/blog/wp-content/plugins/jetpack/class.jetpack-signature.php

https://gitlab.com/relacilia/cakra · PHP · 188 lines · 167 code · 20 blank · 1 comment · 40 complexity · 3ad3cee28f75fd005e20efe505201d69 MD5 · raw file 

    

  1. <?php
    2. 

  2. 

  3. defined( 'JETPACK_SIGNATURE__HTTP_PORT'  ) or define( 'JETPACK_SIGNATURE__HTTP_PORT' , 80  );
    4. 

  4. defined( 'JETPACK_SIGNATURE__HTTPS_PORT' ) or define( 'JETPACK_SIGNATURE__HTTPS_PORT', 443 );
    5. 

  5. 

  6. class Jetpack_Signature {
    7. 

  7. 	public $token;
    8. 

  8. 	public $secret;
    9. 

  9. 

  10. 	function __construct( $access_token, $time_diff = 0 ) {
    11. 

  11. 		$secret = explode( '.', $access_token );
    12. 

  12. 		if ( 2 != count( $secret ) )
    13. 

  13. 			return;
    14. 

  14. 

  15. 		$this->token  = $secret[0];
    16. 

  16. 		$this->secret = $secret[1];
    17. 

  17. 		$this->time_diff = $time_diff;
    18. 

  18. 	}
    19. 

  19. 

  20. 	function sign_current_request( $override = array() ) {
    21. 

  21. 		if ( isset( $override['scheme'] ) ) {
    22. 

  22. 			$scheme = $override['scheme'];
    23. 

  23. 			if ( !in_array( $scheme, array( 'http', 'https' ) ) ) {
    24. 

  24. 				return new Jetpack_Error( 'invalid_sheme', 'Invalid URL scheme' );
    25. 

  25. 			}
    26. 

  26. 		} else {
    27. 

  27. 			if ( is_ssl() ) {
    28. 

  28. 				$scheme = 'https';
    29. 

  29. 			} else {
    30. 

  30. 				$scheme = 'http';
    31. 

  31. 			}
    32. 

  32. 		}
    33. 

  33. 

  34. 		if ( is_ssl() ) {
    35. 

  35. 			$port = JETPACK_SIGNATURE__HTTPS_PORT == $_SERVER['SERVER_PORT'] ? '' : $_SERVER['SERVER_PORT'];
    36. 

  36. 		} else {
    37. 

  37. 			$port = JETPACK_SIGNATURE__HTTP_PORT  == $_SERVER['SERVER_PORT'] ? '' : $_SERVER['SERVER_PORT'];
    38. 

  38. 		}
    39. 

  39. 

  40. 		$url = "{$scheme}://{$_SERVER['HTTP_HOST']}:{$port}" . stripslashes( $_SERVER['REQUEST_URI'] );
    41. 

  41. 

  42. 		if ( array_key_exists( 'body', $override ) && !is_null( $override['body'] ) ) {
    43. 

  43. 			$body = $override['body'];
    44. 

  44. 		} else if ( 'POST' == strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
    45. 

  45. 			$body = isset( $GLOBALS['HTTP_RAW_POST_DATA'] ) ? $GLOBALS['HTTP_RAW_POST_DATA'] : null;
    46. 

  46. 		} else {
    47. 

  47. 			$body = null;
    48. 

  48. 		}
    49. 

  49. 

  50. 		$a = array();
    51. 

  51. 		foreach ( array( 'token', 'timestamp', 'nonce', 'body-hash' ) as $parameter ) {
    52. 

  52. 			if ( isset( $override[$parameter] ) ) {
    53. 

  53. 				$a[$parameter] = $override[$parameter];
    54. 

  54. 			} else {
    55. 

  55. 				$a[$parameter] = isset( $_GET[$parameter] ) ? stripslashes( $_GET[$parameter] ) : '';
    56. 

  56. 			}
    57. 

  57. 		}
    58. 

  58. 

  59. 		$method = isset( $override['method'] ) ? $override['method'] : $_SERVER['REQUEST_METHOD'];
    60. 

  60. 		return $this->sign_request( $a['token'], $a['timestamp'], $a['nonce'], $a['body-hash'], $method, $url, $body, true );
    61. 

  61. 	}
    62. 

  62. 

  63. 	// body_hash v. body-hash is annoying.  Refactor to accept an array?
    64. 

  64. 	function sign_request( $token = '', $timestamp = 0, $nonce = '', $body_hash = '', $method = '', $url = '', $body = null, $verify_body_hash = true ) {
    65. 

  65. 		if ( !$this->secret ) {
    66. 

  66. 			return new Jetpack_Error( 'invalid_secret', 'Invalid secret' );
    67. 

  67. 		}
    68. 

  68. 

  69. 		if ( !$this->token ) {
    70. 

  70. 			return new Jetpack_Error( 'invalid_token', 'Invalid token' );
    71. 

  71. 		}
    72. 

  72. 

  73. 		list( $token ) = explode( '.', $token );
    74. 

  74. 

  75. 		if ( 0 !== strpos( $token, "$this->token:" ) ) {
    76. 

  76. 			return new Jetpack_Error( 'token_mismatch', 'Incorrect token' );
    77. 

  77. 		}
    78. 

  78. 

  79. 		$required_parameters = array( 'token', 'timestamp', 'nonce', 'method', 'url' );
    80. 

  80. 		if ( !is_null( $body ) ) {
    81. 

  81. 			$required_parameters[] = 'body_hash';
    82. 

  82. 			if ( !is_string( $body ) ) {
    83. 

  83. 				return new Jetpack_Error( 'invalid_body', 'Body is malformed.' );
    84. 

