Merge Develop (#231)

.docker/config/nginx/default.conf

@@ -2,44 +2,44 @@ server {
 	listen 80 default_server;
 	listen 443 ssl;
 
-	ssl_certificate /etc/nginx/certs/localhost.crt;
+ 	ssl_certificate /etc/nginx/certs/localhost.crt;
 	ssl_certificate_key /etc/nginx/certs/localhost.key;
 
-	# Doesn't really matter because default server, but this way email doesn't throw errors
+ 	# Doesn't really matter because default server, but this way email doesn't throw errors
 	server_name localhost;
 
-	access_log   /var/log/nginx/access.log;
+ 	access_log   /var/log/nginx/access.log;
 	error_log    /var/log/nginx/error.log;
 
-	root /var/www/html;
+ 	root /var/www/html;
 	index index.php;
 
-	if (!-e $request_filename) {
+ 	if (!-e $request_filename) {
 		rewrite /wp-admin$ $scheme://$host$uri/ permanent;
 		rewrite ^(/[^/]+)?(/wp-.*) $2 last;
 		rewrite ^(/[^/]+)?(/.*\.php) $2 last;
 	}
 
-	location / {
+ 	location / {
 		try_files $uri $uri/ /index.php?$args;
 	}
 
-	location ~ \.php$ {
+ 	location ~ \.php$ {
 		try_files $uri =404;
 		fastcgi_split_path_info ^(.+\.php)(/.+)$;
 
-		include /etc/nginx/fastcgi_params;
+ 		include /etc/nginx/fastcgi_params;
 		fastcgi_pass wordpress:9000;
 		fastcgi_index index.php;
 		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 	}
 
-	location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
+ 	location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
 		access_log off; log_not_found off; expires max;
 
-		add_header Access-Control-Allow-Origin *;
+ 		add_header Access-Control-Allow-Origin *;
 	}
 
-	# This should match upload_max_filesize in php.ini
+ 	# This should match upload_max_filesize in php.ini
 	client_max_body_size 100m;
-}
+}

.docker/config/php-fpm/php.ini

@@ -8,4 +8,4 @@ upload_max_filesize = 100M
 post_max_size = 100M
 
 [mail function]
-sendmail_path = /usr/sbin/sendmail -S mail:1025
+sendmail_path = /usr/sbin/sendmail -S mail:1025

.github/CONTRIBUTING.md

@@ -56,12 +56,12 @@ execute the following commands:
 - `npm install` This will install node modules that we use, as defined in the `package.json` file.
 
 #### Docker setup
-To make it easier to test your code on the go, a [Docker](https://www.docker.com/) configuration is prepared for you.
-Just run `docker-compose up` and wait for things to finish setting up. Once setup is complete, the following tools are available:
-- `http://localhost` the main WordPress site install
-- `http://localhost:8080` Adminer, a lightweight MSQL editor
-- `http://localhost:8025` MailHog, captures emails so you don't need ot worry about spamming inboxes during testing.
-
+ To make it easier to test your code on the go, a [Docker](https://www.docker.com/) configuration is prepared for you.
+ Just run `docker-compose up` and wait for things to finish setting up. Once setup is complete, the following tools are available:
+ - `http://localhost` the main WordPress site install
+ - `http://localhost:8080` Adminer, a lightweight MSQL editor
+ - `http://localhost:8025` MailHog, captures emails so you don't need ot worry about spamming inboxes during testing.
+ 
 The Health Check plugin will also be automatically added to the test site, although deactivated initially. Running the `grunt watch` task during development also guarantees your test site is always showing your latest changes.
 
