PageRenderTime 69ms CodeModel.GetById 28ms RepoModel.GetById 0ms app.codeStats 1ms

/wp-includes/pluggable.php

https://bitbucket.org/acipriani/madeinapulia.com
PHP | 2279 lines | 1052 code | 278 blank | 949 comment | 285 complexity | ffb1c191d52ecd52959a6decd9f82eb2 MD5 | raw file
Possible License(s): GPL-3.0, MIT, BSD-3-Clause, LGPL-2.1, GPL-2.0, Apache-2.0
  1. <?php
  2. /**
  3. * These functions can be replaced via plugins. If plugins do not redefine these
  4. * functions, then these will be used instead.
  5. *
  6. * @package WordPress
  7. */
  8. if ( !function_exists('wp_set_current_user') ) :
  9. /**
  10. * Changes the current user by ID or name.
  11. *
  12. * Set $id to null and specify a name if you do not know a user's ID.
  13. *
  14. * Some WordPress functionality is based on the current user and not based on
  15. * the signed in user. Therefore, it opens the ability to edit and perform
  16. * actions on users who aren't signed in.
  17. *
  18. * @since 2.0.3
  19. * @global object $current_user The current user object which holds the user data.
  20. *
  21. * @param int $id User ID
  22. * @param string $name User's username
  23. * @return WP_User Current user User object
  24. */
  25. function wp_set_current_user($id, $name = '') {
  26. global $current_user;
  27. if ( isset( $current_user ) && ( $current_user instanceof WP_User ) && ( $id == $current_user->ID ) )
  28. return $current_user;
  29. $current_user = new WP_User( $id, $name );
  30. setup_userdata( $current_user->ID );
  31. /**
  32. * Fires after the current user is set.
  33. *
  34. * @since 2.0.1
  35. */
  36. do_action( 'set_current_user' );
  37. return $current_user;
  38. }
  39. endif;
  40. if ( !function_exists('wp_get_current_user') ) :
  41. /**
  42. * Retrieve the current user object.
  43. *
  44. * @since 2.0.3
  45. *
  46. * @return WP_User Current user WP_User object
  47. */
  48. function wp_get_current_user() {
  49. global $current_user;
  50. get_currentuserinfo();
  51. return $current_user;
  52. }
  53. endif;
  54. if ( !function_exists('get_currentuserinfo') ) :
  55. /**
  56. * Populate global variables with information about the currently logged in user.
  57. *
  58. * Will set the current user, if the current user is not set. The current user
  59. * will be set to the logged-in person. If no user is logged-in, then it will
  60. * set the current user to 0, which is invalid and won't have any permissions.
  61. *
  62. * @since 0.71
  63. *
  64. * @uses $current_user Checks if the current user is set
  65. *
  66. * @return null|false False on XML-RPC Request and invalid auth cookie. Null when current user set.
  67. */
  68. function get_currentuserinfo() {
  69. global $current_user;
  70. if ( ! empty( $current_user ) ) {
  71. if ( $current_user instanceof WP_User )
  72. return;
  73. // Upgrade stdClass to WP_User
  74. if ( is_object( $current_user ) && isset( $current_user->ID ) ) {
  75. $cur_id = $current_user->ID;
  76. $current_user = null;
  77. wp_set_current_user( $cur_id );
  78. return;
  79. }
  80. // $current_user has a junk value. Force to WP_User with ID 0.
  81. $current_user = null;
  82. wp_set_current_user( 0 );
  83. return false;
  84. }
  85. if ( defined('XMLRPC_REQUEST') && XMLRPC_REQUEST ) {
  86. wp_set_current_user( 0 );
  87. return false;
  88. }
  89. /**
  90. * Filter the current user.
  91. *
  92. * The default filters use this to determine the current user from the
  93. * request's cookies, if available.
  94. *
  95. * Returning a value of false will effectively short-circuit setting
  96. * the current user.
  97. *
  98. * @since 3.9.0
  99. *
  100. * @param int|bool $user_id User ID if one has been determined, false otherwise.
  101. */
  102. $user_id = apply_filters( 'determine_current_user', false );
  103. if ( ! $user_id ) {
  104. wp_set_current_user( 0 );
  105. return false;
  106. }
  107. wp_set_current_user( $user_id );
  108. }
  109. endif;
  110. if ( !function_exists('get_userdata') ) :
  111. /**
  112. * Retrieve user info by user ID.
  113. *
  114. * @since 0.71
  115. *
  116. * @param int $user_id User ID
  117. * @return WP_User|bool WP_User object on success, false on failure.
  118. */
  119. function get_userdata( $user_id ) {
  120. return get_user_by( 'id', $user_id );
  121. }
  122. endif;
  123. if ( !function_exists('get_user_by') ) :
  124. /**
  125. * Retrieve user info by a given field
  126. *
  127. * @since 2.8.0
  128. *
  129. * @param string $field The field to retrieve the user with. id | slug | email | login
  130. * @param int|string $value A value for $field. A user ID, slug, email address, or login name.
  131. * @return WP_User|bool WP_User object on success, false on failure.
  132. */
  133. function get_user_by( $field, $value ) {
  134. $userdata = WP_User::get_data_by( $field, $value );
  135. if ( !$userdata )
  136. return false;
  137. $user = new WP_User;
  138. $user->init( $userdata );
  139. return $user;
  140. }
  141. endif;
  142. if ( !function_exists('cache_users') ) :
  143. /**
  144. * Retrieve info for user lists to prevent multiple queries by get_userdata()
  145. *
  146. * @since 3.0.0
  147. *
  148. * @param array $user_ids User ID numbers list
  149. */
  150. function cache_users( $user_ids ) {
  151. global $wpdb;
  152. $clean = _get_non_cached_ids( $user_ids, 'users' );
  153. if ( empty( $clean ) )
  154. return;
  155. $list = implode( ',', $clean );
  156. $users = $wpdb->get_results( "SELECT * FROM $wpdb->users WHERE ID IN ($list)" );
  157. $ids = array();
  158. foreach ( $users as $user ) {
  159. update_user_caches( $user );
  160. $ids[] = $user->ID;
  161. }
  162. update_meta_cache( 'user', $ids );
  163. }
  164. endif;
  165. if ( !function_exists( 'wp_mail' ) ) :
  166. /**
  167. * Send mail, similar to PHP's mail
  168. *
  169. * A true return value does not automatically mean that the user received the
  170. * email successfully. It just only means that the method used was able to
  171. * process the request without any errors.
