1 | 1 | <?php |
2 | 2 |
|
| 3 | +use CleantalkSP\Variables\Get; |
| 4 | +use CleantalkSP\Variables\Post; |
| 5 | +use CleantalkSP\Variables\Request; |
3 | 6 | use CleantalkSP\Variables\Server; |
4 | 7 | use CleantalkSP\SpbctWP\DB; |
5 | 8 | use CleantalkSP\SpbctWP\Firewall; |
|
8 | 11 | use CleantalkSP\SpbctWP\Firewall\TC; |
9 | 12 | use CleantalkSP\SpbctWP\Firewall\WAF; |
10 | 13 | use CleantalkSP\SpbctWP\Firewall\WafBlocker; |
| 14 | +use CleantalkSP\SpbctWP\Firewall\UploadChecker; |
11 | 15 | use CleantalkSP\SpbctWP\Helpers\IP; |
12 | 16 | use CleantalkSP\SpbctWP\Variables\Cookie; |
13 | 17 | use CleantalkSP\SpbctWP\RenameLoginPage; |
@@ -152,7 +156,60 @@ function spbc_upload_checker__check() |
152 | 156 | { |
153 | 157 | global $spbc; |
154 | 158 | if ( $spbc->settings['upload_checker__file_check'] && !empty($_FILES) ) { |
155 | | - $upload_checker = new Firewall\UploadChecker(array( |
| 159 | + /** @var WP_Error|null $run_checker_error */ |
| 160 | + $run_checker_error = null; |
| 161 | + if (is_user_logged_in()) { |
| 162 | + if (is_admin()) { |
| 163 | + $action = Post::getString('action') ?: Get::getString('action') ?: ''; |
| 164 | + if ($action === 'upload-plugin' || $action === 'upload-theme') { |
| 165 | + if ($action === 'upload-plugin') { |
| 166 | + if (!wp_verify_nonce(Request::getString('_wpnonce') ?: '', 'plugin-upload')) { |
| 167 | + // Install plugins interface - exit if nonce is wrong |
| 168 | + $run_checker_error = new WP_Error(403, __('You do not have sufficient permissions to upload files.', 'security-malware-firewall')); |
| 169 | + } |
| 170 | + if (!current_user_can('install_plugins')) { |
| 171 | + // Install plugins interface - exit if no permission to do that |
| 172 | + $run_checker_error = new WP_Error(403, __('You do not have sufficient permissions to upload files.', 'security-malware-firewall')); |
| 173 | + } |
| 174 | + } |
| 175 | + if ($action === 'upload-theme') { |
| 176 | + if (!wp_verify_nonce(Request::getString('_wpnonce') ?: '', 'theme-upload')) { |
| 177 | + // Install themes interface - exit if nonce is wrong |
| 178 | + $run_checker_error = new WP_Error(403, __('You do not have sufficient permissions to upload files.', 'security-malware-firewall')); |
| 179 | + } |
| 180 | + if (!current_user_can('install_themes')) { |
| 181 | + // Install themes interface - exit if no permission to do that |
| 182 | + $run_checker_error = new WP_Error(403, __('You do not have sufficient permissions to upload files.', 'security-malware-firewall')); |
| 183 | + } |
| 184 | + } |
| 185 | + if (!current_user_can('install_plugins')) { |
| 186 | + // Install plugins/themes interface - exit if no permission to do that |
| 187 | + $run_checker_error = new WP_Error(403, __('You do not have sufficient permissions to upload files.', 'security-malware-firewall')); |
| 188 | + } |
| 189 | + } elseif (!current_user_can('upload_files') || !wp_verify_nonce(Request::getString('_wpnonce') ?: '', 'media-form')) { |
| 190 | + // Media interface - exit if no permission to uploading |
| 191 | + $run_checker_error = new WP_Error(403, __('You do not have sufficient permissions to upload files.', 'security-malware-firewall')); |
| 192 | + } |
| 193 | + } elseif (!current_user_can('upload_files')) { |
| 194 | + // Not admin area - exit if no permission to uploading |
| 195 | + $run_checker_error = new WP_Error(403, __('You do not have sufficient permissions to upload files.', 'security-malware-firewall')); |
| 196 | + } |
| 197 | + } |
| 198 | + |
| 199 | + // RateLimit for all uploads, but permission check only for logged-in users |
| 200 | + if ( ! $run_checker_error && UploadChecker::hasRateOverlimit() ) { |
| 201 | + $run_checker_error = new WP_Error(429, __('You have exceeded the upload limit. Please try again later.', 'security-malware-firewall')); |
| 202 | + } |
| 203 | + |
| 204 | + if ( $run_checker_error ) { |
| 205 | + wp_die( |
| 206 | + $run_checker_error->get_error_message(), |
| 207 | + __('Upload Checker Exceeded', 'security-malware-firewall'), |
| 208 | + array('response' => $run_checker_error->get_error_code()) |
| 209 | + ); |
| 210 | + } |
| 211 | + |
| 212 | + $upload_checker = new UploadChecker(array( |
156 | 213 | 'upload_checker__do_check_wordpress_modules' => $spbc->settings['upload_checker__do_check_wordpress_modules'], |
157 | 214 | 'api_key' => $spbc->api_key, |
158 | 215 | )); |
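Review bot: The trailing `if (!current_user_can('install_plugins'))` block at new lines 185-188 runs for `upload-theme` as well as `upload-plugin`, so a user who holds `install_themes` but not `install_plugins` is refused theme uploads even though the theme branch at 180 already enforces the correct capability, while for plugins it only repeats the check at 170. Drop those four lines (or guard them with `$action === 'upload-plugin'`) so each interface is gated by its own capability. Separately, the `elseif` at 189 requires the `media-form` nonce for every other admin-side upload, and since `is_admin()` is also true for admin-ajax.php requests, upload handlers from other plugins that carry a different nonce action would appear to hit this 403 — worth confirming against the hook this function runs on, which is not visible in the hunk. The `wp_die` title at 207 reads `Upload Checker Exceeded` for the 403 permission case too; a neutral title such as `__('Upload blocked', 'security-malware-firewall')` would fit both response codes. The body of `spbc_upload_checker__check` continues past the end of the hunk.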