/**
 * Populate the global `$current_user` from the login cookies.
 *
 * If `$current_user` is already populated it is normalised to a WP_User
 * (a stdClass carrying an ID is upgraded, anything else is reset to the
 * permission-less user 0). Otherwise the auth cookie is validated, falling
 * back to the 'logged_in' cookie outside the blog/network admin screens.
 * XML-RPC requests never get a cookie-based user.
 *
 * @since 0.71
 * @uses $current_user Checks if the current user is set
 * @uses wp_validate_auth_cookie() Retrieves current logged in user.
 *
 * @return bool|null False on XMLRPC Request and invalid auth cookie. Null when current user set
 */
function get_currentuserinfo() {
    global $current_user;

    if (!empty($current_user)) {
        // Already a proper user object: nothing to do.
        if ($current_user instanceof WP_User) {
            return;
        }
        // Legacy stdClass carrying an ID: rebuild it as a WP_User.
        if (is_object($current_user) && isset($current_user->ID)) {
            $legacy_id = $current_user->ID;
            $current_user = null;
            wp_set_current_user($legacy_id);
            return;
        }
        // Anything else is junk; reset to user 0, which has no permissions.
        $current_user = null;
        wp_set_current_user(0);
        return false;
    }

    // XML-RPC authenticates per call, never from cookies.
    if (defined('XMLRPC_REQUEST') && XMLRPC_REQUEST) {
        wp_set_current_user(0);
        return false;
    }

    $user = wp_validate_auth_cookie();
    if (!$user) {
        // The weaker 'logged_in' cookie is only accepted outside the admin
        // screens, where the stronger auth cookie is required.
        $may_use_logged_in_cookie = !is_blog_admin()
            && !is_network_admin()
            && !empty($_COOKIE[LOGGED_IN_COOKIE]);
        if ($may_use_logged_in_cookie) {
            $user = wp_validate_auth_cookie($_COOKIE[LOGGED_IN_COOKIE], 'logged_in');
        }
        if (!$user) {
            wp_set_current_user(0);
            return false;
        }
    }

    wp_set_current_user($user);
}
/**
 * Check whether a 'logged_in' auth cookie value belongs to a user who may
 * view Query Monitor.
 *
 * @param string $value Raw cookie value to validate.
 * @return bool True when the cookie validates and its user has the
 *              'view_query_monitor' capability, false otherwise.
 */
public static function verify_cookie($value) {
    $user_id = wp_validate_auth_cookie($value, 'logged_in');
    if (!$user_id) {
        return false;
    }
    return user_can($user_id, 'view_query_monitor');
}
/**
 * JSON API method: create a post for the user identified by the request cookie.
 *
 * Requires a nonce issued for the 'posts'/'create_post' pair and a valid
 * 'logged_in' auth cookie whose user has the 'edit_posts' capability. Each
 * failed check is reported through `$json_api->error()`. The post fields are
 * read from `$_REQUEST` by JSON_API_Post::create().
 *
 * @return array{post: JSON_API_Post} The created post wrapper.
 */
public function create_post() {
    global $json_api;
    $query = $json_api->query;

    if (!$query->nonce) {
        $json_api->error("You must include a 'nonce' value to create posts. Use the `get_nonce` Core API method.");
    }
    if (!$query->cookie) {
        $json_api->error("You must include a 'cookie' authentication cookie. Use the `create_auth_cookie` Auth API method.");
    }

    // CSRF check: the nonce must have been issued for this specific method.
    $nonce_id = $json_api->get_nonce_id('posts', 'create_post');
    if (!wp_verify_nonce($query->nonce, $nonce_id)) {
        $json_api->error("Your 'nonce' value was incorrect. Use the 'get_nonce' API method.");
    }

    // Authentication first, then authorisation.
    $user_id = wp_validate_auth_cookie($query->cookie, 'logged_in');
    if (!$user_id) {
        $json_api->error("Invalid authentication cookie. Use the `generate_auth_cookie` Auth API method.");
    }
    if (!user_can($user_id, 'edit_posts')) {
        $json_api->error("You need to login with a user capable of creating posts.");
    }

    nocache_headers();
    $post = new JSON_API_Post();
    $post_id = $post->create($_REQUEST);
    if (empty($post_id)) {
        $json_api->error("Could not create post.");
    }

    return array('post' => $post);
}
/**
 * An auth cookie is bound to the scheme it was generated for: validating it
 * under the same scheme yields the user ID, under any other scheme fails.
 */
function test_auth_cookie_scheme() {
    // Arbitrary scheme name round-trips.
    $cookie = wp_generate_auth_cookie(self::$user_id, time() + 3600, 'foo');
    $validated = wp_validate_auth_cookie($cookie, 'foo');
    $this->assertEquals(self::$user_id, $validated);

    // The same cookie presented under a different scheme must be rejected.
    $cookie = wp_generate_auth_cookie(self::$user_id, time() + 3600, 'foo');
    $validated = wp_validate_auth_cookie($cookie, 'bar');
    $this->assertEquals(false, $validated);
}
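/**
 * Authenticate a user, optionally from the login form POST fields, and set
 * the auth cookies on success.
 *
 * When `$credentials` is empty the `log`, `pwd` and `rememberme` POST fields
 * are used. When neither a login nor a password ends up available, the
 * existing auth cookie is validated instead.
 *
 * @param array|string $credentials Optional. 'user_login', 'user_password'
 *                                  and 'remember' keys. Default empty.
 * @return WP_User|WP_Error WP_User on success, WP_Error on failure.
 */
function wp_signon($credentials = '') {
    if (empty($credentials)) {
        // Start from an array: since PHP 7.1 writing a string offset into an
        // empty string no longer auto-vivifies an array, so the '' default
        // would break the assignments below.
        $credentials = array();
        if (!empty($_POST['log'])) {
            $credentials['user_login'] = $_POST['log'];
        }
        if (!empty($_POST['pwd'])) {
            $credentials['user_password'] = $_POST['pwd'];
        }
        if (!empty($_POST['rememberme'])) {
            $credentials['remember'] = $_POST['rememberme'];
        }
    }

    if (!empty($credentials['user_login'])) {
        $credentials['user_login'] = sanitize_user($credentials['user_login']);
    }
    if (!empty($credentials['user_password'])) {
        $credentials['user_password'] = trim($credentials['user_password']);
    }
    $credentials['remember'] = !empty($credentials['remember']);

    // Passed by reference so hooked callbacks may rewrite the credentials.
    do_action_ref_array('wp_authenticate', array(&$credentials['user_login'], &$credentials['user_password']));

    // If no credential info provided, check cookie.
    if (empty($credentials['user_login']) && empty($credentials['user_password'])) {
        $user = wp_validate_auth_cookie();
        if ($user) {
            return new WP_User($user);
        }
        if (!empty($_COOKIE[AUTH_COOKIE])) {
            return new WP_Error('expired_session', __('Please log in again.'));
        }
        // If the cookie is not set, be silent.
        return new WP_Error();
    }

    if (empty($credentials['user_login']) || empty($credentials['user_password'])) {
        $error = new WP_Error();
        if (empty($credentials['user_login'])) {
            $error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
        }
        if (empty($credentials['user_password'])) {
            $error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
        }
        return $error;
    }

    $user = wp_authenticate($credentials['user_login'], $credentials['user_password']);
    if (is_wp_error($user)) {
        return $user;
    }

    wp_set_auth_cookie($user->ID, $credentials['remember']);
    do_action('wp_login', $credentials['user_login']);
    return $user;
}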
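/**
 * Set the current WordPress user from the 'cookie' query parameter of a
 * JSON API request, if one is present and validates as a 'logged_in' cookie.
 *
 * @param string $sDefaultPath Unused by this function.
 * @return void
 */
function json_api_auth_checkAuthCookie($sDefaultPath) {
    global $json_api;

    if (!$json_api->query->cookie) {
        return;
    }

    $user_id = wp_validate_auth_cookie($json_api->query->cookie, 'logged_in');
    if (!$user_id) {
        return;
    }

    // get_userdata() returns false when the ID no longer resolves to a user
    // (e.g. deleted after the cookie was issued); don't dereference that.
    $user = get_userdata($user_id);
    if (!$user) {
        return;
    }

    wp_set_current_user($user->ID, $user->user_login);
}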
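/**
 * Authenticate the WordPress session against the StatTracker agent table.
 *
 * Flow: no valid 'logged_in' cookie -> clear the session agent and ask for
 * authentication. Valid cookie and no agent in the session -> run the user
 * through ST_USER_AUTH_FILTER, create the Agent row (and an API token) on
 * first sight, then cache the agent in the session. Valid cookie and an
 * agent in the session -> re-check its token and log out if it is invalid.
 *
 * @param StatTracker $app Application container providing ['session'] and db().
 * @return AuthResponse
 */
public function login(StatTracker $app) {
    if (!wp_validate_auth_cookie('', 'logged_in')) {
        $app['session']->set("agent", null);
        return AuthResponse::authenticationRequired($this);
    }

    $agent = $app['session']->get("agent");
    if ($agent !== null) {
        // Existing session: the cached agent's token must still resolve.
        if (Agent::lookupAgentByToken($agent->getToken())->isValid()) {
            return AuthResponse::okay($agent);
        }
        $this->logger->info(sprintf("Invalid token for %s. Logging out", $agent->name));
        return $this->logout($app);
    }

    $wp_user = wp_get_current_user();
    // Allow a plugin to grant/deny this user. See wiki for details
    $user = apply_filters(ST_USER_AUTH_FILTER, $wp_user);
    if (!$user instanceof \WP_User) {
        if (is_string($user)) {
            $response = AuthResponse::registrationRequired($user);
        } else {
            $response = AuthResponse::registrationRequired("Access was denied. Please contact @" . ADMIN_AGENT);
        }
        // Previously logged an undefined $email_address; identify the denied
        // account by the unfiltered WordPress user instead.
        $this->logger->info(sprintf("Registration required for %s", $wp_user->user_email));
        return $response;
    }

    $agent = Agent::lookupAgentName($user->user_email);
    if (!$agent->isValid()) {
        $name = apply_filters(ST_AGENT_NAME_FILTER, $user->user_login);
        $this->logger->info(sprintf("Adding new agent %s", $name));
        $agent->name = $name;

        // Insert them into the DB (parameterised statement; no interpolation).
        $stmt = $app->db()->prepare("INSERT INTO Agent (email, agent) VALUES (?, ?) ON DUPLICATE KEY UPDATE agent = ?;");
        $stmt->execute(array($user->user_email, $name, $name));
        $stmt->closeCursor();

        // Generate an API token
        $this->generateAPIToken($agent);

        $agent = Agent::lookupAgentName($user->user_email);
        if (!$agent->isValid()) {
            $this->logger->error(sprintf("%s still not a valid agent", $agent->name));
            return AuthResponse::error("An unrecoverable error has occured");
        }
    }

    $app['session']->set("agent", $agent);
    $response = AuthResponse::okay($agent);
    $this->logger->info(sprintf("%s authenticated successfully", $agent->name));
    return $response;
}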
/**
 * JSON API method: describe the user identified by the request's 'cookie'
 * parameter (a 'logged_in' auth cookie).
 *
 * A missing or invalid cookie is reported through `$json_api->error()`.
 *
 * @return array{user: array<string, mixed>} Selected WP_User fields; note
 *         that 'capabilities' is the raw wp_capabilities user meta.
 */
public function get_currentuserinfo() {
    global $json_api;

    if (!$json_api->query->cookie) {
        $json_api->error("You must include a 'cookie' var in your request. Use the `generate_auth_cookie` Auth API method.");
    }
    $user_id = wp_validate_auth_cookie($json_api->query->cookie, 'logged_in');
    if (!$user_id) {
        $json_api->error("Invalid authentication cookie. Use the `generate_auth_cookie` Auth API method.");
    }

    $user = get_userdata($user_id);
    $fields = array(
        "id"           => $user->ID,
        "username"     => $user->user_login,
        "nicename"     => $user->user_nicename,
        "email"        => $user->user_email,
        "url"          => $user->user_url,
        "registered"   => $user->user_registered,
        "displayname"  => $user->display_name,
        "firstname"    => $user->user_firstname,
        "lastname"     => $user->last_name,
        "nickname"     => $user->nickname,
        "description"  => $user->user_description,
        "capabilities" => $user->wp_capabilities,
    );
    return array("user" => $fields);
}
/**
 * Require a logged-in user; otherwise redirect to the login page.
 *
 * Forces HTTPS for wp-admin requests when SSL is required (site-wide or by
 * the user's 'use_ssl' option). Unauthenticated requests are sent to the
 * OpenSSO login page when OPENSSO_ENABLED is set, else to wp_login_url()
 * with the current URL (or the referer for /options.php) as redirect target.
 *
 * Note: the fallback redirect targets are assembled from $_SERVER['HTTP_HOST'],
 * i.e. the request's Host header; they are only as trustworthy as the web
 * server's host matching.
 *
 * @return void Redirects and exits unless the auth cookie validates.
 */
function auth_redirect() {
    $uri = $_SERVER['REQUEST_URI'];
    $in_admin = false !== strpos($uri, 'wp-admin');
    $secure = is_ssl() || force_ssl_admin();

    // If https is required and request is http, redirect
    if ($secure && !is_ssl() && $in_admin) {
        wp_redirect(0 === strpos($uri, 'http')
            ? preg_replace('|^http://|', 'https://', $uri)
            : 'https://' . $_SERVER['HTTP_HOST'] . $uri);
        exit;
    }

    $user_id = wp_validate_auth_cookie();
    if ($user_id) {
        do_action('auth_redirect', $user_id);
        // If the user wants ssl but the session is not ssl, redirect.
        if (!$secure && get_user_option('use_ssl', $user_id) && $in_admin) {
            wp_redirect(0 === strpos($uri, 'http')
                ? preg_replace('|^http://|', 'https://', $uri)
                : 'https://' . $_SERVER['HTTP_HOST'] . $uri);
            exit;
        }
        return; // The cookie is good so we're done
    }

    // The cookie is no good so force login
    nocache_headers();
    if (OPENSSO_ENABLED) {
        // Redirect to OpenSSO login page then return here
        $login_url = OPENSSO_BASE_URL . '?goto=' . urlencode(opensso_full_url());
    } else {
        $proto = is_ssl() ? 'https://' : 'http://';
        $redirect = (strpos($uri, '/options.php') && wp_get_referer())
            ? wp_get_referer()
            : $proto . $_SERVER['HTTP_HOST'] . $uri;
        $login_url = wp_login_url($redirect);
    }
    wp_redirect($login_url);
    exit;
}
/**
 * Require a logged-in user; otherwise redirect to the Maestrano SSO entry point.
 *
 * Mirrors WordPress core auth_redirect() (HTTPS enforcement for wp-admin,
 * the 'secure_auth_redirect' / 'auth_redirect_scheme' filters and the
 * 'auth_redirect' action) but hands unauthenticated requests to
 * Maestrano::sso()->getInitPath() instead of wp_login_url(). The computed
 * $redirect is not passed along to the SSO init path.
 *
 * @return void Redirects and exits unless the auth cookie validates.
 */
function auth_redirect() {
    $uri = $_SERVER['REQUEST_URI'];
    $in_admin = false !== strpos($uri, 'wp-admin');

    $secure = apply_filters('secure_auth_redirect', is_ssl() || force_ssl_admin());

    // If https is required and request is http, redirect
    if ($secure && !is_ssl() && $in_admin) {
        wp_redirect(0 === strpos($uri, 'http')
            ? set_url_scheme($uri, 'https')
            : 'https://' . $_SERVER['HTTP_HOST'] . $uri);
        exit;
    }

    // User-admin requests use the 'logged_in' scheme; elsewhere a filter may choose.
    $scheme = is_user_admin() ? 'logged_in' : apply_filters('auth_redirect_scheme', '');

    $user_id = wp_validate_auth_cookie('', $scheme);
    if ($user_id) {
        do_action('auth_redirect', $user_id);
        // If the user wants ssl but the session is not ssl, redirect.
        if (!$secure && get_user_option('use_ssl', $user_id) && $in_admin) {
            wp_redirect(0 === strpos($uri, 'http')
                ? set_url_scheme($uri, 'https')
                : 'https://' . $_SERVER['HTTP_HOST'] . $uri);
            exit;
        }
        return; // The cookie is good so we're done
    }

    // The cookie is no good so force login
    nocache_headers();
    // Computed as in core, but unused below: the SSO init path decides where to return.
    $redirect = (strpos($uri, '/options.php') && wp_get_referer())
        ? wp_get_referer()
        : set_url_scheme('http://' . $_SERVER['HTTP_HOST'] . $uri);
    // Change login url
    $login_url = Maestrano::sso()->getInitPath();
    wp_redirect($login_url);
    exit;
}
/**
 * Pull newly logged WAF attack records out of the WAF storage engine and
 * persist each one as a 'blocked:waf' hit in the wfHits table.
 *
 * Each record is a 9-element row (log time, request time, IP, learning-mode
 * flag, offending param key/value, failed rule IDs, SSL flag, raw request
 * text). Request details (UA, referer, host/URI, cookies, path) are parsed
 * out of the raw request text with regexes. A user is attributed to the hit
 * only when the WordPress auth cookie found in the request validates.
 *
 * Note: when a matching rule is found the full raw request, including its
 * Cookie header, is stored base64-encoded in the hit's actionData.
 *
 * @param bool $exit Whether to terminate the request after syncing. Default true.
 * @return void
 */
public static function syncAttackData($exit = true) {
    global $wpdb;
    $waf = wfWAF::getInstance();
    // High-water mark: only records newer than this are imported.
    $lastAttackMicroseconds = $wpdb->get_var("SELECT MAX(attackLogTime) FROM {$wpdb->base_prefix}wfHits");
    if ($waf->getStorageEngine()->hasNewerAttackData($lastAttackMicroseconds)) {
        $attackData = $waf->getStorageEngine()->getNewestAttackDataArray($lastAttackMicroseconds);
        if ($attackData) {
            foreach ($attackData as $request) {
                // Malformed rows are dropped rather than partially imported.
                if (count($request) !== 9) {
                    continue;
                }
                list($logTimeMicroseconds, $requestTime, $ip, $learningMode, $paramKey, $paramValue, $failedRules, $ssl, $requestString) = $request;
                // Skip old entries and hits in learning mode, since they'll get picked up anyways.
                if ($logTimeMicroseconds <= $lastAttackMicroseconds || $learningMode) {
                    continue;
                }
                $hit = new wfRequestModel();
                $hit->attackLogTime = $logTimeMicroseconds;
                $hit->statusCode = 403;
                $hit->ctime = $requestTime;
                $hit->IP = wfUtils::inet_pton($ip);
                // Header values are taken from the raw request text and are attacker-supplied.
                if (preg_match('/user\\-agent:(.*?)\\n/i', $requestString, $matches)) {
                    $hit->UA = trim($matches[1]);
                    $hit->isGoogle = wfCrawl::isGoogleCrawler($hit->UA);
                }
                if (preg_match('/Referer:(.*?)\\n/i', $requestString, $matches)) {
                    $hit->referer = trim($matches[1]);
                }
                if (preg_match('/^[a-z]+\\s+(.*?)\\s+/i', $requestString, $uriMatches) && preg_match('/Host:(.*?)\\n/i', $requestString, $hostMatches)) {
                    $hit->URL = 'http' . ($ssl ? 's' : '') . '://' . trim($hostMatches[1]) . trim($uriMatches[1]);
                }
                if (preg_match('/cookie:(.*?)\\n/i', $requestString, $matches)) {
                    $hit->newVisit = strpos($matches[1], 'wfvt_' . crc32(site_url())) !== false ? 1 : 0;
                    $hasVerifiedHumanCookie = strpos($matches[1], 'wordfence_verifiedHuman') !== false;
                    // The verified-human cookie is a nonce bound to UA + IP, so it is checked, not trusted as-is.
                    if ($hasVerifiedHumanCookie && preg_match('/wordfence_verifiedHuman=(.*?);/', $matches[1], $cookieMatches)) {
                        $hit->jsRun = (int) wp_verify_nonce($cookieMatches[1], 'wordfence_verifiedHuman' . $hit->UA . $ip);
                    }
                    $hasLoginCookie = strpos($matches[1], $ssl ? SECURE_AUTH_COOKIE : AUTH_COOKIE) !== false;
                    if ($hasLoginCookie && preg_match('/' . ($ssl ? SECURE_AUTH_COOKIE : AUTH_COOKIE) . '=(.*?);/', $matches[1], $cookieMatches)) {
                        $authCookie = rawurldecode($cookieMatches[1]);
                        // Validate under the scheme matching the transport; a forged cookie yields no user.
                        $authID = $ssl ? wp_validate_auth_cookie($authCookie, 'secure_auth') : wp_validate_auth_cookie($authCookie, 'auth');
                        if ($authID) {
                            $hit->userID = $authID;
                        }
                    }
                }
                // Request path without the query string; defaults to '/' when the request line doesn't parse.
                $path = '/';
                if (preg_match('/^[A-Z]+ (.*?) HTTP\\/1\\.1/', $requestString, $matches)) {
                    if (($pos = strpos($matches[1], '?')) !== false) {
                        $path = substr($matches[1], 0, $pos);
                    } else {
                        $path = $matches[1];
                    }
                }
                $hit->action = 'blocked:waf';
                /** @var wfWAFRule $rule */
                $ruleIDs = explode('|', $failedRules);
                $actionData = array('learningMode' => $learningMode, 'failedRules' => $failedRules, 'paramKey' => $paramKey, 'paramValue' => $paramValue, 'path' => $path);
                // Only the first failed rule is used for the description/category.
                if ($ruleIDs && $ruleIDs[0]) {
                    $rule = $waf->getRule($ruleIDs[0]);
                    if ($rule) {
                        $hit->actionDescription = $rule->getDescription();
                        $actionData['category'] = $rule->getCategory();
                        $actionData['ssl'] = $ssl;
                        $actionData['fullRequest'] = base64_encode($requestString);
                    }
                }
                $hit->actionData = wfRequestModel::serializeActionData($actionData);
                $hit->save();
                self::scheduleSendAttackData();
            }
        }
        // Imported records are removed from the WAF-side store.
        $waf->getStorageEngine()->truncateAttackData();
    }
    update_site_option('wordfence_syncingAttackData', 0);
    update_site_option('wordfence_syncAttackDataAttempts', 0);
    if ($exit) {
        exit;
    }
}
/**
 * Attach a Facebook session to a WordPress user and log them in.
 *
 * This happens only if allow_facebook_registration is true.
 *
 * An already authenticated WordPress visitor only gets the Facebook tokens
 * handled. Otherwise, if the Facebook SDK reports a user, that user is mapped
 * to a WordPress account (existing mapping first, then mapping onto the
 * current WordPress user), the auth cookie is set and the browser is sent to
 * the admin area — except during the 'wdfb_perhaps_create_wp_user' AJAX action.
 *
 * Note: the multisite membership check is commented out below, so a mapped
 * user is logged in regardless of blog membership.
 *
 * @return mixed Result of handle_fb_auth_tokens() when already logged in; otherwise void.
 */
function handle_fb_session_state() {
    if (wp_validate_auth_cookie('')) {
        return $this->handle_fb_auth_tokens();
    }

    $fb_user = $this->model->fb->getUser();
    if (!$fb_user) {
        return;
    }

    $user_id = $this->model->get_wp_user_from_fb();
    if (!$user_id) {
        $user_id = $this->model->map_fb_to_current_wp_user();
    }
    if (!$user_id) {
        return;
    }

    $user = get_userdata($user_id);
    /*
    if (is_multisite() && function_exists('is_user_member_of_blog')) {
        if (!is_user_member_of_blog($user_id)) return false; // Don't allow this
    }
    */
    wp_set_current_user($user->ID, $user->user_login);
    wp_set_auth_cookie($user->ID);

    // Logged in with Facebook, yay
    do_action('wp_login', $user->user_login);
    $this->handle_fb_auth_tokens();

    $is_create_user_ajax = defined('DOING_AJAX')
        && isset($_REQUEST['action'])
        && 'wdfb_perhaps_create_wp_user' == $_REQUEST['action'];
    if (!$is_create_user_ajax) {
        wp_redirect(admin_url());
        exit;
    }
}
if (!defined('WP_ADMIN')) { define('WP_ADMIN', true); } if (defined('ABSPATH')) { require_once ABSPATH . 'wp-load.php'; } else { require_once dirname(dirname(__FILE__)) . '/wp-load.php'; } /** Allow for cross-domain requests (from the front end). */ send_origin_headers(); require_once ABSPATH . 'wp-admin/includes/admin.php'; nocache_headers(); /** This action is documented in wp-admin/admin.php */ do_action('admin_init'); $action = empty($_REQUEST['action']) ? '' : $_REQUEST['action']; if (!wp_validate_auth_cookie()) { if (empty($action)) { /** * Fires on a non-authenticated admin post request where no action was supplied. * * @since 2.6.0 */ do_action('admin_post_nopriv'); } else { /** * Fires on a non-authenticated admin post request for the given action. * * The dynamic portion of the hook name, `$action`, refers to the given * request action. * * @since 2.6.0
/**
 * Checks if a user is logged in, if not it redirects them to the login page.
 *
 * Same shape as core auth_redirect(), but HTTPS bounces go through
 * $this->redirect('https'), SSL detection through $this->is_ssl(), the
 * referer fallback keys on '/admin.php', and an https:// redirect target is
 * rewritten to the shared-SSL URL when $this->shared_ssl is set.
 *
 * @param none
 * @return void Redirects and exits unless the auth cookie validates.
 */
function auth_redirect() {
    $uri = $_SERVER['REQUEST_URI'];
    $in_admin = false !== strpos($uri, 'wp-admin');
    $secure = $this->is_ssl() || force_ssl_admin();

    // If https is required and request is http, redirect
    if ($secure && !$this->is_ssl() && $in_admin) {
        $this->redirect('https');
    }

    $user_id = wp_validate_auth_cookie('', apply_filters('auth_redirect_scheme', ''));
    if ($user_id) {
        do_action('auth_redirect', $user_id);
        // If the user wants ssl but the session is not ssl, redirect.
        if (!$secure && get_user_option('use_ssl', $user_id) && $in_admin) {
            $this->redirect('https');
        }
        return; // The cookie is good so we're done
    }

    // The cookie is no good so force login
    nocache_headers();
    $proto = $this->is_ssl() ? 'https://' : 'http://';
    $redirect = (strpos($uri, '/admin.php') && wp_get_referer())
        ? wp_get_referer()
        : $proto . $_SERVER['HTTP_HOST'] . $uri;

    // Rewrite URL to Shared SSL URL
    if ($this->shared_ssl && strpos($redirect, 'https://') !== false) {
        $redirect = $this->replace_http_url($redirect);
    }

    wp_redirect(wp_login_url($redirect));
    exit;
}
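/**
 * Set headers and cookies.
 *
 * Emits the X-Cache-Enabled header and maintains the 'wpSGCacheBypass'
 * cookie: set (value 1, ~100 minutes) for visitors whose LOGGED_IN_COOKIE
 * validates or who are submitting the login form, expired otherwise.
 *
 * @since 1.1.0
 */
protected function set_headers_cookies() {
    if (!$this->options_handler->is_enabled('enable_cache') || $this->is_url_blacklisted()) {
        header('X-Cache-Enabled: False');
        return;
    }
    header('X-Cache-Enabled: True');

    // Only a cookie that validates counts as logged in; the cookie's mere
    // presence is client-controlled.
    $userIsLoggedIn = isset($_COOKIE[LOGGED_IN_COOKIE])
        ? wp_validate_auth_cookie($_COOKIE[LOGGED_IN_COOKIE], 'logged_in')
        : false;

    $isLoginSubmit = !empty($_POST['wp-submit']) && 'Log In' === $_POST['wp-submit'];

    if ($userIsLoggedIn || $isLoginSubmit) {
        // Enable the cache bypass for logged users by setting a cache bypass cookie
        setcookie('wpSGCacheBypass', 1, time() + 100 * MINUTE_IN_SECONDS, '/');
    } else {
        // The former `elseif (!$userIsLoggedIn || 'logout' === $_GET['action'])`
        // was always true at this point (logged-in users took the first branch),
        // so the logout test was dead code; expire the cookie outright.
        setcookie('wpSGCacheBypass', 0, time() - HOUR_IN_SECONDS, '/');
    }
}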
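/**
 * Register a form
 *
 * Forms are kept in a static registry keyed by their 'action'. Calling with
 * no argument returns the registry.
 *
 * @param array|null $newforms Form definition merged over the defaults below,
 *                             or null to fetch the registry.
 * @return array|bool The registry when $newforms is null; true after registering.
 */
function bum_register_form($newforms = null) {
    static $forms;
    if (!isset($forms)) {
        $forms = array();
    }
    if (is_null($newforms)) {
        return $forms;
    }

    //initializing variables
    // Defaults are evaluated on every call (auth cookie, client IP, timestamps).
    $now = time();
    $defaults = array(
        'action'                => 'example-form',
        'redirect_to'           => false,
        'current_user_can'      => 'edit_posts',
        'is_user_logged_in'     => true,
        'validate'              => false,
        'delete'                => false,
        // REMOTE_ADDR is the peer address; behind a proxy that is the proxy.
        'user_ip'               => $_SERVER['REMOTE_ADDR'],
        'send_email'            => false,
        'ID'                    => false,
        'post_title'            => "",
        'post_parent'           => 0,
        'post_status'           => 'pending',
        'post_category'         => '',
        'comment_status'        => 'open',
        'tags_input'            => "",
        'post_type'             => 'post',
        'post_name'             => "",
        'post_content'          => '',
        // Was listed twice in the original literal; the later duplicate key
        // simply overwrote this one with the same empty string.
        'post_excerpt'          => '',
        // False when no auth cookie validates; callers must not treat that as an author.
        'post_author'           => wp_validate_auth_cookie(),
        'ping_status'           => get_option('default_ping_status'),
        'menu_order'            => 0,
        'to_ping'               => '',
        'pinged'                => '',
        'post_password'         => '',
        'guid'                  => '',
        'post_content_filtered' => '',
        'import_id'             => 0,
        'post_date'             => date('Y-m-d H:i:s', $now),
        // post_date_gmt is a UTC timestamp; date() would apply the server timezone.
        'post_date_gmt'         => gmdate('Y-m-d H:i:s', $now),
    );

    $newforms = wp_parse_args($newforms, $defaults);
    $forms[$newforms['action']] = $newforms;
    return true;
}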
/**
 * Checks if a user is logged in, if not it redirects them to the login page.
 *
 * Variant that builds the login URL directly via
 * site_url('wp-login.php?redirect_to=...', 'login') and fires no
 * 'auth_redirect' action.
 *
 * @since 1.5
 */
function auth_redirect() {
    $uri = $_SERVER['REQUEST_URI'];
    $in_admin = false !== strpos($uri, 'wp-admin');
    $secure = is_ssl() || force_ssl_admin();

    // If https is required and request is http, redirect
    if ($secure && !is_ssl() && $in_admin) {
        wp_redirect(0 === strpos($uri, 'http')
            ? preg_replace('|^http://|', 'https://', $uri)
            : 'https://' . $_SERVER['HTTP_HOST'] . $uri);
        exit();
    }

    $user_id = wp_validate_auth_cookie();
    if ($user_id) {
        // If the user wants ssl but the session is not ssl, redirect.
        if (!$secure && get_user_option('use_ssl', $user_id) && $in_admin) {
            wp_redirect(0 === strpos($uri, 'http')
                ? preg_replace('|^http://|', 'https://', $uri)
                : 'https://' . $_SERVER['HTTP_HOST'] . $uri);
            exit();
        }
        return; // The cookie is good so we're done
    }

    // The cookie is no good so force login
    nocache_headers();
    $proto = is_ssl() ? 'https://' : 'http://';
    $redirect = (strpos($uri, '/options.php') && wp_get_referer())
        ? wp_get_referer()
        : $proto . $_SERVER['HTTP_HOST'] . $uri;
    $login_url = site_url('wp-login.php?redirect_to=' . urlencode($redirect), 'login');
    wp_redirect($login_url);
    exit();
}
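/**
 * Is it a good time to check for updates?
 *
 * Returns false for requests headed to wp-login.php (no valid auth cookie),
 * during plugin (de)activation, and for the listed HMWP upgrade actions.
 *
 * @return bool
 */
private function can_update() {
    // Don't check for updates on wp-login.php, this happens when you request
    // an admin page but are not logged in and then redirected to wp-login.php
    if (false === wp_validate_auth_cookie()) {
        return false;
    }

    // Don't run on plugin activation/deactivation, request will seem slow
    foreach (array('activate', 'deactivate', 'activate-multi', 'deactivate-multi') as $key) {
        if (array_key_exists($key, $_REQUEST)) {
            return false;
        }
    }

    // Don't check for updates on the following actions
    $actions = array(
        'hmwp_ms_upgrade_diff',
        'hmwp_ms_upgrade',
        'hmwp_ms_upgrade_run',
        'activate',
        'deactivate',
        'activate-selected',
        'deactivate-selected',
    );
    // Strict comparison: the request-derived action must equal one of these
    // exact strings; loose in_array() lets non-string values match by juggling.
    if (in_array(HMWP_MS_Utils::get('action'), $actions, true)) {
        return false;
    }

    return true;
}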
/**
 * Resolve the current WordPress user, bridging XOOPS and WordPress sessions.
 *
 * Inside a XOOPS module ($xoopsModule set): a logged-in XOOPS user whose
 * name matches the WordPress current user is left alone; otherwise the
 * XPress auth cookie is checked and the WordPress user restored from it,
 * falling back to xpress_login(). A XOOPS guest clears any WordPress
 * session. Outside XOOPS the WordPress core logic is reproduced, with a
 * legacy WP 2.0 branch that logs in from USER_COOKIE/PASS_COOKIE.
 *
 * @return bool|null False when no user could be established or on XML-RPC;
 *                   null after a user was set; otherwise xpress_login()'s result.
 */
function get_currentuserinfo() {
    global $current_user;
    global $xoopsModule,$xoopsUser,$xoopsUserIsAdmin; // $xoopsUserIsAdmin is declared but not read here
    if ($xoopsModule){
        if ( defined('XMLRPC_REQUEST') && XMLRPC_REQUEST )
            return false;
        if (is_object($xoopsUser)){
            // When the user is logging in xoops
            if ( ! empty($current_user) ){
                $xoops_user = $xoopsUser->getVar("uname");
                if ($current_user->user_login == $xoops_user){
                    // If xoops login user and wordpress current user are the same
                    return;
                }
            }
            if (check_xpress_auth_cookie()){
                //The cookie is login user's or it checks it
                if (function_exists('wp_validate_auth_cookie')){
                    if ( $user = wp_validate_auth_cookie() ) {
                        // When the user meta prefix is different according to the change in the xoops data base prefix, it restores it.
                        if (!check_user_meta_prefix($user)){
                            repair_user_meta_prefix();
                        }
                        wp_set_current_user($user);
                        return ;
                    }
                } else {
                    // for WP2.0
                    // Legacy path, only reachable when wp_validate_auth_cookie() does not exist:
                    // the raw USER_COOKIE/PASS_COOKIE values are handed to wp_login().
                    if ( !empty($_COOKIE[USER_COOKIE]) && !empty($_COOKIE[PASS_COOKIE])){
                        if(wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true) ) {
                            $user_login = $_COOKIE[USER_COOKIE];
                            wp_set_current_user(0, $user_login);
                            return;
                        }
                    }
                }
            }
            return xpress_login();
        } else {
            // For the xoops guest
            if ( ! empty($current_user) ){
                // When a current user of wordpress is set, a current user is cleared.
                wp_set_current_user(0);
                wp_logout();
                wp_clear_auth_cookie();
            }
            return false;
        }
    } else {
        // WP original
        if ( defined('XMLRPC_REQUEST') && XMLRPC_REQUEST )
            return false;
        if ( ! empty($current_user) )
            return;
        if (function_exists('wp_validate_auth_cookie')){
            // Auth cookie first, then the 'logged_in' cookie; the assignments inside the conditions are intentional.
            if ( ! $user = wp_validate_auth_cookie() ) {
                if ( empty($_COOKIE[LOGGED_IN_COOKIE]) || !$user = wp_validate_auth_cookie($_COOKIE[LOGGED_IN_COOKIE], 'logged_in') ) {
                    wp_set_current_user(0);
                    return false;
                }
            }
            wp_set_current_user($user);
        } else {
            // for WP2.0
            if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) || !wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true) ) {
                wp_set_current_user(0);
                return false;
            }
            $user_login = $_COOKIE[USER_COOKIE];
            wp_set_current_user(0, $user_login);
        }
    }
}
/**
 * Validate the old_user cookie and return its user data.
 *
 * The cookie is only trusted under its own 'old_user' scheme.
 *
 * @return bool|object False if there's no old_user cookie or it's invalid, WP_User object if it's present and valid.
 */
function get_old_user() {
    if (!isset($_COOKIE[OLDUSER_COOKIE])) {
        return false;
    }
    $old_user_id = wp_validate_auth_cookie($_COOKIE[OLDUSER_COOKIE], 'old_user');
    return $old_user_id ? get_userdata($old_user_id) : false;
}
/**
 * Checks if a user is logged in, if not it redirects them to the login page.
 *
 * Early variant: the HTTPS bounce is not limited to wp-admin URIs, no
 * 'auth_redirect' action fires, and the login redirect always targets the
 * current URL.
 *
 * @since 1.5
 */
function auth_redirect() {
    $uri = $_SERVER['REQUEST_URI'];
    $secure = is_ssl() || force_ssl_admin();

    // If https is required and request is http, redirect
    if ($secure && !is_ssl()) {
        wp_redirect(0 === strpos($uri, 'http')
            ? preg_replace('|^http://|', 'https://', $uri)
            : 'https://' . $_SERVER['HTTP_HOST'] . $uri);
        exit;
    }

    // The cookie is good so we're done
    if (wp_validate_auth_cookie()) {
        return;
    }

    // The cookie is no good so force login
    nocache_headers();
    $proto = is_ssl() ? 'https://' : 'http://';
    $current_url = $proto . $_SERVER['HTTP_HOST'] . $uri;
    $login_url = site_url('wp-login.php?redirect_to=' . urlencode($current_url), 'login');
    wp_redirect($login_url);
    exit;
}
/**
 * @see UGD_Login_Module_Interface::isAuthenticated()
 *
 * Despite the name this yields wp_validate_auth_cookie()'s result: the
 * user ID when the auth cookie validates, false otherwise — not a strict bool.
 *
 * @return int|false
 */
public function isAuthenticated() {
    $user_id = wp_validate_auth_cookie();
    return $user_id;
}
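/**
 * Get the current user
 *
 * Function is responsible for creating and returning the user object.
 * Instances are cached per user ID in a static array, so repeated calls
 * return the same WP_User reference.
 *
 * @since 1.0
 * @param int|object|null $userid User ID, an object carrying ->ID, or null for
 *                                the user identified by the auth cookies.
 * @return WP_User Reference into the static cache; user 0 when nobody is logged in.
 */
function &get_user($userid = null) {
    //initializing variables
    static $users;
    if (is_null($users)) {
        $users = array();
    }

    //loading library
    require_once ABSPATH . WPINC . DS . 'pluggable.php';

    //if we want the logged in user
    if (is_null($userid)) {
        $user = wp_validate_auth_cookie();
        if (!$user && !is_admin() && !empty($_COOKIE[LOGGED_IN_COOKIE])) {
            // Outside the admin the weaker 'logged_in' cookie is acceptable.
            $user = wp_validate_auth_cookie($_COOKIE[LOGGED_IN_COOKIE], 'logged_in');
        }
        // Previously `$userid = 0` was assigned on failure and then immediately
        // overwritten by `$userid = $user` (false); resolve to 0 explicitly.
        $userid = $user ? $user : 0;
    }

    //if we're wanting to standardize the userid
    if (is_object($userid) && isset($userid->ID)) {
        $userid = $userid->ID;
    }

    if (!isset($users[$userid])) {
        $user = new WP_User($userid);
        $users[$userid] =& $user;
    }
    return $users[$userid];
}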
/**
 * Validate the logged-in cookie.
 *
 * Checks the logged-in cookie if the previous auth cookie could not be
 * validated and parsed.
 *
 * This is a callback for the determine_current_user filter, rather than API.
 * The weaker 'logged_in' cookie is deliberately not accepted on blog or
 * network admin screens.
 *
 * @since 3.9.0
 *
 * @param int|bool $user_id The user ID (or false) as received from the
 *                          determine_current_user filter.
 * @return int|false User ID if validated, false otherwise. If a user ID from
 *                   an earlier filter callback is received, that value is returned.
 */
function wp_validate_logged_in_cookie($user_id) {
    // An earlier callback already determined the user; pass it through.
    if ($user_id) {
        return $user_id;
    }
    $admin_context = is_blog_admin() || is_network_admin();
    if ($admin_context || empty($_COOKIE[LOGGED_IN_COOKIE])) {
        return false;
    }
    return wp_validate_auth_cookie($_COOKIE[LOGGED_IN_COOKIE], 'logged_in');
}
/**
 * Checks if a user is logged in, if not it redirects them to the login page.
 *
 * @since 1.5.0
 */
function auth_redirect() {
    $uri = $_SERVER['REQUEST_URI'];
    $in_admin = false !== strpos($uri, 'wp-admin');

    /**
     * Filter whether to use a secure authentication redirect.
     *
     * @since 3.1.0
     *
     * @param bool $secure Whether to use a secure authentication redirect. Default false.
     */
    $secure = apply_filters('secure_auth_redirect', is_ssl() || force_ssl_admin());

    // If https is required and request is http, redirect
    if ($secure && !is_ssl() && $in_admin) {
        wp_redirect(0 === strpos($uri, 'http')
            ? set_url_scheme($uri, 'https')
            : 'https://' . $_SERVER['HTTP_HOST'] . $uri);
        exit;
    }

    if (is_user_admin()) {
        $scheme = 'logged_in';
    } else {
        /**
         * Filter the authentication redirect scheme.
         *
         * @since 2.9.0
         *
         * @param string $scheme Authentication redirect scheme. Default empty.
         */
        $scheme = apply_filters('auth_redirect_scheme', '');
    }

    $user_id = wp_validate_auth_cookie('', $scheme);
    if ($user_id) {
        /**
         * Fires before the authentication redirect.
         *
         * @since 2.8.0
         *
         * @param int $user_id User ID.
         */
        do_action('auth_redirect', $user_id);
        // If the user wants ssl but the session is not ssl, redirect.
        if (!$secure && get_user_option('use_ssl', $user_id) && $in_admin) {
            wp_redirect(0 === strpos($uri, 'http')
                ? set_url_scheme($uri, 'https')
                : 'https://' . $_SERVER['HTTP_HOST'] . $uri);
            exit;
        }
        return; // The cookie is good so we're done
    }

    // The cookie is no good so force login
    nocache_headers();
    $redirect = (strpos($uri, '/options.php') && wp_get_referer())
        ? wp_get_referer()
        : set_url_scheme('http://' . $_SERVER['HTTP_HOST'] . $uri);
    // Second argument forces re-authentication on the login screen.
    $login_url = wp_login_url($redirect, true);
    wp_redirect($login_url);
    exit;
}
/**
 * Produces a token based on the current user.
 *
 * @since 140422 First documented version.
 *
 * @return string Produces a token based on the current user;
 *    else an empty string if that's not possible to do.
 *    (When the 'logged_in' auth cookie validates, the cached value is the
 *    integer user ID rather than a string.)
 *
 * @note The return value of this function is cached to reduce overhead on repeat calls.
 *
 * @note This routine may trigger a flag which indicates that the current user was logged-in at some point,
 *    but now the login cookie can no longer be validated by WordPress; i.e. they are NOT actually logged in any longer.
 *    See {@link $user_login_cookie_expired_or_invalid}
 *
 * @note The comment-author and post-password branches hash client-supplied
 *    cookie values; the result distinguishes visitors but is not a secret.
 *
 * @warning Do NOT call upon this method until WordPress reaches it's cache postload phase.
 */
public function user_token() {
    if (isset(static::$static[__FUNCTION__])) {
        return static::$static[__FUNCTION__];
    }

    $can_validate = $this->function_is_possible('wp_validate_auth_cookie');

    // 1. A validated 'logged_in' cookie wins.
    if ($can_validate) {
        $user_id = (int) wp_validate_auth_cookie('', 'logged_in');
        if ($user_id) {
            return static::$static[__FUNCTION__] = $user_id;
        }
    }

    // 2. Comment author e-mail cookie.
    $author_email_cookie = 'comment_author_email_' . COOKIEHASH;
    if (!empty($_COOKIE[$author_email_cookie]) && is_string($_COOKIE[$author_email_cookie])) {
        return static::$static[__FUNCTION__] = md5(strtolower(stripslashes($_COOKIE[$author_email_cookie])));
    }

    // 3. Post password cookie.
    $postpass_cookie = 'wp-postpass_' . COOKIEHASH;
    if (!empty($_COOKIE[$postpass_cookie]) && is_string($_COOKIE[$postpass_cookie])) {
        return static::$static[__FUNCTION__] = md5(stripslashes($_COOKIE[$postpass_cookie]));
    }

    // 4. PHP session ID, when one is defined.
    if (defined('SID') && SID) {
        return static::$static[__FUNCTION__] = preg_replace('/[^a-z0-9]/i', '', SID);
    }

    // A logged-in cookie is present but did not validate: remember that.
    $logged_in_cookie = 'wordpress_logged_in_' . COOKIEHASH;
    if ($can_validate && !empty($_COOKIE[$logged_in_cookie]) && is_string($_COOKIE[$logged_in_cookie])) {
        $this->user_login_cookie_expired_or_invalid = true; // Flag as `TRUE`.
    }

    return static::$static[__FUNCTION__] = '';
}
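/**
 * Post a comment as the user identified by the `cookie` request var.
 *
 * Request vars read from $json_api->query:
 *  - cookie          A WordPress `logged_in` auth cookie; resolved to a user via
 *                    wp_validate_auth_cookie().
 *  - post_id         ID of the post to comment on (cast to int before insert).
 *  - content         Comment body.
 *  - comment_status  '1' (approved) or '0' (held for moderation); nothing else is accepted.
 *
 * Fixes relative to the previous revision:
 *  - '0' was rejected as "missing" because the presence check was a plain truthiness
 *    test, even though the error text documents '0' as a valid value.
 *  - comment_status was stored verbatim, so any caller holding a valid cookie could
 *    self-approve (or store an arbitrary string). Approval is a moderation decision:
 *    only users with `moderate_comments` may submit an already-approved comment; for
 *    everyone else a requested '1' is downgraded to '0'.
 *  - A missing HTTP_USER_AGENT / REMOTE_ADDR and a failed get_userdata() no longer
 *    raise notices or produce a comment with empty author fields.
 *
 * Note: wp_insert_comment() writes the row directly; it does not appear to run the
 * duplicate / flood / moderation-settings checks that wp_new_comment() performs —
 * confirm against the WordPress version in use if that matters for this endpoint.
 *
 * Errors go through $json_api->error(), which is assumed to terminate the request
 * (the previous revision relied on the same assumption: no return follows the calls).
 *
 * @return array {'comment_id' => int|false} The value returned by wp_insert_comment().
 */
public function post_comment() {
    global $json_api;
    if (!$json_api->query->cookie) {
        $json_api->error("You must include a 'cookie' var in your request. Use the `generate_auth_cookie` method.");
    }
    $user_id = wp_validate_auth_cookie($json_api->query->cookie, 'logged_in');
    if (!$user_id) {
        $json_api->error("Invalid cookie. Use the `generate_auth_cookie` method.");
    }
    if (!$json_api->query->post_id) {
        $json_api->error("No post specified. Include 'post_id' var in your request.");
    } elseif (!$json_api->query->content) {
        $json_api->error("Please include 'content' var in your request.");
    }
    // '0' is a legitimate value, so test for absence explicitly instead of with a truthiness check.
    $requested_status = $json_api->query->comment_status;
    if ($requested_status === null || $requested_status === false || $requested_status === '') {
        $json_api->error("Please include 'comment_status' var in your request. Possible values are '1' (approved) or '0' (not-approved)");
    }
    $requested_status = (string) $requested_status;
    if ($requested_status !== '0' && $requested_status !== '1') {
        $json_api->error("Invalid 'comment_status' value. Possible values are '1' (approved) or '0' (not-approved)");
    }
    // Only moderators may bypass the moderation queue; everyone else's comment is held.
    if ($requested_status === '1' && !user_can($user_id, 'moderate_comments')) {
        $requested_status = '0';
    }
    $comment_approved = $requested_status;
    $user_info = get_userdata($user_id);
    if (!$user_info) {
        // The cookie validated but the user record could not be loaded.
        $json_api->error("Could not load the user for this cookie. Use the `generate_auth_cookie` method.");
    }
    $time = current_time('mysql');
    // Either header may be absent (CLI, some proxies); avoid undefined-index notices.
    $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $data = array(
        'comment_post_ID' => (int) $json_api->query->post_id,
        'comment_author' => $user_info->user_login,
        'comment_author_email' => $user_info->user_email,
        'comment_author_url' => $user_info->user_url,
        'comment_content' => $json_api->query->content,
        'comment_type' => '',
        'comment_parent' => 0,
        'user_id' => $user_info->ID,
        'comment_author_IP' => $ip,
        'comment_agent' => $agent,
        'comment_date' => $time,
        'comment_approved' => $comment_approved,
    );
    $comment_id = wp_insert_comment($data);
    return array("comment_id" => $comment_id);
}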
/**
 * Check that the most recent entry in the user-switching auth cookie still
 * validates to the given user.
 *
 * The cookie stack comes from user_switching_get_auth_cookie(); only its last
 * entry is examined. The validation scheme ('secure_auth' or 'auth') follows
 * user_switching::secure_auth_cookie() so the check matches how the cookie was
 * issued. The final comparison is strict, so both IDs are expected to be ints
 * (WP_User::$ID and the value wp_validate_auth_cookie() returns — confirm for the
 * WordPress version in use).
 *
 * @param WP_User $user A WP_User object (usually from the logged_in cookie).
 * @return bool True only when the last cookie entry validates and names $user->ID.
 */
public static function authenticate_old_user(WP_User $user) {
    $cookie_stack = user_switching_get_auth_cookie();
    if (empty($cookie_stack)) {
        return false;
    }
    $scheme = user_switching::secure_auth_cookie() ? 'secure_auth' : 'auth';
    $previous_user_id = wp_validate_auth_cookie(end($cookie_stack), $scheme);
    if (!$previous_user_id) {
        return false;
    }
    return $user->ID === $previous_user_id;
}
/**
 * `authenticate` filter callback: resolve the request's auth cookie to a WP_User.
 *
 * Cookie authentication is only attempted when neither a username nor a password
 * was supplied; an explicit credential login is left to the other callbacks, and a
 * user already resolved by an earlier callback is passed through untouched.
 *
 * @param WP_User|WP_Error|null $user     Result of earlier `authenticate` callbacks.
 * @param string                $username Username from the login form, if any.
 * @param string                $password Password from the login form, if any.
 * @return WP_User|WP_Error|null WP_User when wp_validate_auth_cookie() succeeds;
 *                               WP_Error('expired_session') when the auth cookie
 *                               selected by $auth_secure_cookie is present but did
 *                               not validate; otherwise $user unchanged.
 */
function wp_authenticate_cookie($user, $username, $password) {
    if ($user instanceof WP_User) {
        return $user;
    }
    if (!empty($username) || !empty($password)) {
        // Credentials were posted; cookie auth does not apply to this request.
        return $user;
    }
    $user_id = wp_validate_auth_cookie();
    if ($user_id) {
        return new WP_User($user_id);
    }
    global $auth_secure_cookie;
    $cookie_name = $auth_secure_cookie ? SECURE_AUTH_COOKIE : AUTH_COOKIE;
    if (!empty($_COOKIE[$cookie_name])) {
        // A cookie was presented but failed validation: expired, tampered or re-keyed.
        return new WP_Error('expired_session', __('Please log in again.'));
    }
    // No cookie at all: stay silent and let later callbacks decide.
    return $user;
}
/**
 * Copy newly logged WAF attack entries from the WAF storage engine into the wfHits table.
 *
 * Flow:
 *   - Reads the newest attackLogTime already in wfHits and asks the storage engine for
 *     entries newer than that. Entries with neither 9 nor 10 fields, entries not newer
 *     than the stored maximum, and learning-mode entries are skipped.
 *   - Each remaining entry becomes a wfRequestModel: the raw request text is parsed
 *     with regexes for User-Agent, Referer, Host/URI, Cookie and the request path,
 *     the action/description is derived from the WAF rule IDs and any plugin-level
 *     "finalAction" metadata, and the row is saved.
 *   - Afterwards the storage engine's attack data is truncated, the sync bookkeeping
 *     options are reset, and the request exits when $exit is true.
 *
 * Trust boundary: $requestString is the attacker's raw request, so every value pulled
 * out of it (UA, referer, host, cookies, path) is attacker-controlled. A hit is only
 * attributed to a user ID when the auth cookie found in the request passes
 * wp_validate_auth_cookie(), so a forged cookie cannot pin a hit on another user.
 * Note that 'fullRequest' stores the entire raw request (headers included, cookies and
 * the like) base64-encoded in the hit's actionData.
 *
 * @param bool $exit Whether to call exit after syncing (default true).
 */
public static function syncAttackData($exit = true) {
    global $wpdb;
    $waf = wfWAF::getInstance();
    // Table name comes from the configured prefix, not from input; values below go through prepare().
    $lastAttackMicroseconds = $wpdb->get_var("SELECT MAX(attackLogTime) FROM {$wpdb->base_prefix}wfHits");
    if ($waf->getStorageEngine()->hasNewerAttackData($lastAttackMicroseconds)) {
        $attackData = $waf->getStorageEngine()->getNewestAttackDataArray($lastAttackMicroseconds);
        if ($attackData) {
            foreach ($attackData as $request) {
                if (count($request) !== 9 && count($request) !== 10) { continue; }
                // NOTE(review): list() expects 10 elements; for a 9-element entry $metadata is
                // left unset (PHP emits an undefined-offset notice) and falls through to the
                // `!= null` default further down. Older storage format presumably — confirm.
                list($logTimeMicroseconds, $requestTime, $ip, $learningMode, $paramKey, $paramValue, $failedRules, $ssl, $requestString, $metadata) = $request;
                // Skip old entries and hits in learning mode, since they'll get picked up anyways.
                if ($logTimeMicroseconds <= $lastAttackMicroseconds || $learningMode) { continue; }
                $hit = new wfRequestModel();
                $hit->attackLogTime = $logTimeMicroseconds;
                // Recorded as 403 unconditionally, including entries whose action ends up 'logged:waf'.
                $hit->statusCode = 403;
                $hit->ctime = $requestTime;
                $hit->IP = wfUtils::inet_pton($ip);
                // Header extraction from the raw request text; header names match case-insensitively.
                if (preg_match('/user\\-agent:(.*?)\\n/i', $requestString, $matches)) {
                    $hit->UA = trim($matches[1]);
                    $hit->isGoogle = wfCrawl::isGoogleCrawler($hit->UA);
                }
                if (preg_match('/Referer:(.*?)\\n/i', $requestString, $matches)) {
                    $hit->referer = trim($matches[1]);
                }
                // Reconstruct the absolute URL from the request line and the Host header; the scheme follows $ssl.
                if (preg_match('/^[a-z]+\\s+(.*?)\\s+/i', $requestString, $uriMatches) && preg_match('/Host:(.*?)\\n/i', $requestString, $hostMatches)) {
                    $hit->URL = 'http' . ($ssl ? 's' : '') . '://' . trim($hostMatches[1]) . trim($uriMatches[1]);
                }
                if (preg_match('/cookie:(.*?)\\n/i', $requestString, $matches)) {
                    $hit->newVisit = strpos($matches[1], 'wfvt_' . crc32(site_url())) !== false ? 1 : 0;
                    $hasVerifiedHumanCookie = strpos($matches[1], 'wordfence_verifiedHuman') !== false;
                    // The `=(.*?);` patterns below need a trailing ';', so a cookie that is last in the
                    // header without one is not captured.
                    if ($hasVerifiedHumanCookie && preg_match('/wordfence_verifiedHuman=(.*?);/', $matches[1], $cookieMatches)) {
                        // Nonce is bound to the UA and IP from this same request.
                        $hit->jsRun = (int) wp_verify_nonce($cookieMatches[1], 'wordfence_verifiedHuman' . $hit->UA . $ip);
                    }
                    // Auth cookie name depends on whether the request was HTTPS; the name is interpolated
                    // into the pattern without preg_quote(), fine for the default names — a custom
                    // AUTH_COOKIE containing regex metacharacters would break this (unverified).
                    $hasLoginCookie = strpos($matches[1], $ssl ? SECURE_AUTH_COOKIE : AUTH_COOKIE) !== false;
                    if ($hasLoginCookie && preg_match('/' . ($ssl ? SECURE_AUTH_COOKIE : AUTH_COOKIE) . '=(.*?);/', $matches[1], $cookieMatches)) {
                        $authCookie = rawurldecode($cookieMatches[1]);
                        // Only a cookie that validates under the matching scheme attributes the hit to a user.
                        $authID = $ssl ? wp_validate_auth_cookie($authCookie, 'secure_auth') : wp_validate_auth_cookie($authCookie, 'auth');
                        if ($authID) {
                            $hit->userID = $authID;
                        }
                    }
                }
                // Request path without query string; only HTTP/1.1 request lines are recognised here.
                $path = '/';
                if (preg_match('/^[A-Z]+ (.*?) HTTP\\/1\\.1/', $requestString, $matches)) {
                    if (($pos = strpos($matches[1], '?')) !== false) {
                        $path = substr($matches[1], 0, $pos);
                    } else {
                        $path = $matches[1];
                    }
                }
                $metadata = $metadata != null ? (array) $metadata : array();
                if (isset($metadata['finalAction']) && $metadata['finalAction']) {
                    // The request was blocked/redirected because of its IP based on the plugin's blocking settings. WAF blocks should be reported but not shown in live traffic with that as a reason.
                    $action = $metadata['finalAction']['action'];
                    $actionDescription = $action;
                    if (class_exists('wfWAFIPBlocksController')) {
                        // Per-block-type bookkeeping: counters, activity report, and the WFSN report for login blocks.
                        if ($action == wfWAFIPBlocksController::WFWAF_BLOCK_UAREFIPRANGE) {
                            $id = $metadata['finalAction']['id'];
                            $wpdb->query($wpdb->prepare("UPDATE {$wpdb->base_prefix}wfBlocksAdv SET totalBlocked = totalBlocked + 1, lastBlocked = %d WHERE id = %d", $requestTime, $id));
                            wfActivityReport::logBlockedIP($ip);
                        } else {
                            if ($action == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY_REDIR) {
                                // Description carries the configured country-block redirect URL.
                                $actionDescription .= ' (' . wfConfig::get('cbl_redirURL') . ')';
                                wfConfig::inc('totalCountryBlocked');
                                wfActivityReport::logBlockedIP($ip);
                            } else {
                                if ($action == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY) {
                                    wfConfig::inc('totalCountryBlocked');
                                    wfActivityReport::logBlockedIP($ip);
                                } else {
                                    if ($action == wfWAFIPBlocksController::WFWAF_BLOCK_WFSN) {
                                        wordfence::wfsnReportBlockedAttempt($ip, 'login');
                                    }
                                }
                            }
                        }
                    }
                    if (strlen($actionDescription) == 0) {
                        $actionDescription = 'Blocked by Wordfence';
                    }
                    if (empty($failedRules)) {
                        // Just a plugin block
                        $hit->action = 'blocked:wordfence';
                        if (class_exists('wfWAFIPBlocksController')) {
                            if ($action == wfWAFIPBlocksController::WFWAF_BLOCK_WFSN) {
                                $hit->action = 'blocked:wfsnrepeat';
                            }
                        }
                        $hit->actionDescription = $actionDescription;
                    } else {
                        if ($failedRules == 'logged') {
                            $hit->action = 'logged:waf';
                        } else {
                            // Blocked by the WAF but would've been blocked anyway by the plugin settings so that message takes priority
                            $hit->action = 'blocked:waf-always';
                            $hit->actionDescription = $actionDescription;
                        }
                    }
                } else {
                    // No plugin-level action: the WAF rules alone decided.
                    if ($failedRules == 'logged') {
                        $hit->action = 'logged:waf';
                    } else {
                        $hit->action = 'blocked:waf';
                    }
                }
                /** @var wfWAFRule $rule */
                // Only the first failed rule ID drives the description and category.
                $ruleIDs = explode('|', $failedRules);
                $actionData = array('learningMode' => $learningMode, 'failedRules' => $failedRules, 'paramKey' => $paramKey, 'paramValue' => $paramValue, 'path' => $path);
                if ($ruleIDs && $ruleIDs[0]) {
                    $rule = $waf->getRule($ruleIDs[0]);
                    if ($rule) {
                        if ($hit->action == 'logged:waf' || $hit->action == 'blocked:waf') {
                            $hit->actionDescription = $rule->getDescription();
                        }
                        $actionData['category'] = $rule->getCategory();
                        $actionData['ssl'] = $ssl;
                        // Whole raw request, headers included, persisted with the hit.
                        $actionData['fullRequest'] = base64_encode($requestString);
                    } else {
                        if ($ruleIDs[0] == 'logged') {
                            if ($hit->action == 'logged:waf' || $hit->action == 'blocked:waf') {
                                $hit->actionDescription = 'Watched IP Traffic: ' . $ip;
                            }
                            $actionData['category'] = 'logged';
                            $actionData['ssl'] = $ssl;
                            $actionData['fullRequest'] = base64_encode($requestString);
                        }
                    }
                }
                $hit->actionData = wfRequestModel::serializeActionData($actionData);
                $hit->save();
                self::scheduleSendAttackData();
            }
        }
        // Everything the engine reported has been copied (or deliberately skipped); drop it.
        $waf->getStorageEngine()->truncateAttackData();
    }
    // Reset the sync-in-progress flag and retry counter, record the sync time.
    update_site_option('wordfence_syncingAttackData', 0);
    update_site_option('wordfence_syncAttackDataAttempts', 0);
    update_site_option('wordfence_lastSyncAttackData', time());
    if ($exit) { exit; }
}