• Resolved gioglifx

    (@gioglifx)


    Hello,

    The following prevents a plugin from automatically generating a PDF of a signed contract. This plugin normally worked before with the iThemes plugin.

    There are two parts that are preventing the plugin from working:

    1. There’s a section where one can sign with a mouse, stylus or finger on a mobile. This doesn’t work with the iThemes plugin.

    2. Once the document is signed, there’s a button to generate the signed document. This also doesn’t work with the iThemes plugin.

    *********************************************

    I’ve found where each of the two parts is conflicting.

    1. There’s a file named signaturesave.php inside the plugin for contracts that apparently, as the name suggests, saves the signature.
    >> I found that iThemes plugin blocks requests to PHP files inside plugin directories:

    # Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins
    RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)$ - [NC,F]

    I added the following to request that file (is this “safe” or correct?):

    # Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins
    RewriteCond %{REQUEST_FILENAME} !(signaturesave\.php)
    RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)$ - [NC,F]

    *********************************************

    2. With the above, the signed document can now be saved. With that, it was not generating the PDF version for download. I found that the following was preventing that:

    RewriteCond %{HTTP_USER_AGENT} "^$" [NC,OR]

    Is there a way to still keep the above line, or edit it while still having the security benefits? I tried the following and it works, though I’m not sure if that’s a safe way to do this.

    To “whitelist” it:

    RewriteCond %{HTTP_USER_AGENT} "^$" [NC,OR]
    # white list the above line?
    # pass-through rule: match any path, no substitution (-), stop processing (L)
    RewriteRule ^ - [L]

    *********************************************

    I’m not too familiar with this type of code, but I’m very comfortable editing it, so I would truly appreciate any input on your part. I’m hoping you can instruct me on whether that’s an acceptable way to do this. At this point, all I’ve done is try to see what has “worked”, but I reverted until further instructions or guidance.

    Would you kindly let me know if these are acceptable; and if not, would you please guide me in keeping the safety while allowing for the plugin to work as it did before with iThemes?

    Thank you in advance, I appreciate your time and effort.

    Best regards.
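The posted RewriteCond/RewriteRule pair evaluated against a few constructed request paths, as an added example (not code from the thread or from either plugin). It emulates how mod_rewrite applies the negated condition to REQUEST_FILENAME and shows how broad the unanchored exception is; the docroot, the placeholder plugin directory PLUGIN-NAME and the anchored alternative condition are assumptions of this example, not the thread's.

```python
import re

# Constructed docroot: REQUEST_FILENAME is the mapped filesystem path, not the URL path.
DOCROOT = "/var/www/html/"

# RewriteRule pattern from the thread (NC = case-insensitive). In .htaccess context the
# per-directory prefix is stripped, so the matched URL path has no leading slash.
PLUGIN_PHP_RULE = re.compile(
    r"^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)$", re.IGNORECASE)

# The exception posted in the thread: an unanchored, negated RewriteCond on REQUEST_FILENAME.
POSTED_EXCEPTION = re.compile(r"(signaturesave\.php)")

# Assumed tighter form (my suggestion, not from the thread): anchored to one plugin's path
# and to the exact .php extension. "PLUGIN-NAME" is a placeholder for the real directory.
TIGHTER_EXCEPTION = re.compile(
    r"/wp-content/plugins/PLUGIN-NAME/contracts/signaturesave\.php$")


def is_forbidden(url_path, exception):
    """Emulate the cond/rule pair: [F] fires only when the rule pattern matches the URL
    path AND the negated cond holds, i.e. the filename does NOT match the exception."""
    request_filename = DOCROOT + url_path
    if not PLUGIN_PHP_RULE.search(url_path):
        return False                 # RewriteRule pattern does not match: rule skipped
    return exception.search(request_filename) is None   # the "!" negation


# Constructed requests; the first is the one the poster wants to allow.
SAMPLE_REQUESTS = [
    "wp-content/plugins/PLUGIN-NAME/contracts/signaturesave.php",
    "wp-content/plugins/another-plugin/signaturesave.php",          # same name, other plugin
    "wp-content/plugins/PLUGIN-NAME/contracts/signaturesave.php5",  # alternate extension
    "wp-content/plugins/PLUGIN-NAME/admin.php",
    "wp-content/themes/sometheme/functions.php",                    # outside the rule's scope
]


def compare(paths=SAMPLE_REQUESTS):
    """Return {path: (forbidden with posted exception, forbidden with tighter exception)}."""
    return {p: (is_forbidden(p, POSTED_EXCEPTION), is_forbidden(p, TIGHTER_EXCEPTION))
            for p in paths}


if __name__ == "__main__":
    for path, (posted, tighter) in compare().items():
        print(f"{path:62s} posted={'BLOCK' if posted else 'allow'} "
              f"tighter={'BLOCK' if tighter else 'allow'}")
```

The second and third paths show that the posted exception also lets through a same-named file in any other plugin directory and any of the alternate extensions the rule covers, which the anchored condition does not.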

Viewing 2 replies - 1 through 2 (of 2 total)
  • @gioglifx

    Issue 1

    Ok, so you have manually added an exception for plugin file signaturesave.php in the .htaccess file.

    This basically means anyone can access that file with a direct HTTP request:

    https://www.example.com/wp-content/plugins/pluginname/contracts/signaturesave.php

    YOU MUST BE 100% SURE THIS PHP FILE DOES NOT CONTAIN ANY EXPLOITABLE VULNERABILITIES !

    Secondly: Since you manually added an exception to the .htaccess file, as soon as the iTSec plugin regenerates the content of the .htaccess file your edit will be lost. This will happen for sure when you decide to change a setting (which writes to the .htaccess file) in the iTSec plugin and save. Depending on your plugin’s settings the iTSec plugin might even regenerate the content of the .htaccess file without you ever touching anything… (this happens when an IP is fully automatically banned).

    In such cases, in order to keep the edit you’ll need to add the extra .htaccess rule to the plugin code. So that requires a code change in the plugin. Not very complicated but that code change will also be lost when updating the plugin …
    Hard coding an exception is not a flexible solution anyway …

    The simplest solution is to disable the plugin feature in the System Tweaks module.
    The disadvantage is that your site is a little bit less secure. Not a big deal if you are using well written/secure and reputable plugins …

    Another route is to request a feature at iThemes.

    It’s basically an enhancement request that offers anyone the flexibility to add/remove exceptions to the System Tweaks module PHP in Plugins feature from the iTSec plugin Dashboard UI. And/or provide a filter that other plugin developers can hook into.

    Before doing so note that the System Tweaks module PHP in Plugins feature is a fallback security mechanism.
    If you are using well written/secure and reputable plugins there is no need to block direct access to PHP files from the plugins folder.

    Issue 2
    To be continued, should you be interested?

    Thread Starter gioglifx

    (@gioglifx)

    @pronl

    Thank you very much for your well-detailed response. That is VERY helpful. The plugin is regarded as reputable by its author. With that said though, the points you made in regards to the constant updating seem to be a never-ending monitoring and more like whack-a-mole, since there may be a different conflict tomorrow. I also thank you for your suggestions about security. I’ll take heed of your warnings as I’d rather trade convenience for security. The less there is, the less the chances and headaches. Nonetheless, I’ll add a request once I can think of a way where it can be globally used instead of a one-off.

    Thank you again, have a fantastic day!

  • The topic ‘htaccess & plugin conflict’ is closed to new replies.