  172. *
  173. * Using the two 'wp_mail_from' and 'wp_mail_from_name' hooks allow from
  174. * creating a from address like 'Name <email@address.com>' when both are set. If
  175. * just 'wp_mail_from' is set, then just the email address will be used with no
  176. * name.
  177. *
  178. * The default content type is 'text/plain' which does not allow using HTML.
  179. * However, you can set the content type of the email by using the
  180. * 'wp_mail_content_type' filter.
  181. *
  182. * The default charset is based on the charset used on the blog. The charset can
  183. * be set using the 'wp_mail_charset' filter.
  184. *
  185. * @since 1.2.1
  186. *
  187. * @uses PHPMailer
  188. *
  189. * @param string|array $to Array or comma-separated list of email addresses to send message.
  190. * @param string $subject Email subject
  191. * @param string $message Message contents
  192. * @param string|array $headers Optional. Additional headers.
  193. * @param string|array $attachments Optional. Files to attach.
  194. * @return bool Whether the email contents were sent successfully.
  195. */
  196. function wp_mail( $to, $subject, $message, $headers = '', $attachments = array() ) {
  197. // Compact the input, apply the filters, and extract them back out
  198. /**
  199. * Filter the wp_mail() arguments.
  200. *
  201. * @since 2.2.0
  202. *
  203. * @param array $args A compacted array of wp_mail() arguments, including the "to" email,
  204. * subject, message, headers, and attachments values.
  205. */
  206. $atts = apply_filters( 'wp_mail', compact( 'to', 'subject', 'message', 'headers', 'attachments' ) );
  207. if ( isset( $atts['to'] ) ) {
  208. $to = $atts['to'];
  209. }
  210. if ( isset( $atts['subject'] ) ) {
  211. $subject = $atts['subject'];
  212. }
  213. if ( isset( $atts['message'] ) ) {
  214. $message = $atts['message'];
  215. }
  216. if ( isset( $atts['headers'] ) ) {
  217. $headers = $atts['headers'];
  218. }
  219. if ( isset( $atts['attachments'] ) ) {
  220. $attachments = $atts['attachments'];
  221. }
  222. if ( ! is_array( $attachments ) ) {
  223. $attachments = explode( "\n", str_replace( "\r\n", "\n", $attachments ) );
  224. }
  225. global $phpmailer;
  226. // (Re)create it, if it's gone missing
  227. if ( !is_object( $phpmailer ) || !is_a( $phpmailer, 'PHPMailer' ) ) {
  228. require_once ABSPATH . WPINC . '/class-phpmailer.php';
  229. require_once ABSPATH . WPINC . '/class-smtp.php';
  230. $phpmailer = new PHPMailer( true );
  231. }
  232. // Headers
  233. if ( empty( $headers ) ) {
  234. $headers = array();
  235. } else {
  236. if ( !is_array( $headers ) ) {
  237. // Explode the headers out, so this function can take both
  238. // string headers and an array of headers.
  239. $tempheaders = explode( "\n", str_replace( "\r\n", "\n", $headers ) );
  240. } else {
  241. $tempheaders = $headers;
  242. }
  243. $headers = array();
  244. $cc = array();
  245. $bcc = array();
  246. // If it's actually got contents
  247. if ( !empty( $tempheaders ) ) {
  248. // Iterate through the raw headers
  249. foreach ( (array) $tempheaders as $header ) {
  250. if ( strpos($header, ':') === false ) {
  251. if ( false !== stripos( $header, 'boundary=' ) ) {
  252. $parts = preg_split('/boundary=/i', trim( $header ) );
  253. $boundary = trim( str_replace( array( "'", '"' ), '', $parts[1] ) );
  254. }
  255. continue;
  256. }
  257. // Explode them out
  258. list( $name, $content ) = explode( ':', trim( $header ), 2 );
  259. // Cleanup crew
  260. $name = trim( $name );
  261. $content = trim( $content );
  262. switch ( strtolower( $name ) ) {
  263. // Mainly for legacy -- process a From: header if it's there
  264. case 'from':
  265. if ( strpos($content, '<' ) !== false ) {
  266. // So... making my life hard again?
  267. $from_name = substr( $content, 0, strpos( $content, '<' ) - 1 );
  268. $from_name = str_replace( '"', '', $from_name );
  269. $from_name = trim( $from_name );
  270. $from_email = substr( $content, strpos( $content, '<' ) + 1 );
  271. $from_email = str_replace( '>', '', $from_email );
  272. $from_email = trim( $from_email );
  273. } else {
  274. $from_email = trim( $content );
  275. }
  276. break;
  277. case 'content-type':
  278. if ( strpos( $content, ';' ) !== false ) {
  279. list( $type, $charset ) = explode( ';', $content );
  280. $content_type = trim( $type );
  281. if ( false !== stripos( $charset, 'charset=' ) ) {
  282. $charset = trim( str_replace( array( 'charset=', '"' ), '', $charset ) );
  283. } elseif ( false !== stripos( $charset, 'boundary=' ) ) {
  284. $boundary = trim( str_replace( array( 'BOUNDARY=', 'boundary=', '"' ), '', $charset ) );
  285. $charset = '';
  286. }
  287. } else {
  288. $content_type = trim( $content );
  289. }
  290. break;
  291. case 'cc':
  292. $cc = array_merge( (array) $cc, explode( ',', $content ) );
  293. break;
  294. case 'bcc':
  295. $bcc = array_merge( (array) $bcc, explode( ',', $content ) );
  296. break;
  297. default:
  298. // Add it to our grand headers array
  299. $headers[trim( $name )] = trim( $content );
  300. break;
  301. }
  302. }
  303. }
  304. }
  305. // Empty out the values that may be set
  306. $phpmailer->ClearAllRecipients();
  307. $phpmailer->ClearAttachments();
  308. $phpmailer->ClearCustomHeaders();
  309. $phpmailer->ClearReplyTos();
  310. // From email and name
  311. // If we don't have a name from the input headers
  312. if ( !isset( $from_name ) )
  313. $from_name = 'WordPress';
  314. /* If we don't have an email from the input headers default to wordpress@$sitename
  315. * Some hosts will block outgoing mail from this address if it doesn't exist but
  316. * there's no easy alternative. Defaulting to admin_email might appear to be another
  317. * option but some hosts may refuse to relay mail from an unknown domain. See
  318. * https://core.trac.wordpress.org/ticket/5007.
