Skip to content

Commit

Permalink
Merge pull request #28 from erikyo/dev
Browse files Browse the repository at this point in the history
0.4.3
  • Loading branch information
erikyo authored Nov 18, 2022
2 parents a73f847 + 86acd53 commit 7746692
Show file tree
Hide file tree
Showing 8 changed files with 198 additions and 27 deletions.
4 changes: 2 additions & 2 deletions .wp-env.json
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,9 @@
"phpVersion": "7.4",
"core": "WordPress/WordPress",
"plugins": [
".",
"https://downloads.wordpress.org/plugin/contact-form-7.zip",
"https://downloads.wordpress.org/plugin/flamingo.zip",
"."
"https://downloads.wordpress.org/plugin/flamingo.zip"
],
"config": {
"WP_DEBUG": true,
Expand Down
57 changes: 54 additions & 3 deletions admin/admin-customizations.php
Original file line number Diff line number Diff line change
Expand Up @@ -398,7 +398,7 @@ public function cf7a_options_init() {
'cf7a_honeypot'
);

/* DNS Blacklist server list */
/* honeypot input name */
add_settings_field(
'honeypot_input_names',
__( 'Name for the honeypots inputs[*]', 'cf7-antispam' ),
Expand Down Expand Up @@ -433,6 +433,32 @@ public function cf7a_options_init() {
'cf7a_honeyform'
);

/* Identity Protection */
add_settings_section(
'cf7a_identity_protection',
__( 'Identity Protection', 'cf7-antispam' ),
array( $this, 'cf7a_print_identity_protection' ),
'cf7a-settings'
);

/* Enable identity_protection */
add_settings_field(
'identity_protection_user',
__( 'Enforce user protection', 'cf7-antispam' ),
array( $this, 'cf7a_identity_protection_user_callback' ),
'cf7a-settings',
'cf7a_identity_protection'
);

/* identity_protection position */
add_settings_field(
'identity_protection_wp',
__( 'Enforce Wordpress protection', 'cf7-antispam' ),
array( $this, 'cf7a_identity_protection_wp_callback' ),
'cf7a-settings',
'cf7a_identity_protection'
);

/* Section b8 */
add_settings_section(
'cf7a_b8',
Expand Down Expand Up @@ -763,6 +789,11 @@ public function cf7a_print_honeyform() {
printf( '<p>%s</p>', esc_html__( "I'm actually going to propose the honey-form for the first time! Instead of serving the bot a form with trap fields we directly serve it a form that is entirely a trap", 'cf7-antispam' ) );
}

/** It prints the user protection info text */
public function cf7a_print_identity_protection() {
printf( '<p>%s</p>', esc_html__( "After monitoring and analysing some bots, I noticed that it is necessary to block the way bots collect (user) data from the website, otherwise protecting the form may have no effect. This also blocks some registrations, spam comments and other attacks", 'cf7-antispam' ) );
}

/** It prints the b8 info text */
public function cf7a_print_b8() {
printf( '<p>%s</p>', esc_html__( 'Tells you whether a text is spam or not, using statistical text analysis of the text message', 'cf7-antispam' ) );
Expand Down Expand Up @@ -934,7 +965,7 @@ public function cf7a_sanitize_options( $input ) {

/* auto-unban delay */
$schedule = wp_get_schedules();
if ( ! empty( $input['unban_after'] ) && in_array( $input['unban_after'], array_keys( $schedule ) ) ) {
if ( ! empty( $input['unban_after'] ) && in_array( $input['unban_after'], array_keys( $schedule ), true ) ) {
if ( $this->options['unban_after'] !== $input['unban_after'] ) {
$new_input['unban_after'] = $input['unban_after'];
/* delete previous scheduled events */
Expand Down Expand Up @@ -1006,6 +1037,10 @@ public function cf7a_sanitize_options( $input ) {
$new_input['check_honeyform'] = isset( $input['check_honeyform'] ) ? 1 : 0;
$new_input['honeyform_position'] = ! empty( $input['honeyform_position'] ) ? sanitize_title( $input['honeyform_position'] ) : 'wp_body_open';

