rmast
Forum Replies Created
-
By the way, I also have the Heartbeat Control plugin active, with the settings
– Allow only on post edit pages.
– Use default
It does show the reject by SFS lookup and IP check
chkblip : Deny List IP:114.96.0.0/13
Good Cache:114.97.58.144
JetPack doesn’t ring a bell. However, I have some speed optimizations which can sometimes interfere with the normal functioning of plugins, a combination of Varnish cache and Merge, Minify & Refresh.
I will experiment somewhat with my plugins. I had two Captcha plugins: one active, Really Simple CAPTCHA for Contact Form 7, and one inactive (from Bestwebsoft), which I deleted right away.
And still it isn’t working with the new version.
I have 114.96.0.0/13 in my block list.
Now two new entries have entered my log:
2016/07/16 18:40:11 uzjpyicv@gmail.com 114.97.58.144 fifa 17 points /wp-admin/admin-ajax.php Good Cache:114.97.58.144
2016/07/16 18:35:33 vmpoqxxceq@gmail.com 114.97.58.144 buy fifa 17 coins /wp-admin/admin-ajax.php allow admin-ajax.php
Why is allow admin-ajax.php adding this blocked IP-address to my Good cache?
I guess you’re right.
However, when I modify this piece of code in the plugin it doesn’t work for the same address. On the prompt I tested it with this PHP program:
<?php
// Test from the prompt: set the low $mask bits of both addresses and compare.
list($subnet, $mask) = explode('/', '114.96.0.0/19');
$x2 = ip2long('114.97.201.8') | ((1 << ($mask)) - 1);
$x3 = ip2long($subnet) | ((1 << ($mask)) - 1);
if ($x2 == $x3) {
    echo "match";
} else {
    echo "no match";
}
?>
Inspired by your previous version, I would change the logic of the mask
& ~((1 << (32 - $mask)) - 1);
with
| ((1 << ($mask)) - 1);
That works on my prompt for this specific IP-check.
Still, the Diagnostics of this new version doesn’t recognize 114.97.201.8 as 114.96.0.0/19.
I now look at this version:
// searching for a CIDR in the list
list($subnet, $mask) = explode('/', $search);
$x2 = ip2long($needle) & ~((1 << (32 - $mask)) - 1);
$x3 = ip2long($subnet) & ~((1 << (32 - $mask)) - 1);
if ($x2 == $x3) {
    return "$searchname:$reason";
}
The manually uploaded plugin does contain a difference. I am going to try the Diagnostics again.
The part of the code that seems to do this match, in stop-spammer-registrations-plugin/classes/be_module.class.php, doesn’t differ between the production and the beta version, so probably something is wrong with the beta updater, or we are looking at a different piece of code. I would expect line 89 to do the final match. The code above that line looks like it ought to.
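As an added example (not code from this thread or from the stop-spammer-registrations-plugin itself), here is a standalone PHP script that applies the same mask arithmetic as the quoted be_module.class.php snippet, keeping the top $mask bits with & ~((1 << (32 - $mask)) - 1), to the addresses and ranges named above. The function names ip_in_cidr and cidr_range and the list of checks are my own; it assumes a 64-bit PHP build (like the x86_64 build quoted in this thread), where ip2long() never returns a negative value.

```php
<?php
// Added example: CIDR membership with the plugin's "keep the network bits"
// mask logic, plus the first/last address each range covers.
// Assumes 64-bit PHP: ip2long() returns 0..4294967295, so & on the
// negative ~mask value works without extra sign handling.

function network_mask(int $mask): int
{
    // Host bits are the low (32 - $mask) bits; clear them, keep the rest.
    // & 0xFFFFFFFF trims the sign-extended high bits to a clean 32-bit value.
    return ~((1 << (32 - $mask)) - 1) & 0xFFFFFFFF;
}

function ip_in_cidr(string $ip, string $cidr): bool
{
    list($subnet, $mask) = explode('/', $cidr);
    $prefix = network_mask((int) $mask);
    return (ip2long($ip) & $prefix) === (ip2long($subnet) & $prefix);
}

// First and last address of a CIDR block, for checking what a list entry covers.
function cidr_range(string $cidr): array
{
    list($subnet, $mask) = explode('/', $cidr);
    $hostbits = 32 - (int) $mask;
    $first = ip2long($subnet) & network_mask((int) $mask);
    $last  = $first | ((1 << $hostbits) - 1);
    return [long2ip($first), long2ip($last)];
}

// Ranges and addresses taken from the thread above (list of checks is constructed).
foreach (['114.96.0.0/13', '114.96.0.0/19'] as $cidr) {
    list($first, $last) = cidr_range($cidr);
    printf("%-15s covers %s - %s\n", $cidr, $first, $last);
}

$checks = [
    ['114.97.201.8',  '114.96.0.0/13'],
    ['114.97.201.8',  '114.96.0.0/19'],
    ['114.97.58.144', '114.96.0.0/13'],
];
foreach ($checks as list($ip, $cidr)) {
    printf("%-14s in %-15s : %s\n", $ip, $cidr,
        ip_in_cidr($ip, $cidr) ? 'match' : 'no match');
}
```

Run it with `php cidr_check.php` (any file name works). A /13 block spans 114.96.0.0 through 114.103.255.255, whereas a /19 block spans only 114.96.0.0 through 114.96.31.255, which is why the same address can match one list entry and not the other.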
By the way, the production PHP build of my provider we talk about is
PHP Version 7.0.3-5+deb.sury.org~trusty+1
Linux web20 3.16.0-59-generic #79~14.04.1-Ubuntu SMP Mon Jan 18 15:41:27 UTC 2016 x86_64
which is freely available on a foreign site.
Diagnostics still only recognizes 114.97.201.8. 114.96.0.0/19 does not show up.
I did install the newest beta three times, and 114.97.201.8 is still ending up in my good cache today, even though it has already been hardcoded without a mask in my deny-list since yesterday, by marking it bad in my good cache, and it is not visible in my good cache today. Quite strange. I’ll try the Diagnostics this weekend myself to see whether the isolated routine works.
In the same file I also had to alter another reference to admin-ajax.php to just point to the default style. This way my site stops publishing that executable PHP, which is a potential security leak.
By the way, as there are many slideshow plugins, it is the 5 star Slideshow by StefanBoonstra.
As a workaround I just disabled the usage of this Ajax script by the Slideshow. The plugin provides real CSS files as ‘default’ when the style setting is missing. Clearing the style setting in the wp_options table, however, seems too tricky.
slideshow-jquery-image-gallery/classes/SlideshowPluginSlideshowStylesheet.php
// Enqueue stylesheet
if (0 /*$enqueueDynamicStylesheet*/)
This doesn’t, however, solve the issue completely.
I think that for these ‘local’ dynamic PHP CSS files the PHP function file_get_contents is not sufficient.
I think of several possible ways to handle this:
– exclude some listed plugins from merge/minification by handling them as ‘not local’
– try to evaluate the contents as they are meant via a more expensive way. However, as soon as websites start rewriting URLs you can also not depend on .PHP in the middle of the URL. This could also be done via an exception list.
So I think of a list of all plugins with options of what to do with them.
I investigated the issue somewhat further.
Somehow the dynamic CSS via PHP is not generated when called from the MMR.
The unmerged script resulting from this entry in the MMR log
http://www.tekenbeetziekten.nl/wp-admin/admin-ajax.php?action=slideshow_jquery_image_gallery_load_stylesheet&style=style-dark
does look more like unprocessed PHP than CSS.