Issues in class.jetpack-xmlrpc-server.php - Fixed Issues - Inspection of "New build" - Automattic/jetpack - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master-stable ( 20f0b5...af901c )

unknown

created 2016-08-10 15:05 UTC

class.jetpack-xmlrpc-server.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * Just a sack of functions.  Not actually an IXR_Server
 */
class Jetpack_XMLRPC_Server {
	/**
	 * The current error object
	 */
	public $error = null;

	/**
	 * Whitelist of the XML-RPC methods available to the Jetpack Server. If the
	 * user is not authenticated (->login()) then the methods are never added,
	 * so they will get a "does not exist" error.
	 */
	function xmlrpc_methods( $core_methods ) {
		$jetpack_methods = array(
			'jetpack.jsonAPI'      => array( $this, 'json_api' ),
			'jetpack.verifyAction' => array( $this, 'verify_action' ),
		);

		$user = $this->login();

		if ( $user ) {
			$jetpack_methods = array_merge( $jetpack_methods, array(
				'jetpack.testConnection'    => array( $this, 'test_connection' ),
				'jetpack.testAPIUserCode'   => array( $this, 'test_api_user_code' ),
				'jetpack.featuresAvailable' => array( $this, 'features_available' ),
				'jetpack.featuresEnabled'   => array( $this, 'features_enabled' ),
				'jetpack.disconnectBlog'    => array( $this, 'disconnect_blog' ),
				'jetpack.unlinkUser'        => array( $this, 'unlink_user' ),
			) );

			if ( isset( $core_methods['metaWeblog.editPost'] ) ) {
				$jetpack_methods['metaWeblog.newMediaObject'] = $core_methods['metaWeblog.newMediaObject'];
				$jetpack_methods['jetpack.updateAttachmentParent'] = array( $this, 'update_attachment_parent' );
			}

			/**
			 * Filters the XML-RPC methods available to Jetpack for authenticated users.
			 *
			 * @since 1.1.0
			 *
			 * @param array $jetpack_methods XML-RPC methods available to the Jetpack Server.
			 * @param array $core_methods Available core XML-RPC methods.
			 * @param WP_User $user Information about a given WordPress user.
			 */
			$jetpack_methods = apply_filters( 'jetpack_xmlrpc_methods', $jetpack_methods, $core_methods, $user );
		}

		/**
		 * Filters the XML-RPC methods available to Jetpack for unauthenticated users.
		 *
		 * @since 3.0.0
		 *
		 * @param array $jetpack_methods XML-RPC methods available to the Jetpack Server.
		 * @param array $core_methods Available core XML-RPC methods.
		 */
		return apply_filters( 'jetpack_xmlrpc_unauthenticated_methods', $jetpack_methods, $core_methods );
	}

	/**
	 * Whitelist of the bootstrap XML-RPC methods
	 */
	function bootstrap_xmlrpc_methods() {
		return array(
			'jetpack.verifyRegistration' => array( $this, 'verify_registration' ),
			'jetpack.remoteAuthorize' => array( $this, 'remote_authorize' ),
		);
	}

	function authorize_xmlrpc_methods() {
		return array(
			'jetpack.remoteAuthorize' => array( $this, 'remote_authorize' ),
			'jetpack.activateManage'    => array( $this, 'activate_manage' ),
		);
	}

	function activate_manage( $request ) {
		foreach( array( 'secret', 'state' ) as $required ) {
			if ( ! isset( $request[ $required ] ) || empty( $request[ $required ] ) ) {
				return $this->error( new Jetpack_Error( 'missing_parameter', 'One or more parameters is missing from the request.', 400 ) );
			}
		}
		$verified = $this->verify_action( array( 'activate_manage', $request['secret'], $request['state'] ) );
		if ( is_a( $verified, 'IXR_Error' ) ) {
			return $verified;
		}
		$activated = Jetpack::activate_module( 'manage', false, false );
		if ( false === $activated || ! Jetpack::is_module_active( 'manage' ) ) {
			return $this->error( new Jetpack_Error( 'activation_error', 'There was an error while activating the module.', 500 ) );
		}
		return 'active';
	}

	function remote_authorize( $request ) {
		foreach( array( 'secret', 'state', 'redirect_uri', 'code' ) as $required ) {
			if ( ! isset( $request[ $required ] ) || empty( $request[ $required ] ) ) {
				return $this->error( new Jetpack_Error( 'missing_parameter', 'One or more parameters is missing from the request.', 400 ) );
			}
		}

		if ( ! get_user_by( 'id', $request['state'] ) ) {
			return $this->error( new Jetpack_Error( 'user_unknown', 'User not found.', 404 ) );
		}

		if ( Jetpack::is_active() && Jetpack::is_user_connected( $request['state'] ) ) {
			return $this->error( new Jetpack_Error( 'already_connected', 'User already connected.', 400 ) );
		}

