Issues in class-jetpack-wpcom-block-editor.php - New Issues - Inspection of "Removed the AMP-specific test since the previous t..." - Automattic/jetpack - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — fusion-sync/danroundhill/r2061... ( 6c7cf7...0f1caf )

by Jeremy

created 2020-04-24 18:24 UTC

class-jetpack-wpcom-block-editor.php (2 issues)

Labels

Unused Code 2

Severity

Minor 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * WordPress.com Block Editor
 * Allow new block editor posts to be composed on WordPress.com.
 * This is auto-loaded as of Jetpack v7.4 for sites connected to WordPress.com only.
 *
 * @package Jetpack
 */

/**
 * WordPress.com Block editor for Jetpack
 */
class Jetpack_WPCOM_Block_Editor {
	/**
	 * ID of the user who signed the nonce.
	 *
	 * @var int
	 */
	private $nonce_user_id;

	/**
	 * Singleton
	 */
	public static function init() {
		static $instance = false;

		if ( ! $instance ) {
			$instance = new Jetpack_WPCOM_Block_Editor();
		}

		return $instance;
	}

	/**
	 * Jetpack_WPCOM_Block_Editor constructor.
	 */
	private function __construct() {
		if ( $this->is_iframed_block_editor() ) {
			add_action( 'admin_init', array( $this, 'disable_send_frame_options_header' ), 9 );
			add_filter( 'admin_body_class', array( $this, 'add_iframed_body_class' ) );
		}

		add_action( 'login_init', array( $this, 'allow_block_editor_login' ), 1 );
		add_action( 'enqueue_block_editor_assets', array( $this, 'enqueue_block_editor_assets' ), 9 );
		add_action( 'enqueue_block_assets', array( $this, 'enqueue_block_assets' ) );
		add_filter( 'mce_external_plugins', array( $this, 'add_tinymce_plugins' ) );

		$this->enable_cross_site_auth_cookies();
	}

	/**
	 * Checks if we are embedding the block editor in an iframe in WordPress.com.
	 *
	 * @return bool Whether the current request is from the iframed block editor.
	 */
	public function is_iframed_block_editor() {
		global $pagenow;

		// phpcs:ignore WordPress.Security.NonceVerification
		return ( 'post.php' === $pagenow || 'post-new.php' === $pagenow ) && ! empty( $_GET['frame-nonce'] );
	}

	/**
	 * Prevents frame options header from firing if this is a whitelisted iframe request.
	 */
	public function disable_send_frame_options_header() {
		// phpcs:ignore WordPress.Security.NonceVerification
		if ( $this->framing_allowed( $_GET['frame-nonce'] ) ) {
			remove_action( 'admin_init', 'send_frame_options_header' );
		}
	}

	/**
	 * Adds custom admin body class if this is a whitelisted iframe request.
	 *
	 * @param string $classes Admin body classes.
	 * @return string
	 */
	public function add_iframed_body_class( $classes ) {
		// phpcs:ignore WordPress.Security.NonceVerification
		if ( $this->framing_allowed( $_GET['frame-nonce'] ) ) {
			$classes .= ' is-iframed ';
		}

		return $classes;
	}

	/**
	 * Allows to iframe the login page if a user is logged out
	 * while trying to access the block editor from wordpress.com.
	 */
	public function allow_block_editor_login() {
		// phpcs:ignore WordPress.Security.NonceVerification
		if ( empty( $_REQUEST['redirect_to'] ) ) {
			return;
		}

		// phpcs:ignore WordPress.Security.NonceVerification
		$query = wp_parse_url( urldecode( $_REQUEST['redirect_to'] ), PHP_URL_QUERY );

		$args  = wp_parse_args( $query );

		// Check nonce and make sure this is a Gutenframe request.
		if ( ! empty( $args['frame-nonce'] ) && $this->framing_allowed( $args['frame-nonce'] ) ) {

			// If SSO is active, we'll let WordPress.com handle authentication...
			if ( Jetpack::is_module_active( 'sso' ) ) {
				// ...but only if it's not an Atomic site. They already do that.
				if ( ! jetpack_is_atomic_site() ) {
					add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' );
				}
			} else {
				$_REQUEST['interim-login'] = true;
				add_action( 'wp_login', array( $this, 'do_redirect' ) );
				add_action( 'login_form', array( $this, 'add_login_html' ) );
				add_filter( 'wp_login_errors', array( $this, 'add_login_message' ) );
				remove_action( 'login_init', 'send_frame_options_header' );
				wp_add_inline_style( 'login', '.interim-login #login{padding-top:8%}' );
			}
		}
	}

