YES) {
        // Referer check. Both sides are lower-cased; the Referer header is
        // client-supplied and may be absent (the die() text below allows for
        // proxies). strstr() is an unanchored substring test, so the admin URL
        // may appear anywhere inside the header, and an empty Referer passes.
        $adminurl = strtolower(get_settings('siteurl')).'/wp-admin';
        $referer = strtolower($_SERVER['HTTP_REFERER']);
        if (!strstr($referer, $adminurl) && !($referer === "")) {
            die(__('You did not come from an admin page or you are using a proxy. WordPress cannot verify your identity.'));
        }
    }
    // Everywhere that the admin check is done, the nonce is verified.
    // (Head of this function is above this chunk; the do_action name suggests
    // it is the pluggable check_admin_referer() — confirm.)
    verify_user_nonce();
    do_action('check_admin_referer');
}
endif;

// Clear the nonce if the user logs out.
// Pluggable-style override (guarded by function_exists) of wp_clearcookie():
// wipes this plugin's per-user nonce bookkeeping from the user options and
// expires the user/password cookies on both cookie paths.
if ( !function_exists('wp_clearcookie') ) :
function wp_clearcookie() {
    global $user_ID;

    // Clear all nonce info
    update_user_option($user_ID, 'lastpageviewed', '');
    update_user_option($user_ID, 'curpageviewed', '');
    update_user_option($user_ID, 'nonce', '');
    // Only kept while debugging; note the loose == comparison against YES.
    if (DEBUGGING == YES) update_user_option($user_ID, 'noncedecoded', '');

    // Expire the cookies by handing the browser an expiry one year in the
    // past (31536000 s = 365 days); done for COOKIEPATH and SITECOOKIEPATH
    // alike so both variants of the cookie are cleared.
    setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
    setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
    setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
    setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
}
endif;

// ***************************************************************************************
// Helper Functions
// ***************************************************************************************

// ***************************************************************************************
// SN4WP_config_page()
//
// Adds the config page to the plugin submenu.
//
// ***************************************************************************************
function SN4WP_config_page() {
    global $wpdb; // imported but not used in this function body

    // Register the settings page under the Plugins menu. __FILE__ is the
    // menu slug and SN4WP_config() renders the page; the integer 1 is the
    // access/capability argument — confirm against this WordPress version's
    // add_submenu_page() signature.
    if ( function_exists('add_submenu_page') )
        add_submenu_page('plugins.php', __('SN4WP for Wordpress Configuration'), __('SN4WP Configuration'), 1, __FILE__, 'SN4WP_config');
} // SN4WP_config_page

// ***************************************************************************************
// SN4WP_config
//
// Displays and stores the values from a form that allows all plugin options to be
// configured.
//
// ***************************************************************************************
function SN4WP_config() {
    if ( isset($_POST['submit']) ) {
        // Admin referer / nonce check before any option is written
        // (check_admin_referer() appears to be overridden earlier in this
        // file to also run verify_user_nonce() — confirm).
        check_admin_referer();

        // Each value is stored exactly as posted: no cast, trim or range
        // check happens here. The read path in the else branch only guards
        // against a value <= 0.
        $timeout = $_POST['timeout'];
        update_option('sn4wp_timeout', $timeout);
        $posttimeout = $_POST['posttimeout'];
        update_option('sn4wp_posttimeout', $posttimeout);
        $disablereferer = $_POST['disablereferer'];
        update_option('sn4wp_disablereferer', $disablereferer);
        $onlyoneip = $_POST['onlyoneip'];
        update_option('sn4wp_onlyoneip', $onlyoneip);

        // Pump through two more nonce assignments in order to clear and
        // revalidate the current nonce structure.
        assign_user_nonce();
        assign_user_nonce();
    } else {
        // Non-submit path: load the stored values, falling back to the
        // compile-time defaults when the option is unset or non-positive.
        $timeout = get_option('sn4wp_timeout');
        if ($timeout <= 0) $timeout = DEFAULT_TIMEOUT;
        $posttimeout = get_option('sn4wp_posttimeout');
        if ($posttimeout <= 0) $posttimeout = DEFAULT_POSTTIMEOUT;
        // NOTE(review): this is the non-submit branch, yet these two are read
        // from $_POST rather than get_option('sn4wp_disablereferer') /
        // get_option('sn4wp_onlyoneip') like the two values above. On a plain
        // page load they are undefined, so the stored settings are not what
        // gets displayed. Looks like a bug — confirm.
        $disablereferer = $_POST['disablereferer'];
        $onlyoneip = $_POST['onlyoneip'];
    }
    // The settings form is emitted as inline HTML from here on (continues
    // past this chunk).
    ?>
This plugin adds security to your site by providing an admin user timeout and several other security checks.
".__('You must save your post at least once every ' . $posttimeout . ' minutes or all changes will be lost.')."
"; } // SN4WP_warning // *************************************************************************************** // assign_user_nonce // // Creates a user level nonce and records it, and all relevant information in the user // options. // // *************************************************************************************** function assign_user_nonce() { global $pagenow, $user_ID, $user_pass_md5; $curtime = time(); // (in seconds) $lastpageviewed = get_user_option( 'curpageviewed', $user_ID ); $curpageviewed = $pagenow; $onlyoneip = get_option( 'sn4wp_onlyoneip'); if (($lastpageviewed === 'post.php') && ($curpageviewed === 'post.php')) { $timeout = get_option('sn4wp_posttimeout'); if ($timeout <= 0) $timeout = DEFAULT_POSTTIMEOUT; } else { $timeout = get_option('sn4wp_timeout'); if ($timeout <= 0) $timeout = DEFAULT_TIMEOUT; } $timeout = $timeout * 60; // Convert time out to seconds. if ($onlyoneip == YES) { $salt = $_SERVER['REMOTE_ADDR']; } else { $salt = $user_pass_md5; } $oldnonce = get_user_option( 'nonce', $user_ID ); // Degrade the cur page to the last pageviewed at this point $noncetime = get_user_option( 'noncetime', $user_ID ); if (DEBUGGING == YES) $noncedecoded = get_user_option( 'noncedecoded', $user_ID ); // This routine is called from every display of the admin menu. // EVERY admin action in WP results in an admin menu display. // That means a faked request from off site, hits this assign_user_nonce and then // it hits verify_user_nonce. Without any special checking in the nonce creation, // the verify nonce would always succeed. // Therefore we must make certain that previous screen/nonce was also valid, and // otherwise create a nonce that cannot succeed. If we did come from an adminpage // then a valid nonce should be created for the current page. // This if statement translates to: // If we have expired or the nonce is invalid, do our thing - UNLESS we already got in here last time around. 
if ((($curtime - $noncetime) > $timeout) || ((!(substr(md5($noncetime . DB_PASSWORD . $salt . $lastpageviewed), -20, 20) === $oldnonce))) && (!($curpageviewed === INVALID_MESSAGE2))) { // If the previous nonce is expired or invalid, force new nonce to fail to evaluate too. // This enforces that you came from a valid admin context. if (DEBUGGING == YES) { echo "Creation check failed: Time Passed: ". ($curtime - $noncetime)." timeout: $timeout, curtime: $curtime, NonceTime: $noncetime