Upd. FSWatcher. FIle system watcher functionality improved. (#361)

* Fix. FSWatcher. Remote calls handlers moved to the `init` hook.

* Fix. FSWatcher. Remote calls requests checking fixed.

* Fix. FSWatcher. Remote calls requests checking fixed #2.

* Fix. Code. Code style fixed.

* Fix. Code. Code style fixed #2.

lib/CleantalkSP/Common/FSWatcher/Service.php

@@ -92,11 +92,7 @@ public static function attachJS($buffer, $file_to_get_md5 = null)
      */
     public static function isRC()
     {
-        if (isset($_POST['fswatcher_token']) && $_POST['fswatcher_token'] == md5((string)filemtime(__FILE__))) {
-            return true;
-        }
-
-        return false;
+        return static::validateFsWatcherToken();
     }
 
     /**
@@ -163,4 +159,22 @@ public static function getProcessingJournal()
         $storage = Controller::$storage;
         return $storage::getProcessingJournal();
     }
+
+    /**
+     * Generates token (aka nonce).
+     * The $salt must be used obligatorily
+     *
+     * @param $salt
+     *
+     * @return string
+     */
+    public static function generateFsWatcherToken($salt = '')
+    {
+        return md5(filemtime(__FILE__) . $salt);
+    }
+
+    public static function validateFsWatcherToken()
+    {
+        return isset($_POST['fswatcher_token']) && $_POST['fswatcher_token'] === static::generateFsWatcherToken();
+    }
 }

lib/CleantalkSP/Common/FSWatcher/View/View.php

@@ -4,6 +4,7 @@
 
 use CleantalkSP\Common\FSWatcher\Controller;
 use CleantalkSP\Common\FSWatcher\Logger;
+use CleantalkSP\Common\FSWatcher\Service;
 
 class View
 {
@@ -59,8 +60,7 @@ public static function renderSelectors(Phrases $phrases)
         $html .= '</div>';
 
         $html .= '<script type="text/javascript">';
-        $path = __DIR__ . DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR . 'Service.php';
-        $html .= 'var fswatcherToken = "' . md5((string)filemtime($path)) . '";';
+        $html .= 'var fswatcherToken = "' . Service::generateFsWatcherToken() . '";';
         $html .= 'var fswatcherWebsiteUrl = "' . get_home_url() . '";';
         $html .= file_get_contents(__DIR__ . '/../assets/fswatcher-logic.js');
         $html .= '</script>';

lib/CleantalkSP/SpbctWP/FSWatcher/SpbctWpFSWService.php

@@ -67,22 +67,18 @@ public static function setAllJournalsAsCompleted()
         $storage::setAllJournalsAsCompleted();
     }
 
-    /**
-     * Is ajax call is in process
-     *
-     * @return bool
-     */
-    public static function isRC()
+    public static function attachJS($buffer, $file_to_get_md5 = null)
     {
-        if (isset($_POST['fswatcher_token']) && $_POST['fswatcher_token'] == md5((string)filemtime(__FILE__))) {
-            return true;
-        }
+        return parent::attachJS($buffer, __FILE__);
+    }
 
-        return false;
+    public static function generateFsWatcherToken($salt = '')
+    {
+        return wp_create_nonce('spbc_secret_fs_watcher_token');
     }
 
-    public static function attachJS($buffer, $file_to_get_md5 = null)
+    public static function validateFsWatcherToken()
     {
-        return parent::attachJS($buffer, __FILE__);
+        return isset($_POST['fswatcher_token']) && spbc_check_ajax_referer('spbc_secret_fs_watcher_token', 'fswatcher_token');
     }
 }

lib/CleantalkSP/SpbctWP/FSWatcher/View/View.php

@@ -4,6 +4,7 @@
 
 use CleantalkSP\SpbctWP\FSWatcher\SpbctWpFSWController;
 use CleantalkSP\Common\FSWatcher\View\Phrases;
+use CleantalkSP\SpbctWP\FSWatcher\SpbctWpFSWService;
 
 class View extends \CleantalkSP\Common\FSWatcher\View\View
 {
@@ -64,8 +65,7 @@ public static function renderSelectors(\CleantalkSP\Common\FSWatcher\View\Phrase
         $html .= '</div>';
 
         $html .= '<script type="text/javascript">';
-        $path = __DIR__ . DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR . 'SpbctWpFSWService.php';
-        $html .= 'var fswatcherToken = "' . md5((string)filemtime($path)) . '";';
+        $html .= 'var fswatcherToken = "' . SpbctWpFSWService::generateFsWatcherToken() . '";';
         $html .= 'var fswatcherWebsiteUrl = "' . get_home_url() . '";';
         $html .= file_get_contents(\CleantalkSP\Common\FSWatcher\Storage\FileStorage::getAssetsPath());
         $html .= 'var fswatcherTranslations = ' . json_encode($phrases->getTranslations()) . ';';

security-malware-firewall.php

@@ -342,15 +342,6 @@ function spbc_change_author_name($link, $_author_id, $_author_nicename)
 ! SpbcRemoteCalls::check() && $spbc_cron->execute();
 unset($spbc_cron);
 
-if ($spbc->feature_restrictions->getState($spbc, 'fswatcher')->is_active && $spbc->settings['scanner__fs_watcher']) {
-    $fswatch_params = array(
-        'dir_to_watch' => ABSPATH,
-        'exclude_dirs' => array(),
-        'extensions_to_watch' => array('php'),
-    );
-    FSWatcherController::work($fswatch_params);
-}
-
 if ( is_admin() || is_network_admin() ) {
     // Async loading for JavaScript
     add_filter('script_loader_tag', 'spbc_admin_add_script_attribute', 10, 3);
@@ -398,6 +389,17 @@ function spbc_change_author_name($link, $_author_id, $_author_nicename)
     add_action('login_enqueue_scripts', 'spbc_enqueue_scripts__public');
 }
 
+add_action('init', function () use ($spbc) {
+    if ( $spbc->feature_restrictions->getState($spbc, 'fswatcher')->is_active && $spbc->settings['scanner__fs_watcher'] ) {
+        $fswatch_params = array(
+            'dir_to_watch' => ABSPATH,
+            'exclude_dirs' => array(),
+            'extensions_to_watch' => array('php'),
+        );
+        FSWatcherController::work($fswatch_params);
+    }
+});
+
 /**
  * Enqueue JS scripts on public page
  */