<?php
/*
Plugin Name: bs-wp-sandbox
Plugin URI: http://blogsecurity.net/
Description: Sandbox WordPress via a flexible whitelist
Author: David Kierznowski
Version: 1.2.1
Author URI: http://blogsecurity.net
*/ 

/*
    License: GPL

    Copyright (C) 2007, BlogSecurity, http://blogsecurity.net
    All rights reserved.

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

*/


/* 
   Pages that aren't on our list are redirected to 
   the BLOGHOME setting below. 
*/
define("BLOGHOME", "/"); // Your blog home (i.e. / or /blog).

function bs_wp_sandbox_check($url)
{

/*
   The default settings below can be adjusted to suit your needs.
   The current settings in ($a) will allow simple blogs to function
   correctly. 
*/
	$a = array(
		"^wp-admin", 			// Allow wp-admin/*
		"^feed", 			// Allow feeds
		"^xmlrpc\.php", 		// Allow trackbacks and other XMLRPC 
		"^wp-cron\.php", 		// Allow wp-cron
		"^wp-login\.php", 		// Let yourself login :)
		"^\?p=\d+&preview=true", 	// Allow you to preview posts
		"^wp-comments-post\.php", 	// Permit comments
	  );

/* 
   We loop through our whitelist to check if the link is
   permitted.
*/
	foreach ($a as $item) 
	{
		if ( preg_match ( "/$item/i", $url ) ) :
			return 1;
		endif;
	}
	return 0;
}

function bs_wp_sandbox()
{

	global $wpdb;
	$bs_wp_sandbox_arr[] = '';
	$bs_wp_sandbox_pass = 0;

	/* Set current URI for check */
        $current_url = get_bloginfo('home') . $_SERVER['REQUEST_URI'];

	/* Exception list 1: Populate whitelist with all pages and posts */
	$bs_wp_sandbox_id = $wpdb->get_col("SELECT id FROM $wpdb->posts");
	foreach ($bs_wp_sandbox_id as $bs_wp_sandbox_item)
	{
		$bs_wp_sandbox_arr[] = get_permalink($bs_wp_sandbox_item);
	} 
	unset($bs_wp_sandbox_item);

        /* make sure web root is included */
        $bs_wp_sandbox_arr[] = get_bloginfo('home') . '/';

	foreach ($bs_wp_sandbox_arr as $bs_wp_sandbox_item) 
	{
		if ( $current_url == $bs_wp_sandbox_item ):
        		$bs_wp_sandbox_pass = 1;
        	endif;
	}

	/* 
	   Exception list 2: See bs_wp_sandbox_check function 
	*/

	/* We have to do it this way to split in the right places. */
		$bs_wp_sandbox_home = split ( "/", get_bloginfo('home') ); 
		$bs_wp_sandbox_validate = split( "/", $current_url );
		$c = count ($bs_wp_sandbox_home);
		
		if ($bs_wp_sandbox_pass < 1) :
			$bs_wp_sandbox_pass = ( bs_wp_sandbox_check($bs_wp_sandbox_validate[$c]) );
		endif;
		

	/* If no match, lets stop the action */
	if ( $bs_wp_sandbox_pass == 0 ) 
	{
		  ob_start();
		  header("Location: " . BLOGHOME);
		  ob_end();
	}

	/* Be clean by unsetting values */
	unset($bs_wp_sandbox_item);
	unset($bs_wp_sandbox_arr);
}

add_action("init",bs_wp_sandbox,1);
 
?>