Issues in class.jetpack-signature.php - New Issues - Inspection of "Satisfy PHPCS." - Automattic/jetpack - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — update/videopress-transcode-al... ( ffe79d...2d3973 )

by Kirk

created 2019-09-24 19:16 UTC

connection/legacy/class.jetpack-signature.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * The Jetpack Connection signature class file.
 *
 * @package automattic/jetpack-connection
 */

use Automattic\Jetpack\Connection\Manager as Connection_Manager;

/**
 * The Jetpack Connection signature class that is used to sign requests.
 */
class Jetpack_Signature {
	/**
	 * Token part of the access token.
	 *
	 * @access public
	 * @var string
	 */
	public $token;

	/**
	 * Access token secret.
	 *
	 * @access public
	 * @var string
	 */
	public $secret;

	/**
	 * The current request URL.
	 *
	 * @access public
	 * @var string
	 */
	public $current_request_url;

	/**
	 * Constructor.
	 *
	 * @param array $access_token Access token.
	 * @param int   $time_diff    Timezone difference (in seconds).
	 */
	public function __construct( $access_token, $time_diff = 0 ) {
		$secret = explode( '.', $access_token );
		if ( 2 !== count( $secret ) ) {
			return;
		}

		$this->token     = $secret[0];
		$this->secret    = $secret[1];
		$this->time_diff = $time_diff;
class MyClass { }

$x = new MyClass();
$x->foo = true;
	}

	/**
	 * Sign the current request.
	 *
	 * @todo Implement a proper nonce verification.
	 *
	 * @param array $override Optional arguments to override the ones from the current request.
	 * @return string|WP_Error Request signature, or a WP_Error on failure.
	 */
	public function sign_current_request( $override = array() ) {
		if ( isset( $override['scheme'] ) ) {
			$scheme = $override['scheme'];
			if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
				return new WP_Error( 'invalid_scheme', 'Invalid URL scheme' );
			}
		} else {
			if ( is_ssl() ) {
				$scheme = 'https';
			} else {
				$scheme = 'http';
			}
		}

		$host_port = isset( $_SERVER['HTTP_X_FORWARDED_PORT'] ) ? $_SERVER['HTTP_X_FORWARDED_PORT'] : $_SERVER['SERVER_PORT'];
		$host_port = intval( $host_port );

		/**
		 * Note: This port logic is tested in the Jetpack_Cxn_Tests->test__server_port_value() test.
		 * Please update the test if any changes are made in this logic.
		 */
		if ( is_ssl() ) {
			// 443: Standard Port
			// 80: Assume we're behind a proxy without X-Forwarded-Port. Hardcoding "80" here means most sites
			// with SSL termination proxies (self-served, Cloudflare, etc.) don't need to fiddle with
			// the JETPACK_SIGNATURE__HTTPS_PORT constant. The code also implies we can't talk to a
			// site at https://example.com:80/ (which would be a strange configuration).
			// JETPACK_SIGNATURE__HTTPS_PORT: Set this constant in wp-config.php to the back end webserver's port
			// if the site is behind a proxy running on port 443 without
			// X-Forwarded-Port and the back end's port is *not* 80. It's better,
			// though, to configure the proxy to send X-Forwarded-Port.
			$https_port = defined( 'JETPACK_SIGNATURE__HTTPS_PORT' ) ? JETPACK_SIGNATURE__HTTPS_PORT : 443;
			$port       = in_array( $host_port, array( 443, 80, $https_port ), true ) ? '' : $host_port;
		} else {
			// 80: Standard Port
			// JETPACK_SIGNATURE__HTTPS_PORT: Set this constant in wp-config.php to the back end webserver's port
			// if the site is behind a proxy running on port 80 without
			// X-Forwarded-Port. It's better, though, to configure the proxy to
			// send X-Forwarded-Port.
			$http_port = defined( 'JETPACK_SIGNATURE__HTTP_PORT' ) ? JETPACK_SIGNATURE__HTTP_PORT : 80;
			$port      = in_array( $host_port, array( 80, $http_port ), true ) ? '' : $host_port;
		}

