Issues in class.jetpack-xmlrpc-server.php - New Issues - Inspection of "Legacy: removed the wp_die and made the notice loo..." - Automattic/jetpack - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — add/fallback-views ( 111d6f...097491 )

unknown

created 2016-05-25 14:56 UTC

class.jetpack-xmlrpc-server.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * Just a sack of functions.  Not actually an IXR_Server
 */
class Jetpack_XMLRPC_Server {
	/**
	 * The current error object
	 */
	public $error = null;

	/**
	 * Whitelist of the XML-RPC methods available to the Jetpack Server. If the
	 * user is not authenticated (->login()) then the methods are never added,
	 * so they will get a "does not exist" error.
	 */
	function xmlrpc_methods( $core_methods ) {
		$jetpack_methods = array(
			'jetpack.jsonAPI'      => array( $this, 'json_api' ),
			'jetpack.verifyAction' => array( $this, 'verify_action' ),
		);

		$user = $this->login();

		if ( $user ) {
			$jetpack_methods = array_merge( $jetpack_methods, array(
				'jetpack.testConnection'    => array( $this, 'test_connection' ),
				'jetpack.testAPIUserCode'   => array( $this, 'test_api_user_code' ),
				'jetpack.featuresAvailable' => array( $this, 'features_available' ),
				'jetpack.featuresEnabled'   => array( $this, 'features_enabled' ),
				'jetpack.getPost'           => array( $this, 'get_post' ),
				'jetpack.getPosts'          => array( $this, 'get_posts' ),
				'jetpack.getComment'        => array( $this, 'get_comment' ),
				'jetpack.getComments'       => array( $this, 'get_comments' ),
				'jetpack.disconnectBlog'    => array( $this, 'disconnect_blog' ),
				'jetpack.unlinkUser'        => array( $this, 'unlink_user' ),
			) );

			if ( isset( $core_methods['metaWeblog.editPost'] ) ) {
				$jetpack_methods['metaWeblog.newMediaObject'] = $core_methods['metaWeblog.newMediaObject'];
				$jetpack_methods['jetpack.updateAttachmentParent'] = array( $this, 'update_attachment_parent' );
			}

			/**
			 * Filters the XML-RPC methods available to Jetpack for authenticated users.
			 *
			 * @since 1.1.0
			 *
			 * @param array $jetpack_methods XML-RPC methods available to the Jetpack Server.
			 * @param array $core_methods Available core XML-RPC methods.
			 * @param WP_User $user Information about a given WordPress user.
			 */
			$jetpack_methods = apply_filters( 'jetpack_xmlrpc_methods', $jetpack_methods, $core_methods, $user );
		}

		/**
		 * Filters the XML-RPC methods available to Jetpack for unauthenticated users.
		 *
		 * @since 3.0.0
		 *
		 * @param array $jetpack_methods XML-RPC methods available to the Jetpack Server.
		 * @param array $core_methods Available core XML-RPC methods.
		 */
		return apply_filters( 'jetpack_xmlrpc_unauthenticated_methods', $jetpack_methods, $core_methods );
	}

	/**
	 * Whitelist of the bootstrap XML-RPC methods
	 */
	function bootstrap_xmlrpc_methods() {
		return array(
			'jetpack.verifyRegistration' => array( $this, 'verify_registration' ),
			'jetpack.remoteAuthorize' => array( $this, 'remote_authorize' ),
		);
	}

	function authorize_xmlrpc_methods() {
		return array(
			'jetpack.remoteAuthorize' => array( $this, 'remote_authorize' ),
			'jetpack.activateManage'    => array( $this, 'activate_manage' ),
		);
	}

	function activate_manage( $request ) {
		foreach( array( 'secret', 'state' ) as $required ) {
			if ( ! isset( $request[ $required ] ) || empty( $request[ $required ] ) ) {
				return $this->error( new Jetpack_Error( 'missing_parameter', 'One or more parameters is missing from the request.', 400 ) );
			}
		}
		$verified = $this->verify_action( array( 'activate_manage', $request['secret'], $request['state'] ) );
		if ( is_a( $verified, 'IXR_Error' ) ) {
			return $verified;
		}
		$activated = Jetpack::activate_module( 'manage', false, false );
		if ( false === $activated || ! Jetpack::is_module_active( 'manage' ) ) {
			return $this->error( new Jetpack_Error( 'activation_error', 'There was an error while activating the module.', 500 ) );
		}
		return 'active';
	}

	function remote_authorize( $request ) {
		foreach( array( 'secret', 'state', 'redirect_uri', 'code' ) as $required ) {
			if ( ! isset( $request[ $required ] ) || empty( $request[ $required ] ) ) {
				return $this->error( new Jetpack_Error( 'missing_parameter', 'One or more parameters is missing from the request.', 400 ) );
			}
		}

		if ( ! get_user_by( 'id', $request['state'] ) ) {
			return $this->error( new Jetpack_Error( 'user_unknown', 'User not found.', 404 ) );
		}

		if ( Jetpack::is_active() && Jetpack::is_user_connected( $request['state'] ) ) {
			return $this->error( new Jetpack_Error( 'already_connected', 'User already connected.', 400 ) );
		}