	/**
	 * Adds a login message.
	 *
	 * Intended to soften the expectation mismatch of ending up with a login screen rather than the editor.
	 *
	 * @param WP_Error $errors WP Error object.
	 * @return \WP_Error
	 */
	public function add_login_message( $errors ) {
		$errors->remove( 'expired' );
		$errors->add( 'info', __( 'Before we continue, please log in to your Jetpack site.', 'jetpack' ), 'message' );

		return $errors;
	}

	/**
	 * Maintains the `redirect_to` parameter in login form links.
	 * Adds visual feedback of login in progress.
	 */
	public function add_login_html() {
		?>
		<input type="hidden" name="redirect_to" value="<?php echo esc_url( $_REQUEST['redirect_to'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended ?>" />
		<script type="application/javascript">
			document.getElementById( 'loginform' ).addEventListener( 'submit' , function() {
				document.getElementById( 'wp-submit' ).setAttribute( 'disabled', 'disabled' );
				document.getElementById( 'wp-submit' ).value = '<?php echo esc_js( __( 'Logging In...', 'jetpack' ) ); ?>';
			} );
		</script>
		<?php
	}

	/**
	 * Does the redirect to the block editor.
	 */
	public function do_redirect() {
		wp_safe_redirect( $GLOBALS['redirect_to'] );
		exit;
	}

	/**
	 * Checks whether this is a whitelisted iframe request.
	 *
	 * @param string $nonce Nonce to verify.
	 * @return bool
	 */
	public function framing_allowed( $nonce ) {
		$verified = $this->verify_frame_nonce( $nonce, 'frame-' . Jetpack_Options::get_option( 'id' ) );

		if ( is_wp_error( $verified ) ) {
			wp_die( $verified ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
		}

		if ( $verified && ! defined( 'IFRAME_REQUEST' ) ) {
			define( 'IFRAME_REQUEST', true );
		}

		return (bool) $verified;
	}

	/**
	 * Verify that correct nonce was used with time limit.
	 *
	 * The user is given an amount of time to use the token, so therefore, since the
	 * UID and $action remain the same, the independent variable is the time.
	 *
	 * @param string $nonce Nonce that was used in the form to verify.
	 * @param string $action Should give context to what is taking place and be the same when nonce was created.
	 * @return boolean|WP_Error Whether the nonce is valid.
	 */
	public function verify_frame_nonce( $nonce, $action ) {
		if ( empty( $nonce ) ) {
			return false;
		}

		list( $expiration, $user_id, $hash ) = explode( ':', $nonce, 3 );

		$this->nonce_user_id = (int) $user_id;
		if ( ! $this->nonce_user_id ) {
			return false;
		}

		$token = Jetpack_Data::get_access_token( $this->nonce_user_id );
		if ( ! $token ) {
			return false;
		}

		/*
		 * Failures must return `false` (blocking the iframe) prior to the
		 * signature verification.
		 */

		add_filter( 'salt', array( $this, 'filter_salt' ), 10, 2 );
		$expected_hash = wp_hash( "$expiration|$action|{$this->nonce_user_id}", 'jetpack_frame_nonce' );
		remove_filter( 'salt', array( $this, 'filter_salt' ) );

		if ( ! hash_equals( $hash, $expected_hash ) ) {
			return false;
		}

		/*
		 * Failures may return `WP_Error` (showing an error in the iframe) after the
		 * signature verification passes.
		 */

		if ( time() > $expiration ) {
			return new WP_Error( 'nonce_invalid_expired', 'Expired nonce.', array( 'status' => 401 ) );
		}

		// Check if it matches the current user, unless they're trying to log in.
		if ( get_current_user_id() !== $this->nonce_user_id && ! doing_action( 'login_init' ) ) {
			return new WP_Error( 'nonce_invalid_user_mismatch', 'User ID mismatch.', array( 'status' => 401 ) );
		}

		return true;
	}

	/**
	 * Filters the WordPress salt.
	 *
	 * @param string $salt Salt for the given scheme.
	 * @param string $scheme Authentication scheme.
	 * @return string
	 */
	public function filter_salt( $salt, $scheme ) {
		if ( 'jetpack_frame_nonce' === $scheme ) {
			$token = Jetpack_Data::get_access_token( $this->nonce_user_id );

			if ( $token ) {
				$salt = $token->secret;
			}
		}

		return $salt;
	}

	/**
	 * Enqueues the WordPress.com block editor integration assets for the editor.
	 */
	public function enqueue_block_editor_assets() {
		$debug   = defined( 'SCRIPT_DEBUG' ) && SCRIPT_DEBUG;
		$version = gmdate( 'Ymd' );

		wp_enqueue_script(
			'wpcom-block-editor-default-editor-script',
			$debug
				? '//widgets.wp.com/wpcom-block-editor/default.editor.js?minify=false'
				: '//widgets.wp.com/wpcom-block-editor/default.editor.min.js',
			array(
				'jquery',
				'lodash',
				'wp-compose',
				'wp-data',
				'wp-editor',
				'wp-element',
				'wp-rich-text',
			),
			$version,
			true
		);

		wp_localize_script(
			'wpcom-block-editor-default-editor-script',
			'wpcomGutenberg',
			array(
				'switchToClassic' => array(
					'isVisible' => $this->is_iframed_block_editor(),
					'label'     => __( 'Switch to Classic Editor', 'jetpack' ),
					'url'       => Jetpack_Calypsoify::getInstance()->get_switch_to_classic_editor_url(),
				),
				'richTextToolbar' => array(
					'justify'   => __( 'Justify', 'jetpack' ),
					'underline' => __( 'Underline', 'jetpack' ),
				),
			)
		);

