%PDF- %PDF-
Direktori : /home/kfvehpdt/musculation-relax.com/wp-content/plugins/sucuri-scanner/src/ |
Current File : /home/kfvehpdt/musculation-relax.com/wp-content/plugins/sucuri-scanner/src/hardening.lib.php |
<?php /** * Code related to the hardening.lib.php interface. * * PHP version 5 * * @category Library * @package Sucuri * @subpackage SucuriScanner * @author Daniel Cid <dcid@sucuri.net> * @copyright 2010-2018 Sucuri Inc. * @license https://www.gnu.org/licenses/gpl-2.0.txt GPL2 * @link https://wordpress.org/plugins/sucuri-scanner */ if (!defined('SUCURISCAN_INIT') || SUCURISCAN_INIT !== true) { if (!headers_sent()) { /* Report invalid access if possible. */ header('HTTP/1.1 403 Forbidden'); } exit(1); } /** * Project hardening library. * * In computing, hardening is usually the process of securing a system by * reducing its surface of vulnerability. A system has a larger vulnerability * surface the more functions it fulfills; in principle a single-method system * is more secure than a multipurpose one. Reducing available vectors of attack * typically includes the removal of unnecessary software, unnecessary usernames * or logins and the disabling or removal of unnecessary services. * * There are various methods of hardening Unix and Linux systems. This may * involve, among other measures, applying a patch to the kernel such as Exec * Shield or PaX; closing open network ports; and setting up intrusion-detection * systems, firewalls and intrusion-prevention systems. There are also hardening * scripts and tools like Bastille Linux, JASS for Solaris systems and * Apache/PHP Hardener that can, for example, deactivate unneeded features in * configuration files or perform various other protective measures. * * @category Library * @package Sucuri * @subpackage SucuriScanner * @author Daniel Cid <dcid@sucuri.net> * @copyright 2010-2018 Sucuri Inc. * @license https://www.gnu.org/licenses/gpl-2.0.txt GPL2 * @link https://wordpress.org/plugins/sucuri-scanner */ class SucuriScanHardening extends SucuriScan { /** * Returns a list of access control rules for the Apache web server that can be * used to deny and allow certain files to be accessed by certain network nodes. * Currently supports Apache 2.2 and 2.4 and denies access to all PHP files with * any mixed extension case. * * @return array List of access control rules. */ private static function getRules() { return array( '<FilesMatch "\.(?i:php)$">', ' <IfModule !mod_authz_core.c>', ' Order allow,deny', ' Deny from all', ' </IfModule>', ' <IfModule mod_authz_core.c>', ' Require all denied', ' </IfModule>', '</FilesMatch>', ); } /** * Adds some rules to an existing access control file (or creates it if does not * exists) to deny access to all files with certain extension in any mixed case. * The permissions to modify the file are checked before anything else, this * method is self-contained. * * @param string $directory Valid directory path where to place the access rules. * @return bool True if the rules are successfully added, false otherwise. */ public static function hardenDirectory($directory = '') { if (!is_dir($directory) || !is_writable($directory)) { return self::throwException(__('Directory is not usable', 'sucuri-scanner')); } if (SucuriScan::isNginxServer() || SucuriScan::isIISServer()) { return self::throwException(__('Access control file is not supported', 'sucuri-scanner')); } $fhandle = false; $target = self::htaccess($directory); if (file_exists($target)) { self::fixPreviousHardening($directory); $fhandle = @fopen($target, 'a'); } else { $fhandle = @fopen($target, 'w'); } if (!$fhandle) { return false; } $deny_rules = self::getRules(); $rules_text = implode("\n", $deny_rules); $written = @fwrite($fhandle, "\n" . $rules_text . "\n"); @fclose($fhandle); return (bool) ($written !== false); } /** * Deletes some rules from an existing access control file to allow access to * all files with certain extension in any mixed case. The file is truncated if * after the operation its size is equals to zero. * * @param string $directory Valid directory path where to access rules are. * @return bool True if the rules are successfully deleted, false otherwise. */ public static function unhardenDirectory($directory = '') { if (!self::isHardened($directory)) { return self::throwException(__('Directory is not hardened', 'sucuri-scanner')); } $fpath = self::htaccess($directory); $content = SucuriScanFileInfo::fileContent($fpath); $deny_rules = self::getRules(); $rules_text = implode("\n", $deny_rules); $content = str_replace($rules_text, '', $content); $written = @file_put_contents($fpath, $content); $trimmed = trim($content); if (!filesize($fpath) || empty($trimmed)) { @unlink($fpath); } return (bool) ($written !