		$verified = $this->verify_action( array( 'authorize', $request['secret'], $request['state'] ) );

		if ( is_a( $verified, 'IXR_Error' ) ) {
			return $verified;
		}

		wp_set_current_user( $request['state'] );

		$client_server = new Jetpack_Client_Server;
		$result = $client_server->authorize( $request );

		if ( is_wp_error( $result ) ) {
			return $this->error( $result );
		}
		// Creates a new secret, allowing someone to activate the manage module for up to 1 day after authorization.
		$secrets = Jetpack::init()->generate_secrets( 'activate_manage', DAY_IN_SECONDS );
		@list( $secret ) = explode( ':', $secrets );
// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
		$response = array(
			'result' => $result,
			'activate_manage' => $secret,
		);
		return $response;
	}

	/**
	* Verifies that Jetpack.WordPress.com received a registration request from this site
	*/
	function verify_registration( $data ) {
		return $this->verify_action( array( 'register', $data[0], $data[1] ) );
	}

	/**
	 * @return WP_Error|string secret_2 on success, WP_Error( error_code => error_code, error_message => error description, error_data => status code ) on failure
	 *
	 * Possible error_codes:
	 *
	 * verify_secret_1_missing
	 * verify_secret_1_malformed
	 * verify_secrets_missing: No longer have verification secrets stored
	 * verify_secrets_mismatch: stored secret_1 does not match secret_1 sent by Jetpack.WordPress.com
	 *
	 * The 'authorize' and 'register' actions have additional error codes
	 *
	 * state_missing: a state ( user id ) was not supplied
	 * state_malformed: state is not the correct data type
	 * invalid_state: supplied state does not match the stored state
	 */
	function verify_action( $params ) {
		$action = $params[0];
		$verify_secret = $params[1];
		$state = isset( $params[2] ) ? $params[2] : '';

		if ( empty( $verify_secret ) ) {
			return $this->error( new Jetpack_Error( 'verify_secret_1_missing', sprintf( 'The required "%s" parameter is missing.', 'secret_1' ), 400 ) );
		} else if ( ! is_string( $verify_secret ) ) {
			return $this->error( new Jetpack_Error( 'verify_secret_1_malformed', sprintf( 'The required "%s" parameter is malformed.', 'secret_1' ), 400 ) );
		}

		$secrets = Jetpack_Options::get_option( $action );
		if ( !$secrets || is_wp_error( $secrets ) ) {
			Jetpack_Options::delete_option( $action );
			return $this->error( new Jetpack_Error( 'verify_secrets_missing', 'Verification took too long', 400 ) );
		}

		@list( $secret_1, $secret_2, $secret_eol, $user_id ) = explode( ':', $secrets );

		if ( empty( $secret_1 ) || empty( $secret_2 ) || empty( $secret_eol ) || $secret_eol < time() ) {
			Jetpack_Options::delete_option( $action );
			return $this->error( new Jetpack_Error( 'verify_secrets_missing', 'Verification took too long', 400 ) );
		}

		if ( ! hash_equals( $verify_secret, $secret_1 ) ) {
			Jetpack_Options::delete_option( $action );
			return $this->error( new Jetpack_Error( 'verify_secrets_mismatch', 'Secret mismatch', 400 ) );
		}

		if ( in_array( $action, array( 'authorize', 'register' ) ) ) {
			// 'authorize' and 'register' actions require further testing
			if ( empty( $state ) ) {
				return $this->error( new Jetpack_Error( 'state_missing', sprintf( 'The required "%s" parameter is missing.', 'state' ), 400 ) );
			} else if ( ! ctype_digit( $state ) ) {
				return $this->error( new Jetpack_Error( 'state_malformed', sprintf( 'The required "%s" parameter is malformed.', 'state' ), 400 ) );
			}
			if ( empty( $user_id ) || $user_id !== $state ) {
				Jetpack_Options::delete_option( $action );
				return $this->error( new Jetpack_Error( 'invalid_state', 'State is invalid', 400 ) );
			}
		}