		if ( jetpack_is_atomic_site() ) {
			wp_enqueue_script(
				'wpcom-block-editor-wpcom-editor-script',
				$debug
					? '//widgets.wp.com/wpcom-block-editor/wpcom.editor.js?minify=false'
					: '//widgets.wp.com/wpcom-block-editor/wpcom.editor.min.js',
				array(
					'lodash',
					'wp-blocks',
					'wp-data',
					'wp-dom-ready',
					'wp-plugins',
				),
				$version,
				true
			);
		}

		if ( $this->is_iframed_block_editor() ) {
			wp_enqueue_script(
				'wpcom-block-editor-calypso-editor-script',
				$debug
					? '//widgets.wp.com/wpcom-block-editor/calypso.editor.js?minify=false'
					: '//widgets.wp.com/wpcom-block-editor/calypso.editor.min.js',
				array(
					'calypsoify_wpadminmods_js',
					'jquery',
					'lodash',
					'react',
					'wp-blocks',
					'wp-data',
					'wp-hooks',
					'wp-tinymce',
					'wp-url',
				),
				$version,
				true
			);

			wp_enqueue_style(
				'wpcom-block-editor-calypso-editor-styles',
				$debug
					? '//widgets.wp.com/wpcom-block-editor/calypso.editor.css?minify=false'
					: '//widgets.wp.com/wpcom-block-editor/calypso.editor.min.css',
				array(),
				$version
			);
		}
	}

	/**
	 * Enqueues the WordPress.com block editor integration assets for both editor and front-end.
	 */
	public function enqueue_block_assets() {
		// These styles are manually copied from //widgets.wp.com/wpcom-block-editor/default.view.css in order to
		// improve the performance by avoiding an extra network request to download the CSS file on every page.
		wp_add_inline_style( 'wp-block-library', '.has-text-align-justify{text-align:justify;}' );
	}

	/**
	 * Determines if the current $post contains a justified paragraph block.
	 *
	 * @return boolean true if justified paragraph is found, false otherwise.
	 */
	public function has_justified_block() {
		global $post;
		if ( ! $post instanceof WP_Post ) {
			return false;
		};

		if ( ! has_blocks( $post ) ) {
			return false;
		}

		return false !== strpos( $post->post_content, '<!-- wp:paragraph {"align":"justify"' );
	}

	/**
	 * Register the Tiny MCE plugins for the WordPress.com block editor integration.
	 *
	 * @param array $plugin_array An array of external Tiny MCE plugins.
	 * @return array External TinyMCE plugins.
	 */
	public function add_tinymce_plugins( $plugin_array ) {
		if ( $this->is_iframed_block_editor() ) {
			$debug = defined( 'SCRIPT_DEBUG' ) && SCRIPT_DEBUG;

			$plugin_array['gutenberg-wpcom-iframe-media-modal'] = add_query_arg(
				'v',
				gmdate( 'YW' ),
				$debug
					? '//widgets.wp.com/wpcom-block-editor/calypso.tinymce.js?minify=false'
					: '//widgets.wp.com/wpcom-block-editor/calypso.tinymce.min.js'
			);
		}

		return $plugin_array;
	}

	/**
	 * Ensures the authentication cookies are designated for cross-site access.
	 */
	private function enable_cross_site_auth_cookies() {
		/**
		 * Allow plugins to disable the cross-site auth cookies.
		 *
		 * @since 8.1.1
		 *
		 * @param false bool Whether auth cookies should be disabled for cross-site access. False by default.
		 */
		if ( apply_filters( 'jetpack_disable_cross_site_auth_cookies', false ) ) {
			return;
		}

		add_action( 'set_auth_cookie', array( $this, 'set_samesite_auth_cookies' ), 10, 5 );
		add_action( 'set_logged_in_cookie', array( $this, 'set_samesite_logged_in_cookies' ), 10, 4 );
		add_action( 'clear_auth_cookie', array( $this, 'clear_auth_cookies' ) );
		add_filter( 'send_auth_cookies', '__return_false' );
	}

	/**
	 * Gets the SameSite attribute to use in auth cookies.
	 *
	 * @param  bool $secure Whether the connection is secure.
	 * @return string SameSite attribute to use on auth cookies.
	 */
	public function get_samesite_attr_for_auth_cookies( $secure ) {
		$samesite = $secure ? 'None' : 'Lax';
		/**
		 * Filters the SameSite attribute to use in auth cookies.
		 *
		 * @param string $samesite SameSite attribute to use in auth cookies.
		 *
		 * @since 8.1.1
		 */
		$samesite = apply_filters( 'jetpack_auth_cookie_samesite', $samesite );

		return $samesite;
	}

	/**
	 * Generates cross-site auth cookies so they can be accessed by WordPress.com.
	 *
	 * @param string $auth_cookie Authentication cookie value.
	 * @param int    $expire      The time the login grace period expires as a UNIX timestamp.
	 *                            Default is 12 hours past the cookie's expiration time.
	 * @param int    $expiration  The time when the authentication cookie expires as a UNIX timestamp.
	 *                            Default is 14 days from now.
	 * @param int    $user_id     User ID.
	 * @param string $scheme      Authentication scheme. Values include 'auth' or 'secure_auth'.
	 */
	public function set_samesite_auth_cookies( $auth_cookie, $expire, $expiration, $user_id, $scheme ) {
		if ( wp_startswith( $scheme, 'secure_' ) ) {
			$secure           = true;
			$auth_cookie_name = SECURE_AUTH_COOKIE;
		} else {
			$secure           = false;
			$auth_cookie_name = AUTH_COOKIE;
		}
		$samesite = $this->get_samesite_attr_for_auth_cookies( $secure );

