Completed
Push — whmcs-jetpack-partner-module ( 3960fe...b758cc )
by
unknown
06:40
created

class.jetpack-signature.php (1 issue)

<?php
// Defaults for the constants the signature code reads. Each one can be defined earlier
// (for example in wp-config.php) so that sites behind proxies still work; a value that
// is already defined is left untouched.
// Overriding the port constants is *not* the preferred method. It is better to configure
// the proxy to send the X-Forwarded-Port header.
// NOTE(review): these values feed the string that gets signed (port and host
// normalization), so treat them as security-relevant configuration.
if ( ! defined( 'JETPACK_SIGNATURE__HTTP_PORT' ) ) {
	define( 'JETPACK_SIGNATURE__HTTP_PORT', 80 );
}
if ( ! defined( 'JETPACK_SIGNATURE__HTTPS_PORT' ) ) {
	define( 'JETPACK_SIGNATURE__HTTPS_PORT', 443 );
}
if ( ! defined( 'JETPACK__WPCOM_JSON_API_HOST' ) ) {
	define( 'JETPACK__WPCOM_JSON_API_HOST', 'public-api.wordpress.com' );
}
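/**
 * Computes the request signature for a Jetpack access token.
 *
 * The access token has the form "<token>.<secret>". A signature is the base64-encoded
 * raw HMAC-SHA1, keyed with the secret half, over a newline-joined normalized request
 * (token, timestamp, nonce, body hash, method, host, port, path, sorted query pairs).
 *
 * Security notes for callers:
 * - sign_request() only *computes* the expected signature. The comparison against the
 *   signature supplied with a request happens outside this class; it should use a
 *   constant-time comparison such as hash_equals() — TODO confirm in the caller.
 * - The nonce is checked for format only. Rejecting a nonce that was already used
 *   (replay protection) is not done here and is presumably the caller's job — verify.
 */
class Jetpack_Signature {
	/** @var string|null Public half of the access token (text before the dot). */
	public $token;

	/** @var string|null Secret half of the access token; used as the HMAC key. */
	public $secret;

	/**
	 * Declared explicitly: the constructor used to create this property dynamically,
	 * which hides typos and is deprecated on PHP 8.2+.
	 *
	 * @var int|null Clock offset subtracted from the request timestamp before the
	 *               freshness check in sign_request().
	 */
	public $time_diff;

	/**
	 * @param string $access_token Token in "<token>.<secret>" form.
	 * @param int    $time_diff    Offset subtracted from the request timestamp.
	 */
	public function __construct( $access_token, $time_diff = 0 ) {
		$parts = explode( '.', $access_token );

		// A malformed token leaves token/secret unset; sign_request() then returns
		// an 'invalid_secret' error instead of signing with an empty key.
		if ( 2 != count( $parts ) ) {
			return;
		}

		$this->token     = $parts[0];
		$this->secret    = $parts[1];
		$this->time_diff = $time_diff;
	}

	/**
	 * Rebuilds the URL, method and body of the request being served and signs them.
	 *
	 * Recognized $override keys: 'scheme', 'body', 'method', 'token', 'timestamp',
	 * 'nonce', 'body-hash'. Anything not overridden is read from $_SERVER, $_GET,
	 * $_POST or the raw request body.
	 *
	 * @param array $override Values that replace what would be read from the request.
	 * @return string|Jetpack_Error Base64 signature, or an error object.
	 */
	public function sign_current_request( $override = array() ) {
		if ( isset( $override['scheme'] ) ) {
			$scheme = $override['scheme'];
			// Strict comparison so that only the two literal strings pass.
			if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
				return new Jetpack_Error( 'invalid_scheme', 'Invalid URL scheme' );
			}
		} else {
			$scheme = is_ssl() ? 'https' : 'http';
		}

		// NOTE(review): X-Forwarded-Port and Host are request headers. Unless a trusted
		// proxy sets or strips them, the client chooses these values, so the URL that
		// gets signed is partly client-controlled.
		$host_port = isset( $_SERVER['HTTP_X_FORWARDED_PORT'] ) ? $_SERVER['HTTP_X_FORWARDED_PORT'] : $_SERVER['SERVER_PORT'];

		if ( is_ssl() ) {
			// 443: Standard Port
			// 80: Assume we're behind a proxy without X-Forwarded-Port. Hardcoding "80" here means most sites
			//     with SSL termination proxies (self-served, Cloudflare, etc.) don't need to fiddle with
			//     the JETPACK_SIGNATURE__HTTPS_PORT constant. The code also implies we can't talk to a
			//     site at https://example.com:80/ (which would be a strange configuration).
			// JETPACK_SIGNATURE__HTTPS_PORT: Set this constant in wp-config.php to the back end webserver's port
			//                                if the site is behind a proxy running on port 443 without
			//                                X-Forwarded-Port and the back end's port is *not* 80. It's better,
			//                                though, to configure the proxy to send X-Forwarded-Port.
			// The comparison is intentionally loose: $host_port arrives as a string.
			$port = in_array( $host_port, array( 443, 80, JETPACK_SIGNATURE__HTTPS_PORT ) ) ? '' : $host_port;
		} else {
			// 80: Standard Port
			// JETPACK_SIGNATURE__HTTP_PORT: Set this constant in wp-config.php to the back end webserver's port
			//                               if the site is behind a proxy running on port 80 without
			//                               X-Forwarded-Port. It's better, though, to configure the proxy to
			//                               send X-Forwarded-Port.
			$port = in_array( $host_port, array( 80, JETPACK_SIGNATURE__HTTP_PORT ) ) ? '' : $host_port;
		}

		$url = "{$scheme}://{$_SERVER['HTTP_HOST']}:{$port}" . stripslashes( $_SERVER['REQUEST_URI'] );

		$request_method = strtoupper( $_SERVER['REQUEST_METHOD'] );

		if ( array_key_exists( 'body', $override ) && ! empty( $override['body'] ) ) {
			$body = $override['body'];
		} elseif ( 'POST' == $request_method ) {
			$body = isset( $GLOBALS['HTTP_RAW_POST_DATA'] ) ? $GLOBALS['HTTP_RAW_POST_DATA'] : null;

			// Convert the $_POST to the body, if the body was empty. This is how arrays are hashed
			// and encoded on the Jetpack side.
			if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
				if ( empty( $body ) && is_array( $_POST ) && count( $_POST ) > 0 ) {
					$body = $_POST;
				}
			}
		} elseif ( 'PUT' == $request_method ) {
			// This is a little strange-looking, but there doesn't seem to be another way to get the PUT body
			$raw_put_data = file_get_contents( 'php://input' );
			parse_str( $raw_put_data, $body );

			if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
				$put_data = json_decode( $raw_put_data, true );
				if ( is_array( $put_data ) && count( $put_data ) > 0 ) {
					$body = $put_data;
				}
			}
		} else {
			$body = null;
		}

		// Every "empty" form ('', array(), '0', ...) is signed as "no body".
		if ( empty( $body ) ) {
			$body = null;
		}

		$a = array();
		foreach ( array( 'token', 'timestamp', 'nonce', 'body-hash' ) as $parameter ) {
			if ( isset( $override[ $parameter ] ) ) {
				$a[ $parameter ] = $override[ $parameter ];
			} else {
				$a[ $parameter ] = isset( $_GET[ $parameter ] ) ? stripslashes( $_GET[ $parameter ] ) : '';
			}
		}

		$method = isset( $override['method'] ) ? $override['method'] : $_SERVER['REQUEST_METHOD'];
		return $this->sign_request( $a['token'], $a['timestamp'], $a['nonce'], $a['body-hash'], $method, $url, $body, true );
	}

	/**
	 * Validates the signature parameters and returns the expected signature.
	 *
	 * body_hash v. body-hash is annoying.  Refactor to accept an array?
	 *
	 * @param string            $token            Request token; must start with "<this->token>:".
	 * @param int|string        $timestamp        Unix timestamp, digits only, at most 10 characters.
	 * @param string            $nonce            At most 12 characters from [a-zA-Z0-9].
	 * @param string            $body_hash        Base64 SHA-1 of the body; required when a body is present.
	 * @param string            $method           HTTP method; upper-cased before signing.
	 * @param string            $url              Absolute URL of the request.
	 * @param string|array|null $body             Request body; arrays are JSON-encoded first.
	 * @param bool              $verify_body_hash Whether $body_hash must match the body.
	 * @return string|Jetpack_Error Base64-encoded raw HMAC-SHA1, or an error object.
	 */
	public function sign_request( $token = '', $timestamp = 0, $nonce = '', $body_hash = '', $method = '', $url = '', $body = null, $verify_body_hash = true ) {
		if ( ! $this->secret ) {
			return new Jetpack_Error( 'invalid_secret', 'Invalid secret' );
		}

		if ( ! $this->token ) {
			return new Jetpack_Error( 'invalid_token', 'Invalid token' );
		}

		// Only the part before the first dot is signed.
		list( $token ) = explode( '.', $token );

		if ( 0 !== strpos( $token, "$this->token:" ) ) {
			return new Jetpack_Error( 'token_mismatch', 'Incorrect token' );
		}

		// If we got an array at this point, let's encode it, so we can see what it looks like as a string.
		// A failed json_encode() returns false and is rejected as 'invalid_body' below.
		if ( is_array( $body ) ) {
			$body = count( $body ) > 0 ? json_encode( $body ) : '';
		}

		$required_parameters = array( 'token', 'timestamp', 'nonce', 'method', 'url' );
		if ( ! is_null( $body ) ) {
			$required_parameters[] = 'body_hash';
			if ( ! is_string( $body ) ) {
				return new Jetpack_Error( 'invalid_body', 'Body is malformed.' );
			}
		}

		// Explicit map instead of variable-variables, so the checked names are visible.
		$supplied = array(
			'token'     => $token,
			'timestamp' => $timestamp,
			'nonce'     => $nonce,
			'method'    => $method,
			'url'       => $url,
			'body_hash' => $body_hash,
		);

		foreach ( $required_parameters as $required ) {
			$label = str_replace( '_', '-', $required );

			if ( ! is_scalar( $supplied[ $required ] ) ) {
				return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', $label ) );
			}

			if ( ! strlen( $supplied[ $required ] ) ) {
				return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is missing.', $label ) );
			}
		}

		if ( empty( $body ) ) {
			// A hash without a body is inconsistent and rejected.
			if ( $body_hash ) {
				return new Jetpack_Error( 'invalid_body_hash', 'The body hash does not match.' );
			}
		} else {
			// With $verify_body_hash false the supplied hash is signed but never checked
			// against the body.
			if ( $verify_body_hash && jetpack_sha1_base64( $body ) !== $body_hash ) {
				return new Jetpack_Error( 'invalid_body_hash', 'The body hash does not match.' );
			}
		}

		$parsed = parse_url( $url );
		if ( ! isset( $parsed['host'] ) ) {
			return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'url' ) );
		}

		// A configured API host override is signed under the canonical host name.
		if ( $parsed['host'] === JETPACK__WPCOM_JSON_API_HOST ) {
			$parsed['host'] = 'public-api.wordpress.com';
		}

		if ( ! empty( $parsed['port'] ) ) {
			$port = $parsed['port'];
		} else {
			// A URL without a scheme falls through to the error below instead of
			// raising an undefined-index notice.
			$scheme = isset( $parsed['scheme'] ) ? $parsed['scheme'] : '';
			if ( 'http' == $scheme ) {
				$port = 80;
			} elseif ( 'https' == $scheme ) {
				$port = 443;
			} else {
				return new Jetpack_Error( 'unknown_scheme_port', "The scheme's port is unknown" );
			}
		}

		if ( ! ctype_digit( "$timestamp" ) || 10 < strlen( $timestamp ) ) { // If Jetpack is around in 275 years, you can blame mdawaffe for the bug.
			return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'timestamp' ) );
		}

		// Freshness window: at most 600 seconds in the past or 300 seconds in the future.
		// The same message is returned in both cases.
		$local_time = $timestamp - $this->time_diff;
		if ( $local_time < time() - 600 || $local_time > time() + 300 ) {
			return new Jetpack_Error( 'invalid_signature', 'The timestamp is too old.' );
		}

		if ( 12 < strlen( $nonce ) || preg_match( '/[^a-zA-Z0-9]/', $nonce ) ) {
			return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'nonce' ) );
		}

		$normalized_request_pieces = array(
			$token,
			$timestamp,
			$nonce,
			$body_hash,
			strtoupper( $method ),
			strtolower( $parsed['host'] ),
			$port,
			// A URL without a path contributes an empty line, as before.
			isset( $parsed['path'] ) ? $parsed['path'] : '',
			// Normalized Query String
		);

		$normalized_request_pieces = array_merge( $normalized_request_pieces, $this->normalized_query_parameters( isset( $parsed['query'] ) ? $parsed['query'] : '' ) );

		// Array-valued query parameters arrive as nested lists; flatten one level.
		$flat_normalized_request_pieces = array();
		foreach ( $normalized_request_pieces as $piece ) {
			if ( is_array( $piece ) ) {
				foreach ( $piece as $subpiece ) {
					$flat_normalized_request_pieces[] = $subpiece;
				}
			} else {
				$flat_normalized_request_pieces[] = $piece;
			}
		}
		$normalized_request_pieces = $flat_normalized_request_pieces;

		$normalized_request_string = join( "\n", $normalized_request_pieces ) . "\n";

		return base64_encode( hash_hmac( 'sha1', $normalized_request_string, $this->secret, true ) );
	}

	/**
	 * Turns a query string into a sorted list of encoded "name=value" pairs,
	 * leaving out the 'signature' parameter itself.
	 *
	 * @param string $query_string Raw query string (without the leading "?").
	 * @return array Sorted pairs; an array-valued parameter yields a nested list.
	 */
	public function normalized_query_parameters( $query_string ) {
		parse_str( $query_string, $array );

		// get_magic_quotes_gpc() always returns false since PHP 5.4 and was removed in
		// PHP 8.0, where an unguarded call is a fatal error. Only consult it on
		// interpreters that can still have magic quotes enabled.
		if ( version_compare( PHP_VERSION, '5.4.0', '<' ) && get_magic_quotes_gpc() ) {
			$array = stripslashes_deep( $array );
		}

		unset( $array['signature'] );

		$names  = array_keys( $array );
		$values = array_values( $array );

		$names  = array_map( array( $this, 'encode_3986' ), $names );
		$values = array_map( array( $this, 'encode_3986' ), $values );

		$pairs = array_map( array( $this, 'join_with_equal_sign' ), $names, $values );

		sort( $pairs );

		return $pairs;
	}

	/**
	 * Percent-encodes a string, or every element of an array, per RFC 3986.
	 *
	 * @param string|array $string_or_array Value(s) to encode.
	 * @return string|array Encoded value(s), same shape as the input.
	 */
	public function encode_3986( $string_or_array ) {
		if ( is_array( $string_or_array ) ) {
			return array_map( array( $this, 'encode_3986' ), $string_or_array );
		}

		$string_or_array = rawurlencode( $string_or_array );
		return str_replace( '%7E', '~', $string_or_array ); // prior to PHP 5.3, rawurlencode was RFC 1738
	}

	/**
	 * Joins a parameter name and value as "name=value".
	 *
	 * @param string       $name  Encoded parameter name.
	 * @param string|array $value Encoded value, or a map of values for "name[key]".
	 * @return string|array One pair, or a list of "name[key]=value" pairs.
	 */
	public function join_with_equal_sign( $name, $value ) {
		if ( is_array( $value ) ) {
			$result = array();
			foreach ( $value as $array_key => $array_value ) {
				$result[] = $name . '[' . $array_key . ']' . '=' . $array_value;
			}
			return $result;
		}
		return "{$name}={$value}";
	}
}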
/**
 * Returns the base64 encoding of the raw (binary) SHA-1 digest of $text.
 *
 * Jetpack_Signature::sign_request() compares this value against the supplied body hash.
 *
 * @param string $text Data to hash.
 * @return string Base64-encoded 20-byte digest.
 */
function jetpack_sha1_base64( $text ) {
	$raw_digest = sha1( $text, true );

	return base64_encode( $raw_digest );
}