Server IP : 104.21.14.48 / Your IP : 3.145.8.176 [ Web Server : Apache System : Linux b70eb322-3aee-0c53-7c82-0db91281f2c6.secureserver.net 6.1.90-1.el9.elrepo.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 2 12:09:22 EDT 2024 x86_64 User : root ( 0) PHP Version : 8.0.30.2 Disable Function : NONE Domains : 0 Domains MySQL : ON | cURL : ON | WGET : ON | Perl : OFF | Python : OFF | Sudo : OFF | Pkexec : OFF Directory : /var/www/wp-content/plugins/defender-security/src/component/security-tweaks/servers/ |
Upload File : |
<?php /** * Responsible for managing server configurations related to security tweaks . * * @package WP_Defender\Component\Security_Tweaks\Servers */ namespace WP_Defender\Component\Security_Tweaks\Servers; use WP_Error; use DOMXPath; use DOMDocument; use DOMException; /** * Provides methods to apply and revert security rules on servers. */ class IIS_7 { /** * New htaccess file. * * @var array */ private $new_htaccess_config = array(); /** * Service type. * * @var string */ private $type = null; /** * Constructor for class. * * @param string $type The type of the security tweak. */ public function __construct( $type ) { $this->type = $type; } /** * Check whether the issue has been resolved or not. * * @return bool */ public function check() { $url = ''; if ( 'prevent-php-executed' === $this->type ) { $dir = wp_upload_dir(); $url = $dir['baseurl'] . '/wp-defender/index.php'; } if ( 'protect-information' === $this->type ) { $url = defender_asset_url( '/languages/' . WP_DEFENDER_POT_FILENAME ); } return Server::ping_test_failed( $url ); } /** * Process the rule. * * @return bool|WP_Error * @throws DOMException If invalid $localName. */ public function process() { global $wp_filesystem; // Initialize the WP filesystem, no more using 'file-put-contents' function. if ( empty( $wp_filesystem ) ) { require_once ABSPATH . '/wp-admin/includes/file.php'; WP_Filesystem(); } $path = WP_CONTENT_DIR . '/uploads'; $filename = 'web.config'; if ( ! file_exists( $path . '/' . $filename ) ) { $wp_filesystem->put_contents( $path . '/' . $filename, '<configuration/>' ); } $formatxml = PHP_EOL; $formatxml .= ' <handlers accessPolicy="Read" />'; $formatxml .= PHP_EOL; $doc = new DOMDocument(); // This property is belongs to DOMDocument. So we can ignore the warning. $doc->preserveWhiteSpace = true; // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase if ( $doc->load( $path . '/' . $filename ) === false ) { return new WP_Error( 'defender_file_not_editable', sprintf( /* translators: %s: File name. */ esc_html__( 'The file %s could not be loaded.', 'defender-security' ), $filename ) ); } $xpath = new DOMXPath( $doc ); $read_accesspolicy = $xpath->query( '/configuration/system.webServer/handlers[starts-with(@accessPolicy,\'Read\')]' ); if ( $read_accesspolicy->length > 0 ) { return true; } $xmlnodes = $xpath->query( '/configuration/system.webServer/handlers' ); if ( $xmlnodes->length > 0 ) { $handlers_node = $xmlnodes->item( 0 ); } else { $handlers_node = $doc->createElement( 'handlers' ); $xmlnodes = $xpath->query( '/configuration/system.webServer' ); if ( $xmlnodes->length > 0 ) { $system_web_server_node = $xmlnodes->item( 0 ); $handler_fragment = $doc->createDocumentFragment(); $handler_fragment->appendXML( $formatxml ); $system_web_server_node->appendChild( $handler_fragment ); } else { $system_web_server_node = $doc->createElement( 'system.webServer' ); $handler_fragment = $doc->createDocumentFragment(); $handler_fragment->appendXML( $formatxml ); $system_web_server_node->appendChild( $handler_fragment ); $xmlnodes = $xpath->query( '/configuration' ); if ( $xmlnodes->length > 0 ) { $config_node = $xmlnodes->item( 0 ); $config_node->appendChild( $system_web_server_node ); } else { $config_node = $doc->createElement( 'configuration' ); $doc->appendChild( $config_node ); $config_node->appendChild( $system_web_server_node ); } } } $rule_fragment = $doc->createDocumentFragment(); $rule_fragment->appendXML( $formatxml ); $handlers_node->appendChild( $rule_fragment ); $doc->encoding = 'UTF-8'; $doc->formatOutput = true; // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase saveDomDocument( $doc, $path . '/' . $filename ); $settings = array( 'new_htaccess_config' => $this->get_new_htaccess_config(), ); return update_site_option( "defender_security_tweeks_{$this->type}", $settings ); } /** * Revert the rule. * * @return bool */ public function revert() { $path = WP_CONTENT_DIR . '/uploads'; $filename = 'web.config'; if ( ! file_exists( $path . '/' . $filename ) ) { return true; } $doc = new DOMDocument(); $doc->preserveWhiteSpace = false; // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase if ( $doc->load( $path . '/' . $filename ) === false ) { return false; } $xpath = new DOMXPath( $doc ); $handlers = $xpath->query( '/configuration/system.webServer/handlers[contains(@accessPolicy,\'Read\')]' ); if ( $handlers->length > 0 ) { $child = $handlers->item( 0 ); $parent = $child->parentNode; // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase $parent->removeChild( $child ); $doc->formatOutput = true; // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase saveDomDocument( $doc, $path . '/' . $filename ); } return true; } /** * Get the new HT config. * * @return array */ public function get_new_htaccess_config() { return $this->new_htaccess_config; } }