		jetpack_shim_setcookie(
			$auth_cookie_name,
			$auth_cookie,
			array(
				'expires'  => $expire,
				'path'     => PLUGINS_COOKIE_PATH,
				'domain'   => COOKIE_DOMAIN,
				'secure'   => $secure,
				'httponly' => true,
				'samesite' => $samesite,
			)
		);

		jetpack_shim_setcookie(
			$auth_cookie_name,
			$auth_cookie,
			array(
				'expires'  => $expire,
				'path'     => ADMIN_COOKIE_PATH,
				'domain'   => COOKIE_DOMAIN,
				'secure'   => $secure,
				'httponly' => true,
				'samesite' => $samesite,
			)
		);
	}

	/**
	 * Generates cross-site logged in cookies so they can be accessed by WordPress.com.
	 *
	 * @param string $logged_in_cookie The logged-in cookie value.
	 * @param int    $expire           The time the login grace period expires as a UNIX timestamp.
	 *                                 Default is 12 hours past the cookie's expiration time.
	 * @param int    $expiration       The time when the logged-in cookie expires as a UNIX timestamp.
	 *                                 Default is 14 days from now.
	 * @param int    $user_id          User ID.
	 */
	public function set_samesite_logged_in_cookies( $logged_in_cookie, $expire, $expiration, $user_id ) {
		$secure = is_ssl();

		// Front-end cookie is secure when the auth cookie is secure and the site's home URL is forced HTTPS.
		$secure_logged_in_cookie = $secure && 'https' === wp_parse_url( get_option( 'home' ), PHP_URL_SCHEME );


		/** This filter is documented in core/src/wp-includes/pluggable.php */
		$secure = apply_filters( 'secure_auth_cookie', $secure, $user_id );

		/** This filter is documented in core/src/wp-includes/pluggable.php */
		$secure_logged_in_cookie = apply_filters( 'secure_logged_in_cookie', $secure_logged_in_cookie, $user_id, $secure );

		$samesite = $this->get_samesite_attr_for_auth_cookies( $secure_logged_in_cookie );

		jetpack_shim_setcookie(
			LOGGED_IN_COOKIE,
			$logged_in_cookie,
			array(
				'expires'  => $expire,
				'path'     => COOKIEPATH,
				'domain'   => COOKIE_DOMAIN,
				'secure'   => $secure_logged_in_cookie,
				'httponly' => true,
				'samesite' => $samesite,
			)
		);

		if ( COOKIEPATH !== SITECOOKIEPATH ) {
			jetpack_shim_setcookie(
				LOGGED_IN_COOKIE,
				$logged_in_cookie,
				array(
					'expires'  => $expire,
					'path'     => SITECOOKIEPATH,
					'domain'   => COOKIE_DOMAIN,
					'secure'   => $secure_logged_in_cookie,
					'httponly' => true,
					'samesite' => $samesite,
				)
			);
		}
	}

	/**
	 * Removes all of the cookies associated with authentication.
	 *
	 * This is copied from core's `wp_clear_auth_cookie` since disabling the core auth cookies prevents also the auth
	 * cookies from being cleared.
	 *
	 * @see wp_clear_auth_cookie
	 */
	public function clear_auth_cookies() {
		// Auth cookies.
		setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
		setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
		setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
		setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
		setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
		setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );

		// Settings cookies.
		setcookie( 'wp-settings-' . get_current_user_id(), ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );
		setcookie( 'wp-settings-time-' . get_current_user_id(), ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );

		// Old cookies.
		setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
		setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
		setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
		setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );

		// Even older cookies.
		setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
		setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
		setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
		setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );

		// Post password cookie.
		setcookie( 'wp-postpass_' . COOKIEHASH, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
	}
}

Jetpack_WPCOM_Block_Editor::init();


