False positive malware?

Hi @boomerangz

thank you for reporting this issue.
This is surely a false detection but I would like to check which part of the code triggers it.

I suspect this line:

define( 'EOS_DP_DOCUMENTATION_URL','https://freesoul-deactivate-plugins.com/how-deactivate-plugiins-on-specific-pages/' );

Maybe because it’s defined as an external URL the security tool detects a potential security issue.
That URL is used to link the PRO menu items to the FDP documentation website.
But it could be also something else, I should investigate it deeper.

Can you please tell me what you used for the scan?

Have a great day!

Jose

Hola @boomerangz

gracias a ti.

Acabo de probar Anti-Malware Security and Brute-Force Firewall y no veo ningún aviso con respecto a los archivos de Freesoul Deactivate Plugins.
Puedes compartir el mensaje reportado por Anti-Malware Security and Brute-Force Firewall?

I’ve right now tested Anti-Malware Security and Brute-Force Firewall and I don’t see any alert about any file of Freesoul Deactivate Plugins.
Can you share the message given by Anti-Malware Security and Brute-Force Firewall?

Muchas gracias

Jose

Hola @boomerangz

I think this is the code that triggers the warning:

add_filter( 'nocache_headers',function( $headers ){10                        $domain = isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : $_SERVER['SERVER_NAME'];
  $headers['Content-Security-Policy'] = "script-src ".esc_attr( $domain )." 'unsafe-inline'";      return $headers;               
} );

With this code FDP allows only scripts loaded by the same domain on the FDP backend pages.
Absurdly, this increases the safety of the site because no external scripts that aren’t loaded by FDP can load.
The core of WordPress inlines some scripts, this is why the Content Security Policy needs ‘unsafe-inline’. Without ‘unsafe-inline’ the backend would not work.
The declaration ‘usafe-inline’ may trigger the warning, but also the way to get the domain:

$domain = isset( $_SERVER[‘HTTP_HOST’] ) ? $_SERVER[‘HTTP_HOST’] : $_SERVER[‘SERVER_NAME’];

Honestly, this could be done better. The variable $_SERVER[‘HTTP_HOST’] may be manipulated. In the next version that will be published soon, the domain will be taken in a safer way.
I’m not sure which one of the two mentioned possible causes trigger the warning. If it’s the first one also the next version will trigger the warning, but in that case I will not change it, because as said, this would not be against security. On the contrary, this increases the security.

I will let you know as soon as the new version is ready.

In any case, it’s strange that on my installations I don’t have the same warning.

Have a great day!

Jose

Hola @boomerangz

Gracias a ti. La nueva version 1.9.5.6 es lista. Si quieres puedes actualizar y ver si aun tienes l’advertencia.

Tan pronto como tenga tiempo, respondo las otras tus preguntas.

Thanks to you. The new version 1.9.5.6 is ready. If you want you can update and see if you still have the warning.

As soon as I have time I will answer your other questions.

Have a great day

Jose