sign_current_request() public method

public sign_current_request ( $override = [] )
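 /**
  * Authenticates XML-RPC and other requests from the Jetpack Server.
  *
  * Has the shape of a WordPress `authenticate` filter callback (confirm at the hook site).
  * If an earlier handler already produced a WP_User, or the request carries no Jetpack
  * token/signature pair, `$user` is returned untouched so other handlers still get their turn.
  * Otherwise the token ("key:version:user_id") selects a stored access token, the request is
  * re-signed locally with Jetpack_Signature, the result is compared in constant time against
  * `$_GET['signature']`, and only then is the nonce recorded.
  *
  * @param WP_User|WP_Error|null $user     Outcome of earlier authentication handlers.
  * @param string                $username Unused; kept for filter-callback compatibility.
  * @param string                $password Unused; kept for filter-callback compatibility.
  *
  * @return WP_User|WP_Error|null The connection's user on success, the signer's WP_Error when
  *                               signing itself failed, otherwise `$user` unchanged.
  */
 function authenticate_jetpack($user, $username, $password)
 {
     if (is_a($user, 'WP_User')) {
         return $user;
     }
     // It's not for us (or the parameters are not plain strings, which hash_equals() requires).
     if (!isset($_GET['token']) || !is_string($_GET['token']) || empty($_GET['signature']) || !is_string($_GET['signature'])) {
         return $user;
     }
     // Token is "key:version:user_id"; pad so a short token yields nulls instead of an
     // undefined-offset notice (previously hidden with the @ operator).
     list($token_key, $version, $user_id) = array_pad(explode(':', $_GET['token']), 3, null);
     if (empty($token_key) || empty($version) || strval(JETPACK__API_VERSION) !== $version || empty($user_id) || !ctype_digit($user_id) || !get_userdata($user_id)) {
         return $user;
     }
     $token = Jetpack_Data::get_access_token($user_id);
     if (!$token) {
         return $user;
     }
     // The stored secret must begin with the key half of the presented token, followed by ".".
     if (0 !== strpos($token->secret, "{$token_key}.")) {
         return $user;
     }
     require_once dirname(__FILE__) . '/class.jetpack-signature.php';
     $jetpack_signature = new Jetpack_Signature($token->secret, (int) Jetpack::get_option('time_diff'));
     if (isset($_POST['_jetpack_is_multipart'])) {
         // Multipart upload: the signed body is the POST fields with each uploaded file
         // represented by its HMAC, which arrives as a "_jetpack_file_hmac_<field>" field.
         $post_data = $_POST;
         $file_hashes = array();
         foreach ($post_data as $post_data_key => $post_data_value) {
             if (0 === strpos((string) $post_data_key, '_jetpack_file_hmac_')) {
                 $file_hashes[substr($post_data_key, strlen('_jetpack_file_hmac_'))] = $post_data_value;
             }
         }
         // Kept as a second pass so the HMAC wins over a same-named plain field no matter
         // which of the two arrived first.
         foreach ($file_hashes as $field => $hmac) {
             unset($post_data["_jetpack_file_hmac_{$field}"]);
             $post_data[$field] = $hmac;
         }
         ksort($post_data);
         $body = http_build_query(stripslashes_deep($post_data));
     } elseif (is_null($this->HTTP_RAW_POST_DATA)) {
         $body = file_get_contents('php://input');
     } else {
         $body = $this->HTTP_RAW_POST_DATA;
     }
     $signature = $jetpack_signature->sign_current_request(array('body' => $body));
     if (is_wp_error($signature)) {
         return $signature;
     }
     // hash_equals() (PHP 5.6+) keeps the comparison constant-time, so a mismatch does not
     // reveal how many leading bytes of the expected signature were correct.
     if (!$signature || !is_string($signature) || !hash_equals($signature, $_GET['signature'])) {
         return $user;
     }
     // The nonce is recorded only after the signature verified, so unsigned requests cannot
     // consume nonces. add_nonce() presumably returns false for a nonce already seen — verify.
     $timestamp = isset($_GET['timestamp']) ? (int) $_GET['timestamp'] : 0;
     $nonce = isset($_GET['nonce']) ? stripslashes((string) $_GET['nonce']) : '';
     if (!$this->add_nonce($timestamp, $nonce)) {
         return $user;
     }
     nocache_headers();
     return new WP_User($token->external_user_id);
 }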
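 /**
  * Verifies the signed request that starts the JSON API authorization flow.
  *
  * The request is re-signed locally with the master user's access token — from the original
  * query string when the login form posts it back, otherwise from the current request — and
  * compared in constant time with `$_GET['signature']`. Every failure dies with the same
  * generic message so a forged request and a genuine bug are indistinguishable to the caller.
  * On success the `state`, `client_id`, `client_title` and `client_image` values decoded from
  * `$_GET['data']` are sanitised and stored in `$this->json_api_authorization_request`.
  *
  * Terminates via wp_die() on every failure; returns nothing.
  */
 function verify_json_api_authorization_request()
 {
     require_once JETPACK__PLUGIN_DIR . 'class.jetpack-signature.php';
     $token = Jetpack_Data::get_access_token(JETPACK_MASTER_USER);
     if (!$token || empty($token->secret)) {
         wp_die(__('You must connect your Jetpack plugin to WordPress.com to use this feature.', 'jetpack'));
     }
     $die_error = __('Someone may be trying to trick you into giving them access to your site.  Or it could be you just encountered a bug :).  Either way, please close this window.', 'jetpack');
     // Reject up front if any parameter consumed below is missing or not a plain string:
     // hash_equals() requires strings, and each of these values is used later in this method.
     foreach (array('token', 'timestamp', 'nonce', 'signature', 'data') as $required) {
         if (!isset($_GET[$required]) || !is_string($_GET[$required])) {
             wp_die($die_error);
         }
     }
     $jetpack_signature = new Jetpack_Signature($token->secret, (int) Jetpack_Options::get_option('time_diff'));
     if (isset($_POST['jetpack_json_api_original_query'])) {
         // The login form posts the original query back; sign that rather than the current URL.
         $signature = $jetpack_signature->sign_request($_GET['token'], $_GET['timestamp'], $_GET['nonce'], '', 'GET', $_POST['jetpack_json_api_original_query'], null, true);
     } else {
         $signature = $jetpack_signature->sign_current_request(array('body' => null, 'method' => 'GET'));
     }
     if (!$signature || is_wp_error($signature)) {
         wp_die($die_error);
     }
     // hash_equals() (PHP 5.6+) keeps the comparison constant-time.
     if (!is_string($signature) || !hash_equals($signature, $_GET['signature'])) {
         if (!is_ssl()) {
             wp_die($die_error);
         }
         // If we signed an HTTP request on the Jetpack Servers, but got redirected to HTTPS by the local blog, check the HTTP signature as well
         $signature = $jetpack_signature->sign_current_request(array('scheme' => 'http', 'body' => null, 'method' => 'GET'));
         if (!$signature || is_wp_error($signature) || !is_string($signature) || !hash_equals($signature, $_GET['signature'])) {
             wp_die($die_error);
         }
     }
     $timestamp = (int) $_GET['timestamp'];
     $nonce = stripslashes((string) $_GET['nonce']);
     if (!$this->add_nonce($timestamp, $nonce)) {
         // De-nonce the nonce, at least for 5 minutes.
         // We have to reuse this nonce at least once (used the first time when the initial request is made, used a second time when the login form is POSTed)
         // get_option() returns false when nothing is stored, and false < (time() - 300) holds,
         // so a nonce add_nonce() refused without a stored record is rejected as well.
         $old_nonce_time = get_option("jetpack_nonce_{$timestamp}_{$nonce}");
         if ($old_nonce_time < time() - 300) {
             wp_die(__('The authorization process expired.  Please go back and try again.', 'jetpack'));
         }
     }
     // The payload is base64(JSON); every expected key must be present and is normalised per type.
     $data = json_decode(base64_decode(stripslashes($_GET['data'])));
     $data_filters = array('state' => 'opaque', 'client_id' => 'int', 'client_title' => 'string', 'client_image' => 'url');
     foreach ($data_filters as $key => $sanitation) {
         if (!is_object($data) || !isset($data->{$key})) {
             wp_die($die_error);
         }
         switch ($sanitation) {
             case 'int':
                 $this->json_api_authorization_request[$key] = (int) $data->{$key};
                 break;
             case 'opaque':
                 // Passed through as-is; it is returned to the caller, not interpreted here.
                 $this->json_api_authorization_request[$key] = (string) $data->{$key};
                 break;
             case 'string':
                 // wp_kses() with no allowed tags strips all markup.
                 $this->json_api_authorization_request[$key] = wp_kses((string) $data->{$key}, array());
                 break;
             case 'url':
                 $this->json_api_authorization_request[$key] = esc_url_raw((string) $data->{$key});
                 break;
         }
     }
     if (empty($this->json_api_authorization_request['client_id'])) {
         wp_die($die_error);
     }
 }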
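 /**
  * Authenticates XML-RPC requests from the Jetpack Server.
  *
  * We don't actually know who the real user is; we set it to the account that created the connection.
  *
  * Has the shape of a WordPress `authenticate` filter callback (confirm at the hook site).
  * Requests not addressed to Jetpack (`?for=jetpack` with a token and signature) return
  * `$user` untouched so other handlers still run. Otherwise the token ("key:version:user_id")
  * selects a stored access token, the request is re-signed locally with Jetpack_Signature over
  * `$this->HTTP_RAW_POST_DATA`, the result is compared in constant time against
  * `$_GET['signature']`, and only then is the nonce recorded.
  *
  * @param WP_User|WP_Error|null $user     Outcome of earlier authentication handlers.
  * @param string                $username Unused; kept for filter-callback compatibility.
  * @param string                $password Unused; kept for filter-callback compatibility.
  *
  * @return WP_User|WP_Error|null The connection's user on success, the signer's WP_Error when
  *                               signing itself failed, otherwise `$user` unchanged.
  */
 function authenticate_xml_rpc($user, $username, $password)
 {
     if (is_a($user, 'WP_User')) {
         return $user;
     }
     // It's not for us (or the parameters are not plain strings, which hash_equals() requires).
     if (!isset($_GET['for']) || 'jetpack' !== $_GET['for'] || !isset($_GET['token']) || !is_string($_GET['token']) || empty($_GET['signature']) || !is_string($_GET['signature'])) {
         return $user;
     }
     // Token is "key:version:user_id"; pad so a short token yields nulls instead of an
     // undefined-offset notice (previously hidden with the @ operator).
     list($token_key, $version, $user_id) = array_pad(explode(':', $_GET['token']), 3, null);
     if (empty($token_key) || empty($version) || strval(JETPACK__API_VERSION) !== $version || empty($user_id) || !ctype_digit($user_id) || !get_userdata($user_id)) {
         return $user;
     }
     $token = Jetpack_Data::get_access_token($user_id);
     if (!$token) {
         return $user;
     }
     // The stored secret must begin with the key half of the presented token, followed by ".".
     if (0 !== strpos($token->secret, "{$token_key}.")) {
         return $user;
     }
     require_once dirname(__FILE__) . '/class.jetpack-signature.php';
     $jetpack_signature = new Jetpack_Signature($token->secret, (int) Jetpack::get_option('time_diff'));
     $signature = $jetpack_signature->sign_current_request(array('body' => $this->HTTP_RAW_POST_DATA));
     if (is_wp_error($signature)) {
         return $signature;
     }
     // hash_equals() (PHP 5.6+) keeps the comparison constant-time, so a mismatch does not
     // reveal how many leading bytes of the expected signature were correct.
     if (!$signature || !is_string($signature) || !hash_equals($signature, $_GET['signature'])) {
         return $user;
     }
     // Normalised the same way authenticate_jetpack() and verify_json_api_authorization_request()
     // do, so every path hands add_nonce() the same timestamp/nonce values for a given request.
     $timestamp = isset($_GET['timestamp']) ? (int) $_GET['timestamp'] : 0;
     $nonce = isset($_GET['nonce']) ? stripslashes((string) $_GET['nonce']) : '';
     if (!$this->add_nonce($timestamp, $nonce)) {
         return $user;
     }
     nocache_headers();
     return new WP_User($token->external_user_id);
 }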