1			<?php
2			/**
3			* WordPress.com Block Editor
4			* Allow new block editor posts to be composed on WordPress.com.
5			* This is auto-loaded as of Jetpack v7.4 for sites connected to WordPress.com only.
6			*
7			* @package Jetpack
8			*/
9
10			/**
11			* WordPress.com Block editor for Jetpack
12			*/
13			class Jetpack_WPCOM_Block_Editor {
14			/**
15			* ID of the user who signed the nonce.
16			*
17			* @var int
18			*/
19			private $nonce_user_id;
20
21			/**
22			* Singleton
23			*/
24			public static function init() {
25			static $instance = false;
26
27			if ( ! $instance ) {
28			$instance = new Jetpack_WPCOM_Block_Editor();
29			}
30
31			return $instance;
32			}
33
34			/**
35			* Jetpack_WPCOM_Block_Editor constructor.
36			*/
37			private function __construct() {
38			if ( $this->is_iframed_block_editor() ) {
39			add_action( 'admin_init', array( $this, 'disable_send_frame_options_header' ), 9 );
40			add_filter( 'admin_body_class', array( $this, 'add_iframed_body_class' ) );
41			}
42
43			add_action( 'login_init', array( $this, 'allow_block_editor_login' ), 1 );
44			add_action( 'enqueue_block_editor_assets', array( $this, 'enqueue_block_editor_assets' ), 9 );
45			add_action( 'enqueue_block_assets', array( $this, 'enqueue_block_assets' ) );
46			add_filter( 'mce_external_plugins', array( $this, 'add_tinymce_plugins' ) );
47
48			$this->enable_cross_site_auth_cookies();
49			}
50
51			/**
52			* Checks if we are embedding the block editor in an iframe in WordPress.com.
53			*
54			* @return bool Whether the current request is from the iframed block editor.
55			*/
56			public function is_iframed_block_editor() {
57			global $pagenow;
58
59			// phpcs:ignore WordPress.Security.NonceVerification
60			return ( 'post.php' === $pagenow \|\| 'post-new.php' === $pagenow ) && ! empty( $_GET['frame-nonce'] );
61			}
62
63			/**
64			* Prevents frame options header from firing if this is a whitelisted iframe request.
65			*/
66			public function disable_send_frame_options_header() {
67			// phpcs:ignore WordPress.Security.NonceVerification
68			if ( $this->framing_allowed( $_GET['frame-nonce'] ) ) {
69			remove_action( 'admin_init', 'send_frame_options_header' );
70			}
71			}
72
73			/**
74			* Adds custom admin body class if this is a whitelisted iframe request.
75			*
76			* @param string $classes Admin body classes.
77			* @return string
78			*/
79			public function add_iframed_body_class( $classes ) {
80			// phpcs:ignore WordPress.Security.NonceVerification
81			if ( $this->framing_allowed( $_GET['frame-nonce'] ) ) {
82			$classes .= ' is-iframed ';
83			}
84
85			return $classes;
86			}
87
88			/**
89			* Allows to iframe the login page if a user is logged out
90			* while trying to access the block editor from wordpress.com.
91			*/
92			public function allow_block_editor_login() {
93			// phpcs:ignore WordPress.Security.NonceVerification
94			if ( empty( $_REQUEST['redirect_to'] ) ) {
95			return;
96			}
97
98			// phpcs:ignore WordPress.Security.NonceVerification
99			$query = wp_parse_url( urldecode( $_REQUEST['redirect_to'] ), PHP_URL_QUERY );
			0 ignored issues – show Unused Code introduced 2020-04-22 20:18 UTC by Report Bug Copy Issue Report Show Similar Issues like this The call to `wp_parse_url()` has too many arguments starting with `PHP_URL_QUERY`. This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue. If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress. In this case you can add the `@ignore` PhpDoc annotation to the duplicate definition and it will be ignored. Loading history...
100			$args = wp_parse_args( $query );
101
102			// Check nonce and make sure this is a Gutenframe request.
103			if ( ! empty( $args['frame-nonce'] ) && $this->framing_allowed( $args['frame-nonce'] ) ) {
104
105			// If SSO is active, we'll let WordPress.com handle authentication...
106			if ( Jetpack::is_module_active( 'sso' ) ) {
107			// ...but only if it's not an Atomic site. They already do that.
108			if ( ! jetpack_is_atomic_site() ) {
109			add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' );
110			}
111			} else {
112			$_REQUEST['interim-login'] = true;
113			add_action( 'wp_login', array( $this, 'do_redirect' ) );
114			add_action( 'login_form', array( $this, 'add_login_html' ) );
115			add_filter( 'wp_login_errors', array( $this, 'add_login_message' ) );
116			remove_action( 'login_init', 'send_frame_options_header' );
117			wp_add_inline_style( 'login', '.interim-login #login{padding-top:8%}' );
118			}
119			}
120			}
121
122			/**
123			* Adds a login message.
124			*
125			* Intended to soften the expectation mismatch of ending up with a login screen rather than the editor.
126			*
127			* @param WP_Error $errors WP Error object.
128			* @return \WP_Error
129			*/
130			public function add_login_message( $errors ) {
131			$errors->remove( 'expired' );
132			$errors->add( 'info', __( 'Before we continue, please log in to your Jetpack site.', 'jetpack' ), 'message' );
133
134			return $errors;
135			}
136
137			/**
138			* Maintains the `redirect_to` parameter in login form links.
139			* Adds visual feedback of login in progress.