== false); } /** * Remove the hardening applied in previous versions. * * @param string $directory Valid directory path. * @return bool True if the access control file was fixed. */ private static function fixPreviousHardening($directory = '') { $fpath = self::htaccess($directory); $content = SucuriScanFileInfo::fileContent($fpath); $rules = "<Files *.php>\ndeny from all\n</Files>"; /* no previous hardening rules exist */ if (strpos($content, $rules) === false) { return true; } $content = str_replace($rules, '', $content); $written = @file_put_contents($fpath, $content); return (bool) ($written !== false); } /** * Check whether a directory is hardened or not. * * @param string $directory Valid directory path. * @return bool True if the directory is hardened, false otherwise. */ public static function isHardened($directory = '') { if (!is_dir($directory)) { return false; } $fpath = self::htaccess($directory); $content = SucuriScanFileInfo::fileContent($fpath); $deny_rules = self::getRules(); $rules_text = implode("\n", $deny_rules); return (bool) (strpos($content, $rules_text) !== false); } /** * Returns the path to the Apache access control file. * * @param string $folder Folder where the htaccess file is supposed to be. * @return string Path to the htaccess file in the specified folder. */ private static function htaccess($folder = '') { if (!function_exists('get_home_path')) { require_once ABSPATH . 'wp-admin/includes/file.php'; } $folder = str_replace(get_home_path(), '', $folder); $bpath = rtrim(get_home_path(), DIRECTORY_SEPARATOR); return $bpath . '/' . $folder . '/.htaccess'; } /** * Generates Apache access control rules for a file. * * Assumming that the directory hosting the specified file is hardened, this * method will generate the necessary rules to allowlist such file so anyone * can send a direct request to it. The method will generate both the rules * for Apache 2.4 and a compatibility conditional for older versions. * * @param string $file File to be ignored by the hardening. * @return string Access control rules to allowlist the file. */ private static function allowlistRule($file = '') { $file = str_replace('/', '', $file); $file = str_replace('<', '', $file); $file = str_replace('>', '', $file); return sprintf( "<Files %s>\n" . " <IfModule !mod_authz_core.c>\n" . " Allow from all\n" . " </IfModule>\n" . " <IfModule mod_authz_core.c>\n" . " Require all granted\n" . " </IfModule>\n" . "</Files>\n", $file ); } /** * Adds file in the specified folder to the allowlist. * * If the website owner has applied the hardening to the folder where the * specified file is located, all the requests sent directly to the file * will be blocked by the web server using its access control module. An * admin can ignore this hardening in one or more files if direct access to * it is required, as is the case with some 3rd-party plugins and themes. * * @param string $file File to be ignored by the hardening. * @param string $folder Folder hosting the specified file. * @return bool True if the file has been added to the allowlist, false otherwise. */ public static function allow($file = '', $folder = '') { if (SucuriScan::isNginxServer() || SucuriScan::isIISServer()) { throw new Exception(__('Access control file is not supported', 'sucuri-scanner')); } $htaccess = self::htaccess($folder); if (!file_exists($htaccess)) { throw new Exception(__('Access control file does not exists', 'sucuri-scanner')); } if (!is_writable($htaccess)) { throw new Exception(__('Access control file is not writable', 'sucuri-scanner')); } return (bool) @file_put_contents( $htaccess, "\n" . self::allowlistRule($file), FILE_APPEND ); } /** * Blocks a file in the specified folder. * * If the website owner has applied the hardening to the folder where the * specified file is located, all the requests sent directly to the file * will be blocked by the web server using its access control module. If an * admin has added a file to the allowlist in this folder because a 3rd-party plugin or * theme required it, they can decide to remove this file from the allowlist using this * method which is executed by one of the tools in the settings page. * * @param string $file File to stop ignoring from the hardening. * @param string $folder Folder hosting the specified file. * @return bool True if the file has been removed from the allowlist, false otherwise. */ public static function removeFromAllowlist($file = '', $folder = '') { $htaccess = self::htaccess($folder); $content = SucuriScanFileInfo::fileContent($htaccess); if (!$content || !is_writable($htaccess)) { return self::throwException(__('Cannot remove file from the allowlist; no permissions.', 'sucuri-scanner')); } $rules = self::allowlistRule($file); $content = str_replace($rules, '', $content); $content = rtrim($content) . "\n"; return (bool) @file_put_contents($htaccess, $content); } /** * Returns a list of files in the allowlist in folder. * * @param string $folder Directory to scan for files in the allowlist. * @return array List of files in the allowlist, false on failure. */ public static function getAllowlist($folder = '') { $htaccess = self::htaccess($folder); $content = SucuriScanFileInfo::fileContent($htaccess); @preg_match_all('/<Files (\S+)>/', $content, $matches); return $matches[1]; } }