		$verified = $this->verify_action( array( 'authorize', $request['secret'], $request['state'] ) );

		if ( is_a( $verified, 'IXR_Error' ) ) {
			return $verified;
		}

		wp_set_current_user( $request['state'] );

		$client_server = new Jetpack_Client_Server;
		$result = $client_server->authorize( $request );

		if ( is_wp_error( $result ) ) {
			return $this->error( $result );
		}
		// Creates a new secret, allowing someone to activate the manage module for up to 1 day after authorization.
		$secrets = Jetpack::init()->generate_secrets( 'activate_manage', DAY_IN_SECONDS );
		@list( $secret ) = explode( ':', $secrets );
		$response = array(
			'result' => $result,
			'activate_manage' => $secret,
		);
		return $response;
	}

	/**
	* Verifies that Jetpack.WordPress.com received a registration request from this site
	*/
	function verify_registration( $data ) {
		return $this->verify_action( array( 'register', $data[0], $data[1] ) );
	}

	/**
	 * @return WP_Error|string secret_2 on success, WP_Error( error_code => error_code, error_message => error description, error_data => status code ) on failure
	 *
	 * Possible error_codes:
	 *
	 * verify_secret_1_missing
	 * verify_secret_1_malformed
	 * verify_secrets_missing: No longer have verification secrets stored
	 * verify_secrets_mismatch: stored secret_1 does not match secret_1 sent by Jetpack.WordPress.com
	 *
	 * The 'authorize' and 'register' actions have additional error codes
	 *
	 * state_missing: a state ( user id ) was not supplied
	 * state_malformed: state is not the correct data type
	 * invalid_state: supplied state does not match the stored state
	 */
	function verify_action( $params ) {
		$action = $params[0];
		$verify_secret = $params[1];
		$state = isset( $params[2] ) ? $params[2] : '';

		if ( empty( $verify_secret ) ) {
			return $this->error( new Jetpack_Error( 'verify_secret_1_missing', sprintf( 'The required "%s" parameter is missing.', 'secret_1' ), 400 ) );
		} else if ( ! is_string( $verify_secret ) ) {
			return $this->error( new Jetpack_Error( 'verify_secret_1_malformed', sprintf( 'The required "%s" parameter is malformed.', 'secret_1' ), 400 ) );
		}

		$secrets = Jetpack_Options::get_option( $action );
		if ( !$secrets || is_wp_error( $secrets ) ) {
			Jetpack_Options::delete_option( $action );
			return $this->error( new Jetpack_Error( 'verify_secrets_missing', 'Verification took too long', 400 ) );
		}

		@list( $secret_1, $secret_2, $secret_eol, $user_id ) = explode( ':', $secrets );

		if ( empty( $secret_1 ) || empty( $secret_2 ) || empty( $secret_eol ) || $secret_eol < time() ) {
			Jetpack_Options::delete_option( $action );
			return $this->error( new Jetpack_Error( 'verify_secrets_missing', 'Verification took too long', 400 ) );
		}

		if ( ! hash_equals( $verify_secret, $secret_1 ) ) {
			Jetpack_Options::delete_option( $action );
			return $this->error( new Jetpack_Error( 'verify_secrets_mismatch', 'Secret mismatch', 400 ) );
		}

		if ( in_array( $action, array( 'authorize', 'register' ) ) ) {
			// 'authorize' and 'register' actions require further testing
			if ( empty( $state ) ) {
				return $this->error( new Jetpack_Error( 'state_missing', sprintf( 'The required "%s" parameter is missing.', 'state' ), 400 ) );
			} else if ( ! ctype_digit( $state ) ) {
				return $this->error( new Jetpack_Error( 'state_malformed', sprintf( 'The required "%s" parameter is malformed.', 'state' ), 400 ) );
			}
			if ( empty( $user_id ) || $user_id !== $state ) {
				Jetpack_Options::delete_option( $action );
				return $this->error( new Jetpack_Error( 'invalid_state', 'State is invalid', 400 ) );
			}
		}

