Completed
Push — add/publicize-rest-api-2 ( 304115...4d77e8 )
by
unknown
205:42 queued 174:00
created

class.jetpack-signature.php (1 issue)

Labels
Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

1
<?php
2
3
// These constants can be set in wp-config.php to ensure sites behind proxies will still work.
4
// Setting these constants, though, is *not* the preferred method. It's better to configure
5
// the proxy to send the X-Forwarded-Port header.
6
defined( 'JETPACK_SIGNATURE__HTTP_PORT'  ) or define( 'JETPACK_SIGNATURE__HTTP_PORT' , 80  );
7
defined( 'JETPACK_SIGNATURE__HTTPS_PORT' ) or define( 'JETPACK_SIGNATURE__HTTPS_PORT', 443 );
8
9
class Jetpack_Signature {
10
	public $token;
11
	public $secret;
12
13
	function __construct( $access_token, $time_diff = 0 ) {
14
		$secret = explode( '.', $access_token );
15
		if ( 2 != count( $secret ) )
16
			return;
17
18
		$this->token  = $secret[0];
19
		$this->secret = $secret[1];
20
		$this->time_diff = $time_diff;
0 ignored issues
show
The property time_diff does not exist. Did you maybe forget to declare it?

In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code:

class MyClass { }

$x = new MyClass();
$x->foo = true;

Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion:

