masked_login_url(): string {
$settings = wd_di()->get( \WP_Defender\Model\Setting\Mask_Login::class );
if ( $settings->is_active() ) {
return $settings->get_new_login_url();
} else {
return wp_login_url();
}
}
/**
* Is user hit the recovery link?
*
* @return bool
*/
public function is_recovery_mode(): bool {
return WP_Recovery_Mode_Link_Service::LOGIN_ACTION_ENTER === defender_get_data_from_request( 'action', 'r' );
}
}