		Jetpack_Options::delete_option( $action );

		return $secret_2;
	}

	/**
	 * Wrapper for wp_authenticate( $username, $password );
	 *
	 * @return WP_User|IXR_Error
	 */
	function login() {
		Jetpack::init()->require_jetpack_authentication();
		$user = wp_authenticate( 'username', 'password' );
		if ( is_wp_error( $user ) ) {
			if ( 'authentication_failed' == $user->get_error_code() ) { // Generic error could mean most anything.
				$this->error = new Jetpack_Error( 'invalid_request', 'Invalid Request', 403 );
			} else {
				$this->error = $user;
			}
			return false;
		} else if ( !$user ) { // Shouldn't happen.
			$this->error = new Jetpack_Error( 'invalid_request', 'Invalid Request', 403 );
			return false;
		}

		return $user;
	}

	/**
	 * Returns the current error as an IXR_Error
	 *
	 * @return null|IXR_Error
	 */
	function error( $error = null ) {
		if ( !is_null( $error ) ) {
			$this->error = $error;
		}

		if ( is_wp_error( $this->error ) ) {
			$code = $this->error->get_error_data();
			if ( !$code ) {
				$code = -10520;
			}
			$message = sprintf( 'Jetpack: [%s] %s', $this->error->get_error_code(), $this->error->get_error_message() );
			return new IXR_Error( $code, $message );
		} else if ( is_a( $this->error, 'IXR_Error' ) ) {
			return $this->error;
		}

		return false;
	}

/* API Methods */

	/**
	 * Just authenticates with the given Jetpack credentials.
	 *
	 * @return bool|IXR_Error
	 */
	function test_connection() {
		return JETPACK__VERSION;
	}

	function test_api_user_code( $args ) {
		$client_id = (int) $args[0];
		$user_id   = (int) $args[1];
		$nonce     = (string) $args[2];
		$verify    = (string) $args[3];

		if ( !$client_id || !$user_id || !strlen( $nonce ) || 32 !== strlen( $verify ) ) {
			return false;
		}

		$user = get_user_by( 'id', $user_id );
		if ( !$user || is_wp_error( $user ) ) {
			return false;
		}

		/* debugging
		error_log( "CLIENT: $client_id" );
		error_log( "USER:   $user_id" );
		error_log( "NONCE:  $nonce" );
		error_log( "VERIFY: $verify" );
		*/

		$jetpack_token = Jetpack_Data::get_access_token( JETPACK_MASTER_USER );

		$api_user_code = get_user_meta( $user_id, "jetpack_json_api_$client_id", true );
		if ( !$api_user_code ) {
			return false;
		}

		$hmac = hash_hmac( 'md5', json_encode( (object) array(
			'client_id' => (int) $client_id,
			'user_id'   => (int) $user_id,
			'nonce'     => (string) $nonce,
			'code'      => (string) $api_user_code,
		) ), $jetpack_token->secret );

		if ( $hmac !== $verify ) {
			return false;
		}

		return $user_id;
	}

	/**
	* Disconnect this blog from the connected wordpress.com account
	* @return boolean
	*/
	function disconnect_blog() {
		Jetpack::log( 'disconnect' );
		Jetpack::disconnect();

		return true;
	}

	/**
	 * Unlink a user from WordPress.com
	 *
	 * This will fail if called by the Master User.
	 */
	function unlink_user() {
		Jetpack::log( 'unlink' );
		return Jetpack::unlink_user();
	}

	/**
	 * Returns what features are available. Uses the slug of the module files.
	 *
	 * @return array|IXR_Error
	 */
	function features_available() {
		$raw_modules = Jetpack::get_available_modules();
		$modules = array();
		foreach ( $raw_modules as $module ) {
			$modules[] = Jetpack::get_module_slug( $module );
		}

		return $modules;
	}

	/**
	 * Returns what features are enabled. Uses the slug of the modules files.
	 *
	 * @return array|IXR_Error
	 */
	function features_enabled() {
		$raw_modules = Jetpack::get_active_modules();
		$modules = array();
		foreach ( $raw_modules as $module ) {
			$modules[] = Jetpack::get_module_slug( $module );
		}

		return $modules;
	}

	function get_post( $id ) {
		if ( !$id = (int) $id ) {
			return false;
		}

		$jetpack = Jetpack::init();

		$post = $jetpack->sync->get_post( $id );
		return $post;
	}

	function get_posts( $args ) {
		list( $post_ids ) = $args;
		$post_ids = array_map( 'intval', (array) $post_ids );
		$jp = Jetpack::init();
		$sync_data = $jp->sync->get_content( array( 'posts' => $post_ids ) );

		return $sync_data;
	}

	function get_comment( $id ) {
		if ( !$id = (int) $id ) {
			return false;
		}

		$jetpack = Jetpack::init();

		$comment = $jetpack->sync->get_comment( $id );
		if ( !is_array( $comment ) )
			return false;

		$post = $jetpack->sync->get_post( $comment['comment_post_ID'] );
		if ( !$post ) {
			return false;
		}

		return $comment;
	}

	function get_comments( $args ) {
		list( $comment_ids ) = $args;
		$comment_ids = array_map( 'intval', (array) $comment_ids );
		$jp = Jetpack::init();
		$sync_data = $jp->sync->get_content( array( 'comments' => $comment_ids ) );

		return $sync_data;
	}

	function update_attachment_parent( $args ) {
		$attachment_id = (int) $args[0];
		$parent_id     = (int) $args[1];

		return wp_update_post( array(
			'ID'          => $attachment_id,
			'post_parent' => $parent_id,
		) );
	}

	function json_api( $args = array() ) {
		$json_api_args = $args[0];
		$verify_api_user_args = $args[1];