 ### Submitting Pull Requests

assets/javascript/site-status/loopback.js

@@ -3,7 +3,8 @@ jQuery( document ).ready(function( $ ) {
 	function testDefaultTheme() {
 		var $parent = $( '.individual-loopback-test-status', '#test-single-no-theme' ),
 			data = {
-				action: 'health-check-loopback-default-theme'
+				'action': 'health-check-loopback-default-theme',
+				'_wpnonce': HealthCheck.nonce.loopback_default_theme
 			};
 
 		$.post(
@@ -33,8 +34,9 @@ jQuery( document ).ready(function( $ ) {
 
 		$testLine = $testLines.first();
 		data = {
-			action: 'health-check-loopback-individual-plugins',
-			plugin: $testLine.data( 'test-plugin' )
+			'action': 'health-check-loopback-individual-plugins',
+			'plugin': $testLine.data( 'test-plugin' ),
+			'_wpnonce': HealthCheck.nonce.loopback_individual_plugins
 		};
 
 		$parentField = $( '.individual-loopback-test-status', $testLine );
@@ -61,7 +63,8 @@ jQuery( document ).ready(function( $ ) {
 		var $trigger = $( this ),
 			$parent = $( this ).closest( 'td' ),
 			data = {
-				action: 'health-check-loopback-no-plugins'
+				'action': 'health-check-loopback-no-plugins',
+				'_wpnonce': HealthCheck.nonce.loopback_no_plugins
 			};
 
 		e.preventDefault();

assets/javascript/site-status/site-status-tests.js

@@ -1,33 +1,19 @@
-/* global ajaxurl */
+/* global ajaxurl, HealthCheck */
 jQuery( document ).ready(function( $ ) {
-	function runNextSiteStatusTest() {
-		var $test = $( '.health-check-site-status-test' ),
-			data;
-
-		// If there are no more tests to run, stop processing.
-		if ( $test.length < 1 ) {
-			return;
-		}
-
-		$test = $test.first();
-
-		data = {
-			action: 'health-check-site-status',
-			feature: $test.data( 'site-status' )
-		};
-
-		$test.removeClass( 'health-check-site-status-test' );
+	$( '.health-check-site-status-test' ).each( function() {
+		var $check = $( this ),
+            data = {
+                'action': 'health-check-site-status',
+                'feature': $( this ).data( 'site-status' ),
+                '_wpnonce': HealthCheck.nonce.site_status
+            };
 
 		$.post(
 			ajaxurl,
 			data,
 			function( response ) {
-				$test.html( response );
-                $( document ).trigger( 'health-check:site-status-classification' );
-				runNextSiteStatusTest();
+				$check.html( response );
 			}
 		);
-	}
-
-	runNextSiteStatusTest();
+	});
 });

assets/javascript/tools/check-file-integrity.js

@@ -1,8 +1,9 @@
-/* global ajaxurl */
+/* global ajaxurl, HealthCheck */
 jQuery( document ).ready(function( $ ) {
 	$( '#health-check-file-integrity' ).submit( function( e ) {
 		var data = {
-			'action': 'health-check-files-integrity-check'
+			'action': 'health-check-files-integrity-check',
+			'_wpnonce': HealthCheck.nonce.files_integrity_check
 		};
 
 		e.preventDefault();
@@ -32,7 +33,8 @@ jQuery( document ).ready(function( $ ) {
 
 		data = {
 			'action': 'health-check-view-file-diff',
-			'file': file
+			'file': file,
+			'_wpnonce': HealthCheck.nonce.view_file_diff
 		};
 
 		$.post(

assets/javascript/tools/email-test.js

@@ -1,4 +1,4 @@
-/* global ajaxurl */
+/* global ajaxurl, HealthCheck */
 jQuery( document ).ready(function( $ ) {
 	$( '#health-check-mail-check' ).submit( function( e ) {
 		var email = $( '#health-check-mail-check #email' ).val(),
@@ -13,7 +13,8 @@ jQuery( document ).ready(function( $ ) {
 		data = {
 			'action': 'health-check-mail-check',
 			'email': email,
-			'email_message': emailMessage
+			'email_message': emailMessage,
+			'_wpnonce': HealthCheck.nonce.mail_check
 		};
 
 		$.post(

docs/plugin/readme.txt

@@ -2,8 +2,8 @@
 Tags: health check
 Contributors: wordpressdotorg, westi, pento, Clorith
 Requires at least: 4.0
-Tested up to: 4.9
-Stable tag: 1.2.1
+Tested up to: 5.0
+Stable tag: 1.2.4
 License: GPLv2
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -39,6 +39,22 @@ Are you unfamiliar with how to clear your cookies? No worries, you may also clos
 
