class.jetpack-client-server.php (4 issues)

<?php
/**
 * Client = Plugin
 * Client Server = API Methods the Plugin must respond to
 */
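class Jetpack_Client_Server {

	/**
	 * Handles the browser callback that completes a client-side (plugin) connection.
	 *
	 * Reads the request from $_GET, verifies the admin nonce that is bound to the
	 * current user's role and the requested redirect target, runs authorize(),
	 * records any resulting error in Jetpack state, and finally redirects either to
	 * the validated redirect target or to the Jetpack admin page before exiting.
	 *
	 * @return void Never returns normally; ends with do_exit().
	 */
	function client_authorize() {
		$data              = stripslashes_deep( $_GET );
		$data['auth_type'] = 'client';
		$jetpack           = $this->get_jetpack();
		$role              = $jetpack->translate_current_user_to_role();
		$redirect          = isset( $data['redirect'] ) ? esc_url_raw( (string) $data['redirect'] ) : '';

		// The nonce action embeds both role and redirect, so neither can be swapped after
		// the link was generated; get_token() creates the nonce with the same action string.
		$this->check_admin_referer( "jetpack-authorize_{$role}_{$redirect}" );

		$result = $this->authorize( $data );
		if ( is_wp_error( $result ) ) {
			Jetpack::state( 'error', $result->get_error_code() );
		}

		// Only follow the caller-supplied redirect when WordPress accepts its host;
		// otherwise land on the Jetpack admin page.
		if ( wp_validate_redirect( $redirect ) ) {
			$this->wp_safe_redirect( $redirect );
		} else {
			$this->wp_safe_redirect( Jetpack::admin_url() );
		}

		$this->do_exit();
	}

	/**
	 * Exchanges the authorization code in $data for an access token and links the user.
	 *
	 * Validates the current user's role and capability, the request 'state' (which
	 * must be the current user's ID) and the presence of an authorization code,
	 * then calls get_token() and stores the resulting user token. The first user to
	 * connect becomes the master user and additionally (re)activates modules and
	 * schedules the nonce cleaner.
	 *
	 * @param array $data Request parameters: 'code', 'state', and optionally
	 *                    'error', 'redirect', 'redirect_uri' and 'auth_type'.
	 * @return string|Jetpack_Error 'linked' when a secondary user was connected,
	 *                              'authorized' when the master user was connected,
	 *                              otherwise a Jetpack_Error carrying HTTP status 400.
	 */
	function authorize( $data = array() ) {
		$this->record_unique_connection();

		$jetpack = $this->get_jetpack();
		$role    = $jetpack->translate_current_user_to_role();

		if ( ! $role ) {
			return new Jetpack_Error( 'no_role', 'Invalid request.', 400 );
		}

		$cap = $jetpack->translate_role_to_cap( $role );
		if ( ! $cap ) {
			return new Jetpack_Error( 'no_cap', 'Invalid request.', 400 );
		}

		if ( ! empty( $data['error'] ) ) {
			return new Jetpack_Error( $data['error'], 'Error included in the request.', 400 );
		}

		if ( ! isset( $data['state'] ) ) {
			return new Jetpack_Error( 'no_state', 'Request must include state.', 400 );
		}

		// ctype_digit() only accepts strings; anything else is rejected the same way.
		// The error code used to be $data['error'], which is always empty at this point.
		if ( ! is_string( $data['state'] ) || ! ctype_digit( $data['state'] ) ) {
			return new Jetpack_Error( 'invalid_state', 'State must be an integer.', 400 );
		}

		$current_user_id = get_current_user_id();
		if ( (int) $data['state'] !== $current_user_id ) {
			return new Jetpack_Error( 'wrong_state', 'State does not match current user.', 400 );
		}

		if ( empty( $data['code'] ) ) {
			return new Jetpack_Error( 'no_code', 'Request must include an authorization code.', 400 );
		}

		$token = $this->get_token( $data );

		if ( is_wp_error( $token ) ) {
			$code = $token->get_error_code();
			if ( empty( $code ) ) {
				$code = 'invalid_token';
			}
			return new Jetpack_Error( $code, $token->get_error_message(), 400 );
		}

		if ( ! $token ) {
			return new Jetpack_Error( 'no_token', 'Error generating token.', 400 );
		}

		// The site is not active yet, so this user becomes the master user.
		$is_master_user = ! Jetpack::is_active();

		Jetpack::update_user_token( $current_user_id, sprintf( '%s.%d', $token, $current_user_id ), $is_master_user );

		if ( ! $is_master_user ) {
			// Don't activate anything since we are just connecting a user.
			return 'linked';
		}

		$redirect_on_activation_error = isset( $data['auth_type'] ) && 'client' === $data['auth_type'];
		$active_modules               = Jetpack_Options::get_option( 'active_modules' );
		if ( $active_modules ) {
			// Restore the previously active modules instead of the defaults.
			Jetpack_Options::delete_option( 'active_modules' );
			Jetpack::activate_default_modules( 999, 1, $active_modules, $redirect_on_activation_error );
		} else {
			Jetpack::activate_default_modules( false, false, array(), $redirect_on_activation_error );
		}

		// Sync all registered options and constants
		/** This action is documented in class.jetpack.php */
		do_action( 'jetpack_sync_all_registered_options' );

		// Start nonce cleaner
		wp_clear_scheduled_hook( 'jetpack_clean_nonces' );
		wp_schedule_event( time(), 'hourly', 'jetpack_clean_nonces' );

		return 'authorized';
	}

	/**
	 * Records a first-time connection and increments the connection counter.
	 *
	 * On the very first connection the 'unique_connection' option is created and a
	 * one-off 'unique-connection' stat is sent; on every call 'connected' is bumped.
	 *
	 * @return void
	 */
	private function record_unique_connection() {
		$jetpack_unique_connection = Jetpack_Options::get_option( 'unique_connection' );

		// Checking if site has been active/connected previously before recording unique connection.
		// A missing or malformed (non-array) option is treated as "never connected".
		if ( ! is_array( $jetpack_unique_connection ) ) {
			// jetpack_unique_connection option has never been set
			$jetpack_unique_connection = array(
				'connected'    => 0,
				'disconnected' => 0,
				'version'      => '3.6.1',
			);

			// NOTE(review): Jetpack_Options::update_option( 'unique_connection', ... ) below
			// writes the same data; confirm whether this direct update_option() is still needed.
			update_option( 'jetpack_unique_connection', $jetpack_unique_connection );

			// track unique connection
			$jetpack = Jetpack::init();

			$jetpack->stat( 'connections', 'unique-connection' );
			$jetpack->do_stats( 'server_side' );
		}

		if ( ! isset( $jetpack_unique_connection['connected'] ) ) {
			$jetpack_unique_connection['connected'] = 0;
		}

		// increment number of times connected
		$jetpack_unique_connection['connected'] += 1;
		Jetpack_Options::update_option( 'unique_connection', $jetpack_unique_connection );
	}

	/**
	 * Deactivates a plugin by its basename, falling back to a lookup by plugin title.
	 *
	 * @param string $probable_file  Plugin basename (e.g. 'dir/plugin.php') expected to be active.
	 * @param string $probable_title Plugin 'Name' header used when $probable_file is not active.
	 * @return int 1 when a plugin was deactivated, 0 otherwise.
	 */
	public static function deactivate_plugin( $probable_file, $probable_title ) {
		include_once ABSPATH . 'wp-admin/includes/plugin.php';

		if ( is_plugin_active( $probable_file ) ) {
			deactivate_plugins( $probable_file );
			return 1;
		}

		// If the plugin is not in the usual place, try looking through all active plugins.
		// Strict string comparison avoids PHP's numeric-string juggling ("1e3" == "1000").
		$wanted_title = (string) $probable_title;
		foreach ( Jetpack::get_active_plugins() as $plugin ) {
			$plugin_data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
			if ( isset( $plugin_data['Name'] ) && $plugin_data['Name'] === $wanted_title ) {
				deactivate_plugins( $plugin );
				return 1;
			}
		}

		return 0;
	}

	/**
	 * Exchanges an authorization code for an access token at the WordPress.com token endpoint.
	 *
	 * Builds the 'authorization_code' grant request (client id and secret, code,
	 * redirect_uri), POSTs it, and validates the response: HTTP 200 with no
	 * 'error', a scalar 'access_token', a 'token_type' of X_JETPACK, and a 'scope'
	 * of the form "role:hmac" whose signature matches sign_role() for a role the
	 * current user actually holds the capability for.
	 *
	 * @param array $data Request parameters: 'code', and optionally 'redirect',
	 *                    'auth_type' and (for 'calypso') 'redirect_uri'.
	 * @return string|Jetpack_Error The access token, or a Jetpack_Error naming the
	 *                              failed check (carrying the upstream HTTP status
	 *                              as its data once a response was received).
	 */
	function get_token( $data ) {
		$jetpack = $this->get_jetpack();
		$role    = $jetpack->translate_current_user_to_role();

		if ( ! $role ) {
			return new Jetpack_Error( 'role', __( 'An administrator for this blog must set up the Jetpack connection.', 'jetpack' ) );
		}

		$client_secret = Jetpack_Data::get_access_token();
		if ( ! $client_secret ) {
			return new Jetpack_Error( 'client_secret', __( 'You need to register your Jetpack before connecting it.', 'jetpack' ) );
		}

		$redirect  = isset( $data['redirect'] ) ? esc_url_raw( (string) $data['redirect'] ) : '';
		$auth_type = isset( $data['auth_type'] ) ? $data['auth_type'] : '';

		if ( 'calypso' === $auth_type ) {
			$redirect_uri = isset( $data['redirect_uri'] ) ? $data['redirect_uri'] : null;
		} else {
			// The nonce must match the action client_authorize() verifies for the same role/redirect.
			$redirect_uri = add_query_arg( array(
				'action'   => 'authorize',
				'_wpnonce' => wp_create_nonce( "jetpack-authorize_{$role}_{$redirect}" ),
				'redirect' => $redirect ? urlencode( $redirect ) : false,
			), menu_page_url( 'jetpack', false ) );
		}

		$body = array(
			'client_id'     => Jetpack_Options::get_option( 'id' ),
			'client_secret' => $client_secret->secret,
			'grant_type'    => 'authorization_code',
			'code'          => $data['code'],
			'redirect_uri'  => $redirect_uri,
		);

		$args = array(
			'method'  => 'POST',
			'body'    => $body,
			'headers' => array(
				'Accept' => 'application/json',
			),
		);
		$response = Jetpack_Client::_wp_remote_request( Jetpack::fix_url_for_bad_hosts( Jetpack::api_url( 'token' ) ), $args );

		if ( is_wp_error( $response ) ) {
			return new Jetpack_Error( 'token_http_request_failed', $response->get_error_message() );
		}

		$code   = wp_remote_retrieve_response_code( $response );
		$entity = wp_remote_retrieve_body( $response );

		// Anything that is not a JSON object (empty body, invalid JSON, a bare scalar
		// or a list) is treated as "no usable response" rather than probed for properties.
		$decoded = $entity ? json_decode( $entity ) : null;
		$json    = is_object( $decoded ) ? $decoded : null;

		if ( 200 !== (int) $code || ! empty( $json->error ) ) {
			if ( empty( $json->error ) ) {
				return new Jetpack_Error( 'unknown', '', $code );
			}

			$error_code        = is_scalar( $json->error ) ? (string) $json->error : 'unknown';
			$error_description = ( isset( $json->error_description ) && is_scalar( $json->error_description ) )
				? sprintf( __( 'Error Details: %s', 'jetpack' ), (string) $json->error_description )
				: '';

			return new Jetpack_Error( $error_code, $error_description, $code );
		}

		if ( empty( $json->access_token ) || ! is_scalar( $json->access_token ) ) {
			return new Jetpack_Error( 'access_token', '', $code );
		}

		if ( empty( $json->token_type ) || ! is_string( $json->token_type ) || 'X_JETPACK' !== strtoupper( $json->token_type ) ) {
			return new Jetpack_Error( 'token_type', '', $code );
		}

		if ( empty( $json->scope ) || ! is_string( $json->scope ) ) {
			return new Jetpack_Error( 'scope', 'No Scope', $code );
		}

		// Scope is "role:hmac". An explicit split replaces the former error-suppressed list().
		$scope_parts = explode( ':', $json->scope );
		if ( count( $scope_parts ) < 2 || empty( $scope_parts[0] ) || empty( $scope_parts[1] ) ) {
			return new Jetpack_Error( 'scope', 'Malformed Scope', $code );
		}
		$role = $scope_parts[0];

		// The role in the scope is only trusted if the whole scope carries our own signature.
		if ( $jetpack->sign_role( $role ) !== $json->scope ) {
			return new Jetpack_Error( 'scope', 'Invalid Scope', $code );
		}

		$cap = $jetpack->translate_role_to_cap( $role );
		if ( ! $cap ) {
			return new Jetpack_Error( 'scope', 'No Cap', $code );
		}

		// The token must not grant more than the current user is allowed to do locally.
		if ( ! current_user_can( $cap ) ) {
			return new Jetpack_Error( 'scope', 'current_user_cannot', $code );
		}

		/**
		 * Fires after user has successfully received an auth token.
		 *
		 * @since 3.9.0
		 */
		do_action( 'jetpack_user_authorized' );

		return (string) $json->access_token;
	}

	/**
	 * Returns the Jetpack instance used by this class.
	 *
	 * @return Jetpack
	 */
	public function get_jetpack() {
		return Jetpack::init();
	}

	/**
	 * Instance-level wrapper around check_admin_referer() so it can be overridden.
	 *
	 * @param string $action Nonce action.
	 * @return mixed Whatever check_admin_referer() returns.
	 */
	public function check_admin_referer( $action ) {
		return check_admin_referer( $action );
	}

	/**
	 * Instance-level wrapper around wp_safe_redirect() so it can be overridden.
	 *
	 * @param string $redirect Redirect target.
	 * @return mixed Whatever wp_safe_redirect() returns.
	 */
	public function wp_safe_redirect( $redirect ) {
		return wp_safe_redirect( $redirect );
	}

	/**
	 * Terminates the request. Kept as its own method so callers can override it
	 * instead of exiting the process.
	 *
	 * @return void
	 */
	public function do_exit() {
		exit;
	}
}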