  319. */
  320. if ( !isset( $from_email ) ) {
  321. // Get the site domain and get rid of www.
  322. $sitename = strtolower( $_SERVER['SERVER_NAME'] );
  323. if ( substr( $sitename, 0, 4 ) == 'www.' ) {
  324. $sitename = substr( $sitename, 4 );
  325. }
  326. $from_email = 'wordpress@' . $sitename;
  327. }
  328. /**
  329. * Filter the email address to send from.
  330. *
  331. * @since 2.2.0
  332. *
  333. * @param string $from_email Email address to send from.
  334. */
  335. $phpmailer->From = apply_filters( 'wp_mail_from', $from_email );
  336. /**
  337. * Filter the name to associate with the "from" email address.
  338. *
  339. * @since 2.3.0
  340. *
  341. * @param string $from_name Name associated with the "from" email address.
  342. */
  343. $phpmailer->FromName = apply_filters( 'wp_mail_from_name', $from_name );
  344. // Set destination addresses
  345. if ( !is_array( $to ) )
  346. $to = explode( ',', $to );
  347. foreach ( (array) $to as $recipient ) {
  348. try {
  349. // Break $recipient into name and address parts if in the format "Foo <bar@baz.com>"
  350. $recipient_name = '';
  351. if( preg_match( '/(.*)<(.+)>/', $recipient, $matches ) ) {
  352. if ( count( $matches ) == 3 ) {
  353. $recipient_name = $matches[1];
  354. $recipient = $matches[2];
  355. }
  356. }
  357. $phpmailer->AddAddress( $recipient, $recipient_name);
  358. } catch ( phpmailerException $e ) {
  359. continue;
  360. }
  361. }
  362. // Set mail's subject and body
  363. $phpmailer->Subject = $subject;
  364. $phpmailer->Body = $message;
  365. // Add any CC and BCC recipients
  366. if ( !empty( $cc ) ) {
  367. foreach ( (array) $cc as $recipient ) {
  368. try {
  369. // Break $recipient into name and address parts if in the format "Foo <bar@baz.com>"
  370. $recipient_name = '';
  371. if( preg_match( '/(.*)<(.+)>/', $recipient, $matches ) ) {
  372. if ( count( $matches ) == 3 ) {
  373. $recipient_name = $matches[1];
  374. $recipient = $matches[2];
  375. }
  376. }
  377. $phpmailer->AddCc( $recipient, $recipient_name );
  378. } catch ( phpmailerException $e ) {
  379. continue;
  380. }
  381. }
  382. }
  383. if ( !empty( $bcc ) ) {
  384. foreach ( (array) $bcc as $recipient) {
  385. try {
  386. // Break $recipient into name and address parts if in the format "Foo <bar@baz.com>"
  387. $recipient_name = '';
  388. if( preg_match( '/(.*)<(.+)>/', $recipient, $matches ) ) {
  389. if ( count( $matches ) == 3 ) {
  390. $recipient_name = $matches[1];
  391. $recipient = $matches[2];
  392. }
  393. }
  394. $phpmailer->AddBcc( $recipient, $recipient_name );
  395. } catch ( phpmailerException $e ) {
  396. continue;
  397. }
  398. }
  399. }
  400. // Set to use PHP's mail()
  401. $phpmailer->IsMail();
  402. // Set Content-Type and charset
  403. // If we don't have a content-type from the input headers
  404. if ( !isset( $content_type ) )
  405. $content_type = 'text/plain';
  406. /**
  407. * Filter the wp_mail() content type.
  408. *
  409. * @since 2.3.0
  410. *
  411. * @param string $content_type Default wp_mail() content type.
  412. */
  413. $content_type = apply_filters( 'wp_mail_content_type', $content_type );
  414. $phpmailer->ContentType = $content_type;
  415. // Set whether it's plaintext, depending on $content_type
  416. if ( 'text/html' == $content_type )
  417. $phpmailer->IsHTML( true );
  418. // If we don't have a charset from the input headers
  419. if ( !isset( $charset ) )
  420. $charset = get_bloginfo( 'charset' );
  421. // Set the content-type and charset
  422. /**
  423. * Filter the default wp_mail() charset.
  424. *
  425. * @since 2.3.0
  426. *
  427. * @param string $charset Default email charset.
  428. */
  429. $phpmailer->CharSet = apply_filters( 'wp_mail_charset', $charset );
  430. // Set custom headers
  431. if ( !empty( $headers ) ) {
  432. foreach( (array) $headers as $name => $content ) {
  433. $phpmailer->AddCustomHeader( sprintf( '%1$s: %2$s', $name, $content ) );
  434. }
  435. if ( false !== stripos( $content_type, 'multipart' ) && ! empty($boundary) )
  436. $phpmailer->AddCustomHeader( sprintf( "Content-Type: %s;\n\t boundary=\"%s\"", $content_type, $boundary ) );
  437. }
  438. if ( !empty( $attachments ) ) {
  439. foreach ( $attachments as $attachment ) {
  440. try {
  441. $phpmailer->AddAttachment($attachment);
  442. } catch ( phpmailerException $e ) {
  443. continue;
  444. }
  445. }
  446. }
  447. /**
  448. * Fires after PHPMailer is initialized.
