From 641ae669480d9b2cc96d6d042b46fd8c75a385fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Viktor=20Sz=C3=A9pe?= Date: Mon, 9 Oct 2023 16:05:20 +0000 Subject: [PATCH 01/32] Fix typos --- classes/class-alert.php | 4 +-- classes/class-live-update.php | 2 +- classes/class-network.php | 4 +-- connectors/class-connector-posts.php | 2 +- connectors/class-connector-settings.php | 2 +- connectors/class-connector-taxonomies.php | 2 +- connectors/class-connector-users.php | 2 +- connectors/class-connector-woocommerce.php | 2 +- connectors/class-connector-wordpress-seo.php | 2 +- includes/lib/Carbon.php | 32 +++++++++---------- languages/stream-en_US.po | 2 +- local/docker/wordpress/Dockerfile | 2 +- phpcs.xml.dist | 2 +- readme.txt | 6 ++-- .../connectors/test-class-connector-edd.php | 2 +- .../test-class-connector-user-switching.php | 10 +++--- 16 files changed, 39 insertions(+), 39 deletions(-) diff --git a/classes/class-alert.php b/classes/class-alert.php index 13f30bf36..f236ed133 100644 --- a/classes/class-alert.php +++ b/classes/class-alert.php @@ -186,7 +186,7 @@ public function update_meta( $meta_key, $meta_value, $prev_value = '' ) { /** * Determine the title of the alert. * - * @todo enhance human readibility + * @todo enhance human readability * @return string The title of the alert */ public function get_title() { @@ -207,7 +207,7 @@ public function get_title() { } /** - * Retreive current alert type object + * Retrieve current alert type object * * @return Alert_Type */ diff --git a/classes/class-live-update.php b/classes/class-live-update.php index f20d0baaf..9c2c33003 100644 --- a/classes/class-live-update.php +++ b/classes/class-live-update.php @@ -170,7 +170,7 @@ public function gather_updated_items( $last_time, $args = array() ) { /** * Handles live updates for Stream Post List * - * @action heartbeat_recieved + * @action heartbeat_received * * @param array $response Response to be sent to heartbeat tick. * @param array $data Data from heartbeat send. 
diff --git a/classes/class-network.php b/classes/class-network.php index 4e234e6c7..6111f82d9 100644 --- a/classes/class-network.php +++ b/classes/class-network.php @@ -351,13 +351,13 @@ public function get_settings_translations( $labels ) { * Wrapper for the settings API to work on the network settings page */ public function network_options_action() { - $allowed_referers = array( + $allowed_referrers = array( $this->network_settings_page_slug, $this->default_settings_page_slug, ); // @codingStandardsIgnoreLine - if ( ! isset( $_GET['action'] ) || ! in_array( $_GET['action'], $allowed_referers, true ) ) { + if ( ! isset( $_GET['action'] ) || ! in_array( $_GET['action'], $allowed_referrers, true ) ) { return; } diff --git a/connectors/class-connector-posts.php b/connectors/class-connector-posts.php index 6b0dc9694..fb0c0d22f 100644 --- a/connectors/class-connector-posts.php +++ b/connectors/class-connector-posts.php @@ -110,7 +110,7 @@ public function action_links( $links, $record ) { /* translators: %s: a post type singular name (e.g. "Post") */ $links[ sprintf( esc_html_x( 'Restore %s', 'Post type singular name', 'stream' ), $post_type_name ) ] = $untrash; /* translators: %s: a post type singular name (e.g. "Post") */ - $links[ sprintf( esc_html_x( 'Delete %s Permenantly', 'Post type singular name', 'stream' ), $post_type_name ) ] = $delete; + $links[ sprintf( esc_html_x( 'Delete %s Permanently', 'Post type singular name', 'stream' ), $post_type_name ) ] = $delete; } else { /* translators: %s a post type singular name (e.g. "Post") */ $links[ sprintf( esc_html_x( 'Edit %s', 'Post type singular name', 'stream' ), $post_type_name ) ] = get_edit_post_link( $post->ID ); diff --git a/connectors/class-connector-settings.php b/connectors/class-connector-settings.php index dede61ccb..679201b50 100644 --- a/connectors/class-connector-settings.php +++ b/connectors/class-connector-settings.php 
@@ -459,7 +459,7 @@ public function get_serialized_field_label( $option_name, $field_key ) { /** * Filter allows for insertion of serialized labels * - * @param array $lables Serialized labels + * @param array $labels Serialized labels * @return array Updated array of serialzed labels */ $labels = apply_filters( 'wp_stream_serialized_labels', $labels ); diff --git a/connectors/class-connector-taxonomies.php b/connectors/class-connector-taxonomies.php index 7966e9351..13e4bdb83 100644 --- a/connectors/class-connector-taxonomies.php +++ b/connectors/class-connector-taxonomies.php @@ -124,7 +124,7 @@ public function action_links( $links, $record ) { } /** - * Catch registration of taxonomies after inital loading, so we can cache its labels + * Catch registration of taxonomies after initial loading, so we can cache its labels * * @action registered_taxonomy * diff --git a/connectors/class-connector-users.php b/connectors/class-connector-users.php index cdce28441..91b6287e7 100644 --- a/connectors/class-connector-users.php +++ b/connectors/class-connector-users.php @@ -108,7 +108,7 @@ public function action_links( $links, $record ) { } /** - * Get an array of role lables assigned to a specific user. + * Get an array of role labels assigned to a specific user. * * @param object|int $user User object or user ID to get roles for. * diff --git a/connectors/class-connector-woocommerce.php b/connectors/class-connector-woocommerce.php index 1ab9aff0e..3361f4d4b 100644 --- a/connectors/class-connector-woocommerce.php +++ b/connectors/class-connector-woocommerce.php @@ -315,7 +315,7 @@ public function exclude_order_post_types( $post_types ) { * Prevent the Stream Comments connector from logging status * change comments on orders * - * @filter wp_stream_commnent_exclude_comment_types + * @filter wp_stream_comment_exclude_comment_types * * @param array $comment_types Ignored post types. * 
diff --git a/connectors/class-connector-wordpress-seo.php b/connectors/class-connector-wordpress-seo.php index 2170d836b..18614e965 100644 --- a/connectors/class-connector-wordpress-seo.php +++ b/connectors/class-connector-wordpress-seo.php @@ -170,7 +170,7 @@ public function action_links( $links, $record ) { /* translators: %s: a post type singular name (e.g. "Post") */ $links[ sprintf( esc_html_x( 'Restore %s', 'Post type singular name', 'stream' ), $post_type_name ) ] = $untrash; /* translators: %s: a post type singular name (e.g. "Post") */ - $links[ sprintf( esc_html_x( 'Delete %s Permenantly', 'Post type singular name', 'stream' ), $post_type_name ) ] = $delete; + $links[ sprintf( esc_html_x( 'Delete %s Permanently', 'Post type singular name', 'stream' ), $post_type_name ) ] = $delete; } else { /* translators: %s: a post type singular name (e.g. "Post") */ $links[ sprintf( esc_html_x( 'Edit %s', 'Post type singular name', 'stream' ), $post_type_name ) ] = get_edit_post_link( $post->ID ); diff --git a/includes/lib/Carbon.php b/includes/lib/Carbon.php index 93830c582..bf62c0316 100644 --- a/includes/lib/Carbon.php +++ b/includes/lib/Carbon.php @@ -1971,8 +1971,8 @@ public function endOfWeek() } /** - * Modify to the next occurance of a given day of the week. - * If no dayOfWeek is provided, modify to the next occurance + * Modify to the next occurrence of a given day of the week. + * If no dayOfWeek is provided, modify to the next occurrence * of the current day of the week. Use the supplied consts * to indicate the desired dayOfWeek, ex. static::MONDAY. * 
@@ -1990,8 +1990,8 @@ public function next($dayOfWeek = null) } /** - * Modify to the previous occurance of a given day of the week. - * If no dayOfWeek is provided, modify to the previous occurance + * Modify to the previous occurrence of a given day of the week. + * If no dayOfWeek is provided, modify to the previous occurrence * of the current day of the week. Use the supplied consts * to indicate the desired dayOfWeek, ex. static::MONDAY. * @@ -2009,7 +2009,7 @@ public function previous($dayOfWeek = null) } /** - * Modify to the first occurance of a given day of the week + * Modify to the first occurrence of a given day of the week * in the current month. If no dayOfWeek is provided, modify to the * first day of the current month. Use the supplied consts * to indicate the desired dayOfWeek, ex. static::MONDAY. @@ -2030,7 +2030,7 @@ public function firstOfMonth($dayOfWeek = null) } /** - * Modify to the last occurance of a given day of the week + * Modify to the last occurrence of a given day of the week * in the current month. If no dayOfWeek is provided, modify to the * last day of the current month. Use the supplied consts * to indicate the desired dayOfWeek, ex. static::MONDAY. @@ -2051,8 +2051,8 @@ public function lastOfMonth($dayOfWeek = null) } /** - * Modify to the given occurance of a given day of the week - * in the current month. If the calculated occurance is outside the scope + * Modify to the given occurrence of a given day of the week + * in the current month. If the calculated occurrence is outside the scope * of the current month, then return false and no modifications are made. * Use the supplied consts to indicate the desired dayOfWeek, ex. static::MONDAY. * 
@@ -2071,7 +2071,7 @@ public function nthOfMonth($nth, $dayOfWeek) } /** - * Modify to the first occurance of a given day of the week + * Modify to the first occurrence of a given day of the week * in the current quarter. If no dayOfWeek is provided, modify to the * first day of the current quarter. Use the supplied consts * to indicate the desired dayOfWeek, ex. static::MONDAY. @@ -2086,7 +2086,7 @@ public function firstOfQuarter($dayOfWeek = null) } /** - * Modify to the last occurance of a given day of the week + * Modify to the last occurrence of a given day of the week * in the current quarter. If no dayOfWeek is provided, modify to the * last day of the current quarter. Use the supplied consts * to indicate the desired dayOfWeek, ex. static::MONDAY. @@ -2101,8 +2101,8 @@ public function lastOfQuarter($dayOfWeek = null) } /** - * Modify to the given occurance of a given day of the week - * in the current quarter. If the calculated occurance is outside the scope + * Modify to the given occurrence of a given day of the week + * in the current quarter. If the calculated occurrence is outside the scope * of the current quarter, then return false and no modifications are made. * Use the supplied consts to indicate the desired dayOfWeek, ex. static::MONDAY. * @@ -2122,7 +2122,7 @@ public function nthOfQuarter($nth, $dayOfWeek) } /** - * Modify to the first occurance of a given day of the week + * Modify to the first occurrence of a given day of the week * in the current year. If no dayOfWeek is provided, modify to the * first day of the current year. Use the supplied consts * to indicate the desired dayOfWeek, ex. static::MONDAY. 
@@ -2137,7 +2137,7 @@ public function firstOfYear($dayOfWeek = null) } /** - * Modify to the last occurance of a given day of the week + * Modify to the last occurrence of a given day of the week * in the current year. If no dayOfWeek is provided, modify to the * last day of the current year. Use the supplied consts * to indicate the desired dayOfWeek, ex. static::MONDAY. @@ -2152,8 +2152,8 @@ public function lastOfYear($dayOfWeek = null) } /** - * Modify to the given occurance of a given day of the week - * in the current year. If the calculated occurance is outside the scope + * Modify to the given occurrence of a given day of the week + * in the current year. If the calculated occurrence is outside the scope * of the current year, then return false and no modifications are made. * Use the supplied consts to indicate the desired dayOfWeek, ex. static::MONDAY. * diff --git a/languages/stream-en_US.po b/languages/stream-en_US.po index 4e10c8675..360dd4ebf 100644 --- a/languages/stream-en_US.po +++ b/languages/stream-en_US.po @@ -2582,7 +2582,7 @@ msgstr "" #: connectors/class-connector-wordpress-seo.php:160 #, php-format msgctxt "Post type singular name" -msgid "Delete %s Permenantly" +msgid "Delete %s Permanently" msgstr "" #: connectors/class-connector-posts.php:104 diff --git a/local/docker/wordpress/Dockerfile b/local/docker/wordpress/Dockerfile index a55dd18ac..ace59050e 100644 --- a/local/docker/wordpress/Dockerfile +++ b/local/docker/wordpress/Dockerfile @@ -6,7 +6,7 @@ FROM wordpress:php${PHP_VERSION}-apache # Default version which supports the default PHP 7.4. ARG XDEBUG_VERSION=2.9.6 -# Include our Composer vendor binrary path into global path. +# Include our Composer vendor binary path into global path. ENV PATH="/var/www/html/wp-content/plugins/stream-src/vendor/bin:${PATH}" RUN apt-get update; \ diff --git a/phpcs.xml.dist b/phpcs.xml.dist index cc28e8a19..16924cca3 100644 --- a/phpcs.xml.dist +++ b/phpcs.xml.dist @@ -7,7 +7,7 @@ - + warning 
diff --git a/readme.txt b/readme.txt index 41f4d145b..46f233f54 100644 --- a/readme.txt +++ b/readme.txt @@ -136,7 +136,7 @@ Track changes to posts when using the block editor. - Fix: Track changes to posts when using the block editor by making the Posts connector to run on both frontend and backend requests since block editor changes happen over the REST API [#1264](https://github.com/xwp/stream/pull/1264), props [@coreymckrill](https://github.com/coreymckrill). - Fix: Don't store empty log event parameters [#1307](https://github.com/xwp/stream/pull/1307), props [@lkraav](https://github.com/lkraav). -- Development: Adjust the local development environment to use MariaDB containers for ARM processor compatabilty. +- Development: Adjust the local development environment to use MariaDB containers for ARM processor compatibility. = 3.8.2 - October 12, 2021 = @@ -341,7 +341,7 @@ Props [@lukecarbis](https://github.com/lukecarbis) * Tweak: Minor security improvements * Fix: New and improved Gravity Forms connector, works much better ([#780](https://github.com/xwp/stream/pull/780)) (thanks [Rob](https://github.com/rob)!) * Fix: Stream no longer explodes on < PHP 5.3, when trying to tell you that it explodes on < PHP 5.3 ([#781](https://github.com/xwp/stream/pull/781)) -* Fix: Fixed a smal typo ([62455c5](https://github.com/xwp/stream/commit/62455c518b95ddaf5e6c6c0733e7d03e5aa1311c)) +* Fix: Fixed a small typo ([62455c5](https://github.com/xwp/stream/commit/62455c518b95ddaf5e6c6c0733e7d03e5aa1311c)) * Fix: Multiple Multisite Mistakes Mended ([#788](https://github.com/xwp/stream/pull/788)) * Fix: Internet Explorer 8 fix!! IE8!? Come on, people, it's 2015. ([#789](https://github.com/xwp/stream/pull/789)) * Fix: EDD connector bug ([#790](https://github.com/xwp/stream/pull/790)) 
@@ -571,7 +571,7 @@ Props [@westonruter](https://github.com/westonruter), [@fjarrett](https://github * Fix: Non-Administrator users seeing errors in Settings records ([#406](https://github.com/x-team/wp-stream/issues/406)) * Fix: Uninstall confirmation message doesn't display ([#411](https://github.com/x-team/wp-stream/issues/411)) * Fix: TTL purge schedule is never setup ([#412](https://github.com/x-team/wp-stream/issues/412)) -* Fix: NextGen compability issue ([#416](https://github.com/x-team/wp-stream/issues/416)) +* Fix: NextGen compatibility issue ([#416](https://github.com/x-team/wp-stream/issues/416)) * Fix: Stream Feeds Key not being automatically generated ([#420](https://github.com/x-team/wp-stream/issues/420)) Props [@fjarrett](https://github.com/fjarrett), [@lukecarbis](https://github.com/lukecarbis), [@c3mdigital](https://github.com/c3mdigital), [@westonruter](https://github.com/westonruter), [@shadyvb](https://github.com/shadyvb), [@powelski](https://github.com/powelski), [@johnregan3](https://github.com/johnregan3), [@jonathanbardo](https://github.com/jonathanbardo), [@desaiuditd](https://github.com/desaiuditd) diff --git a/tests/tests/connectors/test-class-connector-edd.php b/tests/tests/connectors/test-class-connector-edd.php index 56e8638cf..6e6fb8ffd 100644 --- a/tests/tests/connectors/test-class-connector-edd.php +++ b/tests/tests/connectors/test-class-connector-edd.php @@ -185,7 +185,7 @@ function( $data ) use( &$asserted ) { $this->create_simple_download(); $this->create_simple_percent_discount(); - // Check assertion flage + // Check assertion flags $this->assertSame( $asserted, 2 ); } diff --git a/tests/tests/connectors/test-class-connector-user-switching.php b/tests/tests/connectors/test-class-connector-user-switching.php index 4fb79c18d..136d53e54 100644 --- a/tests/tests/connectors/test-class-connector-user-switching.php +++ b/tests/tests/connectors/test-class-connector-user-switching.php 
@@ -38,7 +38,7 @@ public function test_callback_switch_to_user() { $old_user_id = self::factory()->user->create( array( 'user_login' => 'oldtestuser', - 'user_role' => 'adminstrator', + 'user_role' => 'administrator', 'display_name' => 'oldtestuserdisplay', ) ); @@ -48,7 +48,7 @@ public function test_callback_switch_to_user() { $user_id = self::factory()->user->create( array( 'user_login' => 'testuser', - 'user_role' => 'adminstrator', + 'user_role' => 'administrator', 'display_name' => 'testuserdisplay', ) ); @@ -88,14 +88,14 @@ public function test_callback_switch_back_user() { $old_user_id = self::factory()->user->create( array( 'user_login' => 'oldtestuser', - 'user_role' => 'adminstrator', + 'user_role' => 'administrator', 'display_name' => 'oldtestuserdisplay', ) ); $user_id = self::factory()->user->create( array( 'user_login' => 'testuser', - 'user_role' => 'adminstrator', + 'user_role' => 'administrator', 'display_name' => 'testuserdisplay', ) ); @@ -138,7 +138,7 @@ public function test_callback_switch_off_user() { $user_id = self::factory()->user->create( array( 'user_login' => 'testuser', - 'user_role' => 'adminstrator', + 'user_role' => 'administrator', 'display_name' => 'testuserdisplay', ) ); From 4d086cc4302bfdfc63f0ff4e28aff66d9d8bc3c5 Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 9 Oct 2023 14:32:37 +0300 Subject: [PATCH 02/32] Make the plugin responsible for resolving request IPs --- classes/class-plugin.php | 54 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/classes/class-plugin.php b/classes/class-plugin.php index 376e0a170..c74f0a221 100755 --- a/classes/class-plugin.php +++ b/classes/class-plugin.php @@ -90,6 +90,13 @@ class Plugin { */ public $locations = array(); + /** + * IP address for the current request to be associated with the log entry. + * + * @var null|false|string + */ + protected $client_ip_address; + /** * Class constructor */ 
@@ -138,6 +145,9 @@ public function __construct() { // Load logger class. $this->log = apply_filters( 'wp_stream_log_handler', new Log( $this ) ); + // Set the IP address for the current request. + $this->client_ip_address = wp_stream_filter_input( INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP ); + // Load settings and connectors after widgets_init and before the default init priority. add_action( 'init', array( $this, 'init' ), 9 ); @@ -315,4 +325,48 @@ public function is_mustuse() { return false; } + + /** + * Get the IP address for the current request. + * + * @return false|null|string + */ + public function get_client_ip_address() { + return apply_filters( 'wp_stream_client_ip_address', $this->client_ip_address ); + } + + /** + * Get the client IP address from the HTTP request headers. + * + * There is no guarantee that this is the real IP address of the client. + * + * @return string|null + */ + protected function get_unsafe_client_ip_address() { + // List of $_SERVER keys that could contain the client IP address. + $address_headers = array( + 'HTTP_X_FORWARDED_FOR', + 'HTTP_FORWARDED_FOR', + ); + + foreach ( $address_headers as $header ) { + if ( ! empty( $_SERVER[ $header ] ) ) { + $header_client_ip = $_SERVER[ $header ]; + + // Account for multiple IPs in case of multiple proxies. + if ( false !== strpos( $header_client_ip, ',' ) ) { + $header_client_ips = explode( ',', $header_client_ip ); + $header_client_ip = $header_client_ips[0]; + } + + $client_ip = filter_var( trim( $header_client_ip ), FILTER_VALIDATE_IP ); + + if ( ! empty( $client_ip ) ) { + return $client_ip; + } + } + } + + return null; + } } From 868957bd8e21cc28acffc6636bcc507f5513edf1 Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 9 Oct 2023 14:33:28 +0300 Subject: [PATCH 03/32] Make the logger rely on the IP resolved by the plugin --- classes/class-log.php | 31 +++++++++---------------------- 1 file changed, 9 insertions(+), 22 deletions(-) 
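Review bot: `get_client_ip_address()` returns whatever the `wp_stream_client_ip_address` filter hands back without validating it again, so a callback that returns a raw header value (a comma-separated list or any other string) becomes the request IP. Only the constructor's `REMOTE_ADDR` read goes through `FILTER_VALIDATE_IP`. I would validate the filtered value before returning it: `$ip = apply_filters( 'wp_stream_client_ip_address', $this->client_ip_address );` followed by `return is_string( $ip ) ? wp_stream_filter_var( $ip, FILTER_VALIDATE_IP ) : $ip;`. The docblock of `get_unsafe_client_ip_address()` could also state that `$header_client_ips[0]` is the entry the client itself supplies, since proxies append to the right of the list.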
diff --git a/classes/class-log.php b/classes/class-log.php index b13b2beb8..2e26efd2e 100644 --- a/classes/class-log.php +++ b/classes/class-log.php @@ -19,14 +19,6 @@ class Log { */ public $plugin; - /** - * Hold Current visitors IP Address. - * - * @var string - */ - private $ip_address; - - /** * Previous Stream record ID, used for chaining same-session records * @@ -42,12 +34,6 @@ class Log { public function __construct( $plugin ) { $this->plugin = $plugin; - // Support proxy mode by checking the `X-Forwarded-For` header first. - $ip_address = wp_stream_filter_input( INPUT_SERVER, 'HTTP_X_FORWARDED_FOR', FILTER_VALIDATE_IP ); - $ip_address = $ip_address ? $ip_address : wp_stream_filter_input( INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP ); - - $this->ip_address = $ip_address; - // Ensure function used in various methods is pre-loaded. if ( ! function_exists( 'is_plugin_active_for_network' ) ) { require_once ABSPATH . '/wp-admin/includes/plugin.php'; @@ -87,9 +73,16 @@ public function log( $connector, $message, $args, $object_id, $context, $action, return false; } + $ip_address = $this->plugin->get_client_ip_address(); + + // Fallback to unsafe IP extracted from the request HTTP headers. + if ( empty( $ip_address ) ) { + $ip_address = $this->plugin->get_unsafe_client_ip_address(); + } + $user = new \WP_User( $user_id ); - if ( $this->is_record_excluded( $connector, $context, $action, $user ) ) { + if ( $this->is_record_excluded( $connector, $context, $action, $user, $ip_address ) ) { return false; } @@ -140,7 +133,7 @@ function ( $var ) { 'connector' => (string) $connector, 'context' => (string) $context, 'action' => (string) $action, - 'ip' => (string) $this->ip_address, + 'ip' => (string) $ip_address, 'meta' => (array) $stream_meta, ); 
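Review bot: The header-derived fallback in `log()` is passed to `is_record_excluded()` as well as stored, so when `get_client_ip_address()` is empty a client-supplied `X-Forwarded-For` value takes part in deciding whether the event is recorded at all. I would keep the fallback for the stored `'ip'` field only and give the exclusion check the verified address: `$this->is_record_excluded( $connector, $context, $action, $user, $this->plugin->get_client_ip_address() )`. The later hunk `@@ -174,12 +167,6 @@` also drops the default and the `FILTER_VALIDATE_IP` pass on `$ip`, so callers that omit the argument presumably no longer match any IP rule; that deserves a line in the method's docblock. `log()` starts and ends outside this hunk.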
@@ -174,12 +167,6 @@ public function is_record_excluded( $connector, $context, $action, $user = null, $user = wp_get_current_user(); } - if ( is_null( $ip ) ) { - $ip = $this->ip_address; - } else { - $ip = wp_stream_filter_var( $ip, FILTER_VALIDATE_IP ); - } - if ( ! empty( $user->roles ) ) { $roles = array_values( $user->roles ); $role = $roles[0]; From 970121b9b6a7762baeb9917fc9d1885a5cc531c7 Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 9 Oct 2023 14:34:10 +0300 Subject: [PATCH 04/32] Add a notice to plugin settings in case request IP can't be determined --- classes/class-admin.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/classes/class-admin.php b/classes/class-admin.php index 4a29b2ed0..6e0c67e6d 100644 --- a/classes/class-admin.php +++ b/classes/class-admin.php @@ -220,6 +220,12 @@ public function init() { $this->network = new Network( $this->plugin ); $this->live_update = new Live_Update( $this->plugin ); $this->export = new Export( $this->plugin ); + + // Check if the host has configured the `REMOTE_ADDR` correctly. + $client_ip = $this->plugin->get_client_ip_address(); + if ( empty( $client_ip ) ) { + $this->notice( esc_html__( 'Stream can\'t determine a reliable client IP address! Please update the hosting environment to set the REMOTE_ADDR in $_SERVER variable or use the `wp_stream_client_ip_address` filter to specify the verified client IP address!', 'stream' ) ); + } } /** From 55780662f7ef74f83b692d218325e9f672e319e3 Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 9 Oct 2023 14:34:24 +0300 Subject: [PATCH 05/32] Document the IP resolver logic --- readme.txt | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/readme.txt b/readme.txt index 41f4d145b..37e2855e7 100644 --- a/readme.txt +++ b/readme.txt 
@@ -65,12 +65,25 @@ With Stream’s powerful logging, you’ll have the valuable information you nee * WP-CLI command for querying records -= Known Issues +## Configuration + +Most of the plugin configuration is available under the "Stream" → "Settings" in the WordPress dashboard. + +### Request IP Address + +The plugin expects the `$_SERVER['REMOTE_ADDR']` variable to contain the verified IP address of the current request. On hosting environments with PHP processing behind reverse proxies or CDNs the actual client IP is passed to PHP through request HTTP headers such as `X-Forwarded-For` and `True-Client-IP` which can't be trusted without an additional layer of validation. + +If `$_SERVER['REMOTE_ADDR']` is not configured, the plugin will attempt to extract the client IP from `$_SERVER['HTTP_X_FORWARDED_FOR']` and `$_SERVER['HTTP_FORWARDED_FOR']` *which are considered unsafe as they can contain arbitraty user input passed with the HTTP request*. This fallback behaviour will be disabled by default in the future versions of this plugin! + +Update your server configuration to set the `$_SERVER['REMOTE_ADDR']` variable to the verified client IP address or use the `wp_stream_client_ip_address` filter to do that. + + +## Known Issues * We have temporarily disabled the data removal feature through plugin uninstallation, starting with version 3.9.3. We identified a few edge cases that did not behave as expected and we decided that a temporary removal is preferable at this time for such an impactful and irreversible operation. Our team is actively working on refining this feature to ensure it performs optimally and securely. We plan to reintroduce it in a future update with enhanced safeguards. -= Contribute = +## Contribute There are several ways you can get involved to help make Stream better: From 54150d64be0ac39ccbb079b49b178580146bbab1 Mon Sep 17 00:00:00 2001 
From: Kaspars Dambis Date: Mon, 9 Oct 2023 14:43:30 +0300 Subject: [PATCH 06/32] Add an example --- readme.txt | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/readme.txt b/readme.txt index 37e2855e7..4250d7dd9 100644 --- a/readme.txt +++ b/readme.txt @@ -75,7 +75,19 @@ The plugin expects the `$_SERVER['REMOTE_ADDR']` variable to contain the verifie If `$_SERVER['REMOTE_ADDR']` is not configured, the plugin will attempt to extract the client IP from `$_SERVER['HTTP_X_FORWARDED_FOR']` and `$_SERVER['HTTP_FORWARDED_FOR']` *which are considered unsafe as they can contain arbitraty user input passed with the HTTP request*. This fallback behaviour will be disabled by default in the future versions of this plugin! -Update your server configuration to set the `$_SERVER['REMOTE_ADDR']` variable to the verified client IP address or use the `wp_stream_client_ip_address` filter to do that. +Update your server configuration to set the `$_SERVER['REMOTE_ADDR']` variable to the verified client IP address or use the `wp_stream_client_ip_address` filter to do that: + +`add_filter( + 'wp_stream_client_ip_address', + function( $client_ip ) { + // Trust the X-Forwarded-For header. + if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) { + return $_SERVER['HTTP_X_FORWARDED_FOR']; + } + + return $client_ip; + } +);` ## Known Issues From 2a00ddf04a59c33f8cb23f596fb3a9a4b367ded8 Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 9 Oct 2023 15:11:19 +0300 Subject: [PATCH 07/32] Limit the notice to the Stream admin pages --- classes/class-admin.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/classes/class-admin.php b/classes/class-admin.php index 6e0c67e6d..259165f56 100644 --- a/classes/class-admin.php +++ b/classes/class-admin.php 
@@ -223,8 +223,8 @@ public function init() { // Check if the host has configured the `REMOTE_ADDR` correctly. $client_ip = $this->plugin->get_client_ip_address(); - if ( empty( $client_ip ) ) { - $this->notice( esc_html__( 'Stream can\'t determine a reliable client IP address! Please update the hosting environment to set the REMOTE_ADDR in $_SERVER variable or use the `wp_stream_client_ip_address` filter to specify the verified client IP address!', 'stream' ) ); + if ( ! empty( $client_ip ) && $this->is_stream_screen() ) { + $this->notice( __( 'Stream plugin can\'t determine a reliable client IP address! Please update the hosting environment to set the $_SERVER[\'REMOTE_ADDR\'] variable or use the wp_stream_client_ip_address filter to specify the verified client IP address!', 'stream' ) ); } } From c637256a99c0be79a982158b99bf340281bfbc11 Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 9 Oct 2023 15:11:38 +0300 Subject: [PATCH 08/32] Ensure we fail gracefully when the WP core helper is not available --- classes/class-admin.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/classes/class-admin.php b/classes/class-admin.php index 259165f56..cb68b6ac3 100644 --- a/classes/class-admin.php +++ b/classes/class-admin.php @@ -547,9 +547,10 @@ public function is_stream_screen() { return true; } - $screen = get_current_screen(); - if ( Alerts::POST_TYPE === $screen->post_type ) { - return true; + if ( is_admin() && function_exists( 'get_current_screen' ) ) { + $screen = get_current_screen(); + + return ( Alerts::POST_TYPE === $screen->post_type ); } return false; From fb0f09301afb8909c81db38cd939d11c0966a0db Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 9 Oct 2023 15:24:49 +0300 Subject: [PATCH 09/32] Fix docblock syntax --- includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/functions.php b/includes/functions.php index 186fafe81..7bd438413 100644 --- a/includes/functions.php 
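Review bot: The condition `! empty( $client_ip ) && $this->is_stream_screen()` is inverted: the warning now appears when an address was resolved and never when it is missing, which is the case the message describes. It should read `if ( empty( $client_ip ) && $this->is_stream_screen() ) {`. The switch from `esc_html__()` to `__()` also passes the translated string on unescaped; whether `notice()` escapes it is not visible here, so I would keep `esc_html__()` or escape at output. `init()` starts outside the hunk.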
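Review bot: `get_current_screen()` returns null until WordPress has set the current screen, and the new branch reads `$screen->post_type` without checking for that. Since `init()` now calls `is_stream_screen()`, this path may run before the screen exists (the hook timing is not visible here). A null guard covers it: `return ( $screen instanceof \WP_Screen && Alerts::POST_TYPE === $screen->post_type );`. `is_stream_screen()` starts outside the hunk.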
+++ b/includes/functions.php @@ -16,7 +16,7 @@ * @param int $filter The ID of the filter to apply. * @param mixed $options Associative array of options or bitwise disjunction of flags. If filter accepts options, flags can be provided in "flags" field of array. * - * @return Value of the requested variable on success, FALSE if the filter fails, or NULL if the $variable_name is not set. + * @return mixed|false|null Value of the requested variable on success, FALSE if the filter fails, or NULL if the $variable_name is not set. */ function wp_stream_filter_input( $type, $variable_name, $filter = null, $options = array() ) { return call_user_func_array( array( '\WP_Stream\Filter_Input', 'super' ), func_get_args() ); From c10f996547915dd1e525482dfdae61b783312a52 Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 9 Oct 2023 15:26:54 +0300 Subject: [PATCH 10/32] Make it accessible --- classes/class-plugin.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/classes/class-plugin.php b/classes/class-plugin.php index c74f0a221..31f4f94d3 100755 --- a/classes/class-plugin.php +++ b/classes/class-plugin.php @@ -342,7 +342,7 @@ public function get_client_ip_address() { * * @return string|null */ - protected function get_unsafe_client_ip_address() { + public function get_unsafe_client_ip_address() { // List of $_SERVER keys that could contain the client IP address. $address_headers = array( 'HTTP_X_FORWARDED_FOR', From d18e872b41678cbef1a55112c4699a411f62cb42 Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 9 Oct 2023 12:27:57 +0000 Subject: [PATCH 11/32] Add basic tests --- tests/tests/test-class-plugin.php | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tests/tests/test-class-plugin.php b/tests/tests/test-class-plugin.php index 6d6392372..f006fb13f 100644 --- a/tests/tests/test-class-plugin.php +++ b/tests/tests/test-class-plugin.php 
@@ -84,4 +84,18 @@ public function test_get_version() { $version = $this->plugin->get_version(); $this->assertNotEmpty( $version ); } + + public function test_get_client_ip_address() { + $this->assertEquals( $_SERVER['REMOTE_ADDR'], $this->plugin->get_client_ip_address() ); + } + + public function test_get_unsafe_client_ip_address() { + $_SERVER['HTTP_X_FORWARDED_FOR'] = '123.123.123.123,321.123.123.123'; + + $this->assertEquals( + '123.123.123.123', + $this->plugin->get_unsafe_client_ip_address(), + 'Use the first IP from the list' + ); + } } From 3d11efd22a6b762ed9ae4ca6e94e3d03c15863a2 Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 9 Oct 2023 15:30:53 +0300 Subject: [PATCH 12/32] Test for invalid IP --- tests/tests/test-class-plugin.php | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/tests/test-class-plugin.php b/tests/tests/test-class-plugin.php index f006fb13f..642177936 100644 --- a/tests/tests/test-class-plugin.php +++ b/tests/tests/test-class-plugin.php @@ -97,5 +97,13 @@ public function test_get_unsafe_client_ip_address() { $this->plugin->get_unsafe_client_ip_address(), 'Use the first IP from the list' ); + + $_SERVER['HTTP_X_FORWARDED_FOR'] = '827.invalid-ip'; + + $this->assertEquals( + false, + $this->plugin->get_unsafe_client_ip_address(), + 'Invalid IP format should fail the validation' + ); } } From d9fa9856d03d0362a7ba00e38c5850782e93823b Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 9 Oct 2023 15:51:24 +0300 Subject: [PATCH 13/32] Use the local helper for consistency --- classes/class-plugin.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/classes/class-plugin.php b/classes/class-plugin.php index 31f4f94d3..0eb31e583 100755 --- a/classes/class-plugin.php +++ b/classes/class-plugin.php 
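Review bot: `test_get_unsafe_client_ip_address()` writes `$_SERVER['HTTP_X_FORWARDED_FOR']` and never removes it, so the forged header may leak into later tests that run in the same process. Add `unset( $_SERVER['HTTP_X_FORWARDED_FOR'] );` at the end of the test or in the class tear-down.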
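Review bot: `assertEquals( false, ... )` passes only through loose comparison: `get_unsafe_client_ip_address()` is documented as `@return string|null` and ends in `return null;`, so the invalid-header case yields null, not false. `$this->assertNull( $this->plugin->get_unsafe_client_ip_address(), 'Invalid IP format should fail the validation' );` pins the actual contract. The enclosing test method starts outside this hunk.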
@@ -359,7 +359,7 @@ public function get_unsafe_client_ip_address() { $header_client_ip = $header_client_ips[0]; } - $client_ip = filter_var( trim( $header_client_ip ), FILTER_VALIDATE_IP ); + $client_ip = wp_stream_filter_var( trim( $header_client_ip ), FILTER_VALIDATE_IP ); if ( ! empty( $client_ip ) ) { return $client_ip; From 4afe6ec457f8f270612fc1229bbb0152fcbe4051 Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 9 Oct 2023 20:38:35 +0300 Subject: [PATCH 14/32] Update readme.txt Co-authored-by: Alain Schlesser --- readme.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/readme.txt b/readme.txt index 4250d7dd9..064283465 100644 --- a/readme.txt +++ b/readme.txt @@ -67,7 +67,8 @@ With Stream’s powerful logging, you’ll have the valuable information you nee ## Configuration -Most of the plugin configuration is available under the "Stream" → "Settings" in the WordPress dashboard. +Most of the plugin configuration is available under the "Stream" → "Settings" page in the WordPress dashboard. + ### Request IP Address From f0a5e20e0153b5ff410914b611c0b610a855e9f5 Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 16 Oct 2023 09:54:38 +0300 Subject: [PATCH 15/32] Apply suggestions from code review Co-authored-by: Alain Schlesser --- readme.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/readme.txt b/readme.txt index 064283465..47bf61ce4 100644 --- a/readme.txt +++ b/readme.txt 
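Review bot: The swapped call still only checks the format of `$header_client_ips[0]`, and nothing near the changed line says that this first list entry can be set by the client itself. A one-line comment above the call would keep the next reader from treating a validated value as a verified one, e.g. `// Format check only: the first X-Forwarded-For entry is client-supplied and is not a verified address.` The definition of `wp_stream_filter_var()` is not part of this patch, so confirm that it returns a falsy value for an invalid address the way `filter_var()` does, because the `! empty( $client_ip )` check below depends on it. The enclosing method starts and ends outside the hunk.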
@@ -74,7 +74,8 @@ Most of the plugin configuration is available under the "Stream" → "Settings" The plugin expects the `$_SERVER['REMOTE_ADDR']` variable to contain the verified IP address of the current request. On hosting environments with PHP processing behind reverse proxies or CDNs the actual client IP is passed to PHP through request HTTP headers such as `X-Forwarded-For` and `True-Client-IP` which can't be trusted without an additional layer of validation. -If `$_SERVER['REMOTE_ADDR']` is not configured, the plugin will attempt to extract the client IP from `$_SERVER['HTTP_X_FORWARDED_FOR']` and `$_SERVER['HTTP_FORWARDED_FOR']` *which are considered unsafe as they can contain arbitraty user input passed with the HTTP request*. This fallback behaviour will be disabled by default in the future versions of this plugin! +If `$_SERVER['REMOTE_ADDR']` is not configured, the plugin will attempt to extract the client IP from `$_SERVER['HTTP_X_FORWARDED_FOR']` or `$_SERVER['HTTP_FORWARDED_FOR']` *which are considered unsafe as they can contain arbitrary user input passed with the HTTP request*. This fallback behaviour will be disabled by default in future versions of this plugin! + Update your server configuration to set the `$_SERVER['REMOTE_ADDR']` variable to the verified client IP address or use the `wp_stream_client_ip_address` filter to do that: From a136099f34df1fbc4843f654b9fb2e8dc271e91b Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 16 Oct 2023 09:55:15 +0300 Subject: [PATCH 16/32] Apply suggestions from code review Co-authored-by: Alain Schlesser --- tests/tests/test-class-plugin.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/tests/test-class-plugin.php b/tests/tests/test-class-plugin.php index 642177936..010ebf62b 100644 --- a/tests/tests/test-class-plugin.php +++ b/tests/tests/test-class-plugin.php 
@@ -90,7 +90,7 @@ public function test_get_client_ip_address() { } public function test_get_unsafe_client_ip_address() { - $_SERVER['HTTP_X_FORWARDED_FOR'] = '123.123.123.123,321.123.123.123'; + $_SERVER['HTTP_X_FORWARDED_FOR'] = ' 123.123.123.123 , 321.123.123.123, 456.123.123.123 '; $this->assertEquals( '123.123.123.123', From 560baf1f86dc15d95041a68b087d07a817626fc6 Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 16 Oct 2023 09:59:33 +0300 Subject: [PATCH 17/32] Skip any formatting for simplicity --- classes/class-admin.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/classes/class-admin.php b/classes/class-admin.php index cb68b6ac3..fc23a1c08 100644 --- a/classes/class-admin.php +++ b/classes/class-admin.php @@ -224,7 +224,7 @@ public function init() { // Check if the host has configured the `REMOTE_ADDR` correctly. $client_ip = $this->plugin->get_client_ip_address(); if ( ! empty( $client_ip ) && $this->is_stream_screen() ) { - $this->notice( __( 'Stream plugin can\'t determine a reliable client IP address! Please update the hosting environment to set the $_SERVER[\'REMOTE_ADDR\'] variable or use the wp_stream_client_ip_address filter to specify the verified client IP address!', 'stream' ) ); + $this->notice( __( 'Stream plugin can\'t determine a reliable client IP address! Please update the hosting environment to set the $_SERVER[\'REMOTE_ADDR\'] variable or use the wp_stream_client_ip_address filter to specify the verified client IP address!', 'stream' ) ); } } From 94e17bdf2e8a8eb2bb9fb84666be9dc6e2f40647 Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 16 Oct 2023 10:07:34 +0300 Subject: [PATCH 18/32] Describe the output types --- classes/class-plugin.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/classes/class-plugin.php b/classes/class-plugin.php index 0eb31e583..6e70b83af 100755 --- a/classes/class-plugin.php +++ b/classes/class-plugin.php 
@@ -93,7 +93,7 @@ class Plugin { /** * IP address for the current request to be associated with the log entry. * - * @var null|false|string + * @var null|false|string Valid IP address, null if not set, false if invalid. */ protected $client_ip_address; @@ -329,7 +329,7 @@ public function is_mustuse() { /** * Get the IP address for the current request. * - * @return false|null|string + * @return false|null|string Valid IP address, null if not set, false if invalid. */ public function get_client_ip_address() { return apply_filters( 'wp_stream_client_ip_address', $this->client_ip_address ); From 9daaaa8f735b91efa087485c3159826f63b429cc Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 16 Oct 2023 10:13:59 +0300 Subject: [PATCH 19/32] Account for multiple IPs in the forwarded header --- readme.txt | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/readme.txt b/readme.txt index 47bf61ce4..8503f6b08 100644 --- a/readme.txt +++ b/readme.txt @@ -80,15 +80,19 @@ If `$_SERVER['REMOTE_ADDR']` is not configured, the plugin will attempt to extra Update your server configuration to set the `$_SERVER['REMOTE_ADDR']` variable to the verified client IP address or use the `wp_stream_client_ip_address` filter to do that: `add_filter( - 'wp_stream_client_ip_address', - function( $client_ip ) { - // Trust the X-Forwarded-For header. - if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) { - return $_SERVER['HTTP_X_FORWARDED_FOR']; - } - - return $client_ip; - } + 'wp_stream_client_ip_address', + function( $client_ip ) { + // Trust the first IP in the X-Forwarded-For header. + if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) { + $forwarded_ips = explode( ',' $_SERVER['HTTP_X_FORWARDED_FOR'] ); + + if ( filter_var( $forwarded_ips[0], FILTER_VALIDATE_IP ) ) { + return $forwarded_ips[0]; + } + } + + return $client_ip; + } );` From 1b9068da98e96b64e21f4e4c06ad8fd40b9a9200 Mon Sep 17 00:00:00 2001 
From: Kaspars Dambis Date: Mon, 16 Oct 2023 10:45:44 +0300 Subject: [PATCH 20/32] Show the notice if client IP missing --- classes/class-admin.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/classes/class-admin.php b/classes/class-admin.php index fc23a1c08..6b0dd3eb7 100644 --- a/classes/class-admin.php +++ b/classes/class-admin.php @@ -223,7 +223,7 @@ public function init() { // Check if the host has configured the `REMOTE_ADDR` correctly. $client_ip = $this->plugin->get_client_ip_address(); - if ( ! empty( $client_ip ) && $this->is_stream_screen() ) { + if ( empty( $client_ip ) && $this->is_stream_screen() ) { $this->notice( __( 'Stream plugin can\'t determine a reliable client IP address! Please update the hosting environment to set the $_SERVER[\'REMOTE_ADDR\'] variable or use the wp_stream_client_ip_address filter to specify the verified client IP address!', 'stream' ) ); } } From 38683c13a5d0ca7031a24b69b8bd492b8fae6214 Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 16 Oct 2023 10:45:57 +0300 Subject: [PATCH 21/32] =?UTF-8?q?Don=E2=80=99t=20even=20attempt=20to=20use?= =?UTF-8?q?=20the=20unsafe=20option?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- classes/class-log.php | 5 ----- classes/class-plugin.php | 35 ------------------------------- tests/tests/test-class-plugin.php | 18 ---------------- 3 files changed, 58 deletions(-) diff --git a/classes/class-log.php b/classes/class-log.php index 2e26efd2e..2a9f6c681 100644 --- a/classes/class-log.php +++ b/classes/class-log.php 
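Review bot: `empty( $client_ip )` in the corrected condition only detects a missing address, while `get_client_ip_address()` returns whatever the `wp_stream_client_ip_address` filter hands back (see the `apply_filters()` context line in PATCH 18/32). A filter that returns a raw header, as the readme example did before PATCH 19/32, yields a non-empty string that is not an IP address, so the notice stays hidden. Checking the format as well would close that gap: `if ( ! filter_var( $client_ip, FILTER_VALIDATE_IP ) && $this->is_stream_screen() ) {`. `init()` starts and ends outside this hunk.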
@@ -75,11 +75,6 @@ public function log( $connector, $message, $args, $object_id, $context, $action, $ip_address = $this->plugin->get_client_ip_address(); - // Fallback to unsafe IP extracted from the request HTTP headers. - if ( empty( $ip_address ) ) { - $ip_address = $this->plugin->get_unsafe_client_ip_address(); - } - $user = new \WP_User( $user_id ); if ( $this->is_record_excluded( $connector, $context, $action, $user, $ip_address ) ) { diff --git a/classes/class-plugin.php b/classes/class-plugin.php index 6e70b83af..170c472bc 100755 --- a/classes/class-plugin.php +++ b/classes/class-plugin.php @@ -334,39 +334,4 @@ public function is_mustuse() { public function get_client_ip_address() { return apply_filters( 'wp_stream_client_ip_address', $this->client_ip_address ); } - - /** - * Get the client IP address from the HTTP request headers. - * - * There is no guarantee that this is the real IP address of the client. - * - * @return string|null - */ - public function get_unsafe_client_ip_address() { - // List of $_SERVER keys that could contain the client IP address. - $address_headers = array( - 'HTTP_X_FORWARDED_FOR', - 'HTTP_FORWARDED_FOR', - ); - - foreach ( $address_headers as $header ) { - if ( ! empty( $_SERVER[ $header ] ) ) { - $header_client_ip = $_SERVER[ $header ]; - - // Account for multiple IPs in case of multiple proxies. - if ( false !== strpos( $header_client_ip, ',' ) ) { - $header_client_ips = explode( ',', $header_client_ip ); - $header_client_ip = $header_client_ips[0]; - } - - $client_ip = wp_stream_filter_var( trim( $header_client_ip ), FILTER_VALIDATE_IP ); - - if ( ! empty( $client_ip ) ) { - return $client_ip; - } - } - } - - return null; - } } diff --git a/tests/tests/test-class-plugin.php b/tests/tests/test-class-plugin.php index 010ebf62b..3bbc50f18 100644 --- a/tests/tests/test-class-plugin.php +++ b/tests/tests/test-class-plugin.php 
@@ -88,22 +88,4 @@ public function test_get_version() { public function test_get_client_ip_address() { $this->assertEquals( $_SERVER['REMOTE_ADDR'], $this->plugin->get_client_ip_address() ); } - - public function test_get_unsafe_client_ip_address() { - $_SERVER['HTTP_X_FORWARDED_FOR'] = ' 123.123.123.123 , 321.123.123.123, 456.123.123.123 '; - - $this->assertEquals( - '123.123.123.123', - $this->plugin->get_unsafe_client_ip_address(), - 'Use the first IP from the list' - ); - - $_SERVER['HTTP_X_FORWARDED_FOR'] = '827.invalid-ip'; - - $this->assertEquals( - false, - $this->plugin->get_unsafe_client_ip_address(), - 'Invalid IP format should fail the validation' - ); - } } From f6c799b3793aaeb00dc13ebc7f1687b09e286d03 Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 16 Oct 2023 10:50:06 +0300 Subject: [PATCH 22/32] We no longer default to a fallback --- readme.txt | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/readme.txt b/readme.txt index 8503f6b08..0574a8030 100644 --- a/readme.txt +++ b/readme.txt 
@@ -72,12 +72,7 @@ Most of the plugin configuration is available under the "Stream" → "Settings" ### Request IP Address -The plugin expects the `$_SERVER['REMOTE_ADDR']` variable to contain the verified IP address of the current request. On hosting environments with PHP processing behind reverse proxies or CDNs the actual client IP is passed to PHP through request HTTP headers such as `X-Forwarded-For` and `True-Client-IP` which can't be trusted without an additional layer of validation. - -If `$_SERVER['REMOTE_ADDR']` is not configured, the plugin will attempt to extract the client IP from `$_SERVER['HTTP_X_FORWARDED_FOR']` or `$_SERVER['HTTP_FORWARDED_FOR']` *which are considered unsafe as they can contain arbitrary user input passed with the HTTP request*. This fallback behaviour will be disabled by default in future versions of this plugin! - - -Update your server configuration to set the `$_SERVER['REMOTE_ADDR']` variable to the verified client IP address or use the `wp_stream_client_ip_address` filter to do that: +The plugin expects the `$_SERVER['REMOTE_ADDR']` variable to contain the verified IP address of the current request. On hosting environments with PHP processing behind reverse proxies or CDNs the actual client IP is passed to PHP through request HTTP headers such as `X-Forwarded-For` and `True-Client-IP` which can't be trusted without an additional layer of validation. Update your server configuration to set the `$_SERVER['REMOTE_ADDR']` variable to the verified client IP address or use the `wp_stream_client_ip_address` filter to do that: `add_filter( 'wp_stream_client_ip_address', From 85bdc4db446ef07d120185cbff01493c3445935f Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Mon, 16 Oct 2023 10:54:01 +0300 Subject: [PATCH 23/32] Add the changelog --- readme.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/readme.txt b/readme.txt index 0574a8030..363447b1a 100644 --- a/readme.txt +++ b/readme.txt 
@@ -129,6 +129,10 @@ Track changes to posts when using the block editor. == Changelog == += NEXT = + +- Breaking: Use only `$_SERVER['REMOTE_ADDR']` as the reliable client IP address for event logs. This might cause incorrectly reported event log IP addresses on environments where PHP is behind a proxy server or CDN. Use the `wp_stream_client_ip_address` filter to set the correct client IP address (see `readme.txt` for instructions) or configure the hosting environment to report the correct IP address in `$_SERVER['REMOTE_ADDR']`. + = 3.10.0 - October 9, 2023 = - Fix: Improve PHP 8.1 compatibility by updating `filter_*()` calls referencing `FILTER_SANITIZE_STRING` (issue [#1422](https://github.com/xwp/stream/pull/1422)). From 9bcc4906d6b3bfac6bda0e665d1d650f3ffcc697 Mon Sep 17 00:00:00 2001 From: Alain Schlesser Date: Mon, 16 Oct 2023 17:44:01 +0200 Subject: [PATCH 24/32] Add noticeable warning regarding HTTP_* spoofing --- readme.txt | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/readme.txt b/readme.txt index 363447b1a..8315816d9 100644 --- a/readme.txt +++ b/readme.txt 
@@ -65,19 +65,22 @@ With Stream’s powerful logging, you’ll have the valuable information you nee * WP-CLI command for querying records -## Configuration +== Configuration == Most of the plugin configuration is available under the "Stream" → "Settings" page in the WordPress dashboard. -### Request IP Address += Request IP Address = -The plugin expects the `$_SERVER['REMOTE_ADDR']` variable to contain the verified IP address of the current request. On hosting environments with PHP processing behind reverse proxies or CDNs the actual client IP is passed to PHP through request HTTP headers such as `X-Forwarded-For` and `True-Client-IP` which can't be trusted without an additional layer of validation. Update your server configuration to set the `$_SERVER['REMOTE_ADDR']` variable to the verified client IP address or use the `wp_stream_client_ip_address` filter to do that: +The plugin expects the `$_SERVER['REMOTE_ADDR']` variable to contain the verified IP address of the current request. On hosting environments with PHP processing behind reverse proxies or CDNs the actual client IP is passed to PHP through request HTTP headers such as `X-Forwarded-For` and `True-Client-IP` which can't be trusted without an additional layer of validation. Update your server configuration to set the `$_SERVER['REMOTE_ADDR']` variable to the verified client IP address. + +As a workaround, you can use the `wp_stream_client_ip_address` filter to adapt the IP address: `add_filter( 'wp_stream_client_ip_address', function( $client_ip ) { // Trust the first IP in the X-Forwarded-For header. + // ⚠️ Note: This is inherently insecure and can easily be spoofed! if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) { $forwarded_ips = explode( ',' $_SERVER['HTTP_X_FORWARDED_FOR'] ); 
@@ -90,13 +93,15 @@ The plugin expects the `$_SERVER['REMOTE_ADDR']` variable to contain the verifie } );` +⚠️ **WARNING:** The above is an insecure workaround that you should only use when you fully understand what this implies. Relying on any variable with the `HTTP_*` prefix is prone to spoofing and cannot be trusted! + -## Known Issues +== Known Issues == * We have temporarily disabled the data removal feature through plugin uninstallation, starting with version 3.9.3. We identified a few edge cases that did not behave as expected and we decided that a temporary removal is preferable at this time for such an impactful and irreversible operation. Our team is actively working on refining this feature to ensure it performs optimally and securely. We plan to reintroduce it in a future update with enhanced safeguards. -## Contribute +== Contribute == There are several ways you can get involved to help make Stream better: From 8d7dc4ad6adcecba6c70312af6cfa0b0a65616bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Viktor=20Sz=C3=A9pe?= Date: Tue, 24 Oct 2023 18:32:59 +0200 Subject: [PATCH 25/32] Install Composer v2 on TravisCI --- .travis.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 852c05f60..879f170cb 100644 --- a/.travis.yml +++ b/.travis.yml @@ -74,8 +74,6 @@ before_install: - docker-compose pull - nvm install - nvm use - # Lock to Composer version 1 for now. - - composer self-update --1 install: - npm install From 6f9e4defe72cf59466f3a24e79d5cde039822f75 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 17 Nov 2023 22:58:37 +0000 Subject: [PATCH 26/32] Update dependency eslint to ^8.54.0 --- package-lock.json | 92 +++++++++++++++++++++++++++-------------------- package.json | 2 +- 2 files changed, 54 insertions(+), 40 deletions(-) diff --git a/package-lock.json b/package-lock.json index dab20ebae..eb759b51c 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -8,7 +8,7 @@ "license": "GPLv2+", "devDependencies": { "@wordpress/eslint-plugin": "^15.1.0", - "eslint": "^8.50.0", + "eslint": "^8.54.0", "grunt": "^1.6.1", "grunt-contrib-clean": "^2.0.1", "grunt-contrib-compress": "^2.0.0", @@ -1932,9 +1932,9 @@ } }, "node_modules/@eslint/eslintrc": { - "version": "2.1.2", - "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.2.tgz", - "integrity": "sha512-+wvgpDsrB1YqAMdEUCcnTlpfVBH7Vqn6A/NT3D8WVXFIaKMlErPIZT3oCIAVCOtarRpMtelZLqJeU3t7WY6X6g==", + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.3.tgz", + "integrity": "sha512-yZzuIG+jnVu6hNSzFEN07e8BxF3uAzYtQb6uDkaYZLo6oYZDCq454c5kB8zxnzfCYyP4MIuyBn10L0DqwujTmA==", "dev": true, "dependencies": { "ajv": "^6.12.4", 
@@ -1985,21 +1985,21 @@ } }, "node_modules/@eslint/js": { - "version": "8.50.0", - "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.50.0.tgz", - "integrity": "sha512-NCC3zz2+nvYd+Ckfh87rA47zfu2QsQpvc6k1yzTk+b9KzRj0wkGa8LSoGOXN6Zv4lRf/EIoZ80biDh9HOI+RNQ==", + "version": "8.54.0", + "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.54.0.tgz", + "integrity": "sha512-ut5V+D+fOoWPgGGNj83GGjnntO39xDy6DWxO0wb7Jp3DcMX0TfIqdzHF85VTQkerdyGmuuMD9AKAo5KiNlf/AQ==", "dev": true, "engines": { "node": "^12.22.0 || ^14.17.0 || >=16.0.0" } }, "node_modules/@humanwhocodes/config-array": { - "version": "0.11.11", - "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.11.tgz", - "integrity": "sha512-N2brEuAadi0CcdeMXUkhbZB84eskAc8MEX1By6qEchoVywSgXPIjou4rYsl0V3Hj0ZnuGycGCjdNgockbzeWNA==", + "version": "0.11.13", + "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.13.tgz", + "integrity": "sha512-JSBDMiDKSzQVngfRjOdFXgFfklaXI4K9nLF49Auh21lmBWRLIK3+xTErTWD4KU54pb6coM6ESE7Awz/FNU3zgQ==", "dev": true, "dependencies": { - "@humanwhocodes/object-schema": "^1.2.1", + "@humanwhocodes/object-schema": "^2.0.1", "debug": "^4.1.1", "minimatch": "^3.0.5" }, @@ -2033,9 +2033,9 @@ } }, "node_modules/@humanwhocodes/object-schema": { - "version": "1.2.1", - "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-1.2.1.tgz", - "integrity": "sha512-ZnQMnLV4e7hDlUvw8H+U8ASL02SS2Gn6+9Ac3wGGLIe7+je2AeAOxPY+izIPJDfFDb7eDjev0Us8MO1iFRN8hA==", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-2.0.1.tgz", + "integrity": "sha512-dvuCeX5fC9dXgJn9t+X5atfmgQAzUOWqS1254Gh0m6i8wKd10ebXkfNKiRK+1GWi/yTvvLDHpoxLr0xxxeslWw==", "dev": true }, "node_modules/@jridgewell/gen-mapping": { 
@@ -2439,6 +2439,12 @@ "url": "https://opencollective.com/eslint" } }, + "node_modules/@ungap/structured-clone": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/@ungap/structured-clone/-/structured-clone-1.2.0.tgz", + "integrity": "sha512-zuVdFrMJiuCDQUMCzQaD6KL28MjnqqN8XnAqiEq9PNm/hCPTSGfrXCOfwj1ow4LFb/tNymJPwsNbVePc1xFqrQ==", + "dev": true + }, "node_modules/@wordpress/babel-plugin-import-jsx-pragma": { "version": "4.24.0", "resolved": "https://registry.npmjs.org/@wordpress/babel-plugin-import-jsx-pragma/-/babel-plugin-import-jsx-pragma-4.24.0.tgz", @@ -3622,18 +3628,19 @@ } }, "node_modules/eslint": { - "version": "8.50.0", - "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.50.0.tgz", - "integrity": "sha512-FOnOGSuFuFLv/Sa+FDVRZl4GGVAAFFi8LecRsI5a1tMO5HIE8nCm4ivAlzt4dT3ol/PaaGC0rJEEXQmHJBGoOg==", + "version": "8.54.0", + "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.54.0.tgz", + "integrity": "sha512-NY0DfAkM8BIZDVl6PgSa1ttZbx3xHgJzSNJKYcQglem6CppHyMhRIQkBVSSMaSRnLhig3jsDbEzOjwCVt4AmmA==", "dev": true, "dependencies": { "@eslint-community/eslint-utils": "^4.2.0", "@eslint-community/regexpp": "^4.6.1", - "@eslint/eslintrc": "^2.1.2", - "@eslint/js": "8.50.0", - "@humanwhocodes/config-array": "^0.11.11", + "@eslint/eslintrc": "^2.1.3", + "@eslint/js": "8.54.0", + "@humanwhocodes/config-array": "^0.11.13", "@humanwhocodes/module-importer": "^1.0.1", "@nodelib/fs.walk": "^1.2.8", + "@ungap/structured-clone": "^1.2.0", "ajv": "^6.12.4", "chalk": "^4.0.0", "cross-spawn": "^7.0.2", 
@@ -9372,9 +9379,9 @@ "dev": true }, "@eslint/eslintrc": { - "version": "2.1.2", - "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.2.tgz", - "integrity": "sha512-+wvgpDsrB1YqAMdEUCcnTlpfVBH7Vqn6A/NT3D8WVXFIaKMlErPIZT3oCIAVCOtarRpMtelZLqJeU3t7WY6X6g==", + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.3.tgz", + "integrity": "sha512-yZzuIG+jnVu6hNSzFEN07e8BxF3uAzYtQb6uDkaYZLo6oYZDCq454c5kB8zxnzfCYyP4MIuyBn10L0DqwujTmA==", "dev": true, "requires": { "ajv": "^6.12.4", @@ -9415,18 +9422,18 @@ } }, "@eslint/js": { - "version": "8.50.0", - "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.50.0.tgz", - "integrity": "sha512-NCC3zz2+nvYd+Ckfh87rA47zfu2QsQpvc6k1yzTk+b9KzRj0wkGa8LSoGOXN6Zv4lRf/EIoZ80biDh9HOI+RNQ==", + "version": "8.54.0", + "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.54.0.tgz", + "integrity": "sha512-ut5V+D+fOoWPgGGNj83GGjnntO39xDy6DWxO0wb7Jp3DcMX0TfIqdzHF85VTQkerdyGmuuMD9AKAo5KiNlf/AQ==", "dev": true }, "@humanwhocodes/config-array": { - "version": "0.11.11", - "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.11.tgz", - "integrity": "sha512-N2brEuAadi0CcdeMXUkhbZB84eskAc8MEX1By6qEchoVywSgXPIjou4rYsl0V3Hj0ZnuGycGCjdNgockbzeWNA==", + "version": "0.11.13", + "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.13.tgz", + "integrity": "sha512-JSBDMiDKSzQVngfRjOdFXgFfklaXI4K9nLF49Auh21lmBWRLIK3+xTErTWD4KU54pb6coM6ESE7Awz/FNU3zgQ==", "dev": true, "requires": { - "@humanwhocodes/object-schema": "^1.2.1", + "@humanwhocodes/object-schema": "^2.0.1", "debug": "^4.1.1", "minimatch": "^3.0.5" }, 
@@ -9449,9 +9456,9 @@ "dev": true }, "@humanwhocodes/object-schema": { - "version": "1.2.1", - "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-1.2.1.tgz", - "integrity": "sha512-ZnQMnLV4e7hDlUvw8H+U8ASL02SS2Gn6+9Ac3wGGLIe7+je2AeAOxPY+izIPJDfFDb7eDjev0Us8MO1iFRN8hA==", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-2.0.1.tgz", + "integrity": "sha512-dvuCeX5fC9dXgJn9t+X5atfmgQAzUOWqS1254Gh0m6i8wKd10ebXkfNKiRK+1GWi/yTvvLDHpoxLr0xxxeslWw==", "dev": true }, "@jridgewell/gen-mapping": { @@ -9729,6 +9736,12 @@ } } }, + "@ungap/structured-clone": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/@ungap/structured-clone/-/structured-clone-1.2.0.tgz", + "integrity": "sha512-zuVdFrMJiuCDQUMCzQaD6KL28MjnqqN8XnAqiEq9PNm/hCPTSGfrXCOfwj1ow4LFb/tNymJPwsNbVePc1xFqrQ==", + "dev": true + }, "@wordpress/babel-plugin-import-jsx-pragma": { "version": "4.24.0", "resolved": "https://registry.npmjs.org/@wordpress/babel-plugin-import-jsx-pragma/-/babel-plugin-import-jsx-pragma-4.24.0.tgz", 
@@ -10635,18 +10648,19 @@ "dev": true }, "eslint": { - "version": "8.50.0", - "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.50.0.tgz", - "integrity": "sha512-FOnOGSuFuFLv/Sa+FDVRZl4GGVAAFFi8LecRsI5a1tMO5HIE8nCm4ivAlzt4dT3ol/PaaGC0rJEEXQmHJBGoOg==", + "version": "8.54.0", + "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.54.0.tgz", + "integrity": "sha512-NY0DfAkM8BIZDVl6PgSa1ttZbx3xHgJzSNJKYcQglem6CppHyMhRIQkBVSSMaSRnLhig3jsDbEzOjwCVt4AmmA==", "dev": true, "requires": { "@eslint-community/eslint-utils": "^4.2.0", "@eslint-community/regexpp": "^4.6.1", - "@eslint/eslintrc": "^2.1.2", - "@eslint/js": "8.50.0", - "@humanwhocodes/config-array": "^0.11.11", + "@eslint/eslintrc": "^2.1.3", + "@eslint/js": "8.54.0", + "@humanwhocodes/config-array": "^0.11.13", "@humanwhocodes/module-importer": "^1.0.1", "@nodelib/fs.walk": "^1.2.8", + "@ungap/structured-clone": "^1.2.0", "ajv": "^6.12.4", "chalk": "^4.0.0", "cross-spawn": "^7.0.2", diff --git a/package.json b/package.json index 0721e3497..8ba4d7f7c 100644 --- a/package.json +++ b/package.json @@ -26,7 +26,7 @@ ], "devDependencies": { "@wordpress/eslint-plugin": "^15.1.0", - "eslint": "^8.50.0", + "eslint": "^8.54.0", "grunt": "^1.6.1", "grunt-contrib-clean": "^2.0.1", "grunt-contrib-compress": "^2.0.0", From 8c8c182bb8d785ef9c419b2e2aafe5b6d8d20e0d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 2 Dec 2023 01:56:04 +0000 Subject: [PATCH 27/32] Update dependency eslint to ^8.55.0 --- package-lock.json | 46 +++++++++++++++++++++++----------------------- package.json | 2 +- 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/package-lock.json b/package-lock.json index eb759b51c..a9aee19ca 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -8,7 +8,7 @@ "license": "GPLv2+", "devDependencies": { "@wordpress/eslint-plugin": "^15.1.0", - "eslint": "^8.54.0", + "eslint": "^8.55.0", "grunt": "^1.6.1", "grunt-contrib-clean": "^2.0.1", "grunt-contrib-compress": "^2.0.0", @@ -1932,9 +1932,9 @@ } }, "node_modules/@eslint/eslintrc": { - "version": "2.1.3", - "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.3.tgz", - "integrity": "sha512-yZzuIG+jnVu6hNSzFEN07e8BxF3uAzYtQb6uDkaYZLo6oYZDCq454c5kB8zxnzfCYyP4MIuyBn10L0DqwujTmA==", + "version": "2.1.4", + "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.4.tgz", + "integrity": "sha512-269Z39MS6wVJtsoUl10L60WdkhJVdPG24Q4eZTH3nnF6lpvSShEK3wQjDX9JRWAUPvPh7COouPpU9IrqaZFvtQ==", "dev": true, "dependencies": { "ajv": "^6.12.4", @@ -1985,9 +1985,9 @@ } }, "node_modules/@eslint/js": { - "version": "8.54.0", - "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.54.0.tgz", - "integrity": "sha512-ut5V+D+fOoWPgGGNj83GGjnntO39xDy6DWxO0wb7Jp3DcMX0TfIqdzHF85VTQkerdyGmuuMD9AKAo5KiNlf/AQ==", + "version": "8.55.0", + "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.55.0.tgz", + "integrity": "sha512-qQfo2mxH5yVom1kacMtZZJFVdW+E70mqHMJvVg6WTLo+VBuQJ4TojZlfWBjK0ve5BdEeNAVxOsl/nvNMpJOaJA==", "dev": true, "engines": { "node": "^12.22.0 || ^14.17.0 || >=16.0.0" 
@@ -3628,15 +3628,15 @@ } }, "node_modules/eslint": { - "version": "8.54.0", - "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.54.0.tgz", - "integrity": "sha512-NY0DfAkM8BIZDVl6PgSa1ttZbx3xHgJzSNJKYcQglem6CppHyMhRIQkBVSSMaSRnLhig3jsDbEzOjwCVt4AmmA==", + "version": "8.55.0", + "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.55.0.tgz", + "integrity": "sha512-iyUUAM0PCKj5QpwGfmCAG9XXbZCWsqP/eWAWrG/W0umvjuLRBECwSFdt+rCntju0xEH7teIABPwXpahftIaTdA==", "dev": true, "dependencies": { "@eslint-community/eslint-utils": "^4.2.0", "@eslint-community/regexpp": "^4.6.1", - "@eslint/eslintrc": "^2.1.3", - "@eslint/js": "8.54.0", + "@eslint/eslintrc": "^2.1.4", + "@eslint/js": "8.55.0", "@humanwhocodes/config-array": "^0.11.13", "@humanwhocodes/module-importer": "^1.0.1", "@nodelib/fs.walk": "^1.2.8", @@ -9379,9 +9379,9 @@ "dev": true }, "@eslint/eslintrc": { - "version": "2.1.3", - "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.3.tgz", - "integrity": "sha512-yZzuIG+jnVu6hNSzFEN07e8BxF3uAzYtQb6uDkaYZLo6oYZDCq454c5kB8zxnzfCYyP4MIuyBn10L0DqwujTmA==", + "version": "2.1.4", + "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.4.tgz", + "integrity": "sha512-269Z39MS6wVJtsoUl10L60WdkhJVdPG24Q4eZTH3nnF6lpvSShEK3wQjDX9JRWAUPvPh7COouPpU9IrqaZFvtQ==", "dev": true, "requires": { "ajv": "^6.12.4", @@ -9422,9 +9422,9 @@ } }, "@eslint/js": { - "version": "8.54.0", - "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.54.0.tgz", - "integrity": "sha512-ut5V+D+fOoWPgGGNj83GGjnntO39xDy6DWxO0wb7Jp3DcMX0TfIqdzHF85VTQkerdyGmuuMD9AKAo5KiNlf/AQ==", + "version": "8.55.0", + "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.55.0.tgz", + "integrity": "sha512-qQfo2mxH5yVom1kacMtZZJFVdW+E70mqHMJvVg6WTLo+VBuQJ4TojZlfWBjK0ve5BdEeNAVxOsl/nvNMpJOaJA==", "dev": true }, "@humanwhocodes/config-array": { 
@@ -10648,15 +10648,15 @@ "dev": true }, "eslint": { - "version": "8.54.0", - "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.54.0.tgz", - "integrity": "sha512-NY0DfAkM8BIZDVl6PgSa1ttZbx3xHgJzSNJKYcQglem6CppHyMhRIQkBVSSMaSRnLhig3jsDbEzOjwCVt4AmmA==", + "version": "8.55.0", + "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.55.0.tgz", + "integrity": "sha512-iyUUAM0PCKj5QpwGfmCAG9XXbZCWsqP/eWAWrG/W0umvjuLRBECwSFdt+rCntju0xEH7teIABPwXpahftIaTdA==", "dev": true, "requires": { "@eslint-community/eslint-utils": "^4.2.0", "@eslint-community/regexpp": "^4.6.1", - "@eslint/eslintrc": "^2.1.3", - "@eslint/js": "8.54.0", + "@eslint/eslintrc": "^2.1.4", + "@eslint/js": "8.55.0", "@humanwhocodes/config-array": "^0.11.13", "@humanwhocodes/module-importer": "^1.0.1", "@nodelib/fs.walk": "^1.2.8", diff --git a/package.json b/package.json index 8ba4d7f7c..6fac7b328 100644 --- a/package.json +++ b/package.json @@ -26,7 +26,7 @@ ], "devDependencies": { "@wordpress/eslint-plugin": "^15.1.0", - "eslint": "^8.54.0", + "eslint": "^8.55.0", "grunt": "^1.6.1", "grunt-contrib-clean": "^2.0.1", "grunt-contrib-compress": "^2.0.0", From 97d244f35c935c7ec3699178696ca1220eea9b5d Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Tue, 9 Jan 2024 17:53:41 +0200 Subject: [PATCH 28/32] Documet the 4.0.0 release --- readme.txt | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/readme.txt b/readme.txt index ff44c5fec..c831db603 100644 --- a/readme.txt +++ b/readme.txt 
@@ -127,16 +127,18 @@ Past Contributors: fjarrett, shadyvb, chacha, westonruter, johnregan3, jacobschw
 == Upgrade Notice ==
-= 3.9.0 =
+= 4.0.0 =
-Track changes to posts when using the block editor.
+Use only `$_SERVER['REMOTE_ADDR']` as the client IP address for event logs without additional support for `X-Forwarded-For` HTTP request header value which could be spoofed. See the changelog for additional details.
 == Changelog ==
-= NEXT =
+= 4.0.0 - January 9, 2024 =
-- Breaking: Use only `$_SERVER['REMOTE_ADDR']` as the reliable client IP address for event logs. This might cause incorrectly reported event log IP addresses on environments where PHP is behind a proxy server or CDN. Use the `wp_stream_client_ip_address` filter to set the correct client IP address (see `readme.txt` for instructions) or configure the hosting environment to report the correct IP address in `$_SERVER['REMOTE_ADDR']`.
+- Breaking: Use only `$_SERVER['REMOTE_ADDR']` as the reliable client IP address for event logs. This might cause incorrectly reported event log IP addresses on environments where PHP is behind a proxy server or CDN. Use the `wp_stream_client_ip_address` filter to set the correct client IP address (see `readme.txt` for instructions) or configure the hosting environment to report the correct IP address in `$_SERVER['REMOTE_ADDR']` (issue [#1456](https://github.com/xwp/stream/issues/1456), props [@calvinalkan](https://github.com/calvinalkan)).
+- Fix: types in message strings and code comments (fixed in [#1461](https://github.com/xwp/stream/pull/1461) by [@szepeviktor](https://github.com/szepeviktor)).
+- Development: use Composer v2 during CI runs (fixed in [#1465](https://github.com/xwp/stream/pull/1465) by [@szepeviktor](https://github.com/szepeviktor)).
 = 3.10.0 - October 9, 2023 =
From bfc5be09d3d59272745294bcaa9b59a6598cccbe Mon Sep 17 00:00:00 2001
From: Kaspars Dambis
Date: Tue, 9 Jan 2024 17:54:51 +0200
Subject: [PATCH 29/32] Lock the stable tag
---
 readme.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/readme.txt b/readme.txt
index c831db603..53fbfc055 100644
--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: xwp
 Tags: wp stream, stream, activity, logs, track
 Requires at least: 4.5
 Tested up to: 6.3
-Stable tag: 3.10.0
+Stable tag: 4.0.0
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
From b49743e6eff77fa7abed75304cd15e48cd869ada Mon Sep 17 00:00:00 2001
From: Kaspars Dambis
Date: Tue, 9 Jan 2024 17:56:11 +0200
Subject: [PATCH 30/32] Confirm that tested with the latest WP
---
 readme.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/readme.txt b/readme.txt
index 53fbfc055..3f8a53ce4 100644
--- a/readme.txt
+++ b/readme.txt
@@ -2,7 +2,7 @@
 Contributors: xwp
 Tags: wp stream, stream, activity, logs, track
 Requires at least: 4.5
-Tested up to: 6.3
+Tested up to: 6.4
 Stable tag: 4.0.0
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
From 5faea5365308692fe2fa75a3aba47b6bfe54a87b Mon Sep 17 00:00:00 2001
From: Kaspars Dambis
Date: Tue, 9 Jan 2024 17:56:28 +0200
Subject: [PATCH 31/32] Other version references
---
 classes/class-plugin.php | 2 +-
 stream.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/classes/class-plugin.php b/classes/class-plugin.php
index 170c472bc..5e8b2adb9 100755
--- a/classes/class-plugin.php
+++ b/classes/class-plugin.php
@@ -18,7 +18,7 @@ class Plugin {
  *
  * @const string
  */
- const VERSION = '3.10.0';
+ const VERSION = '4.0.0';
  /**
  * WP-CLI command
diff --git a/stream.php b/stream.php
index 46dbc44c1..075269f12 100644
--- a/stream.php
+++ b/stream.php
@@ -3,7 +3,7 @@
  * Plugin Name: Stream
  * Plugin URI: https://xwp.co/work/stream/
  * Description: Stream tracks logged-in user activity so you can monitor every change made on your WordPress site in beautifully organized detail. All activity is organized by context, action and IP address for easy filtering. Developers can extend Stream with custom connectors to log any kind of action.
- * Version: 3.10.0
+ * Version: 4.0.0
  * Author: XWP
  * Author URI: https://xwp.co
  * License: GPLv2+
From 571ffe855fded9c9584382a31c499a3d5621eb83 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis
Date: Tue, 9 Jan 2024 18:02:52 +0200
Subject: [PATCH 32/32] Match the labels with prior messages
---
 readme.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/readme.txt b/readme.txt
index 3f8a53ce4..79979bcb9 100644
--- a/readme.txt
+++ b/readme.txt
@@ -136,8 +136,8 @@ Use only `$_SERVER['REMOTE_ADDR']` as the client IP address for event logs witho
 = 4.0.0 - January 9, 2024 =
-- Breaking: Use only `$_SERVER['REMOTE_ADDR']` as the reliable client IP address for event logs. This might cause incorrectly reported event log IP addresses on environments where PHP is behind a proxy server or CDN. Use the `wp_stream_client_ip_address` filter to set the correct client IP address (see `readme.txt` for instructions) or configure the hosting environment to report the correct IP address in `$_SERVER['REMOTE_ADDR']` (issue [#1456](https://github.com/xwp/stream/issues/1456), props [@calvinalkan](https://github.com/calvinalkan)).
-- Fix: types in message strings and code comments (fixed in [#1461](https://github.com/xwp/stream/pull/1461) by [@szepeviktor](https://github.com/szepeviktor)).
+- Fix: Use only `$_SERVER['REMOTE_ADDR']` as the reliable client IP address for event logs. This might cause incorrectly reported event log IP addresses on environments where PHP is behind a proxy server or CDN. Use the `wp_stream_client_ip_address` filter to set the correct client IP address (see `readme.txt` for instructions) or configure the hosting environment to report the correct IP address in `$_SERVER['REMOTE_ADDR']` (issue [#1456](https://github.com/xwp/stream/issues/1456), props [@calvinalkan](https://github.com/calvinalkan)).
+- Tweak: fix typos in message strings and code comments (fixed in [#1461](https://github.com/xwp/stream/pull/1461) by [@szepeviktor](https://github.com/szepeviktor)).
 - Development: use Composer v2 during CI runs (fixed in [#1465](https://github.com/xwp/stream/pull/1465) by [@szepeviktor](https://github.com/szepeviktor)).
 = 3.10.0 - October 9, 2023 =