		$method       = (string) $json_api_args[0];
		$url          = (string) $json_api_args[1];
		$post_body    = is_null( $json_api_args[2] ) ? null : (string) $json_api_args[2];
		$user_details = (array) $json_api_args[4];
		$locale       = (string) $json_api_args[5];

		if ( !$verify_api_user_args ) {
			$user_id = 0;
		} elseif ( 'internal' === $verify_api_user_args[0] ) {
			$user_id = (int) $verify_api_user_args[1];
			if ( $user_id ) {
				$user = get_user_by( 'id', $user_id );
				if ( !$user || is_wp_error( $user ) ) {
					return false;
				}
			}
		} else {
			$user_id = call_user_func( array( $this, 'test_api_user_code' ), $verify_api_user_args );
			if ( !$user_id ) {
				return false;
			}
		}

		/* debugging
		error_log( "-- begin json api via jetpack debugging -- " );
		error_log( "METHOD: $method" );
		error_log( "URL: $url" );
		error_log( "POST BODY: $post_body" );
		error_log( "VERIFY_ARGS: " . print_r( $verify_api_user_args, 1 ) );
		error_log( "VERIFIED USER_ID: " . (int) $user_id );
		error_log( "-- end json api via jetpack debugging -- " );
		*/

		if ( 'en' !== $locale ) {
			// .org mo files are named slightly different from .com, and all we have is this the locale -- try to guess them.
			$new_locale = $locale;
			if ( strpos( $locale, '-' ) !== false ) {
				$pieces = explode( '-', $locale );
				$new_locale = $locale_pieces[0];
				$new_locale .= ( ! empty( $locale_pieces[1] ) ) ? '_' . strtoupper( $locale_pieces[1] ) : '';
			} else {
				// .com might pass 'fr' because thats what our language files are named as, where core seems
				// to do fr_FR - so try that if we don't think we can load the file.
				if ( ! file_exists( WP_LANG_DIR . '/' . $locale . '.mo' ) ) {
					$new_locale =  $locale . '_' . strtoupper( $locale );
				}
			}

			if ( file_exists( WP_LANG_DIR . '/' . $new_locale . '.mo' ) ) {
				unload_textdomain( 'default' );
				load_textdomain( 'default', WP_LANG_DIR . '/' . $new_locale . '.mo' );
			}
		}

		$old_user = wp_get_current_user();
		wp_set_current_user( $user_id );

		$token = Jetpack_Data::get_access_token( get_current_user_id() );
		if ( !$token || is_wp_error( $token ) ) {
			return false;
		}

		define( 'REST_API_REQUEST', true );
		define( 'WPCOM_JSON_API__BASE', 'public-api.wordpress.com/rest/v1' );

		// needed?
		require_once ABSPATH . 'wp-admin/includes/admin.php';

		require_once JETPACK__PLUGIN_DIR . 'class.json-api.php';
		$api = WPCOM_JSON_API::init( $method, $url, $post_body );
		$api->token_details['user'] = $user_details;
		require_once JETPACK__PLUGIN_DIR . 'class.json-api-endpoints.php';

		$display_errors = ini_set( 'display_errors', 0 );
		ob_start();
		$content_type = $api->serve( false );
		$output = ob_get_clean();
		ini_set( 'display_errors', $display_errors );

		$nonce = wp_generate_password( 10, false );
		$hmac  = hash_hmac( 'md5', $nonce . $output, $token->secret );

		wp_set_current_user( isset( $old_user->ID ) ? $old_user->ID : 0 );

		return array(
			(string) $output,
			(string) $nonce,
			(string) $hmac,
		);
	}
}