		$this->current_request_url = "{$scheme}://{$_SERVER['HTTP_HOST']}:{$port}" . stripslashes( $_SERVER['REQUEST_URI'] );

		if ( array_key_exists( 'body', $override ) && ! empty( $override['body'] ) ) {
			$body = $override['body'];
		} elseif ( 'POST' === strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
			$body = isset( $GLOBALS['HTTP_RAW_POST_DATA'] ) ? $GLOBALS['HTTP_RAW_POST_DATA'] : null;

			// Convert the $_POST to the body, if the body was empty. This is how arrays are hashed
			// and encoded on the Jetpack side.
			if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
				// phpcs:ignore WordPress.Security.NonceVerification.Missing
				if ( empty( $body ) && is_array( $_POST ) && count( $_POST ) > 0 ) {
					$body = $_POST; // phpcs:ignore WordPress.Security.NonceVerification.Missing
				}
			}
		} elseif ( 'PUT' === strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
			// This is a little strange-looking, but there doesn't seem to be another way to get the PUT body.
			$raw_put_data = file_get_contents( 'php://input' );
			parse_str( $raw_put_data, $body );

			if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
				$put_data = json_decode( $raw_put_data, true );
				if ( is_array( $put_data ) && count( $put_data ) > 0 ) {
					$body = $put_data;
				}
			}
		} else {
			$body = null;
		}

		if ( empty( $body ) ) {
			$body = null;
		}

		$a = array();
		foreach ( array( 'token', 'timestamp', 'nonce', 'body-hash' ) as $parameter ) {
			if ( isset( $override[ $parameter ] ) ) {
				$a[ $parameter ] = $override[ $parameter ];
			} else {
				// phpcs:ignore WordPress.Security.NonceVerification.Recommended
				$a[ $parameter ] = isset( $_GET[ $parameter ] ) ? stripslashes( $_GET[ $parameter ] ) : '';
			}
		}

		$method = isset( $override['method'] ) ? $override['method'] : $_SERVER['REQUEST_METHOD'];
		return $this->sign_request( $a['token'], $a['timestamp'], $a['nonce'], $a['body-hash'], $method, $this->current_request_url, $body, true );
	}

	/**
	 * Sign a specified request.
	 *
	 * @todo Having body_hash v. body-hash is annoying. Refactor to accept an array?
	 * @todo Use wp_json_encode() instead of json_encode()?
	 * @todo Use wp_parse_url() instead of parse_url()?
	 *
	 * @param string $token            Request token.
	 * @param int    $timestamp        Timestamp of the request.
	 * @param string $nonce            Request nonce.
	 * @param string $body_hash        Request body hash.
	 * @param string $method           Request method.
	 * @param string $url              Request URL.
	 * @param mixed  $body             Request body.
	 * @param bool   $verify_body_hash Whether to verify the body hash against the body.
	 * @return string|WP_Error Request signature, or a WP_Error on failure.
	 */
	public function sign_request( $token = '', $timestamp = 0, $nonce = '', $body_hash = '', $method = '', $url = '', $body = null, $verify_body_hash = true ) {
		if ( ! $this->secret ) {
			return new WP_Error( 'invalid_secret', 'Invalid secret' );
		}

		if ( ! $this->token ) {
			return new WP_Error( 'invalid_token', 'Invalid token' );
		}

		list( $token ) = explode( '.', $token );

		$signature_details = compact( 'token', 'timestamp', 'nonce', 'body_hash', 'method', 'url' );

		if ( 0 !== strpos( $token, "$this->token:" ) ) {
			return new WP_Error( 'token_mismatch', 'Incorrect token', compact( 'signature_details' ) );
		}

		// If we got an array at this point, let's encode it, so we can see what it looks like as a string.
		if ( is_array( $body ) ) {
			if ( count( $body ) > 0 ) {
				// phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
				$body = json_encode( $body );