  449. *
  450. * @since 2.2.0
  451. *
  452. * @param PHPMailer &$phpmailer The PHPMailer instance, passed by reference.
  453. */
  454. do_action_ref_array( 'phpmailer_init', array( &$phpmailer ) );
  455. // Send!
  456. try {
  457. return $phpmailer->Send();
  458. } catch ( phpmailerException $e ) {
  459. return false;
  460. }
  461. }
  462. endif;
  463. if ( !function_exists('wp_authenticate') ) :
  464. /**
  465. * Checks a user's login information and logs them in if it checks out.
  466. *
  467. * @since 2.5.0
  468. *
  469. * @param string $username User's username
  470. * @param string $password User's password
  471. * @return WP_User|WP_Error WP_User object if login successful, otherwise WP_Error object.
  472. */
  473. function wp_authenticate($username, $password) {
  474. $username = sanitize_user($username);
  475. $password = trim($password);
  476. /**
  477. * Filter the user to authenticate.
  478. *
  479. * If a non-null value is passed, the filter will effectively short-circuit
  480. * authentication, returning an error instead.
  481. *
  482. * @since 2.8.0
  483. *
  484. * @param null|WP_User $user User to authenticate.
  485. * @param string $username User login.
  486. * @param string $password User password
  487. */
  488. $user = apply_filters( 'authenticate', null, $username, $password );
  489. if ( $user == null ) {
  490. // TODO what should the error message be? (Or would these even happen?)
  491. // Only needed if all authentication handlers fail to return anything.
  492. $user = new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Invalid username or incorrect password.'));
  493. }
  494. $ignore_codes = array('empty_username', 'empty_password');
  495. if (is_wp_error($user) && !in_array($user->get_error_code(), $ignore_codes) ) {
  496. /**
  497. * Fires after a user login has failed.
  498. *
  499. * @since 2.5.0
  500. *
  501. * @param string $username User login.
  502. */
  503. do_action( 'wp_login_failed', $username );
  504. }
  505. return $user;
  506. }
  507. endif;
  508. if ( !function_exists('wp_logout') ) :
  509. /**
  510. * Log the current user out.
  511. *
  512. * @since 2.5.0
  513. */
  514. function wp_logout() {
  515. wp_destroy_current_session();
  516. wp_clear_auth_cookie();
  517. /**
  518. * Fires after a user is logged-out.
  519. *
  520. * @since 1.5.0
  521. */
  522. do_action( 'wp_logout' );
  523. }
  524. endif;
  525. if ( !function_exists('wp_validate_auth_cookie') ) :
  526. /**
  527. * Validates authentication cookie.
  528. *
  529. * The checks include making sure that the authentication cookie is set and
  530. * pulling in the contents (if $cookie is not used).
  531. *
  532. * Makes sure the cookie is not expired. Verifies the hash in cookie is what is
  533. * should be and compares the two.
  534. *
  535. * @since 2.5.0
  536. *
  537. * @param string $cookie Optional. If used, will validate contents instead of cookie's
  538. * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
  539. * @return bool|int False if invalid cookie, User ID if valid.
  540. */
  541. function wp_validate_auth_cookie($cookie = '', $scheme = '') {
  542. if ( ! $cookie_elements = wp_parse_auth_cookie($cookie, $scheme) ) {
  543. /**
  544. * Fires if an authentication cookie is malformed.
  545. *
  546. * @since 2.7.0
  547. *
  548. * @param string $cookie Malformed auth cookie.
  549. * @param string $scheme Authentication scheme. Values include 'auth', 'secure_auth',
  550. * or 'logged_in'.
  551. */
  552. do_action( 'auth_cookie_malformed', $cookie, $scheme );
  553. return false;
  554. }
  555. $scheme = $cookie_elements['scheme'];
  556. $username = $cookie_elements['username'];
  557. $hmac = $cookie_elements['hmac'];
  558. $token = $cookie_elements['token'];
  559. $expired = $expiration = $cookie_elements['expiration'];
  560. // Allow a grace period for POST and AJAX requests
  561. if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] ) {
  562. $expired += HOUR_IN_SECONDS;
  563. }
  564. // Quick check to see if an honest cookie has expired
  565. if ( $expired < time() ) {
  566. /**
  567. * Fires once an authentication cookie has expired.
  568. *
  569. * @since 2.7.0
  570. *
  571. * @param array $cookie_elements An array of data for the authentication cookie.
  572. */
  573. do_action( 'auth_cookie_expired', $cookie_elements );
  574. return false;
  575. }
  576. $user = get_user_by('login', $username);
  577. if ( ! $user ) {
  578. /**
  579. * Fires if a bad username is entered in the user authentication process.
  580. *
  581. * @since 2.7.0
  582. *
  583. * @param array $cookie_elements An array of data for the authentication cookie.
  584. */
  585. do_action( 'auth_cookie_bad_username', $cookie_elements );
  586. return false;
  587. }
  588. $pass_frag = substr($user->user_pass, 8, 4);
  589. $key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );
  590. // If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
  591. $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
  592. $hash = hash_hmac( $algo, $username . '|' . $expiration . '|' . $token, $key );
  593. if ( ! hash_equals( $hash, $hmac ) ) {
  594. /**
  595. * Fires if a bad authentication cookie hash is encountered.
  596. *
  597. * @since 2.7.0
  598. *
  599. * @param array $cookie_elements An array of data for the authentication cookie.
  600. */
  601. do_action( 'auth_cookie_bad_hash', $cookie_elements );
  602. return false;
  603. }
  604. $manager = WP_Session_Tokens::get_instance( $user->ID );
  605. if ( ! $manager->verify( $token ) ) {
  606. do_action( 'auth_cookie_bad_session_token', $cookie_elements );
  607. return false;
  608. }
  609. // AJAX/POST grace period set above
  610. if ( $expiration < time() ) {
  611. $GLOBALS['login_grace_period'] = 1;
  612. }
  613. /**
  614. * Fires once an authentication cookie has been validated.
