Forum Replies Created

Viewing 15 replies - 1 through 15 (of 16 total)
  • I had a problem with the 5.7.10-5.7.11 update too – it was throwing a fatal error in both admin and on site saying that the function acf_add_local_field_group was not defined. I did this same trick with the version number, and it came back to life, and I reinstalled the plugin.

    Now it says that it upgraded successfully, but if I check for updates again, it keeps suggesting the same update. I can see in the files that it is running 5.7.11, but WP seems convinced it’s still 5.7.10.

    Thread Starter Synchro

    (@synchro)

    I am using 2.4. I tried using <FilesMatch "\.ini$"> as well but that didn’t work either, however, the rewrite suggestion does work, so thanks for that. I’d still really like to know why the Files or FilesMatch directives don’t work, especially since they are what is recommended in the docs.

    • This reply was modified 5 years, 10 months ago by Synchro.
    Thread Starter Synchro

    (@synchro)

    I’ve run into another one of these with Wordfence 7.1.18 when loading the WF dashboard page on a fresh install with WP 4.9.8:

    `
    [Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://www.bugherd.com ".

    Function (jquery.tmpl.min.1543941426.js:10:3544)
    o (jquery.tmpl.min.1543941426.js:10:3544)
    template (jquery.tmpl.min.1543941426.js:10:2004)
    tmpl (jquery.tmpl.min.1543941426.js:10:1423)
    tmpl (jquery.tmpl.min.1543941426.js:10:938)
    wafConfigPageRender (admin.1543941426.js:3230)
    (anonymous function) (admin.php:238)
    i (load-scripts.php:2:27455)
    fireWith (load-scripts.php:2:28215)
    ready (load-scripts.php:2:30018)
    K (load-scripts.php:2:30374)
    `

    Again, I find it absolutely mystifying that a security product would require you to disable one of the most effective ways to combat XSS available in order to use it. You should be encouraging users to use tighter security, not the reverse. Are you not dogfooding this? Do you not run Wordfence on sites with CSP reporting turned up full? This isn’t some weird edge case, it’s absolutely basic web security applicable to everyone. If your templating system requires unsafe-eval, it’s time to find a templating system that’s not broken.
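
    The two things this post turns on, whether a given script-src directive permits eval at all and how a template can be rendered without handing a string to `new Function`, as an added example that is not part of the thread or of Wordfence's own code. The CSP strings are the ones quoted in the traces above; the renderer only supports `${name}` lookups, which is an assumption for the sake of the example and narrower than jquery.tmpl's expressions.

    ```javascript
    // Added example (not from the thread): parse a CSP header, report whether
    // script-src permits eval, and render a small template without generating
    // code at runtime, which is exactly what a CSP lacking 'unsafe-eval' blocks.

    function parseCsp(header) {
      const directives = {};
      for (const part of header.split(';')) {
        const tokens = part.trim().split(/\s+/).filter(Boolean);
        if (tokens.length === 0) continue;
        directives[tokens[0].toLowerCase()] = tokens.slice(1);
      }
      return directives;
    }

    // script-src falls back to default-src only when script-src is absent.
    function allowsEval(header) {
      const d = parseCsp(header);
      const sources = d['script-src'] || d['default-src'] || [];
      return sources.map((s) => s.toLowerCase()).includes("'unsafe-eval'");
    }

    function escapeHtml(value) {
      const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
      return String(value).replace(/[&<>"']/g, (c) => map[c]);
    }

    // Eval-free renderer: ${name} is looked up in data and HTML-escaped.
    // No string is ever passed to eval or new Function, so it runs under
    // "script-src 'self'" with no 'unsafe-eval' needed. Unknown names render empty.
    function renderTemplate(template, data) {
      return template.replace(/\$\{\s*([A-Za-z_]\w*)\s*\}/g, (m, key) =>
        Object.prototype.hasOwnProperty.call(data, key) ? escapeHtml(data[key]) : '');
    }

    // The directive from the Wordfence 7.1.18 trace above: eval is not permitted.
    const wordfenceCsp =
      "script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://www.bugherd.com ";
    console.log('eval allowed:', allowsEval(wordfenceCsp));
    console.log(renderTemplate('<li>${name}</li>', { name: '<script>x</script>' }));
    ```
    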

    Thread Starter Synchro

    (@synchro)

    Thanks. I’ve implemented that and it’s now happy running read-only.

    Thread Starter Synchro

    (@synchro)

    I can switch write access on and off – the problem I have with wordfence is that I can set it all up and configure it all (including the WAF), and it’s happy, but if I then set it to read-only, it breaks, and actually disables the WAF. That seems entirely unnecessary – I can see that things like logging within the webroot might be a problem, but I can’t see any good reason to break in that scenario – more to the point, breaking logging is a much less serious problem than disabling the entire protection system, which is what it does at present.

    Thread Starter Synchro

    (@synchro)

    I understand that, and I’ve done that purely so I can do so, but it seems contradictory to have to require everyone to disable an important anti-XSS security measure to enable a security product, not the kind of practice that should be encouraged!

    Disabling that element of a CSP is a temporary workaround, not an appropriate long-term solution, which would be to implement the review check without needing unsafe-eval in the first place, which is why I tagged this as a bug.

    Thread Starter Synchro

    (@synchro)

    I’ve just run into more of a blocker with the same cause: After upgrading to Wordfence 7.1.7, it’s showing me a dialog that requires me to review the terms, however, clicking either of the review buttons results in a CSP violation due to needing unsafe-eval, so I can’t get past it.

    `
    [Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".

    Function (jquery.tmpl.min.1528224180.js:10:3544)
    o (jquery.tmpl.min.1528224180.js:10:3544)
    template (jquery.tmpl.min.1528224180.js:10:2004)
    tmpl (jquery.tmpl.min.1528224180.js:10:1423)
    tmpl (jquery.tmpl.min.1528224180.js:10:938)
    (anonymous function) (admin.php:261)
    dispatch (load-scripts.php:3:12450)
    handle (load-scripts.php:3:9179)
    trigger (load-scripts.php:3:11579)
    trigger (load-scripts.php:9:8280)
    (anonymous function) (load-scripts.php:3:18999)
    each (load-scripts.php:2:2886)
    each (load-scripts.php:2:851)
    trigger (load-scripts.php:3:18972)
    onclick (admin.php:246)
    `

    • This reply was modified 6 years, 5 months ago by Synchro.
    Thread Starter Synchro

    (@synchro)

    I just managed to trash my nginx config by accident and I can’t remember where I saw this error originally, but I’ve managed to provoke another one (I think the one I spotted originally was more obvious than this); I’m getting this stack trace when clicking the “Enable firewall” button in wp-admin:

    `
    [Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' ".

    Function (jquery.tmpl.min.1527005958.js:10:3544)
    o (jquery.tmpl.min.1527005958.js:10:3544)
    template (jquery.tmpl.min.1527005958.js:10:1915)
    tmpl (jquery.tmpl.min.1527005958.js:10:1423)
    colorboxModal (admin.1527005958.js:1863)
    (anonymous function) (admin.1527005958.js:3266)
    success (admin.1527005958.js:1818)
    i (load-scripts.php:2:27455)
    fireWith (load-scripts.php:2:28215)
    y (load-scripts.php:4:22733)
    c (load-scripts.php:4:26927)
    `

    In the page source I can see that the script handler for this button immediately follows the button in the layout – that’s permitted with unsafe-inline (though it would be better to get rid of that too), but I’m not sure why it’s triggering unsafe-eval.

    Incidentally, another thing flagged by my CSP is your use of the Roboto font from google fonts. Wordfence is the only thing using an external font on my site. It looks fine without it, but it would be better if it didn’t ask for it.

    Thread Starter Synchro

    (@synchro)

    It was for 120 different files, all not owned by the web server and all marked read-only.

    I just got another one of these and checked the ctime, and indeed it has a recent timestamp; however, the contents of the file have not been changed and appear innocuous.

    Thread Starter Synchro

    (@synchro)

    Sorry, that wasn’t clear. The error message is “You need to manually update your .htaccess”, and then it shows me a dialog with what should be put into .htaccess, but that’s not applicable because I’m using nginx. It’s not clear if the nginx config needs anything to be significantly different to the config I linked to in order to allow caching over https.

    Screen shot

    The “security concerns” comment was just me saying that there are security measures available outside wordpress – for example changing ownership of files so that nothing can be written by WP, using fail2ban etc. I was quite surprised to find that WF doesn’t mention ownership/permissions as a security measure.

    Thread Starter Synchro

    (@synchro)

    I think this was my fault – I misinterpreted the meaning of “NK Google Analytics Status” as enabling some kind of status display, not that it turned the plugin on.

    I didn’t put it inside the plugin at all as that would break when the plugin is updated. The plugin calls whatever function name you give it, so I named it not to clash with its own implementation and just included it in my own pages by sticking the script in the footer.

    Indeed, there are several problems in this area.

    Firstly, the instructions tell you to enter ccADDAnalytics() in the On Accept and On CookiesAllowed fields, yet the function provided is called ccAddAnalytics, and since JS is case-sensitive, that won’t work.

    The instructions also tell you to create that function, however, the plugin already includes one (even if you leave the GA ID field empty, which I’d definitely class as a bug), so if you create one as instructed you’ll have a name clash.

    I rewrote the function (and renamed it so the built-in one isn’t called) to use the async version:

    <script type="text/javascript">
    function ccAddAnalytics2() {
      "use strict";
      // The queue must live on window: ga.js reads the global _gaq when it loads,
      // so a function-local "var _gaq" would silently drop the pushed commands.
      window._gaq = window._gaq || [];
      window._gaq.push(['_setAccount', 'UA-XXXXXX-XX']);
      window._gaq.push(['_trackPageview']);
      (function() {
        // Inject the async ga.js loader after the cookie consent has been given.
        var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
        ga.src = ('https:' === document.location.protocol ? 'https://ssl' : 'https://www') + '.google-analytics.com/ga.js';
        var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
      })();
    }
    </script>

    All works for me now.

    I’m seeing the same thing, even with the example CSV file. It says
    No user was successfully imported, please check the error log.
    The error log is created, but it’s empty. No permissions problems, no PHP errors logged.
    This is on a brand new install of WordPress 3.3.1 with no other plugins, running on PHP 5.3.2.

    Thread Starter Synchro

    (@synchro)

    I can confirm that it’s fixed, thanks very much for dealing with it so quickly.