			} else {
				$body = '';
			}
		}

		$required_parameters = array( 'token', 'timestamp', 'nonce', 'method', 'url' );
		if ( ! is_null( $body ) ) {
			$required_parameters[] = 'body_hash';
			if ( ! is_string( $body ) ) {
				return new WP_Error( 'invalid_body', 'Body is malformed.', compact( 'signature_details' ) );
			}
		}

		foreach ( $required_parameters as $required ) {
			if ( ! is_scalar( $$required ) ) {
				return new WP_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', str_replace( '_', '-', $required ) ), compact( 'signature_details' ) );
			}

			if ( ! strlen( $$required ) ) {
				return new WP_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is missing.', str_replace( '_', '-', $required ) ), compact( 'signature_details' ) );
			}
		}

		if ( empty( $body ) ) {
			if ( $body_hash ) {
				return new WP_Error( 'invalid_body_hash', 'Invalid body hash for empty body.', compact( 'signature_details' ) );
			}
		} else {
			$connection = new Connection_Manager();
			if ( $verify_body_hash && $connection->sha1_base64( $body ) !== $body_hash ) {
				return new WP_Error( 'invalid_body_hash', 'The body hash does not match.', compact( 'signature_details' ) );
			}
		}

		// phpcs:ignore WordPress.WP.AlternativeFunctions.parse_url_parse_url
		$parsed = parse_url( $url );
		if ( ! isset( $parsed['host'] ) ) {
			return new WP_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'url' ), compact( 'signature_details' ) );
		}

		if ( ! empty( $parsed['port'] ) ) {
			$port = $parsed['port'];
		} else {
			if ( 'http' === $parsed['scheme'] ) {
				$port = 80;
			} elseif ( 'https' === $parsed['scheme'] ) {
				$port = 443;
			} else {
				return new WP_Error( 'unknown_scheme_port', "The scheme's port is unknown", compact( 'signature_details' ) );
			}
		}

		if ( ! ctype_digit( "$timestamp" ) || 10 < strlen( $timestamp ) ) { // If Jetpack is around in 275 years, you can blame mdawaffe for the bug.
			return new WP_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'timestamp' ), compact( 'signature_details' ) );
		}

		$local_time = $timestamp - $this->time_diff;
		if ( $local_time < time() - 600 || $local_time > time() + 300 ) {
			return new WP_Error( 'invalid_signature', 'The timestamp is too old.', compact( 'signature_details' ) );
		}

		if ( 12 < strlen( $nonce ) || preg_match( '/[^a-zA-Z0-9]/', $nonce ) ) {
			return new WP_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'nonce' ), compact( 'signature_details' ) );
		}

		$normalized_request_pieces = array(
			$token,
			$timestamp,
			$nonce,
			$body_hash,
			strtoupper( $method ),
			strtolower( $parsed['host'] ),
			$port,
			$parsed['path'],
			// Normalized Query String.
		);

		$normalized_request_pieces      = array_merge( $normalized_request_pieces, $this->normalized_query_parameters( isset( $parsed['query'] ) ? $parsed['query'] : '' ) );
		$flat_normalized_request_pieces = array();
		foreach ( $normalized_request_pieces as $piece ) {
			if ( is_array( $piece ) ) {
				foreach ( $piece as $subpiece ) {
					$flat_normalized_request_pieces[] = $subpiece;
				}
			} else {
				$flat_normalized_request_pieces[] = $piece;
			}
		}
		$normalized_request_pieces = $flat_normalized_request_pieces;

		$normalized_request_string = join( "\n", $normalized_request_pieces ) . "\n";

		// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
		return base64_encode( hash_hmac( 'sha1', $normalized_request_string, $this->secret, true ) );
	}

	/**
	 * Retrieve and normalize the parameters from a query string.
	 *
	 * @param string $query_string Query string.
	 * @return array Normalized query string parameters.
	 */
	public function normalized_query_parameters( $query_string ) {
		parse_str( $query_string, $array );
		if ( get_magic_quotes_gpc() ) {
			$array = stripslashes_deep( $array );
		}

		unset( $array['signature'] );