  615. *
  616. * @since 2.7.0
  617. *
  618. * @param array $cookie_elements An array of data for the authentication cookie.
  619. * @param WP_User $user User object.
  620. */
  621. do_action( 'auth_cookie_valid', $cookie_elements, $user );
  622. return $user->ID;
  623. }
  624. endif;
  625. if ( !function_exists('wp_generate_auth_cookie') ) :
  626. /**
  627. * Generate authentication cookie contents.
  628. *
  629. * @since 2.5.0
  630. *
  631. * @param int $user_id User ID
  632. * @param int $expiration Cookie expiration in seconds
  633. * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
  634. * @param string $token User's session token to use for this cookie
  635. * @return string Authentication cookie contents. Empty string if user does not exist.
  636. */
  637. function wp_generate_auth_cookie( $user_id, $expiration, $scheme = 'auth', $token = '' ) {
  638. $user = get_userdata($user_id);
  639. if ( ! $user ) {
  640. return '';
  641. }
  642. if ( ! $token ) {
  643. $manager = WP_Session_Tokens::get_instance( $user_id );
  644. $token = $manager->create( $expiration );
  645. }
  646. $pass_frag = substr($user->user_pass, 8, 4);
  647. $key = wp_hash( $user->user_login . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );
  648. // If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
  649. $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
  650. $hash = hash_hmac( $algo, $user->user_login . '|' . $expiration . '|' . $token, $key );
  651. $cookie = $user->user_login . '|' . $expiration . '|' . $token . '|' . $hash;
  652. /**
  653. * Filter the authentication cookie.
  654. *
  655. * @since 2.5.0
  656. *
  657. * @param string $cookie Authentication cookie.
  658. * @param int $user_id User ID.
  659. * @param int $expiration Authentication cookie expiration in seconds.
  660. * @param string $scheme Cookie scheme used. Accepts 'auth', 'secure_auth', or 'logged_in'.
  661. * @param string $token User's session token used.
  662. */
  663. return apply_filters( 'auth_cookie', $cookie, $user_id, $expiration, $scheme, $token );
  664. }
  665. endif;
  666. if ( !function_exists('wp_parse_auth_cookie') ) :
  667. /**
  668. * Parse a cookie into its components
  669. *
  670. * @since 2.7.0
  671. *
  672. * @param string $cookie
  673. * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
  674. * @return array Authentication cookie components
  675. */
  676. function wp_parse_auth_cookie($cookie = '', $scheme = '') {
  677. if ( empty($cookie) ) {
  678. switch ($scheme){
  679. case 'auth':
  680. $cookie_name = AUTH_COOKIE;
  681. break;
  682. case 'secure_auth':
  683. $cookie_name = SECURE_AUTH_COOKIE;
  684. break;
  685. case "logged_in":
  686. $cookie_name = LOGGED_IN_COOKIE;
  687. break;
  688. default:
  689. if ( is_ssl() ) {
  690. $cookie_name = SECURE_AUTH_COOKIE;
  691. $scheme = 'secure_auth';
  692. } else {
  693. $cookie_name = AUTH_COOKIE;
  694. $scheme = 'auth';
  695. }
  696. }
  697. if ( empty($_COOKIE[$cookie_name]) )
  698. return false;
  699. $cookie = $_COOKIE[$cookie_name];
  700. }
  701. $cookie_elements = explode('|', $cookie);
  702. if ( count( $cookie_elements ) !== 4 ) {
  703. return false;
  704. }
  705. list( $username, $expiration, $token, $hmac ) = $cookie_elements;
  706. return compact( 'username', 'expiration', 'token', 'hmac', 'scheme' );
  707. }
  708. endif;
  709. if ( !function_exists('wp_set_auth_cookie') ) :
  710. /**
  711. * Sets the authentication cookies based on user ID.
  712. *
  713. * The $remember parameter increases the time that the cookie will be kept. The
  714. * default the cookie is kept without remembering is two days. When $remember is
  715. * set, the cookies will be kept for 14 days or two weeks.
  716. *
  717. * @since 2.5.0
  718. *
  719. * @param int $user_id User ID
  720. * @param bool $remember Whether to remember the user
  721. * @param mixed $secure Whether the admin cookies should only be sent over HTTPS.
  722. * Default is_ssl().
  723. */
  724. function wp_set_auth_cookie($user_id, $remember = false, $secure = '') {
  725. if ( $remember ) {
  726. /**
  727. * Filter the duration of the authentication cookie expiration period.
  728. *
  729. * @since 2.8.0
  730. *
  731. * @param int $length Duration of the expiration period in seconds.
  732. * @param int $user_id User ID.
  733. * @param bool $remember Whether to remember the user login. Default false.
  734. */
  735. $expiration = time() + apply_filters( 'auth_cookie_expiration', 14 * DAY_IN_SECONDS, $user_id, $remember );
  736. /*
  737. * Ensure the browser will continue to send the cookie after the expiration time is reached.
  738. * Needed for the login grace period in wp_validate_auth_cookie().
  739. */
  740. $expire = $expiration + ( 12 * HOUR_IN_SECONDS );
  741. } else {
  742. /** This filter is documented in wp-includes/pluggable.php */
  743. $expiration = time() + apply_filters( 'auth_cookie_expiration', 2 * DAY_IN_SECONDS, $user_id, $remember );
  744. $expire = 0;
  745. }
  746. if ( '' === $secure ) {
  747. $secure = is_ssl();
  748. }
  749. // Frontend cookie is secure when the auth cookie is secure and the site's home URL is forced HTTPS.
  750. $secure_logged_in_cookie = $secure && 'https' === parse_url( get_option( 'home' ), PHP_URL_SCHEME );
  751. /**
  752. * Filter whether the connection is secure.
  753. *
  754. * @since 3.1.0
  755. *
  756. * @param bool $secure Whether the connection is secure.
  757. * @param int $user_id User ID.
  758. */
  759. $secure = apply_filters( 'secure_auth_cookie', $secure, $user_id );
  760. /**
  761. * Filter whether to use a secure cookie when logged-in.