140			*/
141			public function add_login_html() {
142			?>
143			<input type="hidden" name="redirect_to" value="<?php echo esc_url( $_REQUEST['redirect_to'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended ?>" />
144			<script type="application/javascript">
145			document.getElementById( 'loginform' ).addEventListener( 'submit' , function() {
146			document.getElementById( 'wp-submit' ).setAttribute( 'disabled', 'disabled' );
147			document.getElementById( 'wp-submit' ).value = '<?php echo esc_js( __( 'Logging In...', 'jetpack' ) ); ?>';
148			} );
149			</script>
150			<?php
151			}
152
153			/**
154			* Does the redirect to the block editor.
155			*/
156			public function do_redirect() {
157			wp_safe_redirect( $GLOBALS['redirect_to'] );
158			exit;
159			}
160
161			/**
162			* Checks whether this is a whitelisted iframe request.
163			*
164			* @param string $nonce Nonce to verify.
165			* @return bool
166			*/
167			public function framing_allowed( $nonce ) {
168			$verified = $this->verify_frame_nonce( $nonce, 'frame-' . Jetpack_Options::get_option( 'id' ) );
169
170			if ( is_wp_error( $verified ) ) {
171			wp_die( $verified ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
172			}
173
174			if ( $verified && ! defined( 'IFRAME_REQUEST' ) ) {
175			define( 'IFRAME_REQUEST', true );
176			}
177
178			return (bool) $verified;
179			}
180
181			/**
182			* Verify that correct nonce was used with time limit.
183			*
184			* The user is given an amount of time to use the token, so therefore, since the
185			* UID and $action remain the same, the independent variable is the time.
186			*
187			* @param string $nonce Nonce that was used in the form to verify.
188			* @param string $action Should give context to what is taking place and be the same when nonce was created.
189			* @return boolean\|WP_Error Whether the nonce is valid.
190			*/
191			public function verify_frame_nonce( $nonce, $action ) {
192			if ( empty( $nonce ) ) {
193			return false;
194			}
195
196			list( $expiration, $user_id, $hash ) = explode( ':', $nonce, 3 );
197
198			$this->nonce_user_id = (int) $user_id;
199			if ( ! $this->nonce_user_id ) {
200			return false;
201			}
202
203			$token = Jetpack_Data::get_access_token( $this->nonce_user_id );
204			if ( ! $token ) {
205			return false;
206			}
207
208			/*
209			* Failures must return `false` (blocking the iframe) prior to the
210			* signature verification.
211			*/
212
213			add_filter( 'salt', array( $this, 'filter_salt' ), 10, 2 );
214			$expected_hash = wp_hash( "$expiration\|$action\|{$this->nonce_user_id}", 'jetpack_frame_nonce' );
215			remove_filter( 'salt', array( $this, 'filter_salt' ) );
216
217			if ( ! hash_equals( $hash, $expected_hash ) ) {
218			return false;
219			}
220
221			/*
222			* Failures may return `WP_Error` (showing an error in the iframe) after the
223			* signature verification passes.
224			*/
225
226			if ( time() > $expiration ) {
227			return new WP_Error( 'nonce_invalid_expired', 'Expired nonce.', array( 'status' => 401 ) );
228			}
229
230			// Check if it matches the current user, unless they're trying to log in.
231			if ( get_current_user_id() !== $this->nonce_user_id && ! doing_action( 'login_init' ) ) {
232			return new WP_Error( 'nonce_invalid_user_mismatch', 'User ID mismatch.', array( 'status' => 401 ) );
233			}
234
235			return true;
236			}
237
238			/**
239			* Filters the WordPress salt.
240			*
241			* @param string $salt Salt for the given scheme.
242			* @param string $scheme Authentication scheme.
243			* @return string
244			*/
245			public function filter_salt( $salt, $scheme ) {
246			if ( 'jetpack_frame_nonce' === $scheme ) {
247			$token = Jetpack_Data::get_access_token( $this->nonce_user_id );
248
249			if ( $token ) {
250			$salt = $token->secret;
251			}
252			}
253
254			return $salt;
255			}
256
257			/**
258			* Enqueues the WordPress.com block editor integration assets for the editor.
259			*/
260			public function enqueue_block_editor_assets() {
261			$debug = defined( 'SCRIPT_DEBUG' ) && SCRIPT_DEBUG;
262			$version = gmdate( 'Ymd' );
263
264			wp_enqueue_script(
265			'wpcom-block-editor-default-editor-script',
266			$debug
267			? '//widgets.wp.com/wpcom-block-editor/default.editor.js?minify=false'
268			: '//widgets.wp.com/wpcom-block-editor/default.editor.min.js',
269			array(
270			'jquery',
271			'lodash',
272			'wp-compose',
273			'wp-data',
274			'wp-editor',
275			'wp-element',
276			'wp-rich-text',
277			),
278			$version,
279			true
280			);
281
282			wp_localize_script(
283			'wpcom-block-editor-default-editor-script',
284			'wpcomGutenberg',
285			array(
286			'switchToClassic' => array(
287			'isVisible' => $this->is_iframed_block_editor(),
288			'label' => __( 'Switch to Classic Editor', 'jetpack' ),
289			'url' => Jetpack_Calypsoify::getInstance()->get_switch_to_classic_editor_url(),
290			),
291			'richTextToolbar' => array(
292			'justify' => __( 'Justify', 'jetpack' ),
293			'underline' => __( 'Underline', 'jetpack' ),
294			),
295			)
296			);
297
298			if ( jetpack_is_atomic_site() ) {
299			wp_enqueue_script(