		$names  = array_keys( $array );
		$values = array_values( $array );

		$names  = array_map( array( $this, 'encode_3986' ), $names );
		$values = array_map( array( $this, 'encode_3986' ), $values );

		$pairs = array_map( array( $this, 'join_with_equal_sign' ), $names, $values );

		sort( $pairs );

		return $pairs;
	}

	/**
	 * Encodes a string or array of strings according to RFC 3986.
	 *
	 * @param string|array $string_or_array String or array to encode.
	 * @return string|array URL-encoded string or array.
	 */
	public function encode_3986( $string_or_array ) {
		if ( is_array( $string_or_array ) ) {
			return array_map( array( $this, 'encode_3986' ), $string_or_array );
		}

		return rawurlencode( $string_or_array );
	}

	/**
	 * Concatenates a parameter name and a parameter value with an equals sign between them.
	 * Supports one-dimensional arrays as `$value`.
	 *
	 * @param string $name  Parameter name.
	 * @param mixed  $value Parameter value.
	 * @return string A pair with parameter name and value (e.g. `name=value`).
	 */
	public function join_with_equal_sign( $name, $value ) {
		if ( is_array( $value ) ) {
			$result = array();
			foreach ( $value as $array_key => $array_value ) {
				$result[] = $name . '[' . $array_key . ']=' . $array_value;
			}
			return $result;
		}
		return "{$name}={$value}";
	}
}


