• I just noticed that there is kind of a major bug in Better WP Security's code. That bug lies in the part of the code which is responsible for nginx config generation.

    I'm testing B-WP-S in my multi-install env, which is running with nginx, and I'm quite familiar with nginx. So I did the B-WP-S configuration and copied the nginx config (generated by it) to be part of my current conf. And I started to check what it does.

    That code does, as a last thing, an if-comparison:
    if ($susquery = 4321) { return 403; }
    but I can't find how and when it sets the number 4 to part of the susquery variable. So I took a look at its source. And there is a major bug.

    In file inc/admin/common.php line 635 the last char of the line is ; (semicolon). It should be . (dot). Because of this bug the following line drops away from the nginx conf and that if (mentioned above) never succeeds:
    if ($args !~ "^action=rp") { set $susquery 4$susquery; }

    On the other hand, there are two mysterious variables in the nginx conf, $rule_2 and $rule_3. There is one situation when these get a value other than their default, 0. And it is when there is no logged_in cookie, but even then, neither of these two variables is used anywhere in the conf…

    And as a last note. There are two rewrite rules, to deny requests to wp-includes and wp-admin/includes. These should not be rewrites; location rules are way better and faster, by returning 403 directly.

    PS. The conf is also inconsistent. Some of the "strings" are inside quotes (if ($rule_0 = "3210")) and some not (if ($susquery = 4321)). 😉

    http://wordpress.org/extend/plugins/better-wp-security/
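For reference, here is how the $susquery chain and the two deny rules could read once the points in the post are applied. This is an added example written for this page, not the plugin's generated config and not the poster's own. Only the "action=rp" test and the final compare are taken from the post; the three conditions that set digits 1 to 3 are hypothetical stand-ins for whatever the plugin actually tests, and blocking only PHP under wp-includes (rather than every request) is my choice, because that directory also serves the JS and CSS a WordPress site needs.

```nginx
# Added example, not Better WP Security's generated config. The conditions
# for digits 1..3 are hypothetical placeholders; the "action=rp" test and
# the final compare are the lines quoted in the post.

server {
    # listen, server_name, root, index ... as in the existing vhost

    # nginx "if" cannot AND several conditions, so each matching test
    # prepends one digit to $susquery and the final compare only succeeds
    # when all four matched. Setting the default first also makes sure the
    # variable exists before it is referenced.
    set $susquery 0;

    # hypothetical digit 1: the query string looks suspicious
    if ($args ~* "(base64_encode|GLOBALS|_REQUEST)") {
        set $susquery 1;
    }
    # hypothetical digit 2: not a request into wp-admin
    if ($request_uri !~ "^/wp-admin/") {
        set $susquery 2$susquery;
    }
    # hypothetical digit 3: no logged-in cookie present
    if ($http_cookie !~* "wordpress_logged_in_") {
        set $susquery 3$susquery;
    }
    # digit 4, the line the ';' vs '.' bug drops from the output:
    # password-reset requests are exempt. Without it the variable tops
    # out at 321 and the 403 below never fires.
    if ($args !~ "^action=rp") {
        set $susquery 4$susquery;
    }
    # quoted consistently with the $rule_0 compare mentioned in the PS
    if ($susquery = "4321") {
        return 403;
    }

    # location blocks instead of rewrite rules: the request is refused
    # directly, with no rewrite pass. "^~" makes this prefix match win over
    # any regex location, so its position in the file does not matter.
    location ^~ /wp-admin/includes/ {
        return 403;
    }
    # regex locations are tried in file order: this one has to sit above
    # the general "\.php$" handler, otherwise that handler wins
    location ~* ^/wp-includes/.*\.php$ {
        return 403;
    }

    location ~ \.php$ {
        # existing PHP handler, e.g. fastcgi_pass unix:/run/php-fpm.sock;
    }
}
```

Directives of the rewrite module at server level are evaluated top to bottom, so the order of the if blocks is what makes the prepended digits come out as 4321; run nginx -t after editing and then request something like /?action=rp&base64_encode=x and /wp-includes/x.php from a logged-out session to confirm which rule answers 403.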

  • The topic ‘Bug(s) in Nginx config generation’ is closed to new replies.