300			'wpcom-block-editor-wpcom-editor-script',
301			$debug
302			? '//widgets.wp.com/wpcom-block-editor/wpcom.editor.js?minify=false'
303			: '//widgets.wp.com/wpcom-block-editor/wpcom.editor.min.js',
304			array(
305			'lodash',
306			'wp-blocks',
307			'wp-data',
308			'wp-dom-ready',
309			'wp-plugins',
310			),
311			$version,
312			true
313			);
314			}
315
316			if ( $this->is_iframed_block_editor() ) {
317			wp_enqueue_script(
318			'wpcom-block-editor-calypso-editor-script',
319			$debug
320			? '//widgets.wp.com/wpcom-block-editor/calypso.editor.js?minify=false'
321			: '//widgets.wp.com/wpcom-block-editor/calypso.editor.min.js',
322			array(
323			'calypsoify_wpadminmods_js',
324			'jquery',
325			'lodash',
326			'react',
327			'wp-blocks',
328			'wp-data',
329			'wp-hooks',
330			'wp-tinymce',
331			'wp-url',
332			),
333			$version,
334			true
335			);
336
337			wp_enqueue_style(
338			'wpcom-block-editor-calypso-editor-styles',
339			$debug
340			? '//widgets.wp.com/wpcom-block-editor/calypso.editor.css?minify=false'
341			: '//widgets.wp.com/wpcom-block-editor/calypso.editor.min.css',
342			array(),
343			$version
344			);
345			}
346			}
347
348			/**
349			* Enqueues the WordPress.com block editor integration assets for both editor and front-end.
350			*/
351			public function enqueue_block_assets() {
352			// These styles are manually copied from //widgets.wp.com/wpcom-block-editor/default.view.css in order to
353			// improve the performance by avoiding an extra network request to download the CSS file on every page.
354			wp_add_inline_style( 'wp-block-library', '.has-text-align-justify{text-align:justify;}' );
355			}
356
357			/**
358			* Determines if the current $post contains a justified paragraph block.
359			*
360			* @return boolean true if justified paragraph is found, false otherwise.
361			*/
362			public function has_justified_block() {
363			global $post;
364			if ( ! $post instanceof WP_Post ) {
365			return false;
366			};
367
368			if ( ! has_blocks( $post ) ) {
369			return false;
370			}
371
372			return false !== strpos( $post->post_content, '<!-- wp:paragraph {"align":"justify"' );
373			}
374
375			/**
376			* Register the Tiny MCE plugins for the WordPress.com block editor integration.
377			*
378			* @param array $plugin_array An array of external Tiny MCE plugins.
379			* @return array External TinyMCE plugins.
380			*/
381			public function add_tinymce_plugins( $plugin_array ) {
382			if ( $this->is_iframed_block_editor() ) {
383			$debug = defined( 'SCRIPT_DEBUG' ) && SCRIPT_DEBUG;
384
385			$plugin_array['gutenberg-wpcom-iframe-media-modal'] = add_query_arg(
386			'v',
387			gmdate( 'YW' ),
388			$debug
389			? '//widgets.wp.com/wpcom-block-editor/calypso.tinymce.js?minify=false'
390			: '//widgets.wp.com/wpcom-block-editor/calypso.tinymce.min.js'
391			);
392			}
393
394			return $plugin_array;
395			}
396
397			/**
398			* Ensures the authentication cookies are designated for cross-site access.
399			*/
400			private function enable_cross_site_auth_cookies() {
401			/**
402			* Allow plugins to disable the cross-site auth cookies.
403			*
404			* @since 8.1.1
405			*
406			* @param false bool Whether auth cookies should be disabled for cross-site access. False by default.
407			*/
408			if ( apply_filters( 'jetpack_disable_cross_site_auth_cookies', false ) ) {
409			return;
410			}
411
412			add_action( 'set_auth_cookie', array( $this, 'set_samesite_auth_cookies' ), 10, 5 );
413			add_action( 'set_logged_in_cookie', array( $this, 'set_samesite_logged_in_cookies' ), 10, 4 );
414			add_action( 'clear_auth_cookie', array( $this, 'clear_auth_cookies' ) );
415			add_filter( 'send_auth_cookies', '__return_false' );
416			}
417
418			/**
419			* Gets the SameSite attribute to use in auth cookies.
420			*
421			* @param bool $secure Whether the connection is secure.
422			* @return string SameSite attribute to use on auth cookies.
423			*/
424			public function get_samesite_attr_for_auth_cookies( $secure ) {
425			$samesite = $secure ? 'None' : 'Lax';
426			/**
427			* Filters the SameSite attribute to use in auth cookies.
428			*
429			* @param string $samesite SameSite attribute to use in auth cookies.
430			*
431			* @since 8.1.1
432			*/
433			$samesite = apply_filters( 'jetpack_auth_cookie_samesite', $samesite );
434
435			return $samesite;
436			}
437
438			/**
439			* Generates cross-site auth cookies so they can be accessed by WordPress.com.
440			*
441			* @param string $auth_cookie Authentication cookie value.
442			* @param int $expire The time the login grace period expires as a UNIX timestamp.
443			* Default is 12 hours past the cookie's expiration time.
444			* @param int $expiration The time when the authentication cookie expires as a UNIX timestamp.
445			* Default is 14 days from now.
446			* @param int $user_id User ID.
447			* @param string $scheme Authentication scheme. Values include 'auth' or 'secure_auth'.
448			*/
449			public function set_samesite_auth_cookies( $auth_cookie, $expire, $expiration, $user_id, $scheme ) {
450			if ( wp_startswith( $scheme, 'secure_' ) ) {
451			$secure = true;
452			$auth_cookie_name = SECURE_AUTH_COOKIE;