1		<?php
2
3		/**
4		* Just a sack of functions. Not actually an IXR_Server
5		*/
6		class Jetpack_XMLRPC_Server {
7		/**
8		* The current error object
9		*/
10		public $error = null;
11
12		/**
13		* Whitelist of the XML-RPC methods available to the Jetpack Server. If the
14		* user is not authenticated (->login()) then the methods are never added,
15		* so they will get a "does not exist" error.
16		*/
17		function xmlrpc_methods( $core_methods ) {
18		$jetpack_methods = array(
19		'jetpack.jsonAPI' => array( $this, 'json_api' ),
20		'jetpack.verifyAction' => array( $this, 'verify_action' ),
21		);
22
23		$user = $this->login();
24
25		if ( $user ) {
26		$jetpack_methods = array_merge( $jetpack_methods, array(
27		'jetpack.testConnection' => array( $this, 'test_connection' ),
28		'jetpack.testAPIUserCode' => array( $this, 'test_api_user_code' ),
29		'jetpack.featuresAvailable' => array( $this, 'features_available' ),
30		'jetpack.featuresEnabled' => array( $this, 'features_enabled' ),
31		'jetpack.getPost' => array( $this, 'get_post' ),
32		'jetpack.getPosts' => array( $this, 'get_posts' ),
33		'jetpack.getComment' => array( $this, 'get_comment' ),
34		'jetpack.getComments' => array( $this, 'get_comments' ),
35		'jetpack.disconnectBlog' => array( $this, 'disconnect_blog' ),
36		'jetpack.unlinkUser' => array( $this, 'unlink_user' ),
37		) );
38
39		if ( isset( $core_methods['metaWeblog.editPost'] ) ) {
40		$jetpack_methods['metaWeblog.newMediaObject'] = $core_methods['metaWeblog.newMediaObject'];
41		$jetpack_methods['jetpack.updateAttachmentParent'] = array( $this, 'update_attachment_parent' );
42		}
43
44		/**
45		* Filters the XML-RPC methods available to Jetpack for authenticated users.
46		*
47		* @since 1.1.0
48		*
49		* @param array $jetpack_methods XML-RPC methods available to the Jetpack Server.
50		* @param array $core_methods Available core XML-RPC methods.
51		* @param WP_User $user Information about a given WordPress user.
52		*/
53		$jetpack_methods = apply_filters( 'jetpack_xmlrpc_methods', $jetpack_methods, $core_methods, $user );
54		}
55
56		/**
57		* Filters the XML-RPC methods available to Jetpack for unauthenticated users.
58		*
59		* @since 3.0.0
60		*
61		* @param array $jetpack_methods XML-RPC methods available to the Jetpack Server.
62		* @param array $core_methods Available core XML-RPC methods.
63		*/
64		return apply_filters( 'jetpack_xmlrpc_unauthenticated_methods', $jetpack_methods, $core_methods );
65		}
66
67		/**
68		* Whitelist of the bootstrap XML-RPC methods
69		*/
70		function bootstrap_xmlrpc_methods() {
71		return array(
72		'jetpack.verifyRegistration' => array( $this, 'verify_registration' ),
73		'jetpack.remoteAuthorize' => array( $this, 'remote_authorize' ),
74		);
75		}
76
77		function authorize_xmlrpc_methods() {
78		return array(
79		'jetpack.remoteAuthorize' => array( $this, 'remote_authorize' ),
80		'jetpack.activateManage' => array( $this, 'activate_manage' ),
81		);
82		}
83
84		function activate_manage( $request ) {
85	View Code Duplication	foreach( array( 'secret', 'state' ) as $required ) {
86		if ( ! isset( $request[ $required ] ) \|\| empty( $request[ $required ] ) ) {
87		return $this->error( new Jetpack_Error( 'missing_parameter', 'One or more parameters is missing from the request.', 400 ) );
88		}
89		}
90		$verified = $this->verify_action( array( 'activate_manage', $request['secret'], $request['state'] ) );
91		if ( is_a( $verified, 'IXR_Error' ) ) {
92		return $verified;
93		}
94		$activated = Jetpack::activate_module( 'manage', false, false );
95		if ( false === $activated \|\| ! Jetpack::is_module_active( 'manage' ) ) {
96		return $this->error( new Jetpack_Error( 'activation_error', 'There was an error while activating the module.', 500 ) );
97		}
98		return 'active';
99		}
100
101		function remote_authorize( $request ) {
102	View Code Duplication	foreach( array( 'secret', 'state', 'redirect_uri', 'code' ) as $required ) {
103		if ( ! isset( $request[ $required ] ) \|\| empty( $request[ $required ] ) ) {
104		return $this->error( new Jetpack_Error( 'missing_parameter', 'One or more parameters is missing from the request.', 400 ) );
105		}
106		}
107
108		if ( ! get_user_by( 'id', $request['state'] ) ) {
109		return $this->error( new Jetpack_Error( 'user_unknown', 'User not found.', 404 ) );
110		}
111
112		if ( Jetpack::is_active() && Jetpack::is_user_connected( $request['state'] ) ) {
113		return $this->error( new Jetpack_Error( 'already_connected', 'User already connected.', 400 ) );
