Added: support for running as file in mu-plugins, documentation will follow.

Fixed: fatal error due to type in ctype_digit.
Fixed: issue with rule that contained sub-rules.
Fixed: if open redirect matching type value contains no protocol, add it ourselves so parse_url does not fail.

Author: dave83649

src/Processor.php

@@ -45,7 +45,8 @@ class Processor
         'autoblockAttempts' => 10,
         'autoblockMinutes' => 30,
         'autoblockTime' => 60,
-        'whitelistKeysRules' => []
+        'whitelistKeysRules' => [],
+        'mustUsePluginCall' => false
     ];
 
     /**
@@ -122,13 +123,17 @@ public function __get($name)
     public function launch($mustExit = true)
     {
         // Determine if the user is temporarily blocked from the site before we do anything else.
-        if ($this->extension->isBlocked($this->autoblockMinutes, $this->autoblockTime, $this->autoblockAttempts) && !$this->extension->canBypass()) {
+        if (
+            $this->extension->isBlocked($this->autoblockMinutes, $this->autoblockTime, $this->autoblockAttempts) && (
+                $this->mustUsePluginCall || (!$this->mustUsePluginCall && !$this->extension->canBypass())
+            )
+        ) {
             $this->extension->forceExit(22);
         }
 
         // Check for whitelist based on the legacy whitelist rules.
         $request  = $this->request->capture();
-        if ($this->extension->isWhitelisted($this->whitelistRulesLegacy, $request)) {
+        if (!$this->mustUsePluginCall && $this->extension->isWhitelisted($this->whitelistRulesLegacy, $request)) {
             return true;
         }
 
@@ -143,7 +148,7 @@ public function launch($mustExit = true)
         }
 
         // Determine if the current request is whitelisted or not (role based).
-        $isWhitelisted = $this->extension->canBypass();
+        $isWhitelisted = !$this->mustUsePluginCall && $this->extension->canBypass();
 
         // Merge the rules together. First iterate through the whitelist rules.
         $rules = array_merge($this->whitelistRules, $this->firewallRules);
@@ -158,6 +163,12 @@ public function launch($mustExit = true)
                 continue;
             }
 
+            // If the rule contains matching type we cannot call during mu-plugins, skip.
+            $hasWpAction = $this->hasWpAction($rule['rules']);
+            if (defined('PS_FW_MU_RAN') && !$hasWpAction || $this->mustUsePluginCall && $hasWpAction) {
+                continue;
+            }
+
             // Execute the firewall rule.
             $rule_hit = $this->executeFirewall($rule['rules']);
 
@@ -187,7 +198,7 @@ public function launch($mustExit = true)
         }
 
         // Run the legacy firewall rules processor for backwards compatibility.
-        if (count($this->firewallRulesLegacy) > 0) {
+        if (count($this->firewallRulesLegacy) > 0 && !$this->mustUsePluginCall) {
             $this->launchLegacy(true, $request, $this->extension->getIpAddress());
         }
 
@@ -220,7 +231,7 @@ public function executeFirewall($rules)
 
             // Extract the value of the paramater that we want.
             $value = $this->request->getParameterValue($rule['parameter']);
-            if (is_null($value) && $rule['parameter'] !== false) {
+            if (is_null($value) && $rule['parameter'] !== false && $rule['parameter'] != 'rules') {
                 continue;
             }
 
@@ -349,7 +360,7 @@ public function matchParameterValue($match, $value)
         }
 
         // If the user does not have a WP privilege.
-        if ($matchType == 'current_user_cannot' && is_scalar($matchValue) && function_exists('current_user_can')) {
+        if ($matchType == 'current_user_cannot' && is_scalar($matchValue) && function_exists('current_user_can') && !$this->mustUsePluginCall) {
             return @!current_user_can($matchValue);
         }
 
@@ -380,6 +391,11 @@ public function matchParameterValue($match, $value)
                 return false;
             }
 
+            // If there's no protocol we add it.
+            if (substr($value, 0, 4) != 'http') {
+                $value = 'https://' . $value;
+            }
+
             // We only care about the hostname.
             $host = parse_url($value, PHP_URL_HOST);
             if (!$host) {
@@ -425,6 +441,35 @@ public function matchParameterValue($match, $value)
         return false;
     }
 
+    /**
+     * Determine if the rules contain an action that should not be executed under the mu-plugins context.
+     * 
+     * @param array $rules
+     * @return boolean
+     */
+    private function hasWpAction($rules)
+    {
+        $functions = ['current_user_cannot'];
+
+        if (isset($rules['rules'])) {
+            if ($this->hasWpAction($rules['rules'])) {
+                return true;
+            }
+        }
+
+        foreach ($rules as $rule) {
+            if (!isset($rule['match'], $rule['match']['type'])) {
+                continue;
+            }
+
+            if (in_array($rule['match']['type'], $functions)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     /**
      * The legacy firewall processor will only iterate over the general legacy firewall rules.
      * Will return true if $mustExit is false and all of the rules were processed without a positive detection.

src/Request.php

@@ -42,7 +42,7 @@ public function __construct($options, ExtensionInterface $extension)
     public function getParameterValue($parameter, $data = [])
     {
         // For when a rule contains sub-rules.
-        if (ctype_digit($parameter) || empty($parameter)) {
+        if (empty($parameter) || ctype_digit($parameter)) {
             return null;
         }