1		<?php
2		/**
3		* The Jetpack Connection signature class file.
4		*
5		* @package automattic/jetpack-connection
6		*/
7
8		use Automattic\Jetpack\Connection\Manager as Connection_Manager;
9
10		/**
11		* The Jetpack Connection signature class that is used to sign requests.
12		*/
13		class Jetpack_Signature {
14		/**
15		* Token part of the access token.
16		*
17		* @access public
18		* @var string
19		*/
20		public $token;
21
22		/**
23		* Access token secret.
24		*
25		* @access public
26		* @var string
27		*/
28		public $secret;
29
30		/**
31		* The current request URL.
32		*
33		* @access public
34		* @var string
35		*/
36		public $current_request_url;
37
38		/**
39		* Constructor.
40		*
41		* @param array $access_token Access token.
42		* @param int $time_diff Timezone difference (in seconds).
43		*/
44		public function __construct( $access_token, $time_diff = 0 ) {
45		$secret = explode( '.', $access_token );
46		if ( 2 !== count( $secret ) ) {
47		return;
48		}
49
50		$this->token = $secret[0];
51		$this->secret = $secret[1];
52		$this->time_diff = $time_diff;
		0 ignored issues – show Bug introduced 2019-09-16 23:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `time_diff` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
53		}
54
55		/**
56		* Sign the current request.
57		*
58		* @todo Implement a proper nonce verification.
59		*
60		* @param array $override Optional arguments to override the ones from the current request.
61		* @return string\|WP_Error Request signature, or a WP_Error on failure.
62		*/
63		public function sign_current_request( $override = array() ) {
64		if ( isset( $override['scheme'] ) ) {
65		$scheme = $override['scheme'];
66		if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
67		return new WP_Error( 'invalid_scheme', 'Invalid URL scheme' );
68		}
69		} else {
70		if ( is_ssl() ) {
71		$scheme = 'https';
72		} else {
73		$scheme = 'http';
74		}
75		}
76
77		$host_port = isset( $_SERVER['HTTP_X_FORWARDED_PORT'] ) ? $_SERVER['HTTP_X_FORWARDED_PORT'] : $_SERVER['SERVER_PORT'];
78		$host_port = intval( $host_port );
79
80		/**
81		* Note: This port logic is tested in the Jetpack_Cxn_Tests->test__server_port_value() test.
82		* Please update the test if any changes are made in this logic.
83		*/
84		if ( is_ssl() ) {
85		// 443: Standard Port
86		// 80: Assume we're behind a proxy without X-Forwarded-Port. Hardcoding "80" here means most sites
87		// with SSL termination proxies (self-served, Cloudflare, etc.) don't need to fiddle with
88		// the JETPACK_SIGNATURE__HTTPS_PORT constant. The code also implies we can't talk to a
89		// site at https://example.com:80/ (which would be a strange configuration).
90		// JETPACK_SIGNATURE__HTTPS_PORT: Set this constant in wp-config.php to the back end webserver's port
91		// if the site is behind a proxy running on port 443 without
92		// X-Forwarded-Port and the back end's port is not 80. It's better,
93		// though, to configure the proxy to send X-Forwarded-Port.
94		$https_port = defined( 'JETPACK_SIGNATURE__HTTPS_PORT' ) ? JETPACK_SIGNATURE__HTTPS_PORT : 443;
95		$port = in_array( $host_port, array( 443, 80, $https_port ), true ) ? '' : $host_port;
96		} else {
97		// 80: Standard Port
98		// JETPACK_SIGNATURE__HTTPS_PORT: Set this constant in wp-config.php to the back end webserver's port
99		// if the site is behind a proxy running on port 80 without
100		// X-Forwarded-Port. It's better, though, to configure the proxy to
101		// send X-Forwarded-Port.
102		$http_port = defined( 'JETPACK_SIGNATURE__HTTP_PORT' ) ? JETPACK_SIGNATURE__HTTP_PORT : 80;
103		$port = in_array( $host_port, array( 80, $http_port ), true ) ? '' : $host_port;
104		}
105
106		$this->current_request_url = "{$scheme}://{$_SERVER['HTTP_HOST']}:{$port}" . stripslashes( $_SERVER['REQUEST_URI'] );
107
108		if ( array_key_exists( 'body', $override ) && ! empty( $override['body'] ) ) {
109		$body = $override['body'];
110		} elseif ( 'POST' === strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
111		$body = isset( $GLOBALS['HTTP_RAW_POST_DATA'] ) ? $GLOBALS['HTTP_RAW_POST_DATA'] : null;
112
113		// Convert the $_POST to the body, if the body was empty. This is how arrays are hashed
114		// and encoded on the Jetpack side.
115		if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
116		// phpcs:ignore WordPress.Security.NonceVerification.Missing
117		if ( empty( $body ) && is_array( $_POST ) && count( $_POST ) > 0 ) {