  762. *
  763. * @since 3.1.0
  764. *
  765. * @param bool $secure_logged_in_cookie Whether to use a secure cookie when logged-in.
  766. * @param int $user_id User ID.
  767. * @param bool $secure Whether the connection is secure.
  768. */
  769. $secure_logged_in_cookie = apply_filters( 'secure_logged_in_cookie', $secure_logged_in_cookie, $user_id, $secure );
  770. if ( $secure ) {
  771. $auth_cookie_name = SECURE_AUTH_COOKIE;
  772. $scheme = 'secure_auth';
  773. } else {
  774. $auth_cookie_name = AUTH_COOKIE;
  775. $scheme = 'auth';
  776. }
  777. $manager = WP_Session_Tokens::get_instance( $user_id );
  778. $token = $manager->create( $expiration );
  779. $auth_cookie = wp_generate_auth_cookie( $user_id, $expiration, $scheme, $token );
  780. $logged_in_cookie = wp_generate_auth_cookie( $user_id, $expiration, 'logged_in', $token );
  781. /**
  782. * Fires immediately before the authentication cookie is set.
  783. *
  784. * @since 2.5.0
  785. *
  786. * @param string $auth_cookie Authentication cookie.
  787. * @param int $expire Login grace period in seconds. Default 43,200 seconds, or 12 hours.
  788. * @param int $expiration Duration in seconds the authentication cookie should be valid.
  789. * Default 1,209,600 seconds, or 14 days.
  790. * @param int $user_id User ID.
  791. * @param string $scheme Authentication scheme. Values include 'auth', 'secure_auth', or 'logged_in'.
  792. */
  793. do_action( 'set_auth_cookie', $auth_cookie, $expire, $expiration, $user_id, $scheme );
  794. /**
  795. * Fires immediately before the secure authentication cookie is set.
  796. *
  797. * @since 2.6.0
  798. *
  799. * @param string $logged_in_cookie The logged-in cookie.
  800. * @param int $expire Login grace period in seconds. Default 43,200 seconds, or 12 hours.
  801. * @param int $expiration Duration in seconds the authentication cookie should be valid.
  802. * Default 1,209,600 seconds, or 14 days.
  803. * @param int $user_id User ID.
  804. * @param string $scheme Authentication scheme. Default 'logged_in'.
  805. */
  806. do_action( 'set_logged_in_cookie', $logged_in_cookie, $expire, $expiration, $user_id, 'logged_in' );
  807. setcookie($auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
  808. setcookie($auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
  809. setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true);
  810. if ( COOKIEPATH != SITECOOKIEPATH )
  811. setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true);
  812. }
  813. endif;
  814. if ( !function_exists('wp_clear_auth_cookie') ) :
  815. /**
  816. * Removes all of the cookies associated with authentication.
  817. *
  818. * @since 2.5.0
  819. */
  820. function wp_clear_auth_cookie() {
  821. /**
  822. * Fires just before the authentication cookies are cleared.
  823. *
  824. * @since 2.7.0
  825. */
  826. do_action( 'clear_auth_cookie' );
  827. setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
  828. setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
  829. setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
  830. setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
  831. setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
  832. setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
  833. // Old cookies
  834. setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
  835. setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
  836. setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
  837. setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
  838. // Even older cookies
  839. setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
  840. setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
  841. setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
  842. setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
  843. }
  844. endif;
  845. if ( !function_exists('is_user_logged_in') ) :
  846. /**
  847. * Checks if the current visitor is a logged in user.
  848. *
  849. * @since 2.0.0
  850. *
  851. * @return bool True if user is logged in, false if not logged in.
  852. */
  853. function is_user_logged_in() {
  854. $user = wp_get_current_user();
  855. if ( ! $user->exists() )
  856. return false;
  857. return true;
  858. }
  859. endif;
  860. if ( !function_exists('auth_redirect') ) :
  861. /**
  862. * Checks if a user is logged in, if not it redirects them to the login page.
  863. *
  864. * @since 1.5.0
  865. */
  866. function auth_redirect() {
  867. // Checks if a user is logged in, if not redirects them to the login page
  868. $secure = ( is_ssl() || force_ssl_admin() );
  869. /**
  870. * Filter whether to use a secure authentication redirect.
  871. *
  872. * @since 3.1.0
  873. *
  874. * @param bool $secure Whether to use a secure authentication redirect. Default false.
  875. */
  876. $secure = apply_filters( 'secure_auth_redirect', $secure );
  877. // If https is required and request is http, redirect
  878. if ( $secure && !is_ssl() && false !== strpos($_SERVER['REQUEST_URI'], 'wp-admin') ) {
  879. if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) {
  880. wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
  881. exit();
  882. } else {
  883. wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
  884. exit();
  885. }
  886. }
  887. if ( is_user_admin() ) {
  888. $scheme = 'logged_in';
  889. } else {
  890. /**
  891. * Filter the authentication redirect scheme.
  892. *
  893. * @since 2.9.0
  894. *
  895. * @param string $scheme Authentication redirect scheme. Default empty.
  896. */
  897. $scheme = apply_filters( 'auth_redirect_scheme', '' );
  898. }
  899. if ( $user_id = wp_validate_auth_cookie( '', $scheme) ) {
  900. /**
  901. * Fires before the authentication redirect.
  902. *
  903. * @since 2.8.0
  904. *
  905. * @param int $user_id User ID.
  906. */
  907. do_action( 'auth_redirect', $user_id );
  908. // If the user wants ssl but the session is not ssl, redirect.
  909. if ( !$secure && get_user_option('use_ssl', $user_id) && false !== strpos($_SERVER['REQUEST_URI'], 'wp-admin') ) {
  910. if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) {
  911. wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
  912. exit();
  913. } else {
  914. wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
  915. exit();
  916. }
  917. }
  918. return; // The cookie is good so we're done
  919. }
  920. // The cookie is no good so force login
  921. nocache_headers();
  922. $redirect = ( strpos( $_SERVER['REQUEST_URI'], '/options.php' ) && wp_get_referer() ) ? wp_get_referer() : set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
  923. $login_url = wp_login_url($redirect, true);
  924. wp_redirect($login_url);
  925. exit();
  926. }
  927. endif;
  928. if ( !function_exists('check_admin_referer') ) :
  929. /**
  930. * Makes sure that a user was referred from another admin page.
