Merge pull request #294 from 10up/release/7.5.0
Release/7.5.0
dkotter authored Dec 14, 2023
2 parents a9fca21 + 540332a commit 9bbc9e7
Showing 8 changed files with 44 additions and 17 deletions.
11 changes: 11 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file, per [the Ke

## [Unreleased] - TBD

## [7.5.0] - 2023-12-14
**Note:** this release changes the default behavior for new installs in regards to IP detection. This shouldn't impact existing installs but there are two filters that can be used to change this behavior. See the [readme](https://github.com/10up/restricted-site-access#how-secure-is-this-plug-in) for full details.

### Fixed
- Update code snippet in the readme (props [@dkotter](https://github.com/dkotter), [@jeffpaul](https://github.com/jeffpaul) via [#291](https://github.com/10up/restricted-site-access/pull/291)).

### Security
- For new installs, ensure we only trust the `REMOTE_ADDR` HTTP header by default. Existing installs will still utilize the old list of approved headers but can modify this (and are recommended to) by using the `rsa_trusted_headers` filter (props [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc), [@dustinrue](https://github.com/dustinrue), [@mikhail-net](https://github.com/mikhail-net), [Darius Sveikauskas](https://patchstack.com/) via [#290](https://github.com/10up/restricted-site-access/pull/290)).
- Bump `axios` from 0.25.0 to 1.6.2 and `@wordpress/scripts` from 23.7.2 to 26.19.0 (props [@dependabot](https://github.com/apps/dependabot), [@dkotter](https://github.com/dkotter) via [#293](https://github.com/10up/restricted-site-access/pull/293)).

## [7.4.1] - 2023-11-14
### Added
- GitHub Action summary report for Cypress end-to-end tests (props [@jayedul](https://github.com/jayedul), [@Sidsector9](https://github.com/Sidsector9) via [#258](https://github.com/10up/restricted-site-access/pull/258)).
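Review bot: the Security entry and the release note above it both call `REMOTE_ADDR` an HTTP header; it is a server variable the web server fills in from the TCP peer address, not something the client sends, and that distinction is the whole reason trusting only it closes the spoofing path the `rsa_trusted_headers` change addresses. Suggest "only trust the `REMOTE_ADDR` server variable by default" here and in the readme text that mirrors this entry. It would also help to say what "existing installs" means in practice (which stored option decides that an install predates 7.5.0), since that is what a site owner has to check before deciding whether to add the filter.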
Expand Down Expand Up @@ -326,6 +336,7 @@ All notable changes to this project will be documented in this file, per [the Ke
- Initial public release

[Unreleased]: https://github.com/10up/restricted-site-access/compare/trunk...develop
[7.5.0]: https://github.com/10up/restricted-site-access/compare/7.4.1...7.5.0
[7.4.1]: https://github.com/10up/restricted-site-access/compare/7.4.0...7.4.1
[7.4.0]: https://github.com/10up/restricted-site-access/compare/7.3.5...7.4.0
[7.3.5]: https://github.com/10up/restricted-site-access/compare/7.3.4...7.3.5
2 changes: 1 addition & 1 deletion CREDITS.md
Expand Up @@ -10,7 +10,7 @@ The following individuals are responsible for curating the list of issues, respo

Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc.

[Jake Goldman (@jakemgold)](https://github.com/jakemgold), [Joey Blake (@joeyblake)](https://github.com/joeyblake), [Steve Grunwell (@stevegrunwell)](https://github.com/stevegrunwell), [Grant Mangham (@vancoder)](https://github.com/vancoder), [@jmata-loop](https://github.com/jmata-loop), [Taylor Lovett (@tlovett1)](https://github.com/tlovett1), [Ivan Kristianto (@ivankristianto)](https://github.com/ivankristianto), [Mika Epstein (@Ipstenu)](https://github.com/Ipstenu), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Prasath Nadarajah (@nprasath002)](https://github.com/nprasath002), [Mathieu Viet (@imath)](https://github.com/imath), [Ryan Welcher (@ryanwelcher)](https://github.com/ryanwelcher), [Peter Tasker (@ptasker)](https://github.com/ptasker), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Helen Hou-Sandí (@helen)](https://github.com/helen), [Echo (@ChaosExAnima)](https://github.com/ChaosExAnima), [William Patton (@pattonwebz)](https://github.com/pattonwebz), [Oscar Sanchez S. 
(@oscarssanchez)](https://github.com/oscarssanchez), [Pete Nelson (@petenelson)](https://github.com/petenelson), [Nate Allen (@nate-allen)](https://github.com/nate-allen), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Evan Mattson (@aaemnnosttv)](https://github.com/aaemnnosttv), [@JayWood](https://github.com/JayWood), [Ivan Kruchkoff (@ivankruchkoff)](https://github.com/ivankruchkoff), [Paul Schreiber (@paulschreiber)](https://github.com/paulschreiber), [Nick Lobeck (@eightam)](https://github.com/eightam), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Mikel King (@mikelking)](https://github.com/mikelking), [Max Lyuchin (@cadic)](https://github.com/cadic), [Crisoforo Gaspar Hernández (@mitogh)](https://github.com/mitogh), [Ankit K Gupta (@ankitguptaindia)](https://github.com/ankitguptaindia), [Brandon Berg (@BBerg10up)](https://github.com/BBerg10up), [Justin Kopepasah (@kopepasah)](https://github.com/kopepasah), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Wayne K. Walrath (@wkw)](https://github.com/wkw), [Ivan Lopez (@ivanlopez)](https://github.com/ivanlopez), [Chuck Scott (@n8dnx)](https://github.com/n8dnx), [Leho Kraav (@lkraav)](https://github.com/lkraav), [Pablo Amato (@pabamato)](https://github.com/pabamato), [Pedro Mendonça (@pedro-mendonca)](https://github.com/pedro-mendonca), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Stephanie Walters (@PypWalters)](https://github.com/PypWalters), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Marc-Alexandre Montpas (@marcS0H)](https://github.com/marcS0H), [Daniel Ruf (@DanielRuf)](https://github.com/DanielRuf), [David E. 
Smith (@dsXLII)](https://github.com/dsXLII), [Eduard Florea (@eflorea)](https://github.com/eflorea), [Dhanendran Rajagopal (@dhanendran)](https://github.com/dhanendran), [Pablo Javier Marti (@pablojmarti)](https://github.com/pablojmarti), [Shahzaib Mushtaq (@shahzaib10up)](https://github.com/shahzaib10up), [Barry Ceelen (@barryceelen)](https://github.com/barryceelen), [Kirtan Gajjar (@kirtangajjar)](https://github.com/kirtangajjar), [Mikel King (@mikelking)](https://github.com/mikelking), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Jayedul K. (@jayedul)](https://github.com/jayedul), [@mikegibbons4](https://profiles.wordpress.org/mikegibbons4/), [Miguel A. Estrada (@mae829)](https://github.com/mae829), [David Chandra Purnama (@turtlepod)](https://github.com/turtlepod), [GitHub Dependabot (@dependabot)](https://github.com/apps/dependabot), [Sumit Bagthariya (@qasumitbagthariya)](https://github.com/qasumitbagthariya).
[Jake Goldman (@jakemgold)](https://github.com/jakemgold), [Joey Blake (@joeyblake)](https://github.com/joeyblake), [Steve Grunwell (@stevegrunwell)](https://github.com/stevegrunwell), [Grant Mangham (@vancoder)](https://github.com/vancoder), [@jmata-loop](https://github.com/jmata-loop), [Taylor Lovett (@tlovett1)](https://github.com/tlovett1), [Ivan Kristianto (@ivankristianto)](https://github.com/ivankristianto), [Mika Epstein (@Ipstenu)](https://github.com/Ipstenu), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Prasath Nadarajah (@nprasath002)](https://github.com/nprasath002), [Mathieu Viet (@imath)](https://github.com/imath), [Ryan Welcher (@ryanwelcher)](https://github.com/ryanwelcher), [Peter Tasker (@ptasker)](https://github.com/ptasker), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Helen Hou-Sandí (@helen)](https://github.com/helen), [Echo (@ChaosExAnima)](https://github.com/ChaosExAnima), [William Patton (@pattonwebz)](https://github.com/pattonwebz), [Oscar Sanchez S. 
(@oscarssanchez)](https://github.com/oscarssanchez), [Pete Nelson (@petenelson)](https://github.com/petenelson), [Nate Allen (@nate-allen)](https://github.com/nate-allen), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Evan Mattson (@aaemnnosttv)](https://github.com/aaemnnosttv), [@JayWood](https://github.com/JayWood), [Ivan Kruchkoff (@ivankruchkoff)](https://github.com/ivankruchkoff), [Paul Schreiber (@paulschreiber)](https://github.com/paulschreiber), [Nick Lobeck (@eightam)](https://github.com/eightam), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Mikel King (@mikelking)](https://github.com/mikelking), [Max Lyuchin (@cadic)](https://github.com/cadic), [Crisoforo Gaspar Hernández (@mitogh)](https://github.com/mitogh), [Ankit K Gupta (@ankitguptaindia)](https://github.com/ankitguptaindia), [Brandon Berg (@BBerg10up)](https://github.com/BBerg10up), [Justin Kopepasah (@kopepasah)](https://github.com/kopepasah), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Wayne K. Walrath (@wkw)](https://github.com/wkw), [Ivan Lopez (@ivanlopez)](https://github.com/ivanlopez), [Chuck Scott (@n8dnx)](https://github.com/n8dnx), [Leho Kraav (@lkraav)](https://github.com/lkraav), [Pablo Amato (@pabamato)](https://github.com/pabamato), [Pedro Mendonça (@pedro-mendonca)](https://github.com/pedro-mendonca), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Stephanie Walters (@PypWalters)](https://github.com/PypWalters), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Marc-Alexandre Montpas (@marcS0H)](https://github.com/marcS0H), [Daniel Ruf (@DanielRuf)](https://github.com/DanielRuf), [David E. 
Smith (@dsXLII)](https://github.com/dsXLII), [Eduard Florea (@eflorea)](https://github.com/eflorea), [Dhanendran Rajagopal (@dhanendran)](https://github.com/dhanendran), [Pablo Javier Marti (@pablojmarti)](https://github.com/pablojmarti), [Shahzaib Mushtaq (@shahzaib10up)](https://github.com/shahzaib10up), [Barry Ceelen (@barryceelen)](https://github.com/barryceelen), [Kirtan Gajjar (@kirtangajjar)](https://github.com/kirtangajjar), [Mikel King (@mikelking)](https://github.com/mikelking), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Jayedul K. (@jayedul)](https://github.com/jayedul), [@mikegibbons4](https://profiles.wordpress.org/mikegibbons4/), [Miguel A. Estrada (@mae829)](https://github.com/mae829), [David Chandra Purnama (@turtlepod)](https://github.com/turtlepod), [GitHub Dependabot (@dependabot)](https://github.com/apps/dependabot), [Sumit Bagthariya (@qasumitbagthariya)](https://github.com/qasumitbagthariya), [Dustin Rue (@dustinrue)](https://github.com/dustinrue), [Mika (@mikhail-net)](https://github.com/mikhail-net), [Darius Sveikauskas](https://patchstack.com/).

## Libraries

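Review bot: Mikel King (@mikelking) appears twice in the contributor list, once mid-list and again after Kirtan Gajjar, in both the old and the new line; drop one occurrence while the three new entries are being appended.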
8 changes: 3 additions & 5 deletions README.md
Expand Up @@ -78,17 +78,15 @@ Visitors that are not logged in or allowed by IP address will not be able to bro

Restricted Site Access is not meant to be a top secret data safe, but simply a reliable and convenient way to handle unwanted visitors.

In 7.3.2, two new filters have been added that can be utilized to help prevent IP spoofing attacks. The first filter allows you to set up a list of approved proxy IP addresses and the second allows you to set up a list of approved HTTP headers. For any sites that were using Restricted Site Access prior to version 7.5.0, a handful of HTTP headers are trusted by default. It is recommended to review these filters and utilize them appropriately for your site to secure things further.

If your site is not running behind a proxy, we recommend doing the following:
In 7.3.2, two new filters were added that can be utilized to help prevent IP spoofing attacks. The first filter allows you to set up a list of approved proxy IP addresses and the second allows you to set up a list of approved HTTP headers. For any sites that were using Restricted Site Access prior to version 7.5.0, a handful of HTTP headers are trusted by default. To change this, utilize the `rsa_trusted_headers` filter to modify the HTTP headers you want to trust. If your site is not running behind a proxy, we recommend doing the following:

```php
add_filter( 'rsa_trusted_headers', '__return_empty_array' );
```

This will then only use the `REMOTE_ADDR` HTTP header to determine the IP address of the visitor. This header can't be spoofed, so this will increase security.
This will then only use the `REMOTE_ADDR` HTTP header to determine the IP address of the visitor. This header can't be spoofed, so this will increase security. Note that this is now the default for all new installs since version 7.5.0.

If your site is running behind a proxy (like a CDN), you can't rely on the `REMOTE_ADDR` HTTP header, as this will contain the IP address of the proxy, not the user. If your proxy uses static IP addresses, we recommend using the `rsa_trusted_proxies` filter to set those trusted IP addresses:
If your site is running behind a proxy (like a CDN), you usually can't rely on the `REMOTE_ADDR` HTTP header, as this will contain the IP address of the proxy, not the user. If your proxy uses static IP addresses, we recommend using the `rsa_trusted_proxies` filter to set those trusted IP addresses:

```php
add_filter( 'rsa_trusted_proxies', 'my_rsa_trusted_proxies' );
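Review bot: the merged paragraph now says you "usually can't rely on `REMOTE_ADDR`" behind a proxy without saying when you can. Either name the case the qualifier covers (a web server configured to rewrite `REMOTE_ADDR` itself from a proxy it trusts) or drop "usually", otherwise a reader behind a CDN has no way to decide which filter applies. "This header can't be spoofed" also deserves the one clause that makes the claim true: the value is set by the server from the connection rather than taken from the request, which is why `__return_empty_array` is the safe choice when nothing sits in front of the site.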
4 changes: 2 additions & 2 deletions package-lock.json


2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "restricted-site-access",
"version": "7.4.1",
"version": "7.5.0",
"description": "Limit access to visitors who are logged in or allowed by IP addresses. Includes many options for handling blocked visitors.",
"homepage": "https://github.com/10up/restricted-site-access#readme",
"license": "GPL-2.0-or-later",
20 changes: 14 additions & 6 deletions readme.txt
Expand Up @@ -4,7 +4,7 @@ Donate link: https://10up.com/plugins/restricted-site-access-wordpress/
Tags: privacy, restricted, restrict, privacy, limited, permissions, security, block
Requires at least: 5.7
Tested up to: 6.4
Stable tag: 7.4.1
Stable tag: 7.5.0
Requires PHP: 7.4
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
Expand Down Expand Up @@ -64,17 +64,15 @@ Visitors that are not logged in or allowed by IP address will not be able to bro

Restricted Site Access is not meant to be a top secret data safe, but simply a reliable and convenient way to handle unwanted visitors.

In 7.3.2, two new filters have been added that can be utilized to help prevent IP spoofing attacks. The first filter allows you to set up a list of approved proxy IP addresses and the second allows you to set up a list of approved HTTP headers. For any sites that were using Restricted Site Access prior to version 7.5.0, a handful of HTTP headers are trusted by default. It is recommended to review these filters and utilize them appropriately for your site to secure things further.

If your site is not running behind a proxy, we recommend doing the following:
In 7.3.2, two new filters were added that can be utilized to help prevent IP spoofing attacks. The first filter allows you to set up a list of approved proxy IP addresses and the second allows you to set up a list of approved HTTP headers. For any sites that were using Restricted Site Access prior to version 7.5.0, a handful of HTTP headers are trusted by default. To change this, utilize the `rsa_trusted_headers` filter to modify the HTTP headers you want to trust. If your site is not running behind a proxy, we recommend doing the following:

`
add_filter( 'rsa_trusted_headers', '__return_empty_array' );
`

This will then only use the `REMOTE_ADDR` HTTP header to determine the IP address of the visitor. This header can't be spoofed, so this will increase security.
This will then only use the `REMOTE_ADDR` HTTP header to determine the IP address of the visitor. This header can't be spoofed, so this will increase security. Note that this is now the default for all new installs since version 7.5.0.

If your site is running behind a proxy (like a CDN), you can't rely on the `REMOTE_ADDR` HTTP header, as this will contain the IP address of the proxy, not the user. If your proxy uses static IP addresses, we recommend using the `rsa_trusted_proxies` filter to set those trusted IP addresses:
If your site is running behind a proxy (like a CDN), you usually can't rely on the `REMOTE_ADDR` HTTP header, as this will contain the IP address of the proxy, not the user. If your proxy uses static IP addresses, we recommend using the `rsa_trusted_proxies` filter to set those trusted IP addresses:

`
add_filter( 'rsa_trusted_proxies', 'my_rsa_trusted_proxies' );
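Review bot: this section now duplicates the README.md paragraph word for word, and the two copies were already out of step before this release (the README.md hunk shows the same edit had to be made twice). A one-line comment naming the canonical copy, or a build step that generates readme.txt from README.md, would keep the security guidance from drifting again; the single-backtick fences are the WordPress.org readme convention and are fine as they are.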
Expand Down Expand Up @@ -206,6 +204,13 @@ When this option is activated, it serves as a barrier to all visitors except tho

== Changelog ==

= 7.5.0 - 2023-12-14 =
**Note:** this release changes the default behavior for new installs in regards to IP detection. This shouldn't impact existing installs but there are two filters that can be used to change this behavior. See the [readme](https://github.com/10up/restricted-site-access#how-secure-is-this-plug-in) for full details.

* **Fixed:** Update code snippet in the readme (props [@dkotter](https://github.com/dkotter), [@jeffpaul](https://github.com/jeffpaul) via [#291](https://github.com/10up/restricted-site-access/pull/291)).
* **Security:** For new installs, ensure we only trust the `REMOTE_ADDR` HTTP header by default. Existing installs will still utilize the old list of approved headers but can modify this (and are recommended to) by using the `rsa_trusted_headers` filter (props [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc), [@dustinrue](https://github.com/dustinrue), [@mikhail-net](https://github.com/mikhail-net), [Darius Sveikauskas](https://patchstack.com/) via [#290](https://github.com/10up/restricted-site-access/pull/290)).
* **Security:** Bump `axios` from 0.25.0 to 1.6.2 and `@wordpress/scripts` from 23.7.2 to 26.19.0 (props [@dependabot](https://github.com/apps/dependabot), [@dkotter](https://github.com/dkotter) via [#293](https://github.com/10up/restricted-site-access/pull/293)).

= 7.4.1 - 2023-11-14 =
* **Added:** GitHub Action summary report for Cypress end-to-end tests (props [@jayedul](https://github.com/jayedul), [@Sidsector9](https://github.com/Sidsector9) via [#258](https://github.com/10up/restricted-site-access/pull/258)).
* **Added:** `Restricted_Site_Access::append_ips()` method to add IP addresses programatically (props [@Sidsector9](https://github.com/Sidsector9), [@faisal-alvi](https://github.com/faisal-alvi) via [#267](https://github.com/10up/restricted-site-access/pull/267)).
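Review bot: the context line for `Restricted_Site_Access::append_ips()` reads "programatically"; it should be "programmatically", worth fixing while this changelog block is being edited.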
Expand Down Expand Up @@ -432,6 +437,9 @@ __Note: There is currently an edge case bug affecting IP whitelisting. This bug

== Upgrade Notice ==

= 7.5.0 =
This release changes the default behavior for new installs in regards to IP detection. This shouldn't impact existing installs but there are two filters that can be used to change this behavior. See the [readme](https://github.com/10up/restricted-site-access#how-secure-is-this-plug-in) for full details.

= 7.4.0 =
Changes the [Support Level](https://github.com/10up/restricted-site-access#support-level) from `Active` to `Stable`.

Expand Down
4 changes: 2 additions & 2 deletions restricted_site_access.php
Expand Up @@ -3,7 +3,7 @@
* Plugin Name: Restricted Site Access
* Plugin URI: https://10up.com/plugins/restricted-site-access-wordpress/
* Description: <strong>Limit access your site</strong> to visitors who are logged in or accessing the site from a set of specific IP addresses. Send restricted visitors to the log in page, redirect them, or display a message or page. <strong>Powerful control over redirection</strong>, including <strong>SEO friendly redirect headers</strong>. Great solution for Extranets, publicly hosted Intranets, or parallel development sites.
* Version: 7.4.1
* Version: 7.5.0
* Requires at least: 5.7
* Requires PHP: 7.4
* Author: 10up
Expand Down Expand Up @@ -57,7 +57,7 @@ function() {
return;
}

define( 'RSA_VERSION', '7.4.1' );
define( 'RSA_VERSION', '7.5.0' );

/**
* Class responsible for all plugin funcitonality.
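Review bot: the class docblock in the trailing context reads "funcitonality"; since the version constant directly above it is being touched anyway, fix the spelling to "functionality" in the same commit.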
10 changes: 10 additions & 0 deletions tests/rsa-seeder/rsa-seeder.php
Expand Up @@ -5,6 +5,16 @@
* @package RSA Seeder
*/

// Allow the HTTP_X_FORWARDED in tests.
add_filter(
'rsa_trusted_headers',
function() {
return array(
'HTTP_X_FORWARDED',
);
}
);

add_filter( 'restricted_site_access_is_restricted', 'my_rsa_feed_override', 10, 2 );

function my_rsa_feed_override( $is_restricted, $wp ) {
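Review bot: the seeder trusts `HTTP_X_FORWARDED`, not the more common `HTTP_X_FORWARDED_FOR`; confirm that is the exact `$_SERVER` key the end-to-end run populates, otherwise the IP-based tests pass through a header the plugin never reads and the 7.5.0 default is not actually exercised. The comment should also state why this is acceptable: it deliberately re-enables a client-controlled header so the tests can set a visitor IP, and the seeder must only ever be loaded in the test environment, because the same filter on a production site would reopen the spoofing path the release closes.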