118		$body = $_POST; // phpcs:ignore WordPress.Security.NonceVerification.Missing
119		}
120		}
121		} elseif ( 'PUT' === strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
122		// This is a little strange-looking, but there doesn't seem to be another way to get the PUT body.
123		$raw_put_data = file_get_contents( 'php://input' );
124		parse_str( $raw_put_data, $body );
125
126		if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
127		$put_data = json_decode( $raw_put_data, true );
128		if ( is_array( $put_data ) && count( $put_data ) > 0 ) {
129		$body = $put_data;
130		}
131		}
132		} else {
133		$body = null;
134		}
135
136		if ( empty( $body ) ) {
137		$body = null;
138		}
139
140		$a = array();
141		foreach ( array( 'token', 'timestamp', 'nonce', 'body-hash' ) as $parameter ) {
142		if ( isset( $override[ $parameter ] ) ) {
143		$a[ $parameter ] = $override[ $parameter ];
144		} else {
145		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
146		$a[ $parameter ] = isset( $_GET[ $parameter ] ) ? stripslashes( $_GET[ $parameter ] ) : '';
147		}
148		}
149
150		$method = isset( $override['method'] ) ? $override['method'] : $_SERVER['REQUEST_METHOD'];
151		return $this->sign_request( $a['token'], $a['timestamp'], $a['nonce'], $a['body-hash'], $method, $this->current_request_url, $body, true );
152		}
153
154		/**
155		* Sign a specified request.
156		*
157		* @todo Having body_hash v. body-hash is annoying. Refactor to accept an array?
158		* @todo Use wp_json_encode() instead of json_encode()?
159		* @todo Use wp_parse_url() instead of parse_url()?
160		*
161		* @param string $token Request token.
162		* @param int $timestamp Timestamp of the request.
163		* @param string $nonce Request nonce.
164		* @param string $body_hash Request body hash.
165		* @param string $method Request method.
166		* @param string $url Request URL.
167		* @param mixed $body Request body.
168		* @param bool $verify_body_hash Whether to verify the body hash against the body.
169		* @return string\|WP_Error Request signature, or a WP_Error on failure.
170		*/
171		public function sign_request( $token = '', $timestamp = 0, $nonce = '', $body_hash = '', $method = '', $url = '', $body = null, $verify_body_hash = true ) {
172		if ( ! $this->secret ) {
173		return new WP_Error( 'invalid_secret', 'Invalid secret' );
174		}
175
176		if ( ! $this->token ) {
177		return new WP_Error( 'invalid_token', 'Invalid token' );
178		}
179
180		list( $token ) = explode( '.', $token );
181
182		$signature_details = compact( 'token', 'timestamp', 'nonce', 'body_hash', 'method', 'url' );
183
184		if ( 0 !== strpos( $token, "$this->token:" ) ) {
185		return new WP_Error( 'token_mismatch', 'Incorrect token', compact( 'signature_details' ) );
186		}
187
188		// If we got an array at this point, let's encode it, so we can see what it looks like as a string.
189		if ( is_array( $body ) ) {
190		if ( count( $body ) > 0 ) {
191		// phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
192		$body = json_encode( $body );
193
194		} else {
195		$body = '';
196		}
197		}
198
199		$required_parameters = array( 'token', 'timestamp', 'nonce', 'method', 'url' );
200		if ( ! is_null( $body ) ) {
201		$required_parameters[] = 'body_hash';
202		if ( ! is_string( $body ) ) {
203		return new WP_Error( 'invalid_body', 'Body is malformed.', compact( 'signature_details' ) );
204		}
205		}
206
207		foreach ( $required_parameters as $required ) {
208		if ( ! is_scalar( $$required ) ) {
209		return new WP_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', str_replace( '_', '-', $required ) ), compact( 'signature_details' ) );
210		}
211
212	View Code Duplication	if ( ! strlen( $$required ) ) {
213		return new WP_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is missing.', str_replace( '_', '-', $required ) ), compact( 'signature_details' ) );
214		}
215		}
216
217		if ( empty( $body ) ) {
218		if ( $body_hash ) {
219		return new WP_Error( 'invalid_body_hash', 'Invalid body hash for empty body.', compact( 'signature_details' ) );
220		}
221		} else {
222		$connection = new Connection_Manager();
223		if ( $verify_body_hash && $connection->sha1_base64( $body ) !== $body_hash ) {
224		return new WP_Error( 'invalid_body_hash', 'The body hash does not match.', compact( 'signature_details' ) );
225		}
226		}
227
228		// phpcs:ignore WordPress.WP.AlternativeFunctions.parse_url_parse_url
229		$parsed = parse_url( $url );
