
Changeset 3366125


Timestamp:
09/23/2025 02:44:14 AM (6 months ago)
Author:
codeplusdev
Message:

Fixed: CSP bugs and optimized
Fixed: Prevented cache plugins from corrupting header assignments

Location:
secuplug/trunk
Files:
4 edited

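--- a/secuplug/trunk/readme.txt
+++ b/secuplug/trunk/readme.txt
@@ -4,5 +4,5 @@
 Requires at least: 4.9
 Tested up to: 6.8
-Stable tag: 1.4.2
+Stable tag: 1.4.3
 License: GPLv3 or later
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
@@ -97,4 +97,8 @@
 
 == Changelog ==
+= 1.4.3 =
+* Fixed: CSP bugs and optimized
+* Fixed: Prevented cache plugins from corrupting header assignments
+
 = 1.4.2 =
 * Fixed: The issue that caused the 500 error in Apache 2.4 has been resolved. htaccess is no longer used.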
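--- a/secuplug/trunk/securefusion.php
+++ b/secuplug/trunk/securefusion.php
@@ -8,5 +8,5 @@
  * Description: SecureFusion is a lightweight, robust security plugin for WordPress.
  *  It gives you the ability to disable specific XML-RPC services, alter the login page address, and force SSL on pages.
- * Version: 1.4.2
+ * Version: 1.4.3
  * Author: codeplusdev <contact@codeplus.dev>
  * Author URI: https://profiles.wordpress.org/codeplusdev/
@@ -20,5 +20,5 @@
 
 if ( ! defined( 'SECUREFUSION_VERSION' ) ) {
-    define( 'SECUREFUSION_VERSION', '1.4.2' );
+    define( 'SECUREFUSION_VERSION', '1.4.3' );
 }
 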
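--- a/secuplug/trunk/src/Lib/Main.php
+++ b/secuplug/trunk/src/Lib/Main.php
@@ -49,5 +49,5 @@
         add_filter( 'wp_authenticate_user', array( $this->middleware, 'track_authenticate_user' ), 30, 2 );
         add_action( 'wp_authenticate', array( $this->middleware, 'track_limit_login_attempts' ), 10, 2);
-        add_action( 'send_headers', array( $this->middleware, 'headers' ) );
+        add_action( 'init', array( $this->middleware, 'headers' ), 9 );
     }
 
@@ -85,8 +85,10 @@
                 '\'unsafe-inline\'' . PHP_EOL .
                 'https://fonts.googleapis.com' . PHP_EOL .
-                'https://cdnjs.cloudflare.com'
+                'https://cdnjs.cloudflare.com' . PHP_EOL .
+                'https://www.googletagmanager.com'
             ,
             "csp_allowed_script_sources" => '\'self\'' . PHP_EOL .
-                '\'unsafe-inline\''
+                '\'unsafe-inline\'' . PHP_EOL .
+                'https://www.googletagmanager.com'
             ,
             "csp_allowed_font_sources" => '\'self\'' . PHP_EOL .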
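Review bot: Moving the `headers` callback from `send_headers` to `init` (priority 9) in the first hunk changes which requests it runs on, not only when: as far as I can tell `init` fires for admin, AJAX, REST and cron requests as well, whereas `send_headers` is only reached from the front-end request flow. Unless `Middleware::headers()` gates on request type (it is outside this diff), the CSP and related headers will now also be sent on wp-admin and REST responses, which is worth confirming and worth a comment on the new line such as `// Hooked on init (priority 9) rather than send_headers so page-cache plugins cannot overwrite these headers; note this runs for every request type.` The second hunk widens the default script-src allowlist with https://www.googletagmanager.com next to the existing 'unsafe-inline'; a short comment on these defaults stating that they are a permissive starting point the site owner is expected to narrow would help readers of the settings array.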
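--- a/secuplug/trunk/src/Lib/Middleware.php
+++ b/secuplug/trunk/src/Lib/Middleware.php
@@ -61,6 +61,9 @@
         // CSP
         $csp_allowed_style_sources  = $this->get_settings( 'csp_allowed_style_sources' );
+        $csp_allowed_style_sources  = str_replace( array( "\r\n", "\n" ), ' ', $csp_allowed_style_sources );
         $csp_allowed_script_sources = $this->get_settings( 'csp_allowed_script_sources' );
+        $csp_allowed_script_sources = str_replace( array( "\r\n", "\n" ), ' ', $csp_allowed_script_sources );
         $csp_allowed_font_sources   = $this->get_settings( 'csp_allowed_font_sources' );
+        $csp_allowed_font_sources   = str_replace( array( "\r\n", "\n" ), ' ', $csp_allowed_font_sources );
 
         if ( $bad_bots ) {
@@ -98,10 +101,10 @@
             $csp_policy  = "default-src 'self'; ";
             $csp_policy  = "frame-src 'self' https://www.google.com/ https://google.com/;";
-            $csp_policy .= "worker-src 'self'; ";
-            $csp_policy .= "script-src " . str_replace( PHP_EOL, ' ', $csp_allowed_script_sources ) . "; ";
-            $csp_policy .= "style-src " . str_replace( PHP_EOL, ' ', $csp_allowed_style_sources ) . "; ";
+            $csp_policy .= "worker-src 'self' blob:; ";
+            $csp_policy .= "script-src " . $csp_allowed_script_sources . "; ";
+            $csp_policy .= "style-src " . $csp_allowed_style_sources . "; ";
             // Allows images from self, data URIs, and any HTTPS source. This is generally safe.
             $csp_policy .= "img-src 'self' data: https:; ";
-            $csp_policy .= "font-src " . str_replace( PHP_EOL, ' ', $csp_allowed_font_sources ) . "; ";
+            $csp_policy .= "font-src " . $csp_allowed_font_sources . "; ";
             // Disallows plugins like Flash.
             $csp_policy .= "object-src 'none'; ";
@@ -164,5 +167,5 @@
 
         if ( $custom_cookie_patterns ) {
-            $custom_cookie_patterns = preg_split( '/' . PHP_EOL . '/', $custom_cookie_patterns );
+            $custom_cookie_patterns = preg_split( '/\r\n|\n/', $custom_cookie_patterns );
             $custom_cookie_patterns = array_map( function( $val ) use ( $pattern_arr, $replace_arr ) {
                 return preg_replace( $pattern_arr, $replace_arr, $val );
@@ -171,5 +174,5 @@
 
         if ( $custom_request_patterns ) {
-            $custom_request_patterns = preg_split( '/' . PHP_EOL . '/', $custom_request_patterns );
+            $custom_request_patterns = preg_split( '/\r\n|\n/', $custom_request_patterns );
             $custom_request_patterns = array_map( function( $val ) use ( $pattern_arr, $replace_arr ) {
                 return preg_replace( $pattern_arr, $replace_arr, $val );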
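Review bot: In the second hunk, new-side line 102 still assigns `$csp_policy  = "frame-src ...";` with `=` instead of `.=`, so the `default-src 'self'; ` set on line 101 is thrown away and the emitted policy contains no default-src at all; every fetch directive not listed explicitly (connect-src, media-src, manifest-src, …) then has no fallback and is unrestricted, which the "CSP bugs" fix in this changeset does not address. The line should read `$csp_policy .= "frame-src 'self' https://www.google.com/ https://google.com/; ";` (the trailing space also matches how the other directives are joined). In the third and fourth hunks `preg_split( '/\r\n|\n/', ... )` yields empty strings for blank lines in the setting; adding `PREG_SPLIT_NO_EMPTY` as the flags argument keeps an empty entry from being passed through `preg_replace` into whatever consumes the pattern list downstream, which is outside this diff. The enclosing method starts before the first hunk and continues past the last.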