Edit File by line

Deprecated: str_replace(): Passing null to parameter #2 ($replace) of type array|string is deprecated in /home/sportsfever/public_html/filemanger/function.php on line 93
/home/sportsfe.../httpdocs/clone/wp-conte.../plugins/wordfenc.../lib
File: wfCredentialsController.php
<?php
[0] Fix | Delete
[1] Fix | Delete
class wfCredentialsController {
[2] Fix | Delete
const UNCACHED = 'uncached';
[3] Fix | Delete
const NOT_LEAKED = 'not-leaked';
[4] Fix | Delete
const LEAKED = 'leaked';
[5] Fix | Delete
[6] Fix | Delete
const ALLOW_LEGACY_2FA_OPTION = 'allowLegacy2FA';
[7] Fix | Delete
const DISABLE_LEGACY_2FA_OPTION = 'disableLegacy2FA';
[8] Fix | Delete
[9] Fix | Delete
public static function allowLegacy2FA() {
[10] Fix | Delete
return wfConfig::get(self::ALLOW_LEGACY_2FA_OPTION, false);
[11] Fix | Delete
}
[12] Fix | Delete
[13] Fix | Delete
public static function useLegacy2FA() {
[14] Fix | Delete
if (!self::allowLegacy2FA()) {
[15] Fix | Delete
return false;
[16] Fix | Delete
}
[17] Fix | Delete
return !wfConfig::get(self::DISABLE_LEGACY_2FA_OPTION, false);
[18] Fix | Delete
}
[19] Fix | Delete
[20] Fix | Delete
public static function hasOld2FARecords() {
[21] Fix | Delete
$twoFactorUsers = wfConfig::get_ser('twoFactorUsers', array());
[22] Fix | Delete
if (is_array($twoFactorUsers) && !empty($twoFactorUsers)) {
[23] Fix | Delete
foreach ($twoFactorUsers as &$t) {
[24] Fix | Delete
if ($t[3] == 'activated') {
[25] Fix | Delete
$user = new WP_User($t[0]);
[26] Fix | Delete
if ($user instanceof WP_User && $user->exists()) {
[27] Fix | Delete
return true;
[28] Fix | Delete
}
[29] Fix | Delete
}
[30] Fix | Delete
}
[31] Fix | Delete
}
[32] Fix | Delete
return false;
[33] Fix | Delete
}
[34] Fix | Delete
[35] Fix | Delete
public static function hasNew2FARecords() {
[36] Fix | Delete
if (version_compare(phpversion(), '5.3', '>=') && class_exists('\WordfenceLS\Controller_DB')) {
[37] Fix | Delete
global $wpdb;
[38] Fix | Delete
$table = WFLSPHP52Compatability::secrets_table();
[39] Fix | Delete
return !!intval($wpdb->get_var("SELECT COUNT(*) FROM `{$table}`"));
[40] Fix | Delete
}
[41] Fix | Delete
return false;
[42] Fix | Delete
}
[43] Fix | Delete
[44] Fix | Delete
/**
[45] Fix | Delete
* Queries the API and returns whether or not the password exists in the breach database.
[46] Fix | Delete
*
[47] Fix | Delete
* @param string $login
[48] Fix | Delete
* @param string $password
[49] Fix | Delete
* @return bool
[50] Fix | Delete
*/
[51] Fix | Delete
public static function isLeakedPassword($login, $password) {
[52] Fix | Delete
$sha1 = strtoupper(hash('sha1', $password));
[53] Fix | Delete
$prefix = substr($sha1, 0, 5);
[54] Fix | Delete
[55] Fix | Delete
$ssl_verify = (bool) wfConfig::get('ssl_verify');
[56] Fix | Delete
$args = array(
[57] Fix | Delete
'timeout' => 5,
[58] Fix | Delete
'user-agent' => "Wordfence.com UA " . (defined('WORDFENCE_VERSION') ? WORDFENCE_VERSION : '[Unknown version]'),
[59] Fix | Delete
'sslverify' => $ssl_verify,
[60] Fix | Delete
'headers' => array('Referer' => false),
[61] Fix | Delete
);
[62] Fix | Delete
[63] Fix | Delete
if (!$ssl_verify) { // Some versions of cURL will complain that SSL verification is disabled but the CA bundle was supplied.
[64] Fix | Delete
$args['sslcertificates'] = false;
[65] Fix | Delete
}
[66] Fix | Delete
[67] Fix | Delete
$response = wp_remote_get(sprintf(WORDFENCE_BREACH_URL_BASE_SEC . "%s.txt", $prefix), $args);
[68] Fix | Delete
[69] Fix | Delete
if (!is_wp_error($response)) {
[70] Fix | Delete
$data = wp_remote_retrieve_body($response);
[71] Fix | Delete
$lines = explode("\n", $data);
[72] Fix | Delete
foreach ($lines as $l) {
[73] Fix | Delete
$components = explode(":", $l);
[74] Fix | Delete
$teshSHA1 = $prefix . strtoupper($components[0]);
[75] Fix | Delete
if (hash_equals($sha1, $teshSHA1)) {
[76] Fix | Delete
return true;
[77] Fix | Delete
}
[78] Fix | Delete
}
[79] Fix | Delete
}
[80] Fix | Delete
[81] Fix | Delete
return false;
[82] Fix | Delete
}
[83] Fix | Delete
[84] Fix | Delete
/**
[85] Fix | Delete
* Returns the transient key for the given user.