		Jetpack_Options::delete_option( $action );

		return $secret_2;
	}

	/**
	 * Wrapper for wp_authenticate( $username, $password );
	 *
	 * @return WP_User|IXR_Error
	 */
	function login() {
		Jetpack::init()->require_jetpack_authentication();
		$user = wp_authenticate( 'username', 'password' );
		if ( is_wp_error( $user ) ) {
			if ( 'authentication_failed' == $user->get_error_code() ) { // Generic error could mean most anything.
				$this->error = new Jetpack_Error( 'invalid_request', 'Invalid Request', 403 );
			} else {
				$this->error = $user;
			}
			return false;
		} else if ( !$user ) { // Shouldn't happen.
			$this->error = new Jetpack_Error( 'invalid_request', 'Invalid Request', 403 );
			return false;
		}

		return $user;
	}

	/**
	 * Returns the current error as an IXR_Error
	 *
	 * @return null|IXR_Error
	 */
	function error( $error = null ) {
		if ( !is_null( $error ) ) {
			$this->error = $error;
		}

		if ( is_wp_error( $this->error ) ) {
			$code = $this->error->get_error_data();
			if ( !$code ) {
				$code = -10520;
			}
			$message = sprintf( 'Jetpack: [%s] %s', $this->error->get_error_code(), $this->error->get_error_message() );
			return new IXR_Error( $code, $message );
		} else if ( is_a( $this->error, 'IXR_Error' ) ) {
			return $this->error;
		}

		return false;
	}

/* API Methods */

	/**
	 * Just authenticates with the given Jetpack credentials.
	 *
	 * @return bool|IXR_Error
	 */
	function test_connection() {
		return JETPACK__VERSION;
	}

	function test_api_user_code( $args ) {
		$client_id = (int) $args[0];
		$user_id   = (int) $args[1];
		$nonce     = (string) $args[2];
		$verify    = (string) $args[3];

		if ( !$client_id || !$user_id || !strlen( $nonce ) || 32 !== strlen( $verify ) ) {
			return false;
		}

		$user = get_user_by( 'id', $user_id );
		if ( !$user || is_wp_error( $user ) ) {
			return false;
		}

		/* debugging
		error_log( "CLIENT: $client_id" );
		error_log( "USER:   $user_id" );
		error_log( "NONCE:  $nonce" );
		error_log( "VERIFY: $verify" );
		*/

		$jetpack_token = Jetpack_Data::get_access_token( JETPACK_MASTER_USER );

		$api_user_code = get_user_meta( $user_id, "jetpack_json_api_$client_id", true );
		if ( !$api_user_code ) {
			return false;
		}

		$hmac = hash_hmac( 'md5', json_encode( (object) array(
			'client_id' => (int) $client_id,
			'user_id'   => (int) $user_id,
			'nonce'     => (string) $nonce,
			'code'      => (string) $api_user_code,
		) ), $jetpack_token->secret );

		if ( ! hash_equals( $hmac, $verify ) ) {
			return false;
		}

		return $user_id;
	}

	/**
	* Disconnect this blog from the connected wordpress.com account
	* @return boolean
	*/
	function disconnect_blog() {
		Jetpack::log( 'disconnect' );
		Jetpack::disconnect();

		return true;
	}

	/**
	 * Unlink a user from WordPress.com
	 *
	 * This will fail if called by the Master User.
	 */
	function unlink_user() {
		Jetpack::log( 'unlink' );
		return Jetpack::unlink_user();
	}

	/**
	 * Returns what features are available. Uses the slug of the module files.
	 *
	 * @return array|IXR_Error
	 */
	function features_available() {
		$raw_modules = Jetpack::get_available_modules();
		$modules = array();
		foreach ( $raw_modules as $module ) {
			$modules[] = Jetpack::get_module_slug( $module );
		}

		return $modules;
	}

	/**
	 * Returns what features are enabled. Uses the slug of the modules files.
	 *
	 * @return array|IXR_Error
	 */
	function features_enabled() {
		$raw_modules = Jetpack::get_active_modules();
		$modules = array();
		foreach ( $raw_modules as $module ) {
			$modules[] = Jetpack::get_module_slug( $module );
		}

		return $modules;
	}

	function update_attachment_parent( $args ) {
		$attachment_id = (int) $args[0];
		$parent_id     = (int) $args[1];

		return wp_update_post( array(
			'ID'          => $attachment_id,
			'post_parent' => $parent_id,
		) );
	}

	function json_api( $args = array() ) {
		$json_api_args = $args[0];
		$verify_api_user_args = $args[1];