/* honeyform */
$new_input['identity_protection_user'] = isset( $input['identity_protection_user'] ) ? 1 : 0;
$new_input['identity_protection_wp'] = isset( $input['identity_protection_wp'] ) ? 1 : 0;

/* b8 */
$new_input['enable_b8'] = isset( $input['enable_b8'] ) ? 1 : 0;
$threshold = floatval( $input['b8_threshold'] );
Expand Down Expand Up @@ -1190,7 +1225,7 @@ public function cf7a_geoip_key_callback() {
'<input type="text" id="geoip_dbkey" name="cf7a_options[geoip_dbkey]" %s %s/>',
empty( $this->options['geoip_dbkey'] ) ? '' : 'value="' . esc_attr( $this->options['geoip_dbkey'] ) . '"',
// phpcs:ignore WordPress.Security.EscapeOutput
empty( CF7ANTISPAM_GEOIP_KEY ) ? '' : 'disabled placeholder="KEY provided"'
empty( CF7ANTISPAM_GEOIP_KEY ) ? '' : 'disabled placeholder="' . esc_html__( 'KEY provided' ) . '"'
);
}

Expand Down Expand Up @@ -1362,6 +1397,22 @@ public function cf7a_honeyform_position_callback() {
);
}

/** It creates a checkbox with the id of "cf7a_identity_protection_user_callback" */
public function cf7a_identity_protection_user_callback() {
printf(
'<input type="checkbox" id="identity_protection_user" name="cf7a_options[identity_protection_user]" %s />',
! empty( $this->options['identity_protection_user'] ) ? 'checked="true"' : ''
);
}

/** It creates a checkbox with the id of "cf7a_identity_protection_user_callback" */
public function cf7a_identity_protection_wp_callback() {
printf(
'<input type="checkbox" id="identity_protection_wp" name="cf7a_options[identity_protection_wp]" %s />',
! empty( $this->options['identity_protection_wp'] ) ? 'checked="true"' : ''
);
}

/** It creates a checkbox with the id of "cf7a_enable_b8_callback" */
public function cf7a_enable_b8_callback() {
printf(
Expand Down
4 changes: 2 additions & 2 deletions cf7-antispam.php
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
* Author: Codekraft
* Text Domain: cf7-antispam
* Domain Path: /languages/
* Version: 0.4.2
* Version: 0.4.3
*
* @package cf7-antispam
*/
Expand All @@ -18,7 +18,7 @@
/* CONSTANTS */
define( 'CF7ANTISPAM_NAME', 'cf7-antispam' );

define( 'CF7ANTISPAM_VERSION', '0.4.2' );
define( 'CF7ANTISPAM_VERSION', '0.4.3' );

define( 'CF7ANTISPAM_PLUGIN', __FILE__ );

Expand Down
2 changes: 2 additions & 0 deletions includes/cf7a-activator.php
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,8 @@ public static function init_vars() {
'check_refer' => true,
'check_honeypot' => true,
'check_honeyform' => false,
'identity_protection_user' => false,
'identity_protection_wp' => false,
'enable_geoip_download' => false,
'geoip_dbkey' => false,
'check_language' => false,
Expand Down
12 changes: 12 additions & 0 deletions includes/cf7a-core.php
Original file line number Diff line number Diff line change
Expand Up @@ -305,6 +305,18 @@ private function load_frontend() {
$this->loader->add_filter( 'the_content', $plugin_frontend, 'cf7a_honeyform', 99 );
}

/* Checking if the user has selected the option to protect the user's identity. If they have, it will call the function
to protect the user's identity. */
if ( isset( $this->options['identity_protection_user'] ) && intval( $this->options['identity_protection_user'] ) === 1 ) {
$plugin_frontend->cf7a_protect_user();
}

/* It removes the WordPress version from the header, removes the REST API link from the header,
removes headers that disposes information */
if ( isset( $this->options['identity_protection_wp'] ) && intval( $this->options['identity_protection_wp'] ) === 1 ) {
$this->loader->add_filter( 'wp_headers', $plugin_frontend, 'cf7a_protect_wp', 999 );
}