  84. 			}
    85. 

  85. 		}
    86. 

  86. 

  87. 		foreach ( $required_parameters as $required ) {
    88. 

  88. 			if ( !is_scalar( $$required ) ) {
    89. 

  89. 				return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', str_replace( '_', '-', $required ) ) );
    90. 

  90. 			}
    91. 

  91. 

  92. 			if ( !strlen( $$required ) ) {
    93. 

  93. 				return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is missing.', str_replace( '_', '-', $required ) ) );
    94. 

  94. 			}
    95. 

  95. 		}
    96. 

  96. 

  97. 		if ( is_null( $body ) ) {
    98. 

  98. 			if ( $body_hash ) {
    99. 

  99. 				return new Jetpack_Error( 'invalid_body_hash', 'The body hash does not match.' );
    100. 

  100. 			}
    101. 

  101. 		} else {
    102. 

  102. 			if ( $verify_body_hash && jetpack_sha1_base64( $body ) !== $body_hash ) {
    103. 

  103. 				return new Jetpack_Error( 'invalid_body_hash', 'The body hash does not match.' );
    104. 

  104. 			}
    105. 

  105. 		}
    106. 

  106. 

  107. 		$parsed = parse_url( $url );
    108. 

  108. 		if ( !isset( $parsed['host'] ) ) {
    109. 

  109. 			return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'url' ) );
    110. 

  110. 		}
    111. 

  111. 

  112. 		if ( !empty( $parsed['port'] ) ) {
    113. 

  113. 			$port = $parsed['port'];
    114. 

  114. 		} else {
    115. 

  115. 			if ( 'http' == $parsed['scheme'] ) {
    116. 

  116. 				$port = 80;
    117. 

  117. 			} else if ( 'https' == $parsed['scheme'] ) {
    118. 

  118. 				$port = 443;
    119. 

  119. 			} else {
    120. 

  120. 				return new Jetpack_Error( 'unknown_scheme_port', "The scheme's port is unknown" );
    121. 

  121. 			}
    122. 

  122. 		}
    123. 

  123. 

  124. 		if ( !ctype_digit( "$timestamp" ) || 10 < strlen( $timestamp ) ) { // If Jetpack is around in 275 years, you can blame mdawaffe for the bug.
    125. 

  125. 			return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'timestamp' ) );
    126. 

  126. 		}
    127. 

  127. 

  128. 		$local_time = $timestamp - $this->time_diff;
    129. 

  129. 		if ( $local_time < time() - 600 || $local_time > time() + 300 ) {
    130. 

  130. 			return new Jetpack_Error( 'invalid_signature', 'The timestamp is too old.' );
    131. 

  131. 		}
    132. 

  132. 

  133. 		if ( 12 < strlen( $nonce ) || preg_match( '/[^a-zA-Z0-9]/', $nonce ) ) {
    134. 

  134. 			return new Jetpack_Error( 'invalid_signature', sprintf( 'The required "%s" parameter is malformed.', 'nonce' ) );
    135. 

  135. 		}
    136. 

  136. 

  137. 		$normalized_request_pieces = array(
    138. 

  138. 			$token,
    139. 

  139. 			$timestamp,
    140. 

  140. 			$nonce,
    141. 

  141. 			$body_hash,
    142. 

  142. 			strtoupper( $method ),
    143. 

  143. 			strtolower( $parsed['host'] ),
    144. 

  144. 			$port,
    145. 

  145. 			$parsed['path'],
    146. 

  146. 			// Normalized Query String
    147. 

  147. 		);
    148. 

  148. 

  149. 		$normalized_request_pieces = array_merge( $normalized_request_pieces, $this->normalized_query_parameters( isset( $parsed['query'] ) ? $parsed['query'] : '' ) );
    150. 

  150. 

  151. 		$normalized_request_string = join( "\n", $normalized_request_pieces ) . "\n";
    152. 

  152. 

  153. 		return base64_encode( hash_hmac( 'sha1', $normalized_request_string, $this->secret, true ) );
    154. 

  154. 	}
    155. 

  155. 

  156. 	function normalized_query_parameters( $query_string ) {
    157. 

  157. 		parse_str( $query_string, $array );
    158. 

  158. 		if ( get_magic_quotes_gpc() )
    159. 

  159. 			$array = stripslashes_deep( $array );
    160. 

  160. 

  161. 		unset( $array['signature'] );
    162. 

  162. 

  163. 		$names  = array_keys( $array );
    164. 

  164. 		$values = array_values( $array );
    165. 

  165. 

  166. 		$names  = array_map( array( $this, 'encode_3986' ), $names  );
    167. 

  167. 		$values = array_map( array( $this, 'encode_3986' ), $values );
    168. 

  168. 

  169. 		$pairs  = array_map( array( $this, 'join_with_equal_sign' ), $names, $values );
    170. 

  170. 

  171. 		sort( $pairs );
    172. 

  172. 

  173. 		return $pairs;
    174. 

  174. 	}
    175. 

  175. 

  176. 	function encode_3986( $string ) {
    177. 

  177. 		$string = rawurlencode( $string );
    178. 

  178. 		return str_replace( '%7E', '~', $string ); // prior to PHP 5.3, rawurlencode was RFC 1738
    179. 

  179. 	}
    180. 

  180. 

  181. 	function join_with_equal_sign( $name, $value ) {
    182. 

  182. 		return "{$name}={$value}";
    183. 

  183. 	}
    184. 

  184. }
    185. 

  185. 

  186. function jetpack_sha1_base64( $text ) {
    187. 

  187. 	return base64_encode( sha1( $text, true ) );
    188. 

  188. }
    189.