114		}
115
116		$verified = $this->verify_action( array( 'authorize', $request['secret'], $request['state'] ) );
117
118		if ( is_a( $verified, 'IXR_Error' ) ) {
119		return $verified;
120		}
121
122		wp_set_current_user( $request['state'] );
123
124		$client_server = new Jetpack_Client_Server;
125		$result = $client_server->authorize( $request );
126
127		if ( is_wp_error( $result ) ) {
128		return $this->error( $result );
129		}
130		// Creates a new secret, allowing someone to activate the manage module for up to 1 day after authorization.
131		$secrets = Jetpack::init()->generate_secrets( 'activate_manage', DAY_IN_SECONDS );
132		@list( $secret ) = explode( ':', $secrets );
		0 ignored issues – show Security Best Practice introduced 2015-11-20 23:03 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended. If you suppress an error, we recommend checking for the error condition explicitly: // For example instead of @mkdir($dir); // Better use if (@mkdir($dir) === false) { throw new \RuntimeException('The directory '.$dir.' could not be created.'); } Loading history...
133		$response = array(
134		'result' => $result,
135		'activate_manage' => $secret,
136		);
137		return $response;
138		}
139
140		/**
141		* Verifies that Jetpack.WordPress.com received a registration request from this site
142		*/
143		function verify_registration( $data ) {
144		return $this->verify_action( array( 'register', $data[0], $data[1] ) );
145		}
146
147		/**
148		* @return WP_Error\|string secret_2 on success, WP_Error( error_code => error_code, error_message => error description, error_data => status code ) on failure
149		*
150		* Possible error_codes:
151		*
152		* verify_secret_1_missing
153		* verify_secret_1_malformed
154		* verify_secrets_missing: No longer have verification secrets stored
155		* verify_secrets_mismatch: stored secret_1 does not match secret_1 sent by Jetpack.WordPress.com
156		*
157		* The 'authorize' and 'register' actions have additional error codes
158		*
159		* state_missing: a state ( user id ) was not supplied
160		* state_malformed: state is not the correct data type
161		* invalid_state: supplied state does not match the stored state
162		*/
163		function verify_action( $params ) {
164		$action = $params[0];
165		$verify_secret = $params[1];
166		$state = isset( $params[2] ) ? $params[2] : '';
167
168		if ( empty( $verify_secret ) ) {
169		return $this->error( new Jetpack_Error( 'verify_secret_1_missing', sprintf( 'The required "%s" parameter is missing.', 'secret_1' ), 400 ) );
170		} else if ( ! is_string( $verify_secret ) ) {
171		return $this->error( new Jetpack_Error( 'verify_secret_1_malformed', sprintf( 'The required "%s" parameter is malformed.', 'secret_1' ), 400 ) );
172		}
173
174		$secrets = Jetpack_Options::get_option( $action );
175		if ( !$secrets \|\| is_wp_error( $secrets ) ) {
176		Jetpack_Options::delete_option( $action );
177		return $this->error( new Jetpack_Error( 'verify_secrets_missing', 'Verification took too long', 400 ) );
178		}
179
180		@list( $secret_1, $secret_2, $secret_eol, $user_id ) = explode( ':', $secrets );
181
182		if ( empty( $secret_1 ) \|\| empty( $secret_2 ) \|\| empty( $secret_eol ) \|\| $secret_eol < time() ) {
183		Jetpack_Options::delete_option( $action );
184		return $this->error( new Jetpack_Error( 'verify_secrets_missing', 'Verification took too long', 400 ) );
185		}
186
187		if ( ! hash_equals( $verify_secret, $secret_1 ) ) {
188		Jetpack_Options::delete_option( $action );
189		return $this->error( new Jetpack_Error( 'verify_secrets_mismatch', 'Secret mismatch', 400 ) );
190		}
191
192		if ( in_array( $action, array( 'authorize', 'register' ) ) ) {
193		// 'authorize' and 'register' actions require further testing
194		if ( empty( $state ) ) {
195		return $this->error( new Jetpack_Error( 'state_missing', sprintf( 'The required "%s" parameter is missing.', 'state' ), 400 ) );
196		} else if ( ! ctype_digit( $state ) ) {
197		return $this->error( new Jetpack_Error( 'state_malformed', sprintf( 'The required "%s" parameter is malformed.', 'state' ), 400 ) );
198		}
199		if ( empty( $user_id ) \|\| $user_id !== $state ) {
200		Jetpack_Options::delete_option( $action );
201		return $this->error( new Jetpack_Error( 'invalid_state', 'State is invalid', 400 ) );
202		}
203		}
204
205		Jetpack_Options::delete_option( $action );
206
207		return $secret_2;
208		}
209
210		/**
211		* Wrapper for wp_authenticate( $username, $password );