/* It adds a CSS style to the page that hides the honeypot field */
if (
( isset( $this->options['check_honeypot'] ) && 1 === intval( $this->options['check_honeypot'] ) ) || ( isset( $this->options['check_honeyform'] ) && 1 === intval( $this->options['check_honeyform'] ) )
Expand Down
74 changes: 72 additions & 2 deletions includes/cf7a-frontend.php
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,8 @@ public function cf7a_honeypot_add( $form_elements ) {
try {
$html = new DOMDocument( '1.0', 'UTF-8' );
libxml_use_internal_errors( true );
$html->loadHTML( $form_elements, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD );
// mb_convert_encoding is needed for non-latin font sets / LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD avoids auto-fixes for corrupted html code
$html->loadHTML( mb_convert_encoding( $form_elements, 'HTML-ENTITIES', 'UTF-8' ), LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD );
$xpath = new DOMXpath( $html );
$inputs = $xpath->query( '//input' );

Expand All @@ -73,6 +74,16 @@ public function cf7a_honeypot_add( $form_elements ) {
$options = get_option( 'cf7a_options', array() );
$input_names = get_honeypot_input_names( $options['honeypot_input_names'] );
$input_class = sanitize_html_class( $this->options['cf7a_customizations_class'] );
/**
* Controls the maximum number of honeypots.
*
* @example add_filter( 'cf7a_additional_max_honeypots', function() {return 42});
*
* @returns int $max_replacements - replacement count number
*
* @since 0.4.3
*/
$max_replacements = intval( apply_filters( 'cf7a_additional_max_honeypots', 5 ) );

/* get the inputs data */
if ( $inputs && $inputs->length > 0 ) {
Expand Down Expand Up @@ -101,7 +112,7 @@ public function cf7a_honeypot_add( $form_elements ) {
/* duplicate the inputs into honeypots */
$parent->insertBefore( $clone, $sibling );

if ( $i > 0 ) {
if ( $i > $max_replacements ) {
return $html->saveHTML();
}
}
Expand Down Expand Up @@ -324,6 +335,65 @@ public function cf7a_append_on_submit( $fields ) {
);
}

/**
* It disables the XML-RPC protocol and the REST API endpoints for users
*
*/
public function cf7a_protect_user() {
/* disables the XML-RPC */
add_filter( 'xmlrpc_enabled', '__return_false' );

/**
* Remove Rest user endpoints
* @return array $endpoints the value of the variable $endpoints.
*/
if (!is_user_logged_in()) add_filter('rest_endpoints', function($endpoints) {
if ( isset( $endpoints['/wp/v2/users'] ) ) {
unset( $endpoints['/wp/v2/users'] );
}
if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
}
return $endpoints;
});
}

/**
* It removes the WordPress version from the header, removes the REST API link from the header, removes the X-Pingback
* header, removes the X-Powered-By header, and adds a random server header
*
* @param array $headers The headers array that is passed to the function.
*
* @return array The headers are being returned.
*/
public function cf7a_protect_wp($headers) {

/* removes version number (WordPress/WooCommerce) */
remove_action( 'wp_head', 'wp_generator' );
remove_action('wp_head', 'woo_version');

remove_action( 'wp_head', 'rest_output_link_wp_head');
remove_action( 'template_redirect', 'rest_output_link_header', 20);

unset( $headers['X-Pingback'] );
unset( $headers['X-Powered-By'] );

if ( empty( $headers['X-Frame-Options'] )) {
$headers['X-Frame-Options'] = 'SAMEORIGIN';
}
if ( empty( $headers['X-Content-Type-Options'] )) {
$headers['X-Content-Type-Options'] = 'nosniff';
}
if ( empty( $headers['X-XSS-Protection'] )) {
$headers['X-XSS-Protection'] = '1; mode=block';
}
if ( empty( $headers['Strict-Transport-Security'] )) {
$headers['Strict-Transport-Security'] = 'max-age=31536000';
}

return $headers;
}

/**
* Register the JavaScript for the admin area.
*
Expand Down
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"name": "cf7-antispam",
"author": "Erik Golinelli",
"license": "GPL-2.0-only",
"version": "0.4.2",
"version": "0.4.3",
"description": "AntiSpam for Contact Form 7",
"files": [
"admin/*",
Expand Down
Loading

0 comments on commit 7746692

Please sign in to comment.