  931. *
  932. * To avoid security exploits.
  933. *
  934. * @since 1.2.0
  935. *
  936. * @param int|string $action Action nonce
  937. * @param string $query_arg Where to look for nonce in $_REQUEST (since 2.5)
  938. */
  939. function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
  940. if ( -1 == $action )
  941. _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2' );
  942. $adminurl = strtolower(admin_url());
  943. $referer = strtolower(wp_get_referer());
  944. $result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;
  945. if ( !$result && !(-1 == $action && strpos($referer, $adminurl) === 0) ) {
  946. wp_nonce_ays($action);
  947. die();
  948. }
  949. /**
  950. * Fires once the admin request has been validated or not.
  951. *
  952. * @since 1.5.1
  953. *
  954. * @param string $action The nonce action.
  955. * @param bool $result Whether the admin request nonce was validated.
  956. */
  957. do_action( 'check_admin_referer', $action, $result );
  958. return $result;
  959. }
  960. endif;
  961. if ( !function_exists('check_ajax_referer') ) :
  962. /**
  963. * Verifies the AJAX request to prevent processing requests external of the blog.
  964. *
  965. * @since 2.0.3
  966. *
  967. * @param int|string $action Action nonce
  968. * @param string $query_arg Where to look for nonce in $_REQUEST (since 2.5)
  969. */
  970. function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
  971. $nonce = '';
  972. if ( $query_arg && isset( $_REQUEST[ $query_arg ] ) )
  973. $nonce = $_REQUEST[ $query_arg ];
  974. elseif ( isset( $_REQUEST['_ajax_nonce'] ) )
  975. $nonce = $_REQUEST['_ajax_nonce'];
  976. elseif ( isset( $_REQUEST['_wpnonce'] ) )
  977. $nonce = $_REQUEST['_wpnonce'];
  978. $result = wp_verify_nonce( $nonce, $action );
  979. if ( $die && false == $result ) {
  980. if ( defined( 'DOING_AJAX' ) && DOING_AJAX )
  981. wp_die( -1 );
  982. else
  983. die( '-1' );
  984. }
  985. /**
  986. * Fires once the AJAX request has been validated or not.
  987. *
  988. * @since 2.1.0
  989. *
  990. * @param string $action The AJAX nonce action.
  991. * @param bool $result Whether the AJAX request nonce was validated.
  992. */
  993. do_action( 'check_ajax_referer', $action, $result );
  994. return $result;
  995. }
  996. endif;
  997. if ( !function_exists('wp_redirect') ) :
  998. /**
  999. * Redirects to another page.
  1000. *
  1001. * @since 1.5.1
  1002. *
  1003. * @param string $location The path to redirect to.
  1004. * @param int $status Status code to use.
  1005. * @return bool False if $location is not provided, true otherwise.
  1006. */
  1007. function wp_redirect($location, $status = 302) {
  1008. global $is_IIS;
  1009. /**
  1010. * Filter the redirect location.
  1011. *
  1012. * @since 2.1.0
  1013. *
  1014. * @param string $location The path to redirect to.
  1015. * @param int $status Status code to use.
  1016. */
  1017. $location = apply_filters( 'wp_redirect', $location, $status );
  1018. /**
  1019. * Filter the redirect status code.
  1020. *
  1021. * @since 2.3.0
  1022. *
  1023. * @param int $status Status code to use.
  1024. * @param string $location The path to redirect to.
  1025. */
  1026. $status = apply_filters( 'wp_redirect_status', $status, $location );
  1027. if ( ! $location )
  1028. return false;
  1029. $location = wp_sanitize_redirect($location);
  1030. if ( !$is_IIS && php_sapi_name() != 'cgi-fcgi' )
  1031. status_header($status); // This causes problems on IIS and some FastCGI setups
  1032. header("Location: $location", true, $status);
  1033. return true;
  1034. }
  1035. endif;
  1036. if ( !function_exists('wp_sanitize_redirect') ) :
  1037. /**
  1038. * Sanitizes a URL for use in a redirect.
  1039. *
  1040. * @since 2.3.0
  1041. *
  1042. * @return string redirect-sanitized URL
  1043. **/
  1044. function wp_sanitize_redirect($location) {
  1045. $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()]|i', '', $location);
  1046. $location = wp_kses_no_null($location);
  1047. // remove %0d and %0a from location
  1048. $strip = array('%0d', '%0a', '%0D', '%0A');
  1049. $location = _deep_replace($strip, $location);
  1050. return $location;
  1051. }
  1052. endif;
  1053. if ( !function_exists('wp_safe_redirect') ) :
  1054. /**
  1055. * Performs a safe (local) redirect, using wp_redirect().
  1056. *
  1057. * Checks whether the $location is using an allowed host, if it has an absolute
  1058. * path. A plugin can therefore set or remove allowed host(s) to or from the
  1059. * list.
  1060. *
  1061. * If the host is not allowed, then the redirect is to wp-admin on the siteurl
  1062. * instead. This prevents malicious redirects which redirect to another host,
  1063. * but only used in a few places.
  1064. *
  1065. * @since 2.3.0
  1066. *
  1067. * @return void Does not return anything
  1068. **/
  1069. function wp_safe_redirect($location, $status = 302) {
  1070. // Need to look at the URL the way it will end up in wp_redirect()
  1071. $location = wp_sanitize_redirect($location);
  1072. $location = wp_validate_redirect($location, admin_url());
  1073. wp_redirect($location, $status);
  1074. }
  1075. endif;
  1076. if ( !function_exists('wp_validate_redirect') ) :
  1077. /**
  1078. * Validates a URL for use in a redirect.