		$method       = (string) $json_api_args[0];
		$url          = (string) $json_api_args[1];
		$post_body    = is_null( $json_api_args[2] ) ? null : (string) $json_api_args[2];
		$user_details = (array) $json_api_args[4];
		$locale       = (string) $json_api_args[5];

		if ( !$verify_api_user_args ) {
			$user_id = 0;
		} elseif ( 'internal' === $verify_api_user_args[0] ) {
			$user_id = (int) $verify_api_user_args[1];
			if ( $user_id ) {
				$user = get_user_by( 'id', $user_id );
				if ( !$user || is_wp_error( $user ) ) {
					return false;
				}
			}
		} else {
			$user_id = call_user_func( array( $this, 'test_api_user_code' ), $verify_api_user_args );
			if ( !$user_id ) {
				return false;
			}
		}

		/* debugging
		error_log( "-- begin json api via jetpack debugging -- " );
		error_log( "METHOD: $method" );
		error_log( "URL: $url" );
		error_log( "POST BODY: $post_body" );
		error_log( "VERIFY_ARGS: " . print_r( $verify_api_user_args, 1 ) );
		error_log( "VERIFIED USER_ID: " . (int) $user_id );
		error_log( "-- end json api via jetpack debugging -- " );
		*/

		if ( 'en' !== $locale ) {
			// .org mo files are named slightly different from .com, and all we have is this the locale -- try to guess them.
			$new_locale = $locale;
			if ( strpos( $locale, '-' ) !== false ) {
				$pieces = explode( '-', $locale );
$myVar = 'Value';
$higher = false;

if (rand(1, 6) > 3) {
    $higher = true;
} else {
    $higher = false;
}
				$new_locale = $locale_pieces[0];

				$new_locale .= ( ! empty( $locale_pieces[1] ) ) ? '_' . strtoupper( $locale_pieces[1] ) : '';

			} else {
				// .com might pass 'fr' because thats what our language files are named as, where core seems
				// to do fr_FR - so try that if we don't think we can load the file.
				if ( ! file_exists( WP_LANG_DIR . '/' . $locale . '.mo' ) ) {
					$new_locale =  $locale . '_' . strtoupper( $locale );
				}
			}

			if ( file_exists( WP_LANG_DIR . '/' . $new_locale . '.mo' ) ) {
				unload_textdomain( 'default' );
				load_textdomain( 'default', WP_LANG_DIR . '/' . $new_locale . '.mo' );
			}
		}

		$old_user = wp_get_current_user();
		wp_set_current_user( $user_id );

		$token = Jetpack_Data::get_access_token( get_current_user_id() );
		if ( !$token || is_wp_error( $token ) ) {
			return false;
		}

		define( 'REST_API_REQUEST', true );
		define( 'WPCOM_JSON_API__BASE', 'public-api.wordpress.com/rest/v1' );

		// needed?
		require_once ABSPATH . 'wp-admin/includes/admin.php';

		require_once JETPACK__PLUGIN_DIR . 'class.json-api.php';
		$api = WPCOM_JSON_API::init( $method, $url, $post_body );
		$api->token_details['user'] = $user_details;
		require_once JETPACK__PLUGIN_DIR . 'class.json-api-endpoints.php';

		$display_errors = ini_set( 'display_errors', 0 );
		ob_start();
		$content_type = $api->serve( false );
		$output = ob_get_clean();
		ini_set( 'display_errors', $display_errors );

		$nonce = wp_generate_password( 10, false );
		$hmac  = hash_hmac( 'md5', $nonce . $output, $token->secret );

		wp_set_current_user( isset( $old_user->ID ) ? $old_user->ID : 0 );

		return array(
			(string) $output,
			(string) $nonce,
			(string) $hmac,
		);
	}
}