453			} else {
454			$secure = false;
455			$auth_cookie_name = AUTH_COOKIE;
456			}
457			$samesite = $this->get_samesite_attr_for_auth_cookies( $secure );
458
459			jetpack_shim_setcookie(
460			$auth_cookie_name,
461			$auth_cookie,
462			array(
463			'expires' => $expire,
464			'path' => PLUGINS_COOKIE_PATH,
465			'domain' => COOKIE_DOMAIN,
466			'secure' => $secure,
467			'httponly' => true,
468			'samesite' => $samesite,
469			)
470			);
471
472			jetpack_shim_setcookie(
473			$auth_cookie_name,
474			$auth_cookie,
475			array(
476			'expires' => $expire,
477			'path' => ADMIN_COOKIE_PATH,
478			'domain' => COOKIE_DOMAIN,
479			'secure' => $secure,
480			'httponly' => true,
481			'samesite' => $samesite,
482			)
483			);
484			}
485
486			/**
487			* Generates cross-site logged in cookies so they can be accessed by WordPress.com.
488			*
489			* @param string $logged_in_cookie The logged-in cookie value.
490			* @param int $expire The time the login grace period expires as a UNIX timestamp.
491			* Default is 12 hours past the cookie's expiration time.
492			* @param int $expiration The time when the logged-in cookie expires as a UNIX timestamp.
493			* Default is 14 days from now.
494			* @param int $user_id User ID.
495			*/
496			public function set_samesite_logged_in_cookies( $logged_in_cookie, $expire, $expiration, $user_id ) {
497			$secure = is_ssl();
498
499			// Front-end cookie is secure when the auth cookie is secure and the site's home URL is forced HTTPS.
500			$secure_logged_in_cookie = $secure && 'https' === wp_parse_url( get_option( 'home' ), PHP_URL_SCHEME );
			0 ignored issues – show Unused Code introduced 2020-04-22 20:18 UTC by Report Bug Copy Issue Report Show Similar Issues like this The call to `wp_parse_url()` has too many arguments starting with `PHP_URL_SCHEME`. This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue. If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress. In this case you can add the `@ignore` PhpDoc annotation to the duplicate definition and it will be ignored. Loading history...
501
502			/** This filter is documented in core/src/wp-includes/pluggable.php */
503			$secure = apply_filters( 'secure_auth_cookie', $secure, $user_id );
504
505			/** This filter is documented in core/src/wp-includes/pluggable.php */
506			$secure_logged_in_cookie = apply_filters( 'secure_logged_in_cookie', $secure_logged_in_cookie, $user_id, $secure );
507
508			$samesite = $this->get_samesite_attr_for_auth_cookies( $secure_logged_in_cookie );
509
510			jetpack_shim_setcookie(
511			LOGGED_IN_COOKIE,
512			$logged_in_cookie,
513			array(
514			'expires' => $expire,
515			'path' => COOKIEPATH,
516			'domain' => COOKIE_DOMAIN,
517			'secure' => $secure_logged_in_cookie,
518			'httponly' => true,
519			'samesite' => $samesite,
520			)
521			);
522
523			if ( COOKIEPATH !== SITECOOKIEPATH ) {
524			jetpack_shim_setcookie(
525			LOGGED_IN_COOKIE,
526			$logged_in_cookie,
527			array(
528			'expires' => $expire,
529			'path' => SITECOOKIEPATH,
530			'domain' => COOKIE_DOMAIN,
531			'secure' => $secure_logged_in_cookie,
532			'httponly' => true,
533			'samesite' => $samesite,
534			)
535			);
536			}
537			}
538
539			/**
540			* Removes all of the cookies associated with authentication.
541			*
542			* This is copied from core's `wp_clear_auth_cookie` since disabling the core auth cookies prevents also the auth
543			* cookies from being cleared.
544			*
545			* @see wp_clear_auth_cookie
546			*/
547			public function clear_auth_cookies() {
548			// Auth cookies.
549			setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
550			setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
551			setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
552			setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
553			setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
554			setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
555
556			// Settings cookies.
557			setcookie( 'wp-settings-' . get_current_user_id(), ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );
558			setcookie( 'wp-settings-time-' . get_current_user_id(), ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );
559
560			// Old cookies.
561			setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
562			setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
563			setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
564			setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
565
566			// Even older cookies.
567			setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
568			setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
569			setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
570			setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
571
572			// Post password cookie.
573			setcookie( 'wp-postpass_' . COOKIEHASH, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
574			}
575			}
576
577			Jetpack_WPCOM_Block_Editor::init();
578

Automattic / jetpack

Push — fusion-sync/danroundhill/r2061... ( 6c7cf7...0f1caf )

class-jetpack-wpcom-block-editor.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like