/**
 * Verify that the given nonce matches the current or the previous nonce tick.
 *
 * The nonce is derived from the tick, the action, the user ID and the session
 * token; with those fixed, only the tick changes over time, so the current
 * tick and the one before it are both accepted.
 *
 * Unlike core's wp_verify_nonce(), a missing or invalid nonce does not return
 * false: the request is terminated with a base64/JSON error payload wrapped
 * in <mainwp> tags.
 *
 * @since 2.0.3
 *
 * @param string     $nonce  Nonce submitted with the request.
 * @param string|int $action Context of the nonce; must match the value used when it was created.
 *
 * @return int 1 when the nonce belongs to the current tick (0-12 hours old),
 *             2 when it belongs to the previous tick (12-24 hours old).
 */
function wp_verify_nonce($nonce, $action = -1) {
    $nonce = (string) $nonce;
    $user  = wp_get_current_user();
    $uid   = (int) $user->ID;
    if (!$uid) {
        /**
         * Filter whether the user who generated the nonce is logged out.
         *
         * @since 3.5.0
         *
         * @param int    $uid    ID of the nonce-owning user.
         * @param string $action The nonce action.
         */
        $uid = apply_filters('nonce_user_logged_out', $uid, $action);
    }
    if (empty($nonce)) {
        $payload = json_encode(array('error' => 'You dont send nonce: ' . $action));
        die('<mainwp>' . base64_encode($payload) . '</mainwp>');
    }
    $token = wp_get_session_token();
    $tick  = wp_nonce_tick();
    // Age code => tick value to try; 1 is the current tick, 2 the previous one.
    $candidates = array(
        1 => $tick,
        2 => $tick - 1,
    );
    foreach ($candidates as $age => $value) {
        $expected = substr(wp_hash($value . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10);
        if (hash_equals($expected, $nonce)) {
            return $age;
        }
    }
    // Invalid nonce: terminate rather than return false.
    $payload = json_encode(array('error' => 'Invalid nonce. Try use: ' . $action));
    die('<mainwp>' . base64_encode($payload) . '</mainwp>');
}
/**
 * Create a nonce for an anonymous (logged-out) request.
 *
 * The hash input follows the "tick|action|uid|token" layout with the user ID
 * fixed to 0 and an empty session token, which is intended to match what core
 * computes for a logged-out visitor.
 *
 * @param string|int $action Context the nonce is bound to.
 * @return string Ten-character nonce.
 */
function wptouch_create_anonymous_nonce($action) {
    $tick = wp_nonce_tick();
    // uid 0 and an empty token: the anonymous form of the core layout.
    $components = array($tick, $action, 0, '');
    return substr(wp_hash(implode('|', $components), 'nonce'), -12, 10);
}
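/**
 * Verify a nonce derived from the current or the previous nonce tick.
 *
 * The expected value is characters -12..-3 of wp_hash(tick . action, 'nonce');
 * both the current tick and the one before it are accepted.
 *
 * Comparison goes through hash_equals() so it runs in constant time; a
 * non-string nonce is rejected outright instead of being coerced.
 *
 * @param string     $nonce  Nonce submitted with the request.
 * @param string|int $action Context the nonce was created for.
 * @return bool True when the nonce matches either tick, false otherwise.
 */
public function verify_nonce($nonce, $action) {
    if (!is_string($nonce)) {
        return false;
    }
    $tick = wp_nonce_tick();
    // Current tick first, then the previous one.
    foreach (array($tick, $tick - 1) as $candidate) {
        $expected = substr(wp_hash($candidate . $action, 'nonce'), -12, 10);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}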
/**
 * Create a nonce bound to the current user, session token, action and tick.
 *
 * Logged-out visitors get their user ID from the 'nonce_user_logged_out'
 * filter (documented in wp-includes/pluggable.php).
 *
 * @param string|int $action Context the nonce is bound to.
 * @return string Ten-character nonce.
 */
function wp_create_nonce($action = -1) {
    $current = wp_get_current_user();
    $uid     = (int) $current->ID;
    if (!$uid) {
        /** This filter is documented in wp-includes/pluggable.php */
        $uid = apply_filters('nonce_user_logged_out', $uid, $action);
    }
    $token = wp_get_session_token();
    $tick  = wp_nonce_tick();
    $input = implode('|', array($tick, $action, $uid, $token));
    return substr(wp_hash($input, 'nonce'), -12, 10);
}
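/**
 * Local nonce verification that is independent of the current user.
 *
 * WordPress ties nonces to the user ID; this variant hashes only the tick and
 * the action, so the same nonce is valid for any visitor while the tick is
 * current or one step old.
 *
 * Comparison uses hash_equals() instead of ==: loose comparison of two
 * strings can treat numeric-looking values as equal and is not constant time.
 * A non-string nonce is rejected rather than coerced.
 *
 * @param string     $nonce  Nonce submitted with the request.
 * @param string|int $action Context the nonce was created for; must match creation.
 *
 * @return false|int 1 for a nonce from the current tick (0-12 hours old),
 *                   2 for the previous tick (12-24 hours old), false otherwise.
 */
public static function verifyNonce($nonce, $action = -1) {
    if (!is_string($nonce)) {
        return false;
    }
    $tick = wp_nonce_tick();
    // Nonce generated 0-12 hours ago
    if (hash_equals(substr(wp_hash($tick . $action, 'nonce'), -12, 10), $nonce)) {
        return 1;
    }
    // Nonce generated 12-24 hours ago
    if (hash_equals(substr(wp_hash(($tick - 1) . $action, 'nonce'), -12, 10), $nonce)) {
        return 2;
    }
    return false;
}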
/**
 * Creates a random, one time use token.
 *
 * Legacy layout: the hash input is tick . action . uid with no separators and
 * no salt scheme, and the user ID is read from the lowercase "id" property.
 *
 * @since 2.0.4
 *
 * @param string|int $action Scalar value to add context to the nonce.
 * @return string The one use form token
 */
function wp_create_nonce($action = -1) {
    $current = wp_get_current_user();
    $userId  = (int) $current->id;
    $tick    = wp_nonce_tick();
    $hash    = wp_hash($tick . $action . $userId);
    return substr($hash, -12, 10);
}
/**
 * Creates a random, one time use token.
 *
 * Hash input is "tick|action|uid" with the 'nonce' salt scheme; there is no
 * session-token component in this revision. Logged-out visitors get their
 * user ID from the 'nonce_user_logged_out' filter.
 *
 * @since 2.0.3
 *
 * @param string|int $action Scalar value to add context to the nonce.
 * @return string The one use form token
 */
function wp_create_nonce($action = -1) {
    $current = wp_get_current_user();
    $uid     = (int) $current->ID;
    if (!$uid) {
        $uid = apply_filters('nonce_user_logged_out', $uid, $action);
    }
    $tick  = wp_nonce_tick();
    $input = implode('|', array($tick, $action, $uid));
    return substr(wp_hash($input, 'nonce'), -12, 10);
}
/**
 * Create a database-backed nonce (a different scheme from WordPress nonces).
 *
 * The nonce is appended to the 'spamshield_nonces' option with a 24-hour
 * expiry, and expired entries are pruned on every call. Per the original
 * design notes it is not tied to a user ID, must exist in the database to
 * verify, and is meant to be consumed once (e.g. a blacklist link sent to the
 * admin in a comment notification).
 *
 * @param string $action Context the nonce is bound to.
 * @param string $name   Field name the nonce is stored under.
 * @return string Ten-character nonce.
 */
function rs_wpss_create_nonce($action, $name = '_wpss_nonce') {
    $tick  = wp_nonce_tick();
    $now   = time();
    $nonce = substr(rs_wpss_md5($tick . $action . $name . WPSS_HASH . $now), -12, 10);

    $stored = get_option('spamshield_nonces');
    if (empty($stored)) {
        $stored = array();
    } else {
        // Drop entries whose expiry has already passed.
        foreach ($stored as $key => $entry) {
            if ($entry['expire'] <= $now) {
                unset($stored[$key]);
            }
        }
    }

    $stored[] = array(
        'nonce'  => $nonce,
        'action' => $action,
        'name'   => $name,
        'expire' => $now + 86400, /* 24 hours */
    );
    update_option('spamshield_nonces', $stored, FALSE);
    return $nonce;
}
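/**
 * Get a url to run a job of BackWPup
 *
 * Builds the wp-cron.php request (URL, query args, HTTP Basic header, auth
 * cookies) for the given start type and either sends it as a non-blocking
 * POST or returns it for the caller to use.
 *
 * Changes from the previous revision: in_array()/== checks on $starttype are
 * strict; the Basic-auth options are read once; credentials embedded in the
 * 'runext' URL are urlencoded so a ':' or '@' in them cannot break the URL;
 * and auth cookies are only minted when a 'backwpup_admin' user actually
 * exists (previously $wp_admin_user[0] was dereferenced unchecked).
 *
 * @param string $starttype Start types are 'runnow', 'runnowlink', 'cronrun', 'runext', 'restart', 'test'
 * @param int    $jobid     The id of job to start else 0
 * @return array|object [url] is the job url [header] for auth header or object form wp_remote_get()
 */
public static function get_jobrun_url($starttype, $jobid = 0) {
    $wp_admin_user = get_users(array('role' => 'backwpup_admin', 'number' => 1)); //get a user for cookie auth
    $url        = site_url('wp-cron.php');
    $header     = array();
    $authurl    = '';
    $query_args = array(
        '_nonce'        => substr(wp_hash(wp_nonce_tick() . 'backwpup_job_run-' . $starttype, 'nonce'), -12, 10),
        'doing_wp_cron' => sprintf('%.22F', microtime(true)),
    );
    if (in_array($starttype, array('restart', 'runnow', 'cronrun', 'runext', 'test'), true)) {
        $query_args['backwpup_run'] = $starttype;
    }
    if (in_array($starttype, array('runnowlink', 'runnow', 'cronrun', 'runext'), true) && !empty($jobid)) {
        $query_args['jobid'] = $jobid;
    }
    $httpauth_user = get_site_option('backwpup_cfg_httpauthuser');
    $httpauth_pass = get_site_option('backwpup_cfg_httpauthpassword');
    if ($httpauth_user && $httpauth_pass) {
        $plain_pass = BackWPup_Encryption::decrypt($httpauth_pass);
        $header['Authorization'] = 'Basic ' . base64_encode($httpauth_user . ':' . $plain_pass);
        // Encoded so reserved characters in the credentials survive inside the URL.
        $authurl = urlencode($httpauth_user) . ':' . urlencode($plain_pass) . '@';
    }
    if ($starttype === 'runext') {
        // External starts authenticate with the configured run key instead of the tick nonce.
        $query_args['_nonce'] = get_site_option('backwpup_cfg_jobrunauthkey');
        $query_args['doing_wp_cron'] = NULL;
        if (!empty($authurl)) {
            $url = str_replace('https://', 'https://' . $authurl, $url);
            $url = str_replace('http://', 'http://' . $authurl, $url);
        }
    }
    if ($starttype === 'runnowlink' && (!defined('ALTERNATE_WP_CRON') || !ALTERNATE_WP_CRON)) {
        // Admin-page link: core's nonce URL carries the nonce, so ours is dropped.
        $url = wp_nonce_url(network_admin_url('admin.php'), 'backwpup_job_run-' . $starttype);
        $query_args['page']   = 'backwpupjobs';
        $query_args['action'] = 'runnow';
        $query_args['doing_wp_cron'] = NULL;
        unset($query_args['_nonce']);
    }
    if ($starttype === 'runnowlink' && defined('ALTERNATE_WP_CRON') && ALTERNATE_WP_CRON) {
        $query_args['backwpup_run'] = 'runnowalt';
        $query_args['_nonce'] = substr(wp_hash(wp_nonce_tick() . 'backwpup_job_run-runnowalt', 'nonce'), -12, 10);
        $query_args['doing_wp_cron'] = NULL;
    }
    //Extra for WP-Cron control
    if (class_exists('WP_Cron_Control') && in_array($starttype, array('runext', 'runnow', 'restart'), true)) {
        $wp_cron_control_settings = get_option('wpcroncontrol_settings', array());
        $plugin_file = WP_PLUGIN_DIR . '/wp-cron-control/wp-cron-control.php';
        if (empty($wp_cron_control_settings['secret_string']) && file_exists($plugin_file)) {
            // NOTE(review): presumably mirrors the default secret WP-Cron Control derives — confirm.
            $wp_cron_control_settings['secret_string'] = md5(realpath($plugin_file) . get_current_blog_id());
            $wp_cron_control_settings['enable'] = 1;
        }
        if (isset($wp_cron_control_settings['enable']) && $wp_cron_control_settings['enable'] == 1) {
            if (defined('WP_CRON_CONTROL_SECRET')) {
                $wp_cron_control_settings['secret_string'] = WP_CRON_CONTROL_SECRET;
            }
            $query_args[$wp_cron_control_settings['secret_string']] = '';
            $query_args['doing_wp_cron'] = NULL;
        }
    }
    // Short-lived (300 s) auth cookies so wp-cron.php runs as the admin user; skipped when no such user exists.
    $cookies = array();
    if (!empty($wp_admin_user[0]->ID)) {
        $admin_id  = $wp_admin_user[0]->ID;
        $cookies[] = new WP_Http_Cookie(array('name' => AUTH_COOKIE, 'value' => wp_generate_auth_cookie($admin_id, time() + 300, 'auth')));
        $cookies[] = new WP_Http_Cookie(array('name' => LOGGED_IN_COOKIE, 'value' => wp_generate_auth_cookie($admin_id, time() + 300, 'logged_in')));
    }
    $cron_request = apply_filters('cron_request', array(
        'url'  => add_query_arg($query_args, $url),
        'key'  => $query_args['doing_wp_cron'],
        'args' => array(
            'blocking'   => FALSE,
            'sslverify'  => apply_filters('https_local_ssl_verify', true),
            'timeout'    => 0.01,
            'headers'    => $header,
            'cookies'    => $cookies,
            'user-agent' => BackWpup::get_plugin_data('User-Agent'),
        ),
    ));
    if ($starttype === 'test') {
        // Tests wait for the answer so the caller gets real feedback.
        $cron_request['args']['timeout']  = 15;
        $cron_request['args']['blocking'] = TRUE;
    }
    if (!in_array($starttype, array('runnowlink', 'runext'), true)) {
        set_transient('doing_cron', $query_args['doing_wp_cron']);
        return wp_remote_post($cron_request['url'], $cron_request['args']);
    }
    return $cron_request;
}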
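/**
 * Validate an approval token.
 *
 * The token is a base64-encoded JSON document whose "sig" field must equal
 * the signature recomputed from a nonce tick, this step's ID and the token's
 * own timestamp, entry_id, user_id and new_status fields.
 *
 * The 'gravityflow_approval_token_expiration_days' filter widens the window:
 * each extra unit steps the tick back by one. NOTE(review): wp_nonce_tick()
 * advances every half nonce-life (12 hours by default), so each step covers
 * one tick rather than one calendar day — confirm the intended lifetime.
 *
 * Malformed input is rejected before hashing: a non-string token, a payload
 * that is not a non-empty array, missing fields, or a "sig" that is not a
 * string all return false (previously these raised notices or a TypeError).
 *
 * @param string $token Base64-encoded JSON token from the request.
 * @return bool True when a signature matches, false otherwise.
 */
public function is_valid_token($token) {
    if (!is_string($token)) {
        return false;
    }
    $token_array = json_decode(base64_decode($token), true);
    if (empty($token_array) || !is_array($token_array)) {
        return false;
    }
    foreach (array('timestamp', 'user_id', 'new_status', 'entry_id', 'sig') as $key) {
        if (!array_key_exists($key, $token_array)) {
            return false;
        }
    }
    $sig = $token_array['sig'];
    if (!is_string($sig)) {
        return false;
    }
    $expiration_days = apply_filters('gravityflow_approval_token_expiration_days', 1);
    $tick = wp_nonce_tick();
    for ($n = 1; $n <= $expiration_days; $n++) {
        $sig_key = sprintf(
            '%s|%s|%s|%s|%s|%s',
            $tick,
            $this->get_id(),
            $token_array['timestamp'],
            $token_array['entry_id'],
            $token_array['user_id'],
            $token_array['new_status']
        );
        if (hash_equals(substr(wp_hash($sig_key), -12, 10), $sig)) {
            return true;
        }
        // Try the previous tick on the next pass.
        $tick--;
    }
    return false;
}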
/**
 * Checks if scheduled task is ready for execution,
 * if it is ready master sends google_drive_token, failed_emails, success_emails if are needed.
 *
 * Walks every scheduled task; the first one whose 'next' time has passed is
 * validated against the master ('url'), re-saved with a fresh schedule and
 * then backed up. At most one backup runs per invocation (see the break).
 *
 * @return void
 */
function check_backup_tasks() {
    $this->check_cron_remove();
    $failed_emails = array(); // NOTE(review): assigned but never read in this method.
    $settings = $this->tasks;
    if (is_array($settings) && !empty($settings)) {
        foreach ($settings as $task_name => $setting) {
            if (isset($setting['task_args']['next']) && $setting['task_args']['next'] < time()) {
                //if ($setting['task_args']['next'] && $_GET['force_backup']) {
                // NOTE(review): $check is only assigned inside this branch; the reads further
                // down run with it undefined when url/task_id/site_key are missing.
                if ($setting['task_args']['url'] && $setting['task_args']['task_id'] && $setting['task_args']['site_key']) {
                    //Check orphan task
                    $check_data = array('task_name' => $task_name, 'task_id' => $setting['task_args']['task_id'], 'site_key' => $setting['task_args']['site_key'], 'worker_version' => MMB_WORKER_VERSION);
                    if (isset($setting['task_args']['account_info']['mwp_google_drive']['google_drive_token'])) {
                        $check_data['mwp_google_drive_refresh_token'] = true;
                    }
                    $check = $this->validate_task($check_data, $setting['task_args']['url']);
                    if ($check == 'paused' || $check == 'deleted') {
                        continue;
                    }
                    // NOTE(review): string <= compares lexicographically for non-numeric strings
                    // such as '3.10.0' <= '3.9.22' (true); version_compare() would be the robust form.
                    $worker_upto_3_9_22 = MMB_WORKER_VERSION <= '3.9.22'; // worker version is less or equals to 3.9.22
                    // This is the patch done in worker 3.9.22 because the old worker provided the message in the following format:
                    // token - not found or token - {...json...}
                    // The new message is a serialized string with google_drive_token or message.
                    if ($worker_upto_3_9_22) {
                        // Legacy reply: literal "token - " prefix followed by the token or "not found".
                        $potential_token = substr($check, 8);
                        if (substr($check, 0, 8) == 'token - ' && $potential_token != 'not found') {
                            // Keep all three copies of the task in sync (instance state, the working
                            // copy saved below, and the loop variable used for the backup call).
                            $this->tasks[$task_name]['task_args']['account_info']['mwp_google_drive']['google_drive_token'] = $potential_token;
                            $settings[$task_name]['task_args']['account_info']['mwp_google_drive']['google_drive_token'] = $potential_token;
                            $setting['task_args']['account_info']['mwp_google_drive']['google_drive_token'] = $potential_token;
                        }
                    } else {
                        // Newer reply: array with an optional 'google_drive_token' key.
                        $potential_token = isset($check['google_drive_token']) ? $check['google_drive_token'] : false;
                        if ($potential_token) {
                            $this->tasks[$task_name]['task_args']['account_info']['mwp_google_drive']['google_drive_token'] = $potential_token;
                            $settings[$task_name]['task_args']['account_info']['mwp_google_drive']['google_drive_token'] = $potential_token;
                            $setting['task_args']['account_info']['mwp_google_drive']['google_drive_token'] = $potential_token;
                        }
                    }
                }
                $update = array('task_name' => $task_name, 'args' => $settings[$task_name]['task_args']);
                if ($check != 'paused') {
                    $update['time'] = time();
                }
                //Update task with next schedule
                $this->set_backup_task($update);
                if ($check == 'paused') {
                    continue;
                }
                $result = $this->backup($setting['task_args'], $task_name);
                $error = '';
                if (is_array($result) && array_key_exists('error', $result)) {
                    // Persist the failure on the task; $error holds the whole result array.
                    $error = $result;
                    $this->set_backup_task(array('task_name' => $task_name, 'args' => $settings[$task_name]['task_args'], 'error' => $error));
                } else {
                    // Remote upload is requested only when the task has account info configured;
                    // the @ hides the warning count() emits for a non-countable value.
                    if (@count($setting['task_args']['account_info'])) {
                        // Old way through sheduling.
                        // wp_schedule_single_event(time(), 'mmb_scheduled_remote_upload', array('args' => array('task_name' => $task_name)));
                        // Tick-based nonce with a fixed action and uid 0, checked by the receiving
                        // 'mmb_remote_upload' handler on this same site.
                        $nonce = substr(wp_hash(wp_nonce_tick() . 'mmb-backup-nonce' . 0, 'nonce'), -12, 10);
                        $cron_url = site_url('index.php');
                        // NOTE(review): indexes the last result; with an empty task_results this reads index -1.
                        $backup_file = $this->tasks[$task_name]['task_results'][count($this->tasks[$task_name]['task_results']) - 1]['server']['file_url'];
                        $del_host_file = $this->tasks[$task_name]['task_args']['del_host_file'];
                        $public_key = get_option('_worker_public_key');
                        // Fire-and-forget self-request: 0.01 s timeout, non-blocking.
                        $args = array('body' => array('backup_cron_action' => 'mmb_remote_upload', 'args' => json_encode(array('task_name' => $task_name, 'backup_file' => $backup_file, 'del_host_file' => $del_host_file)), 'mmb_backup_nonce' => $nonce, 'public_key' => $public_key), 'timeout' => 0.01, 'blocking' => false, 'sslverify' => apply_filters('https_local_ssl_verify', true));
                        wp_remote_post($cron_url, $args);
                    }
                }
                break; //Only one backup per cron
            }
        }
    }
}
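/**
 * Verifies nonce.
 *
 * The nonce is bound to the action and the current user ID; for logged-out
 * visitors the client's REMOTE_ADDR stands in for the user ID (NOTE: clients
 * behind the same NAT or proxy then share nonces). Both the current and the
 * previous nonce tick are accepted.
 *
 * Compared with hash_equals() rather than ==, which is neither constant-time
 * nor safe against numeric-string juggling; a non-string nonce is rejected.
 * REMOTE_ADDR is read with isset() so CLI runs do not raise a notice.
 *
 * @version 1.17.3
 *
 * @param string       $nonce  Nonce submitted with the request.
 * @param string|false $action Context the nonce was created for.
 * @return false|int 1 for the current tick, 2 for the previous tick, false otherwise.
 */
public static function verify_nonce($nonce, $action = false) {
    if (!is_string($nonce)) {
        return false;
    }
    $user = wp_get_current_user();
    $uid  = (int) $user->ID;
    if (empty($uid)) {
        $uid = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    }
    $tick = wp_nonce_tick();
    // Nonce generated 0-12 hours ago
    if (hash_equals(substr(wp_hash($tick . $action . $uid, 'nonce'), -12, 10), $nonce)) {
        return 1;
    }
    // Nonce generated 12-24 hours ago
    if (hash_equals(substr(wp_hash(($tick - 1) . $action . $uid, 'nonce'), -12, 10), $nonce)) {
        return 2;
    }
    // Invalid nonce
    return false;
}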
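/**
 * Verify a user-independent nonce against the current and previous tick.
 *
 * The hash input is tick . action with no salt scheme argument; that layout is
 * kept unchanged so nonces produced by the matching creator still verify.
 *
 * Compared with hash_equals() rather than == (constant time, no
 * numeric-string juggling); a non-string nonce is rejected.
 *
 * @param string     $nonce  Nonce submitted with the request.
 * @param string|int $action Context the nonce was created for.
 * @return false|int 1 for the current tick, 2 for the previous tick, false otherwise.
 */
function verify_anon_nonce($nonce, $action = -1) {
    if (!is_string($nonce)) {
        return false;
    }
    $tick = wp_nonce_tick();
    // Nonce generated 0-12 hours ago
    if (hash_equals(substr(wp_hash($tick . $action), -12, 10), $nonce)) {
        return 1;
    }
    // Nonce generated 12-24 hours ago
    if (hash_equals(substr(wp_hash(($tick - 1) . $action), -12, 10), $nonce)) {
        return 2;
    }
    // Invalid nonce
    return false;
}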
/**
 * Redirect to the WooCommerce "My Account" page carrying a message or error
 * in the query string together with a nonce for the fixed 'dit_logout'
 * action (user ID 0). Returns false when WooCommerce integration is off;
 * otherwise the request ends here.
 *
 * @param string $message Text to pass along (URL-encoded).
 * @param bool   $error   False for an informational message, anything else for an error.
 * @return false Only when WooCommerce integration is not in use.
 */
function wooRedirect($message, $error = false) {
    if (!$this->useWoo()) {
        return false;
    }
    $param = ($error === false) ? 'cs_message' : 'cs_error';
    $tick  = wp_nonce_tick();
    $nonce = substr(wp_hash($tick . 'dit_logout' . 0, 'nonce'), -12, 10);
    // NOTE(review): a permalink that already carries a query string would get a
    // second '?' here; add_query_arg() would handle that — confirm before changing.
    $target  = get_permalink(woocommerce_get_page_id('myaccount'));
    $target .= '?' . $param . '=' . urlencode($message) . '&_nonce=' . $nonce;
    wp_redirect($target);
    exit;
}
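/**
 * Verify a nonce bound to an action and an arbitrary ID instead of a user.
 *
 * Compared with hash_equals() rather than == (constant time, no
 * numeric-string juggling); a non-string nonce is rejected.
 *
 * @param string     $nonce  Nonce submitted with the request.
 * @param string|int $action Context the nonce was created for.
 * @param string|int $id     Identifier mixed into the hash at creation time.
 * @return false|int 1 for the current tick, 2 for the previous tick, false otherwise.
 */
public static function verify_noprivnonce($nonce, $action, $id) {
    if (!is_string($nonce)) {
        return false;
    }
    $tick = wp_nonce_tick();
    // Current tick (0-12 hours old)
    if (hash_equals(substr(wp_hash($tick . $action . $id, 'nonce'), -12, 10), $nonce)) {
        return 1;
    }
    // Previous tick (12-24 hours old)
    if (hash_equals(substr(wp_hash(($tick - 1) . $action . $id, 'nonce'), -12, 10), $nonce)) {
        return 2;
    }
    return false;
}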
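/**
 * Verify that correct shared nonce was used with time limit.
 *
 * Uses nonces not linked to the current user. See {@see create_shared_nonce()}
 * for more about why this exists.
 *
 * The nonce is cast to string before hash_equals(), which raises a TypeError
 * on non-string input in PHP 8 (and warned on PHP 7).
 *
 * @param string     $nonce  Nonce that was used in the form to verify
 * @param string|int $action Should give context to what is taking place and be the same when nonce was created.
 * @return false|int 1 when generated in the current tick (0-12 hours ago),
 *                   2 when generated in the previous tick (12-24 hours ago), false otherwise.
 */
function verify_shared_nonce($nonce, $action) {
    $nonce = (string) $nonce;
    if (empty($nonce)) {
        return false;
    }
    $tick = wp_nonce_tick();
    // Nonce generated 0-12 hours ago
    $expected = substr(wp_hash($tick . '|' . $action, 'nonce'), -12, 10);
    if (hash_equals($expected, $nonce)) {
        return 1;
    }
    // Nonce generated 12-24 hours ago
    $expected = substr(wp_hash(($tick - 1) . '|' . $action, 'nonce'), -12, 10);
    if (hash_equals($expected, $nonce)) {
        return 2;
    }
    // Invalid nonce
    return false;
}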
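/**
 * Verify Token
 * Based on wp_verify_nonce() this function requires the user id used when the token
 * was created as by default not logged in users would generate different tokens causing us
 * to fail.
 *
 * Both ticks are now checked with hash_equals(); the previous revision mixed a
 * loose == on the current tick with === on the previous one. A non-string
 * nonce is rejected.
 *
 * @param int    $user_id required user id
 * @param string $nonce   required nonce to check
 * @return bool true when the nonce matches the current or previous tick, false otherwise
 * @since 0.1
 * @version 1.0.1
 */
function verify_token($user_id, $nonce) {
    if (!is_string($nonce)) {
        return false;
    }
    $uid  = absint($user_id);
    $tick = wp_nonce_tick();
    // Current tick, then the previous one.
    foreach (array($tick, $tick - 1) as $candidate) {
        $expected = substr(wp_hash($candidate . 'mycred-buy-' . $this->id . $uid, 'nonce'), -12, 10);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}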
/**
 * Create a nonce that is the same for every visitor.
 *
 * Hash input is tick . action . 0 (user ID fixed to 0) with the 'nonce' salt
 * scheme.
 *
 * @param string|int $action Context the nonce is bound to.
 * @return string Ten-character nonce.
 */
function wpcf7_create_nonce($action = -1) {
    $anonymousUid = 0;
    $tick = wp_nonce_tick();
    $hash = wp_hash($tick . $action . $anonymousUid, 'nonce');
    return substr($hash, -12, 10);
}
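/**
 * Start job if in cron and run query args are set.
 *
 * Only acts during WP-Cron requests whose 'backwpup_run' query var names a
 * known start type. The request must carry a '_nonce' that matches the
 * tick-based nonce for that start type (or, for 'runext', the configured
 * external run key); 'runext' additionally requires a job ID configured for
 * external ('link') starts.
 *
 * Changes from the previous revision: in_array() checks are strict, the
 * nonce is compared with hash_equals() (constant time, no type juggling) and
 * an empty or unset run key never matches, and the job ID is cast to int
 * before the strict membership test.
 *
 * @return void Terminates the request on 'test' and after starting a job.
 */
public static function cron_active() {
    //only if cron active
    if (!defined('DOING_CRON') || !DOING_CRON) {
        return;
    }
    //only work if backwpup_run as query var is set and the value is right
    $run = isset($_GET['backwpup_run']) ? $_GET['backwpup_run'] : '';
    if (!is_string($run) || !in_array($run, array('test', 'restart', 'runnow', 'runnowalt', 'runext', 'cronrun'), true)) {
        return;
    }
    //special header
    @session_write_close();
    @header('Content-Type: text/html; charset=' . get_bloginfo('charset'), TRUE);
    @header('X-Robots-Tag: noindex, nofollow', TRUE);
    @header('X-BackWPup-Version: ' . BackWPup::get_plugin_data('version'), TRUE);
    nocache_headers();
    //on test die for fast feedback
    if ($run === 'test') {
        die('BackWPup Test');
    }
    // generate normal nonce
    $nonce = substr(wp_hash(wp_nonce_tick() . 'backwpup_job_run-' . $run, 'nonce'), -12, 10);
    //special nonce on external start
    if ($run === 'runext') {
        $nonce = get_site_option('backwpup_cfg_jobrunauthkey');
    }
    // check nonce: both sides must be non-empty strings and match in constant time
    $given = isset($_GET['_nonce']) ? $_GET['_nonce'] : '';
    if (!is_string($given) || $given === '' || !is_string($nonce) || $nonce === '' || !hash_equals($nonce, $given)) {
        return;
    }
    //check runext is allowed for job
    if ($run === 'runext') {
        $jobids_external = BackWPup_Option::get_job_ids('activetype', 'link');
        if (!isset($_GET['jobid']) || !in_array((int) $_GET['jobid'], $jobids_external, true)) {
            return;
        }
    }
    //run BackWPup job
    BackWPup_Job::start_http($run);
    die;
}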
/**
 * Verify a nonce without binding it to the session token.
 *
 * Same layout as core's "tick|action|uid|token" minus the token component:
 * the hash input is "tick|action|uid". Logged-out visitors get their user ID
 * from the 'nonce_user_logged_out' filter.
 *
 * @param string     $nonce  Nonce submitted with the request.
 * @param string|int $action Context the nonce was created for.
 * @return false|int 1 for the current tick, 2 for the previous tick, false otherwise.
 */
protected function verify_nonce_without_session($nonce, $action = -1) {
    $nonce   = (string) $nonce;
    $current = wp_get_current_user();
    $uid     = (int) $current->ID;
    if (!$uid) {
        $uid = apply_filters('nonce_user_logged_out', $uid, $action);
    }
    if (empty($nonce)) {
        return false;
    }
    $tick = wp_nonce_tick();
    // Age code => tick value: 1 is the current tick, 2 the previous one.
    $ages = array(1 => $tick, 2 => $tick - 1);
    foreach ($ages as $age => $value) {
        $expected = substr(wp_hash($value . '|' . $action . '|' . $uid, 'nonce'), -12, 10);
        if (hash_equals($expected, $nonce)) {
            return $age;
        }
    }
    return false;
}
/**
 * Verify a nonce that depends only on the action and the tick.
 *
 * Neither the user ID nor the session token is part of the hash input
 * ("tick|action"), so the nonce is valid for any client while the tick is
 * current or one step old. Comparison goes through the class's own
 * hash_equals() wrapper.
 *
 * @param string     $nonce  Nonce submitted with the request.
 * @param string|int $action Context the nonce was created for.
 * @return false|int 1 for the current tick, 2 for the previous tick, false otherwise.
 */
protected function session_indep_verify_nonce($nonce, $action = -1) {
    $nonce = (string) $nonce;
    if (empty($nonce)) {
        return false;
    }
    $tick = wp_nonce_tick();
    // Age code => tick value: 1 is the current tick, 2 the previous one.
    $ages = array(1 => $tick, 2 => $tick - 1);
    foreach ($ages as $age => $value) {
        $expected = substr(wp_hash($value . '|' . $action, 'nonce'), -12, 10);
        if ($this->hash_equals($expected, $nonce)) {
            return $age;
        }
    }
    // Invalid nonce
    return false;
}
/**
 * WangGuard nonce
 *
 * Hash input is tick . action . uid (no separators) with the 'nonce' salt
 * scheme; logged-out visitors get uid 0 with no filter applied.
 *
 * @param string|int $action Context the nonce is bound to.
 * @return string Ten-character nonce.
 */
function wangguard_get_nonce_value($action) {
    $current = wp_get_current_user();
    $userId  = (int) $current->ID;
    $tick    = wp_nonce_tick();
    $hash    = wp_hash($tick . $action . $userId, 'nonce');
    return substr($hash, -12, 10);
}
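/**
 * Verify that the correct nonce was used within the time limit.
 *
 * The hash input is tick . action . class name, where the action comes from
 * get_nonce_action(); both the current and the previous tick are accepted.
 *
 * Compared with hash_equals() rather than == (constant time, no
 * numeric-string juggling); a non-string nonce is rejected.
 *
 * @uses wp_nonce_tick()
 * @uses wp_hash()
 *
 * @param string $nonce Nonce to be verified
 *
 * @return false|int 1 for the current tick, 2 for the previous tick, false otherwise
 */
protected function verify_async_nonce($nonce) {
    if (!is_string($nonce)) {
        return false;
    }
    $action = $this->get_nonce_action();
    $tick   = wp_nonce_tick();
    // Nonce generated 0-12 hours ago
    if (hash_equals(substr(wp_hash($tick . $action . get_class($this), 'nonce'), -12, 10), $nonce)) {
        return 1;
    }
    // Nonce generated 12-24 hours ago
    if (hash_equals(substr(wp_hash(($tick - 1) . $action . get_class($this), 'nonce'), -12, 10), $nonce)) {
        return 2;
    }
    // Invalid nonce
    return false;
}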
/**
 * Create a nonce as a logged-out visitor would receive it, from any context.
 *
 * Hash input is "tick|action|0|": user ID 0 and an empty session token, i.e.
 * the core layout for a logged-out request.
 * Source: https://www.snip2code.com/Snippet/613860/Nonce-for-loggedout-user-from-loggedin-u
 *
 * @param string|int $action Context the nonce is bound to.
 * @return string Ten-character nonce.
 */
function wp_create_nonce_loggedout($action = -1) {
    $tick  = wp_nonce_tick();
    $input = $tick . '|' . $action . '|0|';
    return substr(wp_hash($input, 'nonce'), -12, 10);
}
/**
 * Get a url to run a job of BackWPup
 *
 * Builds the wp-cron.php request (URL, query args, optional Basic-auth
 * header or query-arg auth, optional login cookie) for the given start type
 * and either sends it as a non-blocking POST or returns it for the caller.
 *
 * @param string $starttype Start types are 'runnow', 'runnowlink', 'cronrun', 'runext', 'restart', 'restartalt', 'test'
 * @param int $jobid The id of job to start else 0
 *
 * @return array|object [url] is the job url [header] for auth header or object form wp_remote_get()
 */
public static function get_jobrun_url($starttype, $jobid = 0) {
    $authentication = get_site_option('backwpup_cfg_authentication', array('method' => '', 'basic_user' => '', 'basic_password' => '', 'user_id' => 0, 'query_arg' => ''));
    $url = site_url('wp-cron.php');
    $header = array('Cache-Control' => 'no-cache');
    $authurl = '';
    // Tick-based nonce for this start type; several branches below replace or clear it.
    $query_args = array('_nonce' => substr(wp_hash(wp_nonce_tick() . 'backwpup_job_run-' . $starttype, 'nonce'), -12, 10), 'doing_wp_cron' => sprintf('%.22F', microtime(true)));
    if (in_array($starttype, array('restart', 'runnow', 'cronrun', 'runext', 'test'), true)) {
        $query_args['backwpup_run'] = $starttype;
    }
    if (in_array($starttype, array('runnowlink', 'runnow', 'cronrun', 'runext'), true) && !empty($jobid)) {
        $query_args['jobid'] = $jobid;
    }
    if (!empty($authentication['basic_user']) && !empty($authentication['basic_password']) && $authentication['method'] == 'basic') {
        $header['Authorization'] = 'Basic ' . base64_encode($authentication['basic_user'] . ':' . BackWPup_Encryption::decrypt($authentication['basic_password']));
        // URL-embedded form of the same credentials, used only for 'runext' below.
        $authurl = urlencode($authentication['basic_user']) . ':' . urlencode(BackWPup_Encryption::decrypt($authentication['basic_password'])) . '@';
    }
    if (!empty($authentication['query_arg']) && $authentication['method'] == 'query_arg') {
        // Appended verbatim; add_query_arg() below merges the remaining args onto it.
        $url .= '?' . $authentication['query_arg'];
    }
    if ($starttype === 'runext') {
        // External starts authenticate with the configured run key instead of the tick nonce.
        $query_args['_nonce'] = get_site_option('backwpup_cfg_jobrunauthkey');
        $query_args['doing_wp_cron'] = null;
        if (!empty($authurl)) {
            $url = str_replace('https://', 'https://' . $authurl, $url);
            $url = str_replace('http://', 'http://' . $authurl, $url);
        }
    }
    if ($starttype === 'runnowlink' && (!defined('ALTERNATE_WP_CRON') || !ALTERNATE_WP_CRON)) {
        // Admin-page link: core's nonce URL carries the nonce, so ours is dropped.
        $url = wp_nonce_url(network_admin_url('admin.php'), 'backwpup_job_run-' . $starttype);
        $query_args['page'] = 'backwpupjobs';
        $query_args['action'] = 'runnow';
        $query_args['doing_wp_cron'] = null;
        unset($query_args['_nonce']);
    }
    if ($starttype === 'runnowlink' && defined('ALTERNATE_WP_CRON') && ALTERNATE_WP_CRON) {
        $query_args['backwpup_run'] = 'runnowalt';
        $query_args['_nonce'] = substr(wp_hash(wp_nonce_tick() . 'backwpup_job_run-runnowalt', 'nonce'), -12, 10);
        $query_args['doing_wp_cron'] = null;
    }
    if ($starttype === 'restartalt' && defined('ALTERNATE_WP_CRON') && ALTERNATE_WP_CRON) {
        $query_args['backwpup_run'] = 'restart';
        $query_args['_nonce'] = null;
    }
    if ($starttype === 'restart' || $starttype === 'test') {
        // These start types are not nonce-checked on the receiving side.
        $query_args['_nonce'] = null;
    }
    if (!empty($authentication['user_id']) && $authentication['method'] === 'user') {
        //cache cookies for auth some
        $cookies = get_site_transient('backwpup_cookies');
        if (empty($cookies)) {
            // NOTE(review): the configured user_id only acts as an on/off switch here; the
            // cookie is minted for the first administrator (or backwpup_admin) found — confirm.
            $wp_admin_user = get_users(array('role' => 'administrator', 'number' => 1));
            if (empty($wp_admin_user)) {
                $wp_admin_user = get_users(array('role' => 'backwpup_admin', 'number' => 1));
            }
            if (!empty($wp_admin_user[0]->ID)) {
                // NOTE(review): 356 days (not 365) — verify the intended lifetime. A fresh
                // long-lived session token is created on every cache miss (roughly hourly,
                // per the transient TTL below); check that old tokens are destroyed somewhere.
                $expiration = time() + 356 * DAY_IN_SECONDS;
                $manager = WP_Session_Tokens::get_instance($wp_admin_user[0]->ID);
                $token = $manager->create($expiration);
                $cookies[LOGGED_IN_COOKIE] = wp_generate_auth_cookie($wp_admin_user[0]->ID, $expiration, 'logged_in', $token);
            }
            set_site_transient('backwpup_cookies', $cookies, HOUR_IN_SECONDS - 30);
        }
    } else {
        $cookies = '';
    }
    // NOTE(review): sslverify is hard-coded to false for this self-request — confirm that is intended.
    $cron_request = array('url' => add_query_arg($query_args, $url), 'key' => $query_args['doing_wp_cron'], 'args' => array('blocking' => false, 'sslverify' => false, 'timeout' => 0.01, 'headers' => $header, 'user-agent' => BackWPup::get_plugin_data('User-Agent')));
    if (!empty($cookies)) {
        foreach ($cookies as $name => $value) {
            $cron_request['args']['cookies'][] = new WP_Http_Cookie(array('name' => $name, 'value' => $value));
        }
    }
    $cron_request = apply_filters('cron_request', $cron_request);
    if ($starttype === 'test') {
        // Tests wait for the answer so the caller gets real feedback.
        $cron_request['args']['timeout'] = 15;
        $cron_request['args']['blocking'] = true;
    }
    if (!in_array($starttype, array('runnowlink', 'runext', 'restartalt'), true)) {
        delete_transient('doing_cron');
        return wp_remote_post($cron_request['url'], $cron_request['args']);
    }
    return $cron_request;
}
/**
 * Get the time-dependent variable for nonce creation.
 *
 * Thin instance-level wrapper over the global wp_nonce_tick().
 *
 * @return int
 */
public function nonce_tick() {
    $tick = \wp_nonce_tick();
    return $tick;
}
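/**
 * Start job if in cron and run query args are set.
 *
 * Runs only during WP-Cron. The start type, nonce and job ID come from $args,
 * overridden by the sanitized 'backwpup_run', '_nonce' and 'jobid' query vars
 * when present. A 'test' request terminates immediately; a 'restart' request
 * restarts the job when no job is working or the working job has not updated
 * itself for more than 300 seconds. Every other start type must present the
 * tick-based nonce for that type, except 'runext', which must present the
 * configured external run key and name a job set up for external ('link' or
 * 'easycron') starts, and 'cronrun', which needs no nonce.
 *
 * Changes from the previous revision: the nonce comparison uses hash_equals()
 * (constant time); 'runext' is refused when no external run key is configured
 * (previously an empty key matched an absent '_nonce'); and a non-object
 * result from get_working_data() is no longer dereferenced.
 *
 * @param array $args Optional defaults for 'run', 'nonce' and 'jobid'.
 * @return void
 */
public static function cron_active($args = array()) {
    //only if cron active
    if (!defined('DOING_CRON') || !DOING_CRON) {
        return;
    }
    if (isset($_GET['backwpup_run'])) {
        $args['run'] = sanitize_text_field($_GET['backwpup_run']);
    }
    if (isset($_GET['_nonce'])) {
        $args['nonce'] = sanitize_text_field($_GET['_nonce']);
    }
    if (isset($_GET['jobid'])) {
        $args['jobid'] = absint($_GET['jobid']);
    }
    $args = array_merge(array('run' => '', 'nonce' => '', 'jobid' => 0), $args);
    if (!in_array($args['run'], array('test', 'restart', 'runnow', 'runnowalt', 'runext', 'cronrun'), true)) {
        return;
    }
    //special header
    @session_write_close();
    @header('Content-Type: text/html; charset=' . get_bloginfo('charset'), true);
    @header('X-Robots-Tag: noindex, nofollow', true);
    nocache_headers();
    //on test die for fast feedback
    if ($args['run'] === 'test') {
        die('BackWPup test request');
    }
    if ($args['run'] === 'restart') {
        $job_object = BackWPup_Job::get_working_data();
        //restart job if not working or a restart wished
        if (!is_object($job_object) || !$job_object->pid) {
            BackWPup_Job::start_http('restart');
            return;
        }
        $not_worked_time = microtime(TRUE) - $job_object->timestamp_last_update;
        if ($not_worked_time > 300) {
            BackWPup_Job::start_http('restart');
            return;
        }
        // A live job keeps running; fall through to the regular nonce check.
    }
    // generate normal nonce
    $expected = substr(wp_hash(wp_nonce_tick() . 'backwpup_job_run-' . $args['run'], 'nonce'), -12, 10);
    //special nonce on external start
    if ($args['run'] === 'runext') {
        $expected = get_site_option('backwpup_cfg_jobrunauthkey');
        // No run key configured means external starts are not enabled; an empty
        // key must never match an absent '_nonce'.
        if (!is_string($expected) || $expected === '') {
            return;
        }
    }
    if ($args['run'] === 'cronrun') {
        $expected = '';
    }
    // check nonce (constant-time comparison; an empty expected value only matches an empty nonce)
    if (!is_string($args['nonce']) || !hash_equals($expected, $args['nonce'])) {
        return;
    }
    //check runext is allowed for job
    if ($args['run'] === 'runext') {
        $jobids_external = array_merge(
            BackWPup_Option::get_job_ids('activetype', 'link'),
            BackWPup_Option::get_job_ids('activetype', 'easycron')
        );
        if (!in_array($args['jobid'], $jobids_external, true)) {
            return;
        }
    }
    //run BackWPup job
    BackWPup_Job::start_http($args['run'], $args['jobid']);
}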
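/**
 * Build a diagnostic string listing every component that goes into a nonce.
 *
 * Fixes the previous revision, which hashed two undefined variables ($i and
 * $action) and so reported a nonce that could not match anything: the tick
 * now comes from wp_nonce_tick() and the action is a parameter. The unused
 * global and the lowercase "id" property access are gone as well.
 *
 * @param string|int $action Nonce action to include in the hash (default -1, as in wp_create_nonce()).
 * @return string Summary of nonce, uid, nonce life, time, locally computed tick,
 *                wp_nonce_tick() value and the full hash.
 */
function jfb_debug_nonce_components($action = -1) {
    $user = wp_get_current_user();
    $uid  = (int) $user->ID;
    $nonce_life = apply_filters('nonce_life', 86400);
    $time = time();
    // Local recomputation of the tick (half the nonce life per step) to compare with wp_nonce_tick().
    $nonce_tick  = ceil(time() / ($nonce_life / 2));
    $tick_verify = wp_nonce_tick();
    $hash  = wp_hash($tick_verify . $action . $uid, 'nonce');
    $nonce = substr($hash, -12, 10);
    return "NONCE: {$nonce}, uid: {$uid}, life: {$nonce_life}, time: {$time}, tick: {$nonce_tick}, verify: {$tick_verify}, hash: {$hash}";
}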