lynt-smitka · September 1, 2022 20:17
diff --git a/lynt-installer-security.php b/lynt-installer-security.php
 <?php
 /**
 * Plugin Name: Lynt WP Installer Security PoC1
 * Author:      Vladimir Smitka
 * Author URI:  https://lynt.cz/
 * License:     GNU General Public License v3 or later
 * License URI: http://www.gnu.org/licenses/gpl-3.0.html
 */

 if ( defined( 'WP_SETUP_CONFIG' ) && !empty( $_POST['dbhost'] ) ) {
  
  $dbhost = trim( wp_unslash( $_POST['dbhost'] ) );
  
  // default settings - allow localhost only
  // possible enhacement: translate host to IP and allow local subnets
  $allowed_dbhost_regexp = '^(?:localhost|127\.0\.0\.1)$';
  
  // if there is enviroment varianle defined use it
  // the webhoster can modify default settings
  if ( getenv( 'WP_ALLOWED_DBHOSTS' ) ) {
    $allowed_dbhost_regexp = getenv( 'WP_ALLOWED_DBHOSTS' );
  }
  
  // the user can change the default behavior via wp-dbhosts.php
  // can set his own DB hosts or disable limit by "false"
  if ( file_exists( ABSPATH . '/wp-dbhosts.php' ) ) {
      
    require_once ABSPATH . '/wp-dbhosts.php';
      
    if ( defined( 'WP_ALLOWED_DBHOSTS' ) )  {
    
      //if false skip the check later
      if ( !WP_ALLOWED_DBHOSTS ) {
        $allowed_dbhost_regexp = false;
      }

      else {
        $allowed_dbhost_regexp = WP_ALLOWED_DBHOSTS;
      }
    }
  }

  // check if dbhost is allowed
  if( $allowed_dbhost_regexp ) {  
    if ( !preg_match( '#' . $allowed_dbhost_regexp . '#i', $dbhost)) {
      wp_die('The selected database server has been blocked.
            Allowed servers can be managed using environment
            variable or a constant in wp-config.php.');
    }
  }
 }
diff --git a/wp-dbhosts.php b/wp-dbhosts.php
 <?php
 // Example of the optional file to define allowed DB hosts

 if ( ! defined( 'WP_ALLOWED_DBHOSTS' ) ) {
  define( 'WP_ALLOWED_DBHOSTS', '^(?:localhost|127\.0\.0\.1)$');
 }
	<?php
	/**
	* Plugin Name: Lynt WP Installer Security PoC1
	* Author: Vladimir Smitka
	* Author URI: https://lynt.cz/
	* License: GNU General Public License v3 or later
	* License URI: http://www.gnu.org/licenses/gpl-3.0.html
	*/

	if ( defined( 'WP_SETUP_CONFIG' ) && !empty( $_POST['dbhost'] ) ) {

	$dbhost = trim( wp_unslash( $_POST['dbhost'] ) );

	// default settings - allow localhost only
	// possible enhacement: translate host to IP and allow local subnets
	$allowed_dbhost_regexp = '^(?:localhost\|127\.0\.0\.1)$';

	// if there is enviroment varianle defined use it
	// the webhoster can modify default settings
	if ( getenv( 'WP_ALLOWED_DBHOSTS' ) ) {
	$allowed_dbhost_regexp = getenv( 'WP_ALLOWED_DBHOSTS' );
	}

	// the user can change the default behavior via wp-dbhosts.php
	// can set his own DB hosts or disable limit by "false"
	if ( file_exists( ABSPATH . '/wp-dbhosts.php' ) ) {

	require_once ABSPATH . '/wp-dbhosts.php';

	if ( defined( 'WP_ALLOWED_DBHOSTS' ) ) {

	//if false skip the check later
	if ( !WP_ALLOWED_DBHOSTS ) {
	$allowed_dbhost_regexp = false;
	}

	else {
	$allowed_dbhost_regexp = WP_ALLOWED_DBHOSTS;
	}
	}
	}

	// check if dbhost is allowed
	if( $allowed_dbhost_regexp ) {
	if ( !preg_match( '#' . $allowed_dbhost_regexp . '#i', $dbhost)) {
	wp_die('The selected database server has been blocked.
	Allowed servers can be managed using environment
	variable or a constant in wp-config.php.');
	}
	}
	}
	<?php
	// Example of the optional file to define allowed DB hosts

	if ( ! defined( 'WP_ALLOWED_DBHOSTS' ) ) {
	define( 'WP_ALLOWED_DBHOSTS', '^(?:localhost\|127\.0\.0\.1)$');
	}