class MyClass {
    public $foo;
}

$x = new MyClass();
$x->foo = true;
Loading history...
21
	}
22
23
	function sign_current_request( $override = array() ) {
24
		if ( isset( $override['scheme'] ) ) {
25
			$scheme = $override['scheme'];
26
			if ( !in_array( $scheme, array( 'http', 'https' ) ) ) {
27
				return new Jetpack_Error( 'invalid_scheme', 'Invalid URL scheme' );
28
			}
29
		} else {
30
			if ( is_ssl() ) {
31
				$scheme = 'https';
32
			} else {
33
				$scheme = 'http';
34
			}
35
		}
36
37
		$host_port = isset( $_SERVER['HTTP_X_FORWARDED_PORT'] ) ? $_SERVER['HTTP_X_FORWARDED_PORT'] : $_SERVER['SERVER_PORT'];
38
39
		if ( is_ssl() ) {
40
			// 443: Standard Port
41
			// 80: Assume we're behind a proxy without X-Forwarded-Port. Hardcoding "80" here means most sites
42
			//     with SSL termination proxies (self-served, Cloudflare, etc.) don't need to fiddle with
43
			//     the JETPACK_SIGNATURE__HTTPS_PORT constant. The code also implies we can't talk to a
44
			//     site at https://example.com:80/ (which would be a strange configuration).
45
			// JETPACK_SIGNATURE__HTTPS_PORT: Set this constant in wp-config.php to the back end webserver's port
46
			//                                if the site is behind a proxy running on port 443 without
47
			//                                X-Forwarded-Port and the back end's port is *not* 80. It's better,
48
			//                                though, to configure the proxy to send X-Forwarded-Port.
49
			$port = in_array( $host_port, array( 443, 80, JETPACK_SIGNATURE__HTTPS_PORT ) ) ? '' : $host_port;
50
		} else {
51
			// 80: Standard Port
52
			// JETPACK_SIGNATURE__HTTPS_PORT: Set this constant in wp-config.php to the back end webserver's port
53
			//                                if the site is behind a proxy running on port 80 without
54
			//                                X-Forwarded-Port. It's better, though, to configure the proxy to
55
			//                                send X-Forwarded-Port.
56
			$port = in_array( $host_port, array( 80, JETPACK_SIGNATURE__HTTP_PORT ) ) ? '' : $host_port;
57
		}
58
59
		$url = "{$scheme}://{$_SERVER['HTTP_HOST']}:{$port}" . stripslashes( $_SERVER['REQUEST_URI'] );
60
61
		if ( array_key_exists( 'body', $override ) && ! empty( $override['body'] ) ) {
62
			$body = $override['body'];
63
		} else if ( 'POST' == strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
64
			$body = isset( $GLOBALS['HTTP_RAW_POST_DATA'] ) ? $GLOBALS['HTTP_RAW_POST_DATA'] : null;
65
66
			// Convert the $_POST to the body, if the body was empty. This is how arrays are hashed
67
			// and encoded on the Jetpack side.
68
			if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
69
				if ( empty( $body ) && is_array( $_POST ) && count( $_POST ) > 0 ) {
70
					$body = $_POST;
71
				}
72
			}
73
		} else if ( 'PUT' == strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
74
			// This is a little strange-looking, but there doesn't seem to be another way to get the PUT body
75
			$raw_put_data = file_get_contents( 'php://input' );
76
			parse_str( $raw_put_data, $body );
77
78
			if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
79
				$put_data = json_decode( $raw_put_data, true );
80
				if ( is_array( $put_data ) && count( $put_data ) > 0 ) {
81
					$body = $put_data;
82
				}
83
			}
84
		} else {
85
			$body = null;
86
		}
87
88
		if ( empty( $body ) ) {
89
			$body = null;
90
		}
91
92
		$a = array();
93
		foreach ( array( 'token', 'timestamp', 'nonce', 'body-hash' ) as $parameter ) {
94
			if ( isset( $override[$parameter] ) ) {
95
				$a[$parameter] = $override[$parameter];
96
			} else {
97
				$a[$parameter] = isset( $_GET[$parameter] ) ? stripslashes( $_GET[$parameter] ) : '';
98
			}
99
		}
100
101
		$method = isset( $override['method'] ) ? $override['method'] : $_SERVER['REQUEST_METHOD'];
102
		return $this->sign_request( $a['token'], $a['timestamp'], $a['nonce'], $a['body-hash'], $method, $url, $body, true );
103
	}
104
105
	// body_hash v. body-hash is annoying.  Refactor to accept an array?
106
	function sign_request( $token = '', $timestamp = 0, $nonce = '', $body_hash = '', $method = '', $url = '', $body = null, $verify_body_hash = true ) {
107
		if ( !$this->secret ) {
108
			return new Jetpack_Error( 'invalid_secret', 'Invalid secret' );
109
		}
110
111
		if ( !$this->token ) {
112
			return new Jetpack_Error( 'invalid_token', 'Invalid token' );
113
		}
114
115
		list( $token ) = explode( '.', $token );
116
117
		if ( 0 !== strpos( $token, "$this->token:" ) ) {
118
			return new Jetpack_Error( 'token_mismatch', 'Incorrect token' );
119
		}
120
121
		// If we got an array at this point, let's encode it, so we can see what it looks like as a string.
122
		if ( is_array( $body ) ) {
123