1		<?php
2
3		/**
4		* Just a sack of functions. Not actually an IXR_Server
5		*/
6		class Jetpack_XMLRPC_Server {
7		/**
8		* The current error object
9		*/
10		public $error = null;
11
12		/**
13		* Whitelist of the XML-RPC methods available to the Jetpack Server. If the
14		* user is not authenticated (->login()) then the methods are never added,
15		* so they will get a "does not exist" error.
16		*/
17		function xmlrpc_methods( $core_methods ) {
18		$jetpack_methods = array(
19		'jetpack.jsonAPI' => array( $this, 'json_api' ),
20		'jetpack.verifyAction' => array( $this, 'verify_action' ),
21		);
22
23		$user = $this->login();
24
25		if ( $user ) {
26		$jetpack_methods = array_merge( $jetpack_methods, array(
27		'jetpack.testConnection' => array( $this, 'test_connection' ),
28		'jetpack.testAPIUserCode' => array( $this, 'test_api_user_code' ),
29		'jetpack.featuresAvailable' => array( $this, 'features_available' ),
30		'jetpack.featuresEnabled' => array( $this, 'features_enabled' ),
31		'jetpack.disconnectBlog' => array( $this, 'disconnect_blog' ),
32		'jetpack.unlinkUser' => array( $this, 'unlink_user' ),
33		) );
34
35		if ( isset( $core_methods['metaWeblog.editPost'] ) ) {
36		$jetpack_methods['metaWeblog.newMediaObject'] = $core_methods['metaWeblog.newMediaObject'];
37		$jetpack_methods['jetpack.updateAttachmentParent'] = array( $this, 'update_attachment_parent' );
38		}
39
40		/**
41		* Filters the XML-RPC methods available to Jetpack for authenticated users.
42		*
43		* @since 1.1.0
44		*
45		* @param array $jetpack_methods XML-RPC methods available to the Jetpack Server.
46		* @param array $core_methods Available core XML-RPC methods.
47		* @param WP_User $user Information about a given WordPress user.
48		*/
49		$jetpack_methods = apply_filters( 'jetpack_xmlrpc_methods', $jetpack_methods, $core_methods, $user );
50		}
51
52		/**
53		* Filters the XML-RPC methods available to Jetpack for unauthenticated users.
54		*
55		* @since 3.0.0
56		*
57		* @param array $jetpack_methods XML-RPC methods available to the Jetpack Server.
58		* @param array $core_methods Available core XML-RPC methods.
59		*/
60		return apply_filters( 'jetpack_xmlrpc_unauthenticated_methods', $jetpack_methods, $core_methods );
61		}
62
63		/**
64		* Whitelist of the bootstrap XML-RPC methods
65		*/
66		function bootstrap_xmlrpc_methods() {
67		return array(
68		'jetpack.verifyRegistration' => array( $this, 'verify_registration' ),
69		'jetpack.remoteAuthorize' => array( $this, 'remote_authorize' ),
70		);
71		}
72
73		function authorize_xmlrpc_methods() {
74		return array(
75		'jetpack.remoteAuthorize' => array( $this, 'remote_authorize' ),
76		'jetpack.activateManage' => array( $this, 'activate_manage' ),
77		);
78		}
79
80		function activate_manage( $request ) {
81	View Code Duplication	foreach( array( 'secret', 'state' ) as $required ) {
82		if ( ! isset( $request[ $required ] ) \|\| empty( $request[ $required ] ) ) {
83		return $this->error( new Jetpack_Error( 'missing_parameter', 'One or more parameters is missing from the request.', 400 ) );
84		}
85		}
86		$verified = $this->verify_action( array( 'activate_manage', $request['secret'], $request['state'] ) );
87		if ( is_a( $verified, 'IXR_Error' ) ) {
88		return $verified;
89		}
90		$activated = Jetpack::activate_module( 'manage', false, false );
91		if ( false === $activated \|\| ! Jetpack::is_module_active( 'manage' ) ) {
92		return $this->error( new Jetpack_Error( 'activation_error', 'There was an error while activating the module.', 500 ) );
93		}
94		return 'active';
95		}
96
97		function remote_authorize( $request ) {
98	View Code Duplication	foreach( array( 'secret', 'state', 'redirect_uri', 'code' ) as $required ) {
99		if ( ! isset( $request[ $required ] ) \|\| empty( $request[ $required ] ) ) {
100		return $this->error( new Jetpack_Error( 'missing_parameter', 'One or more parameters is missing from the request.', 400 ) );
101		}
102		}
103
104		if ( ! get_user_by( 'id', $request['state'] ) ) {
105		return $this->error( new Jetpack_Error( 'user_unknown', 'User not found.', 404 ) );
106		}
107
108		if ( Jetpack::is_active() && Jetpack::is_user_connected( $request['state'] ) ) {
109		return $this->error( new Jetpack_Error( 'already_connected', 'User already connected.', 400 ) );
110		}
111
112		$verified = $this->verify_action( array( 'authorize', $request['secret'], $request['state'] ) );
