Changeset 3082676
- Timestamp:
- 05/07/2024 03:12:17 PM (2 years ago)
- Location:
- zero-spam/trunk
- Files:
-
- 3 edited
-
core/class-user.php (modified) (4 diffs)
-
readme.txt (modified) (2 diffs)
-
wordpress-zero-spam.php (modified) (2 diffs)
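--- a/zero-spam/trunk/core/class-user.php
+++ b/zero-spam/trunk/core/class-user.php
@@ -22,5 +22,8 @@
  */
 public static function get_ip() {
+	$trusted_proxies = apply_filters( 'zerospam_trusted_proxies', array() );
+
 	$ip_sources = [
+		'REMOTE_ADDR',
 		'HTTP_CF_CONNECTING_IP',
 		'HTTP_CLIENT_IP',
@@ -30,5 +33,4 @@
 		'HTTP_FORWARDED_FOR',
 		'HTTP_FORWARDED',
-		'REMOTE_ADDR',
 	];
 
@@ -37,11 +39,14 @@
 			$ip = sanitize_text_field( wp_unslash( $_SERVER[ $source ] ) );
 
-			// Handle multiple IP addresses in X-Forwarded-Forby taking the first valid IP.
-			if ( $source === 'HTTP_X_FORWARDED_FOR' &&strpos( $ip, ',' ) !== false ) {
+			// Handle multiple IP addresses in headers by taking the first valid IP.
+			if ( strpos( $ip, ',' ) !== false ) {
 				$ip_list = explode( ',', $ip );
 				foreach ( $ip_list as $potential_ip ) {
 					$potential_ip = trim( $potential_ip );
 					if ( rest_is_ip_address( $potential_ip ) ) {
-						return apply_filters( 'zerospam_get_ip', $potential_ip );
+						// Validate IP only if it's from a trusted proxy or it's directly from REMOTE_ADDR.
+						if ( in_array( $_SERVER['REMOTE_ADDR'], $trusted_proxies ) || $source === 'REMOTE_ADDR' ) {
+							return apply_filters( 'zerospam_get_ip', $potential_ip );
+						}
 					}
 				}
@@ -49,5 +54,8 @@
 			// Validate single IP address.
 			if ( rest_is_ip_address( $ip ) ) {
-				return apply_filters( 'zerospam_get_ip', $ip );
+				// Directly return the IP if it's from REMOTE_ADDR or a trusted proxy.
+				if ( in_array( $_SERVER['REMOTE_ADDR'], $trusted_proxies ) || $source === 'REMOTE_ADDR' ) {
+					return apply_filters( 'zerospam_get_ip', $ip );
+				}
 			}
 		}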
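Review bot: With `'REMOTE_ADDR'` moved to the front of `$ip_sources` in the first hunk, the loop returns the peer address as soon as it is set and valid, so the new trusted-proxy guards in the third and fourth hunks are never reached on exactly the deployments they were written for; a site whose peer is listed in `zerospam_trusted_proxies` resolves every visitor to the proxy's own address, and any IP-based block or allow decision then applies to all visitors at once. The loop header and the guard on `$_SERVER[ $source ]` sit in the gap between the second and third hunks, so the iteration order is inferred from the array literal. Decide the source order once up front instead of re-checking the trusted list in every branch: consult the forwarded headers only when the peer is a trusted proxy, falling back to REMOTE_ADDR last, and use REMOTE_ADDR alone otherwise; the two inner `in_array( ... ) || $source === 'REMOTE_ADDR'` guards then become redundant. The `in_array` calls should also pass `true` as the third argument, and `$_SERVER['REMOTE_ADDR']` should be read through `isset` since it is absent under CLI and cron.
```php
$trusted_proxies = apply_filters( 'zerospam_trusted_proxies', array() );
$remote_addr     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';

// Forwarded headers are caller-supplied; consult them only when the direct peer is a trusted proxy.
$behind_trusted_proxy = '' !== $remote_addr && in_array( $remote_addr, $trusted_proxies, true );

$ip_sources = $behind_trusted_proxy
	? [
		'HTTP_CF_CONNECTING_IP',
		'HTTP_CLIENT_IP',
		// … unchanged: remaining forwarded-header names …
		'HTTP_FORWARDED',
		'REMOTE_ADDR',
	]
	: [ 'REMOTE_ADDR' ];

// … unchanged: per-source loop; the inner trusted-proxy guards can be dropped …
```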
zero-spam/trunk/readme.txt
r3079553 r3082676 6 6 Tested up to: 6.5.2 7 7 Requires PHP: 7.4 8 Stable tag: 5.5. 68 Stable tag: 5.5.7 9 9 License: GNU GPLv3 10 10 License URI: https://choosealicense.com/licenses/gpl-3.0/ … … 107 107 108 108 == Changelog == 109 110 = v5.5.7 = 111 112 * fix(bypass vulnerability): see https://patchstack.com/database/database/vulnerability/zero-spam/wordpress-zero-spam-for-wordpress-plugin-5-5-5-bypass-spam-protection-vulnerability 109 113 110 114 = v5.5.6 = -
zero-spam/trunk/wordpress-zero-spam.php
r3079549 r3082676 14 14 * Plugin URI: https://www.highfivery.com/projects/zero-spam/ 15 15 * Description: Tired of all the ineffective WordPress anti-spam & security plugins? Zero Spam for WordPress makes blocking spam & malicious activity a cinch. <strong>Just activate, configure, and say goodbye to spam.</strong> 16 * Version: 5.5. 616 * Version: 5.5.7 17 17 * Requires at least: 5.2 18 18 * Requires PHP: 7.3 … … 32 32 define( 'ZEROSPAM_PATH', plugin_dir_path( ZEROSPAM ) ); 33 33 define( 'ZEROSPAM_PLUGIN_BASE', plugin_basename( ZEROSPAM ) ); 34 define( 'ZEROSPAM_VERSION', '5.5. 6' );34 define( 'ZEROSPAM_VERSION', '5.5.7' ); 35 35 36 36 if ( defined( 'ZEROSPAM_DEVELOPMENT_URL' ) ) {