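/**
 * Authenticates XML-RPC and other requests from the Jetpack Server.
 *
 * Runs on the `authenticate` filter. A request that carries no `token` and
 * `signature` query arguments is not ours and is passed through untouched.
 * A request that does carry them is accepted only when the token names a
 * local user, its key matches the stored access-token secret, the request
 * signature verifies against that secret, and the (timestamp, nonce) pair
 * has not been used before.
 *
 * @param WP_User|WP_Error|null $user     Result of the authenticators that ran before us.
 * @param string                $username Unused; present for the filter signature.
 * @param string                $password Unused; present for the filter signature.
 *
 * @return WP_User|WP_Error|null `$user` unchanged when the request is not for us or
 *         fails verification, the WP_Error returned by the signer, or the WP_User
 *         the token was issued for.
 */
function authenticate_jetpack($user, $username, $password) {
	// Someone earlier in the filter chain has already authenticated this request.
	if ($user instanceof WP_User) {
		return $user;
	}

	// It's not for us: token and signature must both be present, and both must be
	// plain strings (a `token[]=` query argument arrives as an array; explode()
	// and hash_equals() would error on it).
	if (
		!isset($_GET['token']) || !is_string($_GET['token'])
		|| empty($_GET['signature']) || !is_string($_GET['signature'])
	) {
		return $user;
	}

	// Token format is "key:version:user_id". Padding replaces the former error
	// suppression: a short token yields empty parts, which fail the checks below.
	list($token_key, $version, $user_id) = array_pad(explode(':', $_GET['token']), 3, '');
	if (
		empty($token_key)
		|| empty($version)
		|| strval(JETPACK__API_VERSION) !== $version
		|| empty($user_id)
		|| !ctype_digit($user_id)
		|| !get_userdata($user_id)
	) {
		return $user;
	}

	$token = Jetpack_Data::get_access_token($user_id);
	if (!$token) {
		return $user;
	}

	// The stored secret starts with its key followed by a dot; the key sent in the
	// token must be the same one.
	if (0 !== strpos($token->secret, "{$token_key}.")) {
		return $user;
	}

	require_once dirname(__FILE__) . '/class.jetpack-signature.php';
	$jetpack_signature = new Jetpack_Signature($token->secret, (int) Jetpack::get_option('time_diff'));

	// Work out which body was signed.
	if (isset($_POST['_jetpack_is_multipart'])) {
		// Multipart upload: the signed body is the POST fields, with each
		// `_jetpack_file_hmac_<field>` entry folded back onto `<field>` so the file
		// content is represented by its HMAC, sorted and re-encoded as a query string.
		$post_data   = $_POST;
		$file_hashes = array();
		foreach ($post_data as $post_data_key => $post_data_value) {
			if (0 !== strpos((string) $post_data_key, '_jetpack_file_hmac_')) {
				continue;
			}
			$field               = substr((string) $post_data_key, strlen('_jetpack_file_hmac_'));
			$file_hashes[$field] = $post_data_value;
		}
		foreach ($file_hashes as $field => $file_hmac) {
			unset($post_data["_jetpack_file_hmac_{$field}"]);
			$post_data[$field] = $file_hmac;
		}
		ksort($post_data);
		$body = http_build_query(stripslashes_deep($post_data));
	} elseif (is_null($this->HTTP_RAW_POST_DATA)) {
		// No raw body was captured earlier; read it from the input stream.
		$body = file_get_contents('php://input');
	} else {
		$body = $this->HTTP_RAW_POST_DATA;
	}

	$signature = $jetpack_signature->sign_current_request(array('body' => $body));
	if (!$signature) {
		return $user;
	}
	if (is_wp_error($signature)) {
		return $signature;
	}
	// hash_equals() compares in constant time; a plain `!==` is not guaranteed to,
	// and this value is a secret-derived HMAC supplied by the caller.
	if (!is_string($signature) || !hash_equals($signature, $_GET['signature'])) {
		return $user;
	}

	// Each (timestamp, nonce) pair is accepted once; add_nonce() rejects a replay.
	if (
		!isset($_GET['timestamp'], $_GET['nonce'])
		|| !is_string($_GET['timestamp']) || !is_string($_GET['nonce'])
	) {
		return $user;
	}
	$timestamp = (int) $_GET['timestamp'];
	$nonce     = stripslashes((string) $_GET['nonce']);
	if (!$this->add_nonce($timestamp, $nonce)) {
		return $user;
	}

	nocache_headers();
	return new WP_User($token->external_user_id);
}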
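/**
 * Verifies that a JSON API authorization request really came from the Jetpack
 * Server and stores its sanitized payload on `$this->json_api_authorization_request`.
 *
 * Terminates with wp_die() on any failure: no connection token, a missing or
 * non-matching signature, an expired nonce, or a payload missing one of the
 * required fields. On success `$this->json_api_authorization_request` holds
 * `state`, `client_id`, `client_title` and `client_image`.
 *
 * @return void
 */
function verify_json_api_authorization_request() {
	require_once JETPACK__PLUGIN_DIR . 'class.jetpack-signature.php';

	$token = Jetpack_Data::get_access_token(JETPACK_MASTER_USER);
	if (!$token || empty($token->secret)) {
		wp_die(__('You must connect your Jetpack plugin to WordPress.com to use this feature.', 'jetpack'));
	}

	$die_error = __('Someone may be trying to trick you into giving them access to your site. Or it could be you just encountered a bug :). Either way, please close this window.', 'jetpack');

	// The signature must be a plain string; `signature[]=` would arrive as an array
	// and hash_equals() requires strings.
	if (!isset($_GET['signature']) || !is_string($_GET['signature'])) {
		wp_die($die_error);
	}
	$provided_signature = $_GET['signature'];

	$jetpack_signature = new Jetpack_Signature($token->secret, (int) Jetpack_Options::get_option('time_diff'));

	if (isset($_POST['jetpack_json_api_original_query'])) {
		// The login form re-POSTs the original query string; sign that GET request
		// rather than the POST we are currently serving.
		$signature = $jetpack_signature->sign_request($_GET['token'], $_GET['timestamp'], $_GET['nonce'], '', 'GET', $_POST['jetpack_json_api_original_query'], null, true);
	} else {
		$signature = $jetpack_signature->sign_current_request(array('body' => null, 'method' => 'GET'));
	}

	if (!$signature || is_wp_error($signature) || !is_string($signature)) {
		wp_die($die_error);
	}

	// Constant-time comparison: the signature is an HMAC derived from the token secret.
	if (!hash_equals($signature, $provided_signature)) {
		// If we signed an HTTP request on the Jetpack Servers, but got redirected to
		// HTTPS by the local blog, check the HTTP signature as well.
		if (!is_ssl()) {
			wp_die($die_error);
		}
		$signature = $jetpack_signature->sign_current_request(array('scheme' => 'http', 'body' => null, 'method' => 'GET'));
		if (
			!$signature
			|| is_wp_error($signature)
			|| !is_string($signature)
			|| !hash_equals($signature, $provided_signature)
		) {
			wp_die($die_error);
		}
	}

	if (
		!isset($_GET['timestamp'], $_GET['nonce'])
		|| !is_string($_GET['timestamp']) || !is_string($_GET['nonce'])
	) {
		wp_die($die_error);
	}
	$timestamp = (int) $_GET['timestamp'];
	$nonce     = stripslashes((string) $_GET['nonce']);
	if (!$this->add_nonce($timestamp, $nonce)) {
		// De-nonce the nonce, at least for 5 minutes.
		// We have to reuse this nonce at least once (used the first time when the
		// initial request is made, used a second time when the login form is POSTed).
		$old_nonce_time = get_option("jetpack_nonce_{$timestamp}_{$nonce}");
		if ($old_nonce_time < time() - 300) {
			wp_die(__('The authorization process expired. Please go back and try again.', 'jetpack'));
		}
	}

	// The payload is base64-encoded JSON; anything that does not decode to an
	// object cannot carry the required fields.
	if (!isset($_GET['data']) || !is_string($_GET['data'])) {
		wp_die($die_error);
	}
	$data = json_decode(base64_decode(stripslashes($_GET['data'])));
	if (!is_object($data)) {
		wp_die($die_error);
	}

	// Every field is required and is coerced to its declared type before it is
	// stored: `client_title` is passed through wp_kses() with no allowed tags,
	// `client_image` through esc_url_raw().
	$data_filters = array(
		'state'        => 'opaque',
		'client_id'    => 'int',
		'client_title' => 'string',
		'client_image' => 'url',
	);
	foreach ($data_filters as $key => $sanitation) {
		if (!isset($data->{$key})) {
			wp_die($die_error);
		}
		switch ($sanitation) {
			case 'int':
				$this->json_api_authorization_request[$key] = (int) $data->{$key};
				break;
			case 'opaque':
				$this->json_api_authorization_request[$key] = (string) $data->{$key};
				break;
			case 'string':
				$this->json_api_authorization_request[$key] = wp_kses((string) $data->{$key}, array());
				break;
			case 'url':
				$this->json_api_authorization_request[$key] = esc_url_raw((string) $data->{$key});
				break;
		}
	}

	// A client_id of 0 (or a non-numeric value cast to 0) is never valid.
	if (empty($this->json_api_authorization_request['client_id'])) {
		wp_die($die_error);
	}
}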
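/**
 * Authenticates XML-RPC requests from the Jetpack Server.
 *
 * We don't actually know who the real user is; we set it to the account that
 * created the connection (the token's `external_user_id`).
 *
 * Only requests carrying `for=jetpack` together with `token` and `signature`
 * query arguments are handled; anything else is passed through untouched.
 *
 * @param WP_User|WP_Error|null $user     Result of the authenticators that ran before us.
 * @param string                $username Unused; present for the filter signature.
 * @param string                $password Unused; present for the filter signature.
 *
 * @return WP_User|WP_Error|null `$user` unchanged when the request is not for us or
 *         fails verification, the WP_Error returned by the signer, or the WP_User
 *         the token was issued for.
 */
function authenticate_xml_rpc($user, $username, $password) {
	// Someone earlier in the filter chain has already authenticated this request.
	if ($user instanceof WP_User) {
		return $user;
	}

	// It's not for us: `for=jetpack`, a token and a signature must all be present,
	// and token and signature must be plain strings (a `token[]=` query argument
	// arrives as an array; explode() and hash_equals() would error on it).
	if (
		!isset($_GET['for']) || 'jetpack' !== $_GET['for']
		|| !isset($_GET['token']) || !is_string($_GET['token'])
		|| empty($_GET['signature']) || !is_string($_GET['signature'])
	) {
		return $user;
	}

	// Token format is "key:version:user_id". Padding replaces the former error
	// suppression: a short token yields empty parts, which fail the checks below.
	list($token_key, $version, $user_id) = array_pad(explode(':', $_GET['token']), 3, '');
	if (
		empty($token_key)
		|| empty($version)
		|| strval(JETPACK__API_VERSION) !== $version
		|| empty($user_id)
		|| !ctype_digit($user_id)
		|| !get_userdata($user_id)
	) {
		return $user;
	}

	$token = Jetpack_Data::get_access_token($user_id);
	if (!$token) {
		return $user;
	}

	// The stored secret starts with its key followed by a dot; the key sent in the
	// token must be the same one.
	if (0 !== strpos($token->secret, "{$token_key}.")) {
		return $user;
	}

	require_once dirname(__FILE__) . '/class.jetpack-signature.php';
	$jetpack_signature = new Jetpack_Signature($token->secret, (int) Jetpack::get_option('time_diff'));

	$signature = $jetpack_signature->sign_current_request(array('body' => $this->HTTP_RAW_POST_DATA));
	if (!$signature) {
		return $user;
	}
	if (is_wp_error($signature)) {
		return $signature;
	}
	// hash_equals() compares in constant time; a plain `!==` is not guaranteed to,
	// and this value is a secret-derived HMAC supplied by the caller.
	if (!is_string($signature) || !hash_equals($signature, $_GET['signature'])) {
		return $user;
	}

	// Each (timestamp, nonce) pair is accepted once; add_nonce() rejects a replay.
	// Both are required and normalized the same way authenticate_jetpack() does.
	if (
		!isset($_GET['timestamp'], $_GET['nonce'])
		|| !is_string($_GET['timestamp']) || !is_string($_GET['nonce'])
	) {
		return $user;
	}
	$timestamp = (int) $_GET['timestamp'];
	$nonce     = stripslashes((string) $_GET['nonce']);
	if (!$this->add_nonce($timestamp, $nonce)) {
		return $user;
	}

	nocache_headers();
	return new WP_User($token->external_user_id);
}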