113
114		if ( is_a( $verified, 'IXR_Error' ) ) {
115		return $verified;
116		}
117
118		wp_set_current_user( $request['state'] );
119
120		$client_server = new Jetpack_Client_Server;
121		$result = $client_server->authorize( $request );
122
123		if ( is_wp_error( $result ) ) {
124		return $this->error( $result );
125		}
126		// Creates a new secret, allowing someone to activate the manage module for up to 1 day after authorization.
127		$secrets = Jetpack::init()->generate_secrets( 'activate_manage', DAY_IN_SECONDS );
128		@list( $secret ) = explode( ':', $secrets );
129		$response = array(
130		'result' => $result,
131		'activate_manage' => $secret,
132		);
133		return $response;
134		}
135
136		/**
137		* Verifies that Jetpack.WordPress.com received a registration request from this site
138		*/
139		function verify_registration( $data ) {
140		return $this->verify_action( array( 'register', $data[0], $data[1] ) );
141		}
142
143		/**
144		* @return WP_Error\|string secret_2 on success, WP_Error( error_code => error_code, error_message => error description, error_data => status code ) on failure
145		*
146		* Possible error_codes:
147		*
148		* verify_secret_1_missing
149		* verify_secret_1_malformed
150		* verify_secrets_missing: No longer have verification secrets stored
151		* verify_secrets_mismatch: stored secret_1 does not match secret_1 sent by Jetpack.WordPress.com
152		*
153		* The 'authorize' and 'register' actions have additional error codes
154		*
155		* state_missing: a state ( user id ) was not supplied
156		* state_malformed: state is not the correct data type
157		* invalid_state: supplied state does not match the stored state
158		*/
159		function verify_action( $params ) {
160		$action = $params[0];
161		$verify_secret = $params[1];
162		$state = isset( $params[2] ) ? $params[2] : '';
163
164		if ( empty( $verify_secret ) ) {
165		return $this->error( new Jetpack_Error( 'verify_secret_1_missing', sprintf( 'The required "%s" parameter is missing.', 'secret_1' ), 400 ) );
166		} else if ( ! is_string( $verify_secret ) ) {
167		return $this->error( new Jetpack_Error( 'verify_secret_1_malformed', sprintf( 'The required "%s" parameter is malformed.', 'secret_1' ), 400 ) );
168		}
169
170		$secrets = Jetpack_Options::get_option( $action );
171		if ( !$secrets \|\| is_wp_error( $secrets ) ) {
172		Jetpack_Options::delete_option( $action );
173		return $this->error( new Jetpack_Error( 'verify_secrets_missing', 'Verification took too long', 400 ) );
174		}
175
176		@list( $secret_1, $secret_2, $secret_eol, $user_id ) = explode( ':', $secrets );
177
178		if ( empty( $secret_1 ) \|\| empty( $secret_2 ) \|\| empty( $secret_eol ) \|\| $secret_eol < time() ) {
179		Jetpack_Options::delete_option( $action );
180		return $this->error( new Jetpack_Error( 'verify_secrets_missing', 'Verification took too long', 400 ) );
181		}
182
183		if ( ! hash_equals( $verify_secret, $secret_1 ) ) {
184		Jetpack_Options::delete_option( $action );
185		return $this->error( new Jetpack_Error( 'verify_secrets_mismatch', 'Secret mismatch', 400 ) );
186		}
187
188		if ( in_array( $action, array( 'authorize', 'register' ) ) ) {
189		// 'authorize' and 'register' actions require further testing
190		if ( empty( $state ) ) {
191		return $this->error( new Jetpack_Error( 'state_missing', sprintf( 'The required "%s" parameter is missing.', 'state' ), 400 ) );
192		} else if ( ! ctype_digit( $state ) ) {
193		return $this->error( new Jetpack_Error( 'state_malformed', sprintf( 'The required "%s" parameter is malformed.', 'state' ), 400 ) );
194		}
195		if ( empty( $user_id ) \|\| $user_id !== $state ) {
196		Jetpack_Options::delete_option( $action );
197		return $this->error( new Jetpack_Error( 'invalid_state', 'State is invalid', 400 ) );
198		}
199		}
200
201		Jetpack_Options::delete_option( $action );
202
203		return $secret_2;
204		}
205
206		/**
207		* Wrapper for wp_authenticate( $username, $password );
208		*
209		* @return WP_User\|IXR_Error
210		*/
211		function login() {
212		Jetpack::init()->require_jetpack_authentication();
213		$user = wp_authenticate( 'username', 'password' );
214		if ( is_wp_error( $user ) ) {
215		if ( 'authentication_failed' == $user->get_error_code() ) { // Generic error could mean most anything.
216		$this->error = new Jetpack_Error( 'invalid_request', 'Invalid Request', 403 );
217		} else {