[86] Fix | Delete
*
[87] Fix | Delete
* @param WP_User $user
[88] Fix | Delete
* @return string
[89] Fix | Delete
*/
[90] Fix | Delete
protected static function _cachedCredentialStatusKey($user) {
[91] Fix | Delete
$key = 'wfcredentialstatus_' . $user->ID;
[92] Fix | Delete
return $key;
[93] Fix | Delete
}
[94] Fix | Delete
[95] Fix | Delete
/**
[96] Fix | Delete
* Returns the cached credential status for the given user: self::UNCACHED, self::NOT_LEAKED, or self::LEAKED.
[97] Fix | Delete
*
[98] Fix | Delete
* @param WP_User $user
[99] Fix | Delete
* @return string
[100] Fix | Delete
*/
[101] Fix | Delete
public static function cachedCredentialStatus($user) {
[102] Fix | Delete
$key = self::_cachedCredentialStatusKey($user);
[103] Fix | Delete
$value = get_transient($key);
[104] Fix | Delete
if ($value === false) {
[105] Fix | Delete
return self::UNCACHED;
[106] Fix | Delete
}
[107] Fix | Delete
[108] Fix | Delete
$status = substr($value, 0, 1);
[109] Fix | Delete
if (strlen($value) > 1) {
[110] Fix | Delete
if (!hash_equals(substr($value, 1), hash('sha256', $user->user_pass))) { //Different hash but our clear function wasn't called so treat it as uncached
[111] Fix | Delete
return self::UNCACHED;
[112] Fix | Delete
}
[113] Fix | Delete
}
[114] Fix | Delete
[115] Fix | Delete
if ($status) {
[116] Fix | Delete
return self::LEAKED;
[117] Fix | Delete
}
[118] Fix | Delete
return self::NOT_LEAKED;
[119] Fix | Delete
}
[120] Fix | Delete
[121] Fix | Delete
/**
[122] Fix | Delete
* Stores a cached leak value for the given user.
[123] Fix | Delete
*
[124] Fix | Delete
* @param WP_User $user
[125] Fix | Delete
* @param bool $isLeaked
[126] Fix | Delete
*/
[127] Fix | Delete
public static function setCachedCredentialStatus($user, $isLeaked) {
[128] Fix | Delete
$key = self::_cachedCredentialStatusKey($user);
[129] Fix | Delete
set_transient($key, ($isLeaked ? '1' : '0') . hash('sha256', $user->user_pass), 3600);
[130] Fix | Delete
}
[131] Fix | Delete
[132] Fix | Delete
/**
[133] Fix | Delete
* Clears the cache for the given user.
[134] Fix | Delete
*
[135] Fix | Delete
* @param WP_User $user
[136] Fix | Delete
*/
[137] Fix | Delete
public static function clearCachedCredentialStatus($user) {
[138] Fix | Delete
$key = self::_cachedCredentialStatusKey($user);
[139] Fix | Delete
delete_transient($key);
[140] Fix | Delete
}
[141] Fix | Delete
[142] Fix | Delete
/**
[143] Fix | Delete
* Returns whether or not we've seen a successful login from $ip for the given user.
[144] Fix | Delete
*
[145] Fix | Delete
* @param WP_User $user
[146] Fix | Delete
* @param string $ip
[147] Fix | Delete
* @return bool
[148] Fix | Delete
*/
[149] Fix | Delete
public static function hasPreviousLoginFromIP($user, $ip) {
[150] Fix | Delete
global $wpdb;
[151] Fix | Delete
$table_wfLogins = wfDB::networkTable('wfLogins');
[152] Fix | Delete
[153] Fix | Delete
$id = property_exists($user, 'ID') ? $user->ID : 0;
[154] Fix | Delete
if ($id == 0) {
[155] Fix | Delete
return false;
[156] Fix | Delete
}
[157] Fix | Delete
[158] Fix | Delete
$ipHex = wfDB::binaryValueToSQLHex(wfUtils::inet_pton($ip));
[159] Fix | Delete
$result = $wpdb->get_row($wpdb->prepare("SELECT id FROM {$table_wfLogins} WHERE action = 'loginOK' AND userID = %d AND IP = {$ipHex} LIMIT 0,1", $id), ARRAY_A);
[160] Fix | Delete
if (is_array($result)) {
[161] Fix | Delete
return true;
[162] Fix | Delete
}
[163] Fix | Delete
[164] Fix | Delete
$lastAdminLogin = wfConfig::get_ser('lastAdminLogin');
[165] Fix | Delete
if (is_array($lastAdminLogin) && isset($lastAdminLogin['userID']) && isset($lastAdminLogin['IP'])) {
[166] Fix | Delete
if ($lastAdminLogin['userID'] == $id && wfUtils::inet_pton($lastAdminLogin['IP']) == wfUtils::inet_pton($ip)) {
[167] Fix | Delete
return true;
[168] Fix | Delete
}
[169] Fix | Delete
return false;
[170] Fix | Delete
}
[171] Fix | Delete
[172] Fix | Delete
//Final check -- if the IP recorded at plugin activation matches, let it through. This is __only__ checked when we don't have any other record of an admin login.
[173] Fix | Delete
$activatingIP = wfConfig::get('activatingIP');
[174] Fix | Delete
if (wfUtils::isValidIP($activatingIP)) {
[175] Fix | Delete
if (wfUtils::inet_pton($activatingIP) == wfUtils::inet_pton($ip)) {
[176] Fix | Delete
return true;
[177] Fix | Delete
}
[178] Fix | Delete
}
[179] Fix | Delete
[180] Fix | Delete
return false;
[181] Fix | Delete
}
[182] Fix | Delete
}
[183] Fix | Delete
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
Function