 == Changelog ==
 
+= v1.2.4 =
+* Security: Prevent arbitrary file viewing through the integrity file actions. Independently reported by Julien Legras of [https://synacktiv.com](Synacktiv) and siliconforks.
+* Security: Site status was available to any user with a subscriber role or higher on a site. Reported by Julien Legras of [https://synacktiv.com](Synacktiv).
+* Security: Hardened the troubleshooting mode session so it is lock to the users location when active.
+* New enhancement: Check that various PHP extensions exist, as recommended by the WordPress Hosting Community.
+* New enhancement: Check if update APIs are being manipulated by plugins or themes.
+* Fix: Copying debug information had the wrong indentation for easier readability.
+* Fix: Toggling plugins and themes from the troubleshooting widget on in the dashboard now lets you expand/collapse them as intended.
+* Fix: When debugging was enabled in WordPress, disabling a plugin in troubleshooting mode would cause a WSOD if the disabled plugin caused a fatal error.
+
+= v1.2.3 =
+* Added REST API availability test to the Site Status
+
+= v 1.2.2 =
+* Added Twenty Nineteen as a recognized core theme.
+
 = v 1.2.1 =
 * Make sure only those with access to the plugin see the backup encouragement notice.
 * Make sure the `is_troubleshooting()` checks are available to the Site Status tester when the MU plugin may not have updated yet.

gruntfile.js

@@ -111,7 +111,7 @@ module.exports = function( grunt ) {
 			},
 			healthcheck: {
 				expand: true,
-				src: [ 'build/assets/css/health-check.css', 'build/assets/css/health-check-troubleshooting-mode.css' ]
+				src: [ 'build/assets/css/health-check.css', 'build/assets/css/health-check-troubleshooting-mods.css' ]
 			}
 		},
 		sass: {

src/assets/mu-plugin/health-check-troubleshooting-mode.php

@@ -2,15 +2,15 @@
 /*
 	Plugin Name: Health Check Troubleshooting Mode
 	Description: Conditionally disabled themes or plugins on your site for a given session, used to rule out conflicts during troubleshooting.
-	Version: 1.5.0
+	Version: 1.5.1
  */
 
 if ( ! defined( 'ABSPATH' ) ) {
 	die( 'We\'re sorry, but you can not directly access this file.' );
 }
 
 // Set the MU plugin version.
-define( 'HEALTH_CHECK_TROUBLESHOOTING_MODE_PLUGIN_VERSION', '1.5.0' );
+define( 'HEALTH_CHECK_TROUBLESHOOTING_MODE_PLUGIN_VERSION', '1.5.1' );
 
 class Health_Check_Troubleshooting_MU {
 	private $disable_hash    = null;
@@ -278,7 +278,7 @@ public function get_unfiltered_plugin_list() {
 	public function is_troubleshooting() {
 		// Check if a session cookie to disable plugins has been set.
 		if ( isset( $_COOKIE['health-check-disable-plugins'] ) ) {
-			$_GET['health-check-disable-plugin-hash'] = $_COOKIE['health-check-disable-plugins'];
+			$_GET['health-check-disable-plugin-hash'] = $_COOKIE['health-check-disable-plugins'] . md5( $_SERVER['REMOTE_ADDR'] );
 		}
 
 		// If the disable hash isn't set, no need to interact with things.
@@ -548,7 +548,7 @@ function health_check_troubleshoot_get_captures() {
 					sprintf(
 						// translators: %s: The plugin slug that was disabled.
 						__( 'When disabling the plugin, %s, a site failure occurred. Because of this the change was automatically reverted.', 'health-check' ),
-						$_GET['health-check-troubleshoot-enable-plugin']
+						$_GET['health-check-troubleshoot-disable-plugin']
 					),
 					'warning'
 				);
@@ -1007,7 +1007,7 @@ public function display_dashboard_widget() {
 											<?php esc_html_e( 'Show all themes', 'health-check' ); ?> <span class="icon"></span>
 										</button>
 
