Skip to content

fix: fp when installing/uploading plugin via zip file #62

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Nov 7, 2024
Merged

fix: fp when installing/uploading plugin via zip file #62

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
5855760
fix: fp when installing/uploading plugin via zip file
EsadCetiner Sep 14, 2024
ffa5ced
fix: linting errors
EsadCetiner Sep 14, 2024
9845e0f
fix: typos
EsadCetiner Sep 14, 2024
c26763c
perf: remove unneeded chain rule
EsadCetiner Sep 19, 2024
4d3711d
Merge branch 'coreruleset:master' into fix-plugin-page
EsadCetiner Nov 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions plugins/wordpress-rule-exclusions-before.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1120,4 +1120,34 @@
"t:none,\
ctl:ruleRemoveTargetById=942360;ARGS:s"

# Uploading plugins as a zip file
SecRule REQUEST_FILENAME "@endsWith /wp-admin/update.php" \
"id:9507973,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'wordpress-rule-exclusions-plugin/1.0.1',\
chain"
SecRule ARGS:action "@streq upload-plugin" \
"t:none,\
chain"
SecRule FILES:pluginzip "@endsWith .zip" \

Check failure on line 1135 in plugins/wordpress-rule-exclusions-before.conf

View workflow job for this annotation

GitHub Actions / plugin-lint / check-syntax

'Syntax invalid' 

Expected '|' or '"'
"t:none,\
ctl:ruleRemoveTargetById=944110;REQUEST_BODY,\
ctl:ruleRemoveTargetById=944250;REQUEST_BODY"

# Installing a plugin via zip file upload
SecRule REQUEST_FILENAME "@endsWith /wp-admin/update.php" \
"id:9507974,\
phase:2,\
pass,\
t:none,\
nolog,\
ver:'wordpress-rule-exclusions-plugin/1.0.1',\
chain"
SecRule ARGS:install-plugin-submit "@streq Install Now" \
"t:none,\
ctl:ruleRemoveTargetById=932236;ARGS:install-plugin-submit"

SecMarker "END-WORDPRESS-ADMIN"
43 changes: 43 additions & 0 deletions tests/regression/wordpress-rule-exclusions-plugin/9507974.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
---
meta:
author: "Esad Cetiner"
description: "Wordpress Rule Exclusions Plugin"
enabled: true
name: 9507974.yaml
tests:
- test_title: 9507974-1
desc: Installing a plugin via zip file upload
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: "multipart/form-data; boundary=----WebKitFormBoundarylBwlewqbn4fBRA7B"
port: 80
method: POST
version: "HTTP/1.1"
uri: /post/wp-admin/update.php?action=upload-plugin
data: |
------WebKitFormBoundarylBwlewqbn4fBRA7B
Content-Disposition: form-data; name="_wpnonce"

7347be877b
------WebKitFormBoundarylBwlewqbn4fBRA7B
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/plugin-install.php
------WebKitFormBoundarylBwlewqbn4fBRA7B
Content-Disposition: form-data; name="pluginzip"; filename="akismet.5.3.3.zip"
Content-Type: application/x-zip-compressed
<Plugin data goes here>

------WebKitFormBoundarylBwlewqbn4fBRA7B
Content-Disposition: form-data; name="install-plugin-submit"

Install Now
------WebKitFormBoundarylBwlewqbn4fBRA7B--
output:
no_log_contains: id "932236"
Loading