212		*
213		* @return WP_User\|IXR_Error
214		*/
215		function login() {
216		Jetpack::init()->require_jetpack_authentication();
217		$user = wp_authenticate( 'username', 'password' );
218		if ( is_wp_error( $user ) ) {
219		if ( 'authentication_failed' == $user->get_error_code() ) { // Generic error could mean most anything.
220		$this->error = new Jetpack_Error( 'invalid_request', 'Invalid Request', 403 );
221		} else {
222		$this->error = $user;
223		}
224		return false;
225		} else if ( !$user ) { // Shouldn't happen.
226		$this->error = new Jetpack_Error( 'invalid_request', 'Invalid Request', 403 );
227		return false;
228		}
229
230		return $user;
231		}
232
233		/**
234		* Returns the current error as an IXR_Error
235		*
236		* @return null\|IXR_Error
237		*/
238		function error( $error = null ) {
239		if ( !is_null( $error ) ) {
240		$this->error = $error;
241		}
242
243		if ( is_wp_error( $this->error ) ) {
244		$code = $this->error->get_error_data();
245		if ( !$code ) {
246		$code = -10520;
247		}
248		$message = sprintf( 'Jetpack: [%s] %s', $this->error->get_error_code(), $this->error->get_error_message() );
249		return new IXR_Error( $code, $message );
250		} else if ( is_a( $this->error, 'IXR_Error' ) ) {
251		return $this->error;
252		}
253
254		return false;
255		}
256
257		/* API Methods */
258
259		/**
260		* Just authenticates with the given Jetpack credentials.
261		*
262		* @return bool\|IXR_Error
263		*/
264		function test_connection() {
265		return JETPACK__VERSION;
266		}
267
268		function test_api_user_code( $args ) {
269		$client_id = (int) $args[0];
270		$user_id = (int) $args[1];
271		$nonce = (string) $args[2];
272		$verify = (string) $args[3];
273
274		if ( !$client_id \|\| !$user_id \|\| !strlen( $nonce ) \|\| 32 !== strlen( $verify ) ) {
275		return false;
276		}
277
278		$user = get_user_by( 'id', $user_id );
279		if ( !$user \|\| is_wp_error( $user ) ) {
280		return false;
281		}
282
283		/* debugging
284		error_log( "CLIENT: $client_id" );
285		error_log( "USER: $user_id" );
286		error_log( "NONCE: $nonce" );
287		error_log( "VERIFY: $verify" );
288		*/
289
290		$jetpack_token = Jetpack_Data::get_access_token( JETPACK_MASTER_USER );
291
292		$api_user_code = get_user_meta( $user_id, "jetpack_json_api_$client_id", true );
293		if ( !$api_user_code ) {
294		return false;
295		}
296
297		$hmac = hash_hmac( 'md5', json_encode( (object) array(
298		'client_id' => (int) $client_id,
299		'user_id' => (int) $user_id,
300		'nonce' => (string) $nonce,
301		'code' => (string) $api_user_code,
302		) ), $jetpack_token->secret );
303
304		if ( $hmac !== $verify ) {
305		return false;
306		}
307
308		return $user_id;
309		}
310
311		/**
312		* Disconnect this blog from the connected wordpress.com account
313		* @return boolean
314		*/
315		function disconnect_blog() {
316		Jetpack::log( 'disconnect' );
317		Jetpack::disconnect();
318
319		return true;
320		}
321
322		/**
323		* Unlink a user from WordPress.com
324		*
325		* This will fail if called by the Master User.
326		*/
327		function unlink_user() {
328		Jetpack::log( 'unlink' );
329		return Jetpack::unlink_user();
330		}
331
332		/**
333		* Returns what features are available. Uses the slug of the module files.
334		*
335		* @return array\|IXR_Error
336		*/
337	View Code Duplication	function features_available() {
338		$raw_modules = Jetpack::get_available_modules();
339		$modules = array();
340		foreach ( $raw_modules as $module ) {
341		$modules[] = Jetpack::get_module_slug( $module );
342		}
343
344		return $modules;
345		}
346
347		/**
348		* Returns what features are enabled. Uses the slug of the modules files.
349		*
350		* @return array\|IXR_Error
351		*/
352	View Code Duplication	function features_enabled() {
353		$raw_modules = Jetpack::get_active_modules();
354		$modules = array();
355		foreach ( $raw_modules as $module ) {
356		$modules[] = Jetpack::get_module_slug( $module );
357		}
358
359		return $modules;
360		}
361
362		function get_post( $id ) {
363		if ( !$id = (int) $id ) {
364		return false;
365		}
366
367		$jetpack = Jetpack::init();
368
369		$post = $jetpack->sync->get_post( $id );
370		return $post;
371		}
372
373	View Code Duplication	function get_posts( $args ) {
374		list( $post_ids ) = $args;
375		$post_ids = array_map( 'intval', (array) $post_ids );
376		$jp = Jetpack::init();
377		$sync_data = $jp->sync->get_content( array( 'posts' => $post_ids ) );
378
379		return $sync_data;
380		}