230		if ( ! isset( $parsed['host'] ) ) {
231		return new WP_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'url' ), compact( 'signature_details' ) );
232		}
233
234		if ( ! empty( $parsed['port'] ) ) {
235		$port = $parsed['port'];
236		} else {
237		if ( 'http' === $parsed['scheme'] ) {
238		$port = 80;
239		} elseif ( 'https' === $parsed['scheme'] ) {
240		$port = 443;
241		} else {
242		return new WP_Error( 'unknown_scheme_port', "The scheme's port is unknown", compact( 'signature_details' ) );
243		}
244		}
245
246	View Code Duplication	if ( ! ctype_digit( "$timestamp" ) \|\| 10 < strlen( $timestamp ) ) { // If Jetpack is around in 275 years, you can blame mdawaffe for the bug.
247		return new WP_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'timestamp' ), compact( 'signature_details' ) );
248		}
249
250		$local_time = $timestamp - $this->time_diff;
251	View Code Duplication	if ( $local_time < time() - 600 \|\| $local_time > time() + 300 ) {
252		return new WP_Error( 'invalid_signature', 'The timestamp is too old.', compact( 'signature_details' ) );
253		}
254
255	View Code Duplication	if ( 12 < strlen( $nonce ) \|\| preg_match( '/[^a-zA-Z0-9]/', $nonce ) ) {
256		return new WP_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'nonce' ), compact( 'signature_details' ) );
257		}
258
259		$normalized_request_pieces = array(
260		$token,
261		$timestamp,
262		$nonce,
263		$body_hash,
264		strtoupper( $method ),
265		strtolower( $parsed['host'] ),
266		$port,
267		$parsed['path'],
268		// Normalized Query String.
269		);
270
271		$normalized_request_pieces = array_merge( $normalized_request_pieces, $this->normalized_query_parameters( isset( $parsed['query'] ) ? $parsed['query'] : '' ) );
272		$flat_normalized_request_pieces = array();
273		foreach ( $normalized_request_pieces as $piece ) {
274		if ( is_array( $piece ) ) {
275		foreach ( $piece as $subpiece ) {
276		$flat_normalized_request_pieces[] = $subpiece;
277		}
278		} else {
279		$flat_normalized_request_pieces[] = $piece;
280		}
281		}
282		$normalized_request_pieces = $flat_normalized_request_pieces;
283
284		$normalized_request_string = join( "\n", $normalized_request_pieces ) . "\n";
285
286		// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
287		return base64_encode( hash_hmac( 'sha1', $normalized_request_string, $this->secret, true ) );
288		}
289
290		/**
291		* Retrieve and normalize the parameters from a query string.
292		*
293		* @param string $query_string Query string.
294		* @return array Normalized query string parameters.
295		*/
296		public function normalized_query_parameters( $query_string ) {
297		parse_str( $query_string, $array );
298		if ( get_magic_quotes_gpc() ) {
299		$array = stripslashes_deep( $array );
300		}
301
302		unset( $array['signature'] );
303
304		$names = array_keys( $array );
305		$values = array_values( $array );
306
307		$names = array_map( array( $this, 'encode_3986' ), $names );
308		$values = array_map( array( $this, 'encode_3986' ), $values );
309
310		$pairs = array_map( array( $this, 'join_with_equal_sign' ), $names, $values );
311
312		sort( $pairs );
313
314		return $pairs;
315		}
316
317		/**
318		* Encodes a string or array of strings according to RFC 3986.
319		*
320		* @param string\|array $string_or_array String or array to encode.
321		* @return string\|array URL-encoded string or array.
322		*/
323		public function encode_3986( $string_or_array ) {
324		if ( is_array( $string_or_array ) ) {
325		return array_map( array( $this, 'encode_3986' ), $string_or_array );
326		}
327
328		return rawurlencode( $string_or_array );
329		}
330
331		/**
332		* Concatenates a parameter name and a parameter value with an equals sign between them.
333		* Supports one-dimensional arrays as `$value`.
334		*
335		* @param string $name Parameter name.
336		* @param mixed $value Parameter value.
337		* @return string A pair with parameter name and value (e.g. `name=value`).
338		*/
339		public function join_with_equal_sign( $name, $value ) {
340		if ( is_array( $value ) ) {
341		$result = array();
342		foreach ( $value as $array_key => $array_value ) {
343		$result[] = $name . '[' . $array_key . ']=' . $array_value;
344		}
345		return $result;
346		}
347		return "{$name}={$value}";
348		}
349		}
350

Automattic / jetpack

Push — update/videopress-transcode-al... ( ffe79d...2d3973 )

connection/legacy/class.jetpack-signature.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like