Merge remote-tracking branch 'origin/master' into fix

# Conflicts:
#	security-malware-firewall.php

.gitignore

@@ -16,7 +16,12 @@ psalm.xml
 /lib/CleantalkSP/Common/Scanner/SignaturesAnalyser/.github/
 /lib/CleantalkSP/Common/Scanner/HeuristicAnalyser/.github/
 /lib/CleantalkSP/Common/Scanner/SignaturesAnalyser/composer.json
+/lib/CleantalkSP/Common/Scanner/SignaturesAnalyser/README.md
 /lib/CleantalkSP/Common/Scanner/HeuristicAnalyser/composer.json
+/lib/CleantalkSP/Common/Scanner/HeuristicAnalyser/README.md
+/lib/CleantalkSP/Common/Scanner/HeuristicAnalyser/Vendors/TiktokenPhp/composer.json
+/lib/CleantalkSP/Common/Scanner/HeuristicAnalyser/Vendors/TiktokenPhp/README.md
 /lib/CleantalkSP/Common/FSWatcher/Storage/data/
 /lib/CleantalkSP/Common/FSWatcher/logs/
+/lib/CleantalkSP/Common/Helpers/composer.json
 

lib/CleantalkSP/Common/RemoteCalls.php

@@ -28,6 +28,10 @@ class RemoteCalls
      */
     protected $without_token;
 
+    protected static $allowedActionsWithoutToken = [
+        'post_api_key',
+    ];
+
     const COOLDOWN = 10;
 
     /**
@@ -53,10 +57,20 @@ public static function checkWithoutToken()
     {
         global $spbc;
 
+        $rc_servers = [
+            'netserv3.cleantalk.org',
+            'netserv4.cleantalk.org',
+        ];
+
         return ! $spbc->key_is_ok &&
                Request::get('spbc_remote_call_action') &&
                in_array(Request::get('plugin_name'), array('security', 'spbc')) &&
-               strpos(IP::resolve(IP::get()), 'cleantalk.org') !== false;
+               in_array(IP::resolve(IP::get('remote_addr')), $rc_servers, true);
+    }
+
+    private static function isAllowedWithoutToken($rc)
+    {
+        return in_array($rc, self::$allowedActionsWithoutToken, true);
     }
 
     /**
@@ -87,9 +101,11 @@ public function process()
                 // Check API key
                 if (
                     ($this->state->data['key_is_ok'] !== false) &&
-                    (($token === strtolower(md5($this->state->api_key)) ||
-                    $token === strtolower(hash('sha256', $this->state->api_key))) ||
-                    $this->without_token)
+                    (
+                        ( $token === strtolower(md5($this->state->api_key)) ||
+                        $token === strtolower(hash('sha256', $this->state->api_key)) ) ||
+                        ( $this->without_token && self::isAllowedWithoutToken($action) )
+                    )
                 ) {
                     // Flag to let plugin know that Remote Call is running.
                     $this->state->rc_running = true;

readme.txt

@@ -4,7 +4,7 @@ Tags: security, firewall, malware, wordpress security, brute force
 Requires at least: 5.0
 Tested up to: 6.6
 Requires PHP: 5.6
-Stable tag: 2.145
+Stable tag: 2.145.1
 License: GPLv2
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -336,6 +336,9 @@ This is required for the Security FireWall to function properly. Plugins that ar
 
 == Changelog ==
 
+= 2.145.1 Nov 01 2024
+* Fix. Remote Calls. RC calling without token fixed. (#438)
+
 = 2.145 Oct 28 2024
 * Fix. Setting. React components i18n fixed.
 * Fix. Code. Frontend malware scanner disabled by default.

security-malware-firewall.php

@@ -5,7 +5,7 @@
 Plugin URI: https://wordpress.org/plugins/security-malware-firewall/
 Description: Security & Malware scan by CleanTalk to protect your website from online threats and viruses. IP/Country FireWall, Web application FireWall. Detailed stats and logs to have full control.
 Author: CleanTalk Security
-Version: 2.145.1-fix
+Version: 2.145.1
 Author URI: https://cleantalk.org
 Text Domain: security-malware-firewall
 Domain Path: /i18n