From 9a44273410507970153460d163148e3bdc02a8dc Mon Sep 17 00:00:00 2001
From: Viktor
Date: Fri, 1 Nov 2024 09:40:43 +0300
Subject: [PATCH] Fix. Remote Calls. RC calling without token fixed. (#438)
---
 lib/CleantalkSP/Common/RemoteCalls.php | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/lib/CleantalkSP/Common/RemoteCalls.php b/lib/CleantalkSP/Common/RemoteCalls.php
index 13ed8fa8b..7b09b1ac3 100644
--- a/lib/CleantalkSP/Common/RemoteCalls.php
+++ b/lib/CleantalkSP/Common/RemoteCalls.php
@@ -28,6 +28,10 @@ class RemoteCalls
 */
 protected $without_token;
+ protected static $allowedActionsWithoutToken = [
+ 'post_api_key',
+ ];
+
 const COOLDOWN = 10;
 /**
@@ -53,10 +57,20 @@ public static function checkWithoutToken()
 {
 global $spbc;
+ $rc_servers = [
+ 'netserv3.cleantalk.org',
+ 'netserv4.cleantalk.org',
+ ];
+
 return ! $spbc->key_is_ok &&
 Request::get('spbc_remote_call_action') &&
 in_array(Request::get('plugin_name'), array('security', 'spbc')) &&
- strpos(IP::resolve(IP::get()), 'cleantalk.org') !== false;
+ in_array(IP::resolve(IP::get('remote_addr')), $rc_servers, true);
+ }
+
+ private static function isAllowedWithoutToken($rc)
+ {
+ return in_array($rc, self::$allowedActionsWithoutToken, true);
 }
 /**
@@ -87,9 +101,11 @@ public function process()
 // Check API key
 if (
 ($this->state->data['key_is_ok'] !== false) &&
- (($token === strtolower(md5($this->state->api_key)) ||
- $token === strtolower(hash('sha256', $this->state->api_key))) ||
- $this->without_token)
+ (
+ ( $token === strtolower(md5($this->state->api_key)) ||
+ $token === strtolower(hash('sha256', $this->state->api_key)) ) ||
+ ( $this->without_token && self::isAllowedWithoutToken($action) )
+ )
 ) {
 // Flag to let plugin know that Remote Call is running.
 $this->state->rc_running = true;
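Review bot: `$allowedActionsWithoutToken` is declared `protected static`, so the list that decides which remote calls may run without a token can be reassigned at runtime by this class or any subclass. Nothing in the patch needs to modify it, so a class constant next to `COOLDOWN`, e.g. `const ALLOWED_ACTIONS_WITHOUT_TOKEN = ['post_api_key'];`, would keep it fixed. A docblock such as `/** Remote call actions that may run before an API key is set; each entry skips the token comparison in process(). */` would also tell the next maintainer what adding an entry implies.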
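Review bot: The new `in_array(IP::resolve(IP::get('remote_addr')), $rc_servers, true)` condition in checkWithoutToken() still authorises the caller on a reverse-DNS (PTR) answer, assuming IP::resolve() is a plain reverse lookup (its body is not part of this patch). PTR records are set by whoever operates the address block, so the exact hostname match is stricter than the old substring test but does not by itself prove the request came from those servers. The matched name should be confirmed forward: resolve it and require the connecting address among the results, failing closed otherwise. Note that `gethostbynamel()` returns IPv4 addresses only, so `dns_get_record()` with AAAA records would be needed if the servers can call over IPv6.

```php
// … unchanged: global $spbc; and the $rc_servers list …
$remote_ip = IP::get('remote_addr');
$rc_host   = IP::resolve($remote_ip);

// Forward-confirm the PTR answer: the allowlisted name must resolve back
// to the connecting address, otherwise the reverse record is not trusted.
$forward_ips = in_array($rc_host, $rc_servers, true) ? gethostbynamel($rc_host) : false;

return ! $spbc->key_is_ok &&
       // … unchanged: spbc_remote_call_action and plugin_name conditions …
       is_array($forward_ips) &&
       in_array($remote_ip, $forward_ips, true);
```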
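Review bot: The two token comparisons rewritten in this condition still use `===`, which is not a constant-time comparison; `hash_equals(hash('sha256', $this->state->api_key), (string) $token)` (and the same form for the md5 variant) would avoid leaking how much of the token matched. `$token` and `$action` are assigned outside the hunk, so check that `$token` is already lower-cased there, since `hash()` and `md5()` return lowercase hex and the `strtolower()` calls on them are no-ops. Separately, the outer guard `$this->state->data['key_is_ok'] !== false` and checkWithoutToken()'s `! $spbc->key_is_ok` look hard to satisfy together if both read the same flag, so a test that the `post_api_key` path is actually reachable would be worth adding. process() begins and ends outside this hunk.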