Merge pull request #25 from dxw/feature/add-http-referrer-allow-list-option

Feature/add http referrer allow list option

Author: jkeasley

composer.json

@@ -5,8 +5,7 @@
     },
     "require-dev": {
         "dxw/phar-install": "^1.1",
-        "friendsofphp/php-cs-fixer": "^2.0",
-        "kahlan/kahlan": "^4.7"
+        "friendsofphp/php-cs-fixer": "^2.0"
     },
     "scripts": {
         "post-update-cmd": "vendor/bin/phar-install"

composer.lock

@@ -3,7 +3,7 @@
  * Plugin Name: dxw Members Only
  * Plugin URI: http://dxw.com
  * Description: Make your WordPress site visible to signed-in users only with the added ability to whitelist specific content for access by all users.
- * Version: 4.0.4
+ * Version: 4.1.0
  * Author: dxw
  * Author URI: http://dxw.com
  * Text Domain: dxwmembersonly

dxw-members-only.php

@@ -83,6 +83,36 @@ function dxw_members_only_current_ip_in_whitelist()
     return false;
 }
 
+function dxw_members_only_referrer_in_allow_list()
+{
+    $referrer_list = explode("\n", get_option('dxw_members_only_referrer_allow_list'));
+    /*
+     * If there is no referrer header, or if we have no configured referrers to
+     * whitelist we can stop here.
+     */
+    if (isset($_SERVER['HTTP_REFERER'])) {
+        foreach ($referrer_list as $referrer) {
+            if (!empty($referrer)) {
+                /*
+                 * Add the site url to the referrer string to ensure that external
+                 * referrers can't be used here.
+                 */
+                $whitelisted_referrer = get_site_url() . $referrer;
+                $referrer_check = strpos($_SERVER['HTTP_REFERER'], $whitelisted_referrer);
+                /*
+                 * Check that there is a match, and that match is at the start of the referrer string.
+                 * This is to ensure that the referrer being whitelisted can't be fooled by having
+                 * a whitelisted referrer passed in as a parameter on the referrer string.
+                 */
+                if ($referrer_check !== false && $referrer_check == 0) {
+                    return true;
+                }
+            }
+        }
+    }
+    return false;
+}
+
 add_action('init', function () {
     // Fix for wp-cli
     if (defined('WP_CLI_ROOT')) {
@@ -122,6 +152,13 @@ function dxw_members_only_current_ip_in_whitelist()
         return;
     }
 
+    // Referrer whitelist
+    if (dxw_members_only_referrer_in_allow_list()) {
+        header('Cache-Control: private, max-age=' . $max_age);
+        dxw_members_only_serve_uploads();
+        return;
+    }
+
     // List
     $hit = false;
     $list = explode("\n", get_option('dxw_members_only_list_content'));

redirect.php

@@ -5,7 +5,7 @@
 function dxw_members_only_metasettings()
 {
     $ms = new dmometasettings(__FILE__, 'dxw_members_only');
-    $ms->add_settings(__('dxw Members Only', 'dxwmembersonly'), ['list_type', 'list_content', 'ip_whitelist', 'redirect', 'redirect_root', 'upload_default', 'max_age'], 'dxw_members_only_options_page');
+    $ms->add_settings(__('dxw Members Only', 'dxwmembersonly'), ['list_type', 'list_content', 'ip_whitelist', 'referrer_allow_list', 'redirect', 'redirect_root', 'upload_default', 'max_age'], 'dxw_members_only_options_page');
 }
 
 /**
@@ -53,6 +53,24 @@ function dxw_members_only_options_page()
 
     </table>
 
+    <h3><?php _e('Referrer Allow list') ?></h3>
+    <p><?php _e('Enter a list of internal referrers to whitelist.', 'dxwmembersonly') ?></p>
+    <p><?php _e('This is for enabling certain plugins such as Nelio AB to function correctly, do not use unless required', 'dxwmembersonly') ?></p>
+
+    <table class="form-table">
+
+      <tr valign="top">
+        <th scope="row"><label for="dxw_members_only_referrer_allow_list"><?php _e('List of referrers', 'dxwmembersonly') ?></label></th>
+        <td>
+          <textarea cols="30" rows="5" name="dxw_members_only_referrer_allow_list" id="dxw_members_only_referrer_allow_list" class="large-text code"><?php echo esc_html(get_option('dxw_members_only_referrer_allow_list')) ?></textarea>
+          <br>
+          <span class="description"><?php _e('One address per line, do not include the domain (eg /admin.php?page=test)', 'dxwmembersonly') ?></span>
+        </td>
+      </tr>
+
+  </table>
+      <?php echo get_option('dxw_members_only_referrer_whitelist'); ?>
+
     <h3><?php _e('Redirection', 'dxwmembersonly') ?></h3>
     <p><?php _e('In both the following options, <code>%return_path%</code> will be converted to the URL that was originally visited. i.e. <code>/wp-login.php?redirect_to=http://example.com/private-page</code>', 'dxwmembersonly') ?></p>