			if ( count( $body ) > 0 ) {
124
				$body = json_encode( $body );
125
126
			} else {
127
				$body = '';
128
			}
129
		}
130
131
		$required_parameters = array( 'token', 'timestamp', 'nonce', 'method', 'url' );
132
		if ( !is_null( $body ) ) {
133
			$required_parameters[] = 'body_hash';
134
			if ( !is_string( $body ) ) {
135
				return new Jetpack_Error( 'invalid_body', 'Body is malformed.' );
136
			}
137
		}
138
139
		foreach ( $required_parameters as $required ) {
140 View Code Duplication
			if ( !is_scalar( $$required ) ) {
141
				return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', str_replace( '_', '-', $required ) ) );
142
			}
143
144 View Code Duplication
			if ( !strlen( $$required ) ) {
145
				return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is missing.', str_replace( '_', '-', $required ) ) );
146
			}
147
		}
148
149
		if ( empty( $body ) ) {
150
			if ( $body_hash ) {
151
				return new Jetpack_Error( 'invalid_body_hash', 'The body hash does not match.' );
152
			}
153
		} else {
154
			if ( $verify_body_hash && jetpack_sha1_base64( $body ) !== $body_hash ) {
155
				return new Jetpack_Error( 'invalid_body_hash', 'The body hash does not match.' );
156
			}
157
		}
158
159
		$parsed = parse_url( $url );
160
		if ( !isset( $parsed['host'] ) ) {
161
			return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'url' ) );
162
		}
163
164
		if ( !empty( $parsed['port'] ) ) {
165
			$port = $parsed['port'];
166
		} else {
167
			if ( 'http' == $parsed['scheme'] ) {
168
				$port = 80;
169
			} else if ( 'https' == $parsed['scheme'] ) {
170
				$port = 443;
171
			} else {
172
				return new Jetpack_Error( 'unknown_scheme_port', "The scheme's port is unknown" );
173
			}
174
		}
175
176
		if ( !ctype_digit( "$timestamp" ) || 10 < strlen( $timestamp ) ) { // If Jetpack is around in 275 years, you can blame mdawaffe for the bug.
177
			return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'timestamp' ) );
178
		}
179
180
		$local_time = $timestamp - $this->time_diff;
181
		if ( $local_time < time() - 600 || $local_time > time() + 300 ) {
182
			return new Jetpack_Error( 'invalid_signature', 'The timestamp is too old.' );
183
		}
184
185
		if ( 12 < strlen( $nonce ) || preg_match( '/[^a-zA-Z0-9]/', $nonce ) ) {
186
			return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'nonce' ) );
187
		}
188
189
		$normalized_request_pieces = array(
190
			$token,
191
			$timestamp,
192
			$nonce,
193
			$body_hash,
194
			strtoupper( $method ),
195
			strtolower( $parsed['host'] ),
196
			$port,
197
			$parsed['path'],
198
			// Normalized Query String
199
		);
200
201
		$normalized_request_pieces = array_merge( $normalized_request_pieces, $this->normalized_query_parameters( isset( $parsed['query'] ) ? $parsed['query'] : '' ) );
202
		$flat_normalized_request_pieces = array();
203
		foreach ($normalized_request_pieces as $piece) {
204
			if ( is_array( $piece ) ) {
205
				foreach ( $piece as $subpiece ) {
206
					$flat_normalized_request_pieces[] = $subpiece;
207
				}
208
			} else {
209
				$flat_normalized_request_pieces[] = $piece;
210
			}
211
		}
212
		$normalized_request_pieces = $flat_normalized_request_pieces;
213
214
		$normalized_request_string = join( "\n", $normalized_request_pieces ) . "\n";
215
216
		return base64_encode( hash_hmac( 'sha1', $normalized_request_string, $this->secret, true ) );
217
	}
218
219
	function normalized_query_parameters( $query_string ) {
220
		parse_str( $query_string, $array );
221
		if ( get_magic_quotes_gpc() )
222
			$array = stripslashes_deep( $array );
223
224
		unset( $array['signature'] );
225
226
		$names  = array_keys( $array );
227
		$values = array_values( $array );
228
229
		$names  = array_map( array( $this, 'encode_3986' ), $names  );
230
		$values = array_map( array( $this, 'encode_3986' ), $values );
231
232
		$pairs  = array_map( array( $this, 'join_with_equal_sign' ), $names, $values );
233
234
		sort( $pairs );
235
236
		return $pairs;
237
	}
238
239
	function encode_3986( $string_or_array ) {
240
		if ( is_array( $string_or_array ) ) {
241
			return array_map( array( $this, 'encode_3986' ), $string_or_array );
242
		}
243
244
		$string_or_array = rawurlencode( $string_or_array );
245
		return str_replace( '%7E', '~', $string_or_array ); // prior to PHP 5.3, rawurlencode was RFC 1738
246
	}
247
248
	function join_with_equal_sign( $name, $value ) {
249
		if ( is_array( $value ) ) {
250
			$result = array();
251
			foreach ( $value as $array_key => $array_value ) {
252
				$result[] = $name . '[' . $array_key . ']' . '=' . $array_value;
253
			}
254
			return $result;
255
		}
256
		return "{$name}={$value}";
257
	}
258
}
259
260
function jetpack_sha1_base64( $text ) {
261
	return base64_encode( sha1( $text, true ) );
262
}
263