381
382		function get_comment( $id ) {
383		if ( !$id = (int) $id ) {
384		return false;
385		}
386
387		$jetpack = Jetpack::init();
388
389		$comment = $jetpack->sync->get_comment( $id );
390		if ( !is_array( $comment ) )
391		return false;
392
393		$post = $jetpack->sync->get_post( $comment['comment_post_ID'] );
394		if ( !$post ) {
395		return false;
396		}
397
398		return $comment;
399		}
400
401	View Code Duplication	function get_comments( $args ) {
402		list( $comment_ids ) = $args;
403		$comment_ids = array_map( 'intval', (array) $comment_ids );
404		$jp = Jetpack::init();
405		$sync_data = $jp->sync->get_content( array( 'comments' => $comment_ids ) );
406
407		return $sync_data;
408		}
409
410		function update_attachment_parent( $args ) {
411		$attachment_id = (int) $args[0];
412		$parent_id = (int) $args[1];
413
414		return wp_update_post( array(
415		'ID' => $attachment_id,
416		'post_parent' => $parent_id,
417		) );
418		}
419
420		function json_api( $args = array() ) {
421		$json_api_args = $args[0];
422		$verify_api_user_args = $args[1];
423
424		$method = (string) $json_api_args[0];
425		$url = (string) $json_api_args[1];
426		$post_body = is_null( $json_api_args[2] ) ? null : (string) $json_api_args[2];
427		$user_details = (array) $json_api_args[4];
428		$locale = (string) $json_api_args[5];
429
430		if ( !$verify_api_user_args ) {
431		$user_id = 0;
432		} elseif ( 'internal' === $verify_api_user_args[0] ) {
433		$user_id = (int) $verify_api_user_args[1];
434		if ( $user_id ) {
435		$user = get_user_by( 'id', $user_id );
436		if ( !$user \|\| is_wp_error( $user ) ) {
437		return false;
438		}
439		}
440		} else {
441		$user_id = call_user_func( array( $this, 'test_api_user_code' ), $verify_api_user_args );
442		if ( !$user_id ) {
443		return false;
444		}
445		}
446
447		/* debugging
448		error_log( "-- begin json api via jetpack debugging -- " );
449		error_log( "METHOD: $method" );
450		error_log( "URL: $url" );
451		error_log( "POST BODY: $post_body" );
452		error_log( "VERIFY_ARGS: " . print_r( $verify_api_user_args, 1 ) );
453		error_log( "VERIFIED USER_ID: " . (int) $user_id );
454		error_log( "-- end json api via jetpack debugging -- " );
455		*/
456
457		if ( 'en' !== $locale ) {
458		// .org mo files are named slightly different from .com, and all we have is this the locale -- try to guess them.
459		$new_locale = $locale;
460		if ( strpos( $locale, '-' ) !== false ) {
461		$pieces = explode( '-', $locale );
462		$new_locale = $locale_pieces[0];
463		$new_locale .= ( ! empty( $locale_pieces[1] ) ) ? '_' . strtoupper( $locale_pieces[1] ) : '';
464		} else {
465		// .com might pass 'fr' because thats what our language files are named as, where core seems
466		// to do fr_FR - so try that if we don't think we can load the file.
467		if ( ! file_exists( WP_LANG_DIR . '/' . $locale . '.mo' ) ) {
468		$new_locale = $locale . '_' . strtoupper( $locale );
469		}
470		}
471
472		if ( file_exists( WP_LANG_DIR . '/' . $new_locale . '.mo' ) ) {
473		unload_textdomain( 'default' );
474		load_textdomain( 'default', WP_LANG_DIR . '/' . $new_locale . '.mo' );
475		}
476		}
477
478		$old_user = wp_get_current_user();
479		wp_set_current_user( $user_id );
480
481		$token = Jetpack_Data::get_access_token( get_current_user_id() );
482		if ( !$token \|\| is_wp_error( $token ) ) {
483		return false;
484		}
485
486		define( 'REST_API_REQUEST', true );
487		define( 'WPCOM_JSON_API__BASE', 'public-api.wordpress.com/rest/v1' );
488
489		// needed?
490		require_once ABSPATH . 'wp-admin/includes/admin.php';
491
492		require_once JETPACK__PLUGIN_DIR . 'class.json-api.php';
493		$api = WPCOM_JSON_API::init( $method, $url, $post_body );
494		$api->token_details['user'] = $user_details;
495		require_once JETPACK__PLUGIN_DIR . 'class.json-api-endpoints.php';
496
497		$display_errors = ini_set( 'display_errors', 0 );
498		ob_start();
499		$content_type = $api->serve( false );
500		$output = ob_get_clean();
501		ini_set( 'display_errors', $display_errors );
502
503		$nonce = wp_generate_password( 10, false );
504		$hmac = hash_hmac( 'md5', $nonce . $output, $token->secret );
505
506		wp_set_current_user( isset( $old_user->ID ) ? $old_user->ID : 0 );
507
508		return array(
509		(string) $output,
510		(string) $nonce,
511		(string) $hmac,
512		);
513		}
514		}
515

Automattic / jetpack

Push — add/fallback-views ( 111d6f...097491 )

class.jetpack-xmlrpc-server.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like