218		$this->error = $user;
219		}
220		return false;
221		} else if ( !$user ) { // Shouldn't happen.
222		$this->error = new Jetpack_Error( 'invalid_request', 'Invalid Request', 403 );
223		return false;
224		}
225
226		return $user;
227		}
228
229		/**
230		* Returns the current error as an IXR_Error
231		*
232		* @return null\|IXR_Error
233		*/
234		function error( $error = null ) {
235		if ( !is_null( $error ) ) {
236		$this->error = $error;
237		}
238
239		if ( is_wp_error( $this->error ) ) {
240		$code = $this->error->get_error_data();
241		if ( !$code ) {
242		$code = -10520;
243		}
244		$message = sprintf( 'Jetpack: [%s] %s', $this->error->get_error_code(), $this->error->get_error_message() );
245		return new IXR_Error( $code, $message );
246		} else if ( is_a( $this->error, 'IXR_Error' ) ) {
247		return $this->error;
248		}
249
250		return false;
251		}
252
253		/* API Methods */
254
255		/**
256		* Just authenticates with the given Jetpack credentials.
257		*
258		* @return bool\|IXR_Error
259		*/
260		function test_connection() {
261		return JETPACK__VERSION;
262		}
263
264		function test_api_user_code( $args ) {
265		$client_id = (int) $args[0];
266		$user_id = (int) $args[1];
267		$nonce = (string) $args[2];
268		$verify = (string) $args[3];
269
270		if ( !$client_id \|\| !$user_id \|\| !strlen( $nonce ) \|\| 32 !== strlen( $verify ) ) {
271		return false;
272		}
273
274		$user = get_user_by( 'id', $user_id );
275		if ( !$user \|\| is_wp_error( $user ) ) {
276		return false;
277		}
278
279		/* debugging
280		error_log( "CLIENT: $client_id" );
281		error_log( "USER: $user_id" );
282		error_log( "NONCE: $nonce" );
283		error_log( "VERIFY: $verify" );
284		*/
285
286		$jetpack_token = Jetpack_Data::get_access_token( JETPACK_MASTER_USER );
287
288		$api_user_code = get_user_meta( $user_id, "jetpack_json_api_$client_id", true );
289		if ( !$api_user_code ) {
290		return false;
291		}
292
293		$hmac = hash_hmac( 'md5', json_encode( (object) array(
294		'client_id' => (int) $client_id,
295		'user_id' => (int) $user_id,
296		'nonce' => (string) $nonce,
297		'code' => (string) $api_user_code,
298		) ), $jetpack_token->secret );
299
300		if ( ! hash_equals( $hmac, $verify ) ) {
301		return false;
302		}
303
304		return $user_id;
305		}
306
307		/**
308		* Disconnect this blog from the connected wordpress.com account
309		* @return boolean
310		*/
311		function disconnect_blog() {
312		Jetpack::log( 'disconnect' );
313		Jetpack::disconnect();
314
315		return true;
316		}
317
318		/**
319		* Unlink a user from WordPress.com
320		*
321		* This will fail if called by the Master User.
322		*/
323		function unlink_user() {
324		Jetpack::log( 'unlink' );
325		return Jetpack::unlink_user();
326		}
327
328		/**
329		* Returns what features are available. Uses the slug of the module files.
330		*
331		* @return array\|IXR_Error
332		*/
333	View Code Duplication	function features_available() {
334		$raw_modules = Jetpack::get_available_modules();
335		$modules = array();
336		foreach ( $raw_modules as $module ) {
337		$modules[] = Jetpack::get_module_slug( $module );
338		}
339
340		return $modules;
341		}
342
343		/**
344		* Returns what features are enabled. Uses the slug of the modules files.
345		*
346		* @return array\|IXR_Error
347		*/
348	View Code Duplication	function features_enabled() {
349		$raw_modules = Jetpack::get_active_modules();
350		$modules = array();
351		foreach ( $raw_modules as $module ) {
352		$modules[] = Jetpack::get_module_slug( $module );
353		}
354
355		return $modules;
356		}
357
358		function update_attachment_parent( $args ) {
359		$attachment_id = (int) $args[0];
360		$parent_id = (int) $args[1];
361
362		return wp_update_post( array(
363		'ID' => $attachment_id,
364		'post_parent' => $parent_id,
365		) );
366		}
367
368		function json_api( $args = array() ) {
369		$json_api_args = $args[0];
370		$verify_api_user_args = $args[1];
371
372		$method = (string) $json_api_args[0];
373		$url = (string) $json_api_args[1];
374		$post_body = is_null( $json_api_args[2] ) ? null : (string) $json_api_args[2];
375		$user_details = (array) $json_api_args[4];
376		$locale = (string) $json_api_args[5];
377
378		if ( !$verify_api_user_args ) {
379		$user_id = 0;
380		} elseif ( 'internal' === $verify_api_user_args[0] ) {
381		$user_id = (int) $verify_api_user_args[1];
382		if ( $user_id ) {
383		$user = get_user_by( 'id', $user_id );