-										<button type="button" class="button button-link health-check-toggle-visibility toggle-visibility" aria-hidden="true" data-element="health-check-themes">
+										<button type="button" class="button button-link health-check-toggle-visibility toggle-visibility" aria-hidden="true"  data-element="health-check-themes">
 											<?php esc_html_e( 'Show fewer themes', 'health-check' ); ?> <span class="icon icon-up"></span>
 										</button>
 									</p>

src/health-check.php

@@ -9,7 +9,7 @@
  * Plugin URI: https://wordpress.org/plugins/health-check/
  * Description: Checks the health of your WordPress install.
  * Author: The WordPress.org community
- * Version: 1.2.1
+ * Version: 1.2.4
  * Author URI: https://wordpress.org/plugins/health-check/
  * Text Domain: health-check
  */
@@ -35,7 +35,7 @@
 define( 'HEALTH_CHECK_MYSQL_REC_VERSION', '5.6' );
 
 // Set the plugin version.
-define( 'HEALTH_CHECK_PLUGIN_VERSION', '1.2.1' );
+define( 'HEALTH_CHECK_PLUGIN_VERSION', '1.2.4' );
 
 // Set the absolute path for the plugin.
 define( 'HEALTH_CHECK_PLUGIN_DIRECTORY', plugin_dir_path( __FILE__ ) );
@@ -63,8 +63,3 @@
 
 // Initialize our plugin.
 new Health_Check();
-
-// If WP-CLI is being used, we include our own commands as well.
-if ( defined( 'WP_CLI' ) && WP_CLI ) {
-	include_once( dirname( __FILE__ ) . '/includes/class-health-check-wp-cli.php' );
-}

src/includes/class-health-check-files-integrity.php

@@ -17,6 +17,7 @@ class Health_Check_Files_Integrity {
 	 * @return void
 	 */
 	static function run_files_integrity_check() {
+		check_ajax_referer( 'health-check-files-integrity-check' );
 
 		$checksums = Health_Check_Files_Integrity::call_checksum_api();
 
@@ -160,9 +161,20 @@ static function create_the_response( $files ) {
 	* @return void
 	*/
 	static function view_file_diff() {
-		$filepath         = ABSPATH;
-		$file             = $_POST['file'];
-		$wpversion        = get_bloginfo( 'version' );
+		check_ajax_referer( 'health-check-view-file-diff' );
+
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error();
+		}
+
+		$filepath  = ABSPATH;
+		$file      = $_POST['file'];
+		$wpversion = get_bloginfo( 'version' );
+
+		if ( 0 !== validate_file( $filepath . $file ) ) {
+			wp_send_json_error();
+		}
+
 		$local_file_body  = file_get_contents( $filepath . $file, FILE_USE_INCLUDE_PATH );
 		$remote_file      = wp_remote_get( 'https://core.svn.wordpress.org/tags/' . $wpversion . '/' . $file );
 		$remote_file_body = wp_remote_retrieve_body( $remote_file );
@@ -190,7 +202,7 @@ static function view_file_diff() {
 	 *
 	 * @param array $tabs
 	 *
-	 * return array
+	 * @return array
 	 */
 	static function tools_tab( $tabs ) {
 		ob_start();

src/includes/class-health-check-loopback.php

@@ -119,6 +119,12 @@ static function can_perform_loopback( $disable_plugin_hash = null, $allowed_plug
 	 * @return void
 	 */
 	static function loopback_no_plugins() {
+		check_ajax_referer( 'health-check-loopback-no-plugins' );
+
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error();
+		}
+
 		ob_start();
 
 		$needs_creds = false;
@@ -228,6 +234,12 @@ static function loopback_no_plugins() {
 	 * @return void
 	 */
 	static function loopback_test_individual_plugins() {
+		check_ajax_referer( 'health-check-loopback-individual-plugins' );
+
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error();
+		}
+
 		ob_start();
 
 		$needs_creds = false;
@@ -273,6 +285,12 @@ static function loopback_test_individual_plugins() {
 	}
 
 	static function loopback_test_default_theme() {
+		check_ajax_referer( 'health-check-loopback-default-theme' );
+
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error();
+		}
+
 		ob_start();
 
 		$needs_creds = false;