From 5c9eba80b99c35cf47451d40c9e48318967a1729 Mon Sep 17 00:00:00 2001
From: Darin Kotter
Date: Tue, 5 Dec 2023 13:32:52 -0700
Subject: [PATCH 1/4] By default, only trust the REMOTE_ADDR header. Add a note detailing why this is the case and how to utilize filters to get around this
---
 restricted_site_access.php | 35 ++++++++++++++---------------------
 1 file changed, 14 insertions(+), 21 deletions(-)
diff --git a/restricted_site_access.php b/restricted_site_access.php
index ae550fb4..e70d2b6e 100644
--- a/restricted_site_access.php
+++ b/restricted_site_access.php
@@ -1735,8 +1735,8 @@ public static function get_client_ip_address() {
  * @return string
  */
  public static function get_ip_from_headers() {
- $ip = '';
- $trusted_headers = array(
+ $ip = '';
+ $old_trusted_headers = array(
  'HTTP_CF_CONNECTING_IP',
  'HTTP_CLIENT_IP',
  'HTTP_X_FORWARDED_FOR',
@@ -1749,30 +1749,23 @@ public static function get_ip_from_headers() {
  /**
  * Filter hook to set array of trusted IP address headers.
  *
- * Most CDN providers will set the IP address of the client in a number
- * of headers. This allows the plugin to detect the IP address of the client
- * even if it is behind a proxy.
+ * By default we only trust the REMOTE_ADDR header, as other
+ * headers can easily be spoofed.
  *
- * Use this hook to modify the permitted proxy headers. For sites without a
- * CDN (or local proxy) it is recommended to add a filter to this hook to
- * return an empty array.
+ * If your site is behind a proxy, typically the REMOTE_ADDR header
+ * will contain the IP address of the proxy and not the client. To
+ * deal with this situation, you'll need to use this filter
+ * to set any other headers you want to trust.
  *
- * add_filter( 'rsa_trusted_headers', '__return_empty_array' );
- *
- * By default, the following headers are trusted:
- * - HTTP_CF_CONNECTING_IP
- * - HTTP_CLIENT_IP
- * - HTTP_X_FORWARDED_FOR
- * - HTTP_X_FORWARDED
- * - HTTP_X_CLUSTER_CLIENT_IP
- * - HTTP_FORWARDED_FOR
- * - HTTP_FORWARDED
- *
- * To allow for CDNs, these headers take priority over the REMOTE_ADDR value.
+ * Note that by doing this you will open your site up to IP spoofing
+ * attacks so proceed with caution. If possible, you should also use
+ * the rsa_trusted_proxies filter to set the proxy IP addresses you
+ * trust so these headers will only be used if a request came from
+ * the proxy.
  *
  * @param string[] $trusted_proxies Array of trusted IP Address headers.
  */
- $trusted_headers = apply_filters( 'rsa_trusted_headers', $trusted_headers );
+ $trusted_headers = apply_filters( 'rsa_trusted_headers', array() );
  // Add the REMOTE_ADDR value to the end of the array.
  $trusted_headers[] = 'REMOTE_ADDR';
From dae88a192469298275790fafa37fd839abb47d64 Mon Sep 17 00:00:00 2001
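Review bot: The value returned by the `rsa_trusted_headers` filter is used as an array without any type check, on the context line right after the changed `apply_filters()` call (`$trusted_headers[] = 'REMOTE_ADDR';`). A callback that returns a string or `false` would raise an error or behave differently across PHP versions, on the code path that decides which client IP is used for access control. A guard such as `if ( ! is_array( $trusted_headers ) ) { $trusted_headers = array(); }` before the append keeps the `REMOTE_ADDR`-only fallback intact; the same applies to the reworked `apply_filters()` call in PATCH 2/4. The body of get_ip_from_headers() continues outside the hunk, so how the listed headers are read afterwards is not visible here.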
From: Darin Kotter
Date: Tue, 5 Dec 2023 14:41:12 -0700
Subject: [PATCH 2/4] During the activation routine, store the RSA version for sites that don't have that stored yet and also aren't configured yet. Use this value to determine what our default set of trusted headers is. This allows us to keep backwards compatibility with existing sites that are configured
---
 restricted_site_access.php | 52 +++++++++++++++++++++++++++++---------
 1 file changed, 40 insertions(+), 12 deletions(-)
diff --git a/restricted_site_access.php b/restricted_site_access.php
index e70d2b6e..c9bbb9b0 100644
--- a/restricted_site_access.php
+++ b/restricted_site_access.php
@@ -1575,6 +1575,26 @@ public static function plugin_action_links( $links ) {
  * @param boolean $network_active Whether the plugin network active.
  */
  public static function activation( $network_active ) {
+ // For new or non-configured installs, store the RSA version.
+ // This is used later to determine what default HTTP headers we trust.
+ if ( $network_active ) {
+ $sites = get_sites();
+
+ foreach ( $sites as $site ) {
+ switch_to_blog( $site->blog_id );
+
+ if ( ! get_option( 'rsa_activation_version', false ) && ! get_option( 'rsa_options', false ) ) {
+ update_option( 'rsa_activation_version', RSA_VERSION );
+ }
+
+ restore_current_blog();
+ }
+ } else {
+ if ( ! get_option( 'rsa_activation_version', false ) && ! get_option( 'rsa_options', false ) ) {
+ update_option( 'rsa_activation_version', RSA_VERSION );
+ }
+ }
+
  if ( ! $network_active ) {
  update_option( 'blog_public', 2 );
  }
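Review bot: `get_sites()` is called without arguments in the network-activation branch, and WordPress limits that query to 100 sites by default, so on larger networks the remaining sites never get `rsa_activation_version` stored. Because the get_ip_from_headers() hunk of this patch treats a missing option as a pre-7.5.0 install, those sites would keep trusting the client-supplied forwarding headers by default. Passing an explicit limit, e.g. `$sites = get_sites( array( 'number' => 0 ) );`, or paging through the results avoids that. The `if ( ! get_option( ... ) && ! get_option( ... ) )` check is also repeated verbatim in both branches and could move into one small private helper.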
@@ -1735,16 +1755,22 @@ public static function get_client_ip_address() {
  * @return string
  */
  public static function get_ip_from_headers() {
- $ip = '';
- $old_trusted_headers = array(
- 'HTTP_CF_CONNECTING_IP',
- 'HTTP_CLIENT_IP',
- 'HTTP_X_FORWARDED_FOR',
- 'HTTP_X_FORWARDED',
- 'HTTP_X_CLUSTER_CLIENT_IP',
- 'HTTP_FORWARDED_FOR',
- 'HTTP_FORWARDED',
- );
+ $ip = '';
+
+ // For any active version prior to 7.5.0, we use the default trusted headers.
+ if ( version_compare( get_option( 'rsa_activation_version', '0.0.0' ), '7.5.0', '<' ) ) {
+ $trusted_headers = array(
+ 'HTTP_CF_CONNECTING_IP',
+ 'HTTP_CLIENT_IP',
+ 'HTTP_X_FORWARDED_FOR',
+ 'HTTP_X_FORWARDED',
+ 'HTTP_X_CLUSTER_CLIENT_IP',
+ 'HTTP_FORWARDED_FOR',
+ 'HTTP_FORWARDED',
+ );
+ } else {
+ $trusted_headers = array();
+ }
  /**
  * Filter hook to set array of trusted IP address headers.
@@ -1763,9 +1789,9 @@ public static function get_ip_from_headers() {
  * trust so these headers will only be used if a request came from
  * the proxy.
  *
- * @param string[] $trusted_proxies Array of trusted IP Address headers.
+ * @param string[] $trusted_headers Array of trusted IP Address headers.
  */
- $trusted_headers = apply_filters( 'rsa_trusted_headers', array() );
+ $trusted_headers = apply_filters( 'rsa_trusted_headers', $trusted_headers );
  // Add the REMOTE_ADDR value to the end of the array.
  $trusted_headers[] = 'REMOTE_ADDR';
@@ -2115,6 +2141,7 @@ function restricted_site_access_uninstall() {
  update_option( 'blog_public', 1 );
  }
  delete_option( 'rsa_options' );
+ delete_option( 'rsa_activation_version' );
  restore_current_blog();
  }
@@ -2123,6 +2150,7 @@ function restricted_site_access_uninstall() {
  update_option( 'blog_public', 1 );
  }
  delete_option( 'rsa_options' );
+ delete_option( 'rsa_activation_version' );
  }
  }
From b30bcfa1b1133af37d99edec00985ee3516a541d Mon Sep 17 00:00:00 2001
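Review bot: The version gate in get_ip_from_headers() defaults to the permissive side: `get_option( 'rsa_activation_version', '0.0.0' )` sends every site without the option into the branch that trusts the seven forwarding headers. That covers upgraded sites as intended, but it also covers any site where the activation routine never stored the value — as far as this diff shows, that would include a site added to a network after the plugin was network-activated. Consider storing the option for such sites too, or writing an explicit legacy marker during upgrade so that a missing value can mean the strict `REMOTE_ADDR`-only default. At minimum a comment next to the check, such as `// Missing option is treated as a pre-7.5.0 install: legacy headers stay trusted for backwards compatibility.`, would make the fail-open choice visible to maintainers.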
From: Darin Kotter
Date: Tue, 5 Dec 2023 15:00:11 -0700
Subject: [PATCH 3/4] Update readmes
---
 README.md | 2 +-
 readme.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index db00cb87..0462e8bd 100644
--- a/README.md
+++ b/README.md
@@ -78,7 +78,7 @@ Visitors that are not logged in or allowed by IP address will not be able to bro
 Restricted Site Access is not meant to be a top secret data safe, but simply a reliable and convenient way to handle unwanted visitors.
-In 7.3.2, two new filters have been added that can be utilized to help prevent IP spoofing attacks. The first filter allows you to set up a list of approved proxy IP addresses and the second allows you to set up a list of approved HTTP headers. By default, these filters will not change existing behavior. It is recommended to review these filters and utilize them appropriately for your site to secure things further.
+In 7.3.2, two new filters have been added that can be utilized to help prevent IP spoofing attacks. The first filter allows you to set up a list of approved proxy IP addresses and the second allows you to set up a list of approved HTTP headers. For any sites that were using Restricted Site Access prior to version 7.5.0, a handful of HTTP headers are trusted by default. It is recommended to review these filters and utilize them appropriately for your site to secure things further.
 If your site is not running behind a proxy, we recommend doing the following:
diff --git a/readme.txt b/readme.txt
index cfe94677..77c0282f 100644
--- a/readme.txt
+++ b/readme.txt
@@ -64,7 +64,7 @@ Visitors that are not logged in or allowed by IP address will not be able to bro
 Restricted Site Access is not meant to be a top secret data safe, but simply a reliable and convenient way to handle unwanted visitors.
-In 7.3.2, two new filters have been added that can be utilized to help prevent IP spoofing attacks. The first filter allows you to set up a list of approved proxy IP addresses and the second allows you to set up a list of approved HTTP headers. By default, these filters will not change existing behavior. It is recommended to review these filters and utilize them appropriately for your site to secure things further.
+In 7.3.2, two new filters have been added that can be utilized to help prevent IP spoofing attacks. The first filter allows you to set up a list of approved proxy IP addresses and the second allows you to set up a list of approved HTTP headers. For any sites that were using Restricted Site Access prior to version 7.5.0, a handful of HTTP headers are trusted by default. It is recommended to review these filters and utilize them appropriately for your site to secure things further.
 If your site is not running behind a proxy, we recommend doing the following:
From df43af4e3c2b6271309858878d0eaa234f50f89b Mon Sep 17 00:00:00 2001
From: Darin Kotter
Date: Tue, 5 Dec 2023 15:06:59 -0700
Subject: [PATCH 4/4] Install older version of a mochawesome add-on to get around an issue
---
 package-lock.json | 23 +++++++++++++++++++++++
 package.json | 1 +
 2 files changed, 24 insertions(+)
diff --git a/package-lock.json b/package-lock.json
index 1e5c8723..b9d77efc 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -20,6 +20,7 @@ "cypress": "^13.2.0", "cypress-file-upload": "^5.0.8", "eslint": "^8.8.0", + "mochawesome-json-to-md": "^0.7.2", "prettier": "^2.8.7" } },
@@ -15648,6 +15649,19 @@ "mocha": ">=7" } }, + "node_modules/mochawesome-json-to-md": { + "version": "0.7.2", + "resolved": "https://registry.npmjs.org/mochawesome-json-to-md/-/mochawesome-json-to-md-0.7.2.tgz", + "integrity": "sha512-dxh+o73bhC6nEph6fNky9wy35R+2oK3ueXwAlJ/COAanlFgu8GuvGzQ00VNO4PPYhYGDsO4vbt4QTcMA3lv25g==", + "deprecated": "🙌 Thanks for using it. We recommend upgrading to the newer version, 1.x.x. Check out https://www.npmjs.com/package/mochawesome-json-to-md for details.", + "dev": true, + "dependencies": { + "yargs": "^17.0.1" + }, + "bin": { + "mochawesome-json-to-md": "index.js" + } + }, "node_modules/mochawesome-merge": { "version": "4.3.0", "resolved": "https://registry.npmjs.org/mochawesome-merge/-/mochawesome-merge-4.3.0.tgz", @@ -33798,6 +33812,15 @@ } } }, + "mochawesome-json-to-md": { + "version": "0.7.2", + "resolved": "https://registry.npmjs.org/mochawesome-json-to-md/-/mochawesome-json-to-md-0.7.2.tgz", + "integrity": "sha512-dxh+o73bhC6nEph6fNky9wy35R+2oK3ueXwAlJ/COAanlFgu8GuvGzQ00VNO4PPYhYGDsO4vbt4QTcMA3lv25g==", + "dev": true, + "requires": { + "yargs": "^17.0.1" + } + }, "mochawesome-merge": { "version": "4.3.0", "resolved": "https://registry.npmjs.org/mochawesome-merge/-/mochawesome-merge-4.3.0.tgz", diff --git a/package.json b/package.json index 2cf3c8ef..baa79366 100644 --- a/package.json +++ b/package.json @@ -19,6 +19,7 @@ "cypress": "^13.2.0", "cypress-file-upload": "^5.0.8", "eslint": "^8.8.0", + "mochawesome-json-to-md": "^0.7.2", "prettier": "^2.8.7" }, "scripts": {