384		if ( !$user \|\| is_wp_error( $user ) ) {
385		return false;
386		}
387		}
388		} else {
389		$user_id = call_user_func( array( $this, 'test_api_user_code' ), $verify_api_user_args );
390		if ( !$user_id ) {
391		return false;
392		}
393		}
394
395		/* debugging
396		error_log( "-- begin json api via jetpack debugging -- " );
397		error_log( "METHOD: $method" );
398		error_log( "URL: $url" );
399		error_log( "POST BODY: $post_body" );
400		error_log( "VERIFY_ARGS: " . print_r( $verify_api_user_args, 1 ) );
401		error_log( "VERIFIED USER_ID: " . (int) $user_id );
402		error_log( "-- end json api via jetpack debugging -- " );
403		*/
404
405		if ( 'en' !== $locale ) {
406		// .org mo files are named slightly different from .com, and all we have is this the locale -- try to guess them.
407		$new_locale = $locale;
408		if ( strpos( $locale, '-' ) !== false ) {
409		$pieces = explode( '-', $locale );
		0 ignored issues – show Unused Code introduced 2015-11-20 23:03 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$pieces` is not used, you could remove the assignment. This check looks for variable assignements that are either overwritten by other assignments or where the variable is not used subsequently. $myVar = 'Value'; $higher = false; if (rand(1, 6) > 3) { $higher = true; } else { $higher = false; } Both the `$myVar` assignment in line 1 and the `$higher` assignment in line 2 are dead. The first because `$myVar` is never used and the second because `$higher` is always overwritten for every possible time line. Loading history...
410		$new_locale = $locale_pieces[0];
		0 ignored issues – show Bug introduced 2015-11-20 23:03 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$locale_pieces` does not exist. Did you mean `$locale`? This check looks for variables that are accessed but have not been defined. It raises an issue if it finds another variable that has a similar name. The variable may have been renamed without also renaming all references. Loading history...
411		$new_locale .= ( ! empty( $locale_pieces[1] ) ) ? '_' . strtoupper( $locale_pieces[1] ) : '';
		0 ignored issues – show Bug introduced 2015-11-20 23:03 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$locale_pieces` does not exist. Did you mean `$locale`? This check looks for variables that are accessed but have not been defined. It raises an issue if it finds another variable that has a similar name. The variable may have been renamed without also renaming all references. Loading history...
412		} else {
413		// .com might pass 'fr' because thats what our language files are named as, where core seems
414		// to do fr_FR - so try that if we don't think we can load the file.
415		if ( ! file_exists( WP_LANG_DIR . '/' . $locale . '.mo' ) ) {
416		$new_locale = $locale . '_' . strtoupper( $locale );
417		}
418		}
419
420		if ( file_exists( WP_LANG_DIR . '/' . $new_locale . '.mo' ) ) {
421		unload_textdomain( 'default' );
422		load_textdomain( 'default', WP_LANG_DIR . '/' . $new_locale . '.mo' );
423		}
424		}
425
426		$old_user = wp_get_current_user();
427		wp_set_current_user( $user_id );
428
429		$token = Jetpack_Data::get_access_token( get_current_user_id() );
430		if ( !$token \|\| is_wp_error( $token ) ) {
431		return false;
432		}
433
434		define( 'REST_API_REQUEST', true );
435		define( 'WPCOM_JSON_API__BASE', 'public-api.wordpress.com/rest/v1' );
436
437		// needed?
438		require_once ABSPATH . 'wp-admin/includes/admin.php';
439
440		require_once JETPACK__PLUGIN_DIR . 'class.json-api.php';
441		$api = WPCOM_JSON_API::init( $method, $url, $post_body );
442		$api->token_details['user'] = $user_details;
443		require_once JETPACK__PLUGIN_DIR . 'class.json-api-endpoints.php';
444
445		$display_errors = ini_set( 'display_errors', 0 );
446		ob_start();
447		$content_type = $api->serve( false );
448		$output = ob_get_clean();
449		ini_set( 'display_errors', $display_errors );
450
451		$nonce = wp_generate_password( 10, false );
452		$hmac = hash_hmac( 'md5', $nonce . $output, $token->secret );
453
454		wp_set_current_user( isset( $old_user->ID ) ? $old_user->ID : 0 );
455
456		return array(
457		(string) $output,
458		(string) $nonce,
459		(string) $hmac,
460		);
461		}
462		}
463

Automattic / jetpack

Push — master-stable ( 20f0b5...af901c )

class.jetpack-xmlrpc-server.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like