  1079. *
  1080. * Checks whether the $location is using an allowed host, if it has an absolute
  1081. * path. A plugin can therefore set or remove allowed host(s) to or from the
  1082. * list.
  1083. *
  1084. * If the host is not allowed, then the redirect is to $default supplied
  1085. *
  1086. * @since 2.8.1
  1087. *
  1088. * @param string $location The redirect to validate
  1089. * @param string $default The value to return if $location is not allowed
  1090. * @return string redirect-sanitized URL
  1091. **/
  1092. function wp_validate_redirect($location, $default = '') {
  1093. $location = trim( $location );
  1094. // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
  1095. if ( substr($location, 0, 2) == '//' )
  1096. $location = 'http:' . $location;
  1097. // In php 5 parse_url may fail if the URL query part contains http://, bug #38143
  1098. $test = ( $cut = strpos($location, '?') ) ? substr( $location, 0, $cut ) : $location;
  1099. $lp = parse_url($test);
  1100. // Give up if malformed URL
  1101. if ( false === $lp )
  1102. return $default;
  1103. // Allow only http and https schemes. No data:, etc.
  1104. if ( isset($lp['scheme']) && !('http' == $lp['scheme'] || 'https' == $lp['scheme']) )
  1105. return $default;
  1106. // Reject if scheme is set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
  1107. if ( isset($lp['scheme']) && !isset($lp['host']) )
  1108. return $default;
  1109. $wpp = parse_url(home_url());
  1110. /**
  1111. * Filter the whitelist of hosts to redirect to.
  1112. *
  1113. * @since 2.3.0
  1114. *
  1115. * @param array $hosts An array of allowed hosts.
  1116. * @param bool|string $host The parsed host; empty if not isset.
  1117. */
  1118. $allowed_hosts = (array) apply_filters( 'allowed_redirect_hosts', array($wpp['host']), isset($lp['host']) ? $lp['host'] : '' );
  1119. if ( isset($lp['host']) && ( !in_array($lp['host'], $allowed_hosts) && $lp['host'] != strtolower($wpp['host'])) )
  1120. $location = $default;
  1121. return $location;
  1122. }
  1123. endif;
  1124. if ( ! function_exists('wp_notify_postauthor') ) :
  1125. /**
  1126. * Notify an author (and/or others) of a comment/trackback/pingback on a post.
  1127. *
  1128. * @since 1.0.0
  1129. *
  1130. * @param int $comment_id Comment ID
  1131. * @param string $deprecated Not used
  1132. * @return bool True on completion. False if no email addresses were specified.
  1133. */
  1134. function wp_notify_postauthor( $comment_id, $deprecated = null ) {
  1135. if ( null !== $deprecated ) {
  1136. _deprecated_argument( __FUNCTION__, '3.8' );
  1137. }
  1138. $comment = get_comment( $comment_id );
  1139. if ( empty( $comment ) )
  1140. return false;
  1141. $post = get_post( $comment->comment_post_ID );
  1142. $author = get_userdata( $post->post_author );
  1143. // Who to notify? By default, just the post author, but others can be added.
  1144. $emails = array();
  1145. if ( $author ) {
  1146. $emails[] = $author->user_email;
  1147. }
  1148. /**
  1149. * Filter the list of email addresses to receive a comment notification.
  1150. *
  1151. * By default, only post authors are notified of comments. This filter allows
  1152. * others to be added.
  1153. *
  1154. * @since 3.7.0
  1155. *
  1156. * @param array $emails An array of email addresses to receive a comment notification.
  1157. * @param int $comment_id The comment ID.
  1158. */
  1159. $emails = apply_filters( 'comment_notification_recipients', $emails, $comment_id );
  1160. $emails = array_filter( $emails );
  1161. // If there are no addresses to send the comment to, bail.
  1162. if ( ! count( $emails ) ) {
  1163. return false;
  1164. }
  1165. // Facilitate unsetting below without knowing the keys.
  1166. $emails = array_flip( $emails );
  1167. /**
  1168. * Filter whether to notify comment authors of their comments on their own posts.
  1169. *
  1170. * By default, comment authors aren't notified of their comments on their own
  1171. * posts. This filter allows you to override that.
  1172. *
  1173. * @since 3.8.0
  1174. *
  1175. * @param bool $notify Whether to notify the post author of their own comment.
  1176. * Default false.
  1177. * @param int $comment_id The comment ID.
  1178. */
  1179. $notify_author = apply_filters( 'comment_notification_notify_author', false, $comment_id );
  1180. // The comment was left by the author
  1181. if ( $author && ! $notify_author && $comment->user_id == $post->post_author ) {
  1182. unset( $emails[ $author->user_email ] );
  1183. }
  1184. // The author moderated a comment on their own post
  1185. if ( $author && ! $notify_author && $post->post_author == get_current_user_id() ) {
  1186. unset( $emails[ $author->user_email ] );
  1187. }
  1188. // The post author is no longer a member of the blog
  1189. if ( $author && ! $notify_author && ! user_can( $post->post_author, 'read_post', $post->ID ) ) {
  1190. unset( $emails[ $author->user_email ] );
  1191. }
  1192. // If there's no email to send the comment to, bail, otherwise flip array back around for use below
  1193. if ( ! count( $emails ) ) {
  1194. return false;
  1195. } else {
  1196. $emails = array_flip( $emails );
  1197. }
  1198. $comment_author_domain = @gethostbyaddr($comment->comment_author_IP);
  1199. // The blogname option is escaped with esc_html on the way into the database in sanitize_option
  1200. // we want to reverse this for the plain text arena of emails.
  1201. $blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
  1202. switch ( $comment->comment_type ) {
  1203. case 'trackback':
  1204. $notify_message = sprintf( __( 'New trackback on your post "%s"' ), $post->post_title ) . "\r\n";
  1205. /* translators: 1: website name, 2: author IP, 3: author domain */
  1206. $notify_message .= sprintf( __('Website: %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
  1207. $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
  1208. $notify_message .= sprintf( __( 'Comment: %s' ), $comment->comment_content ) . "\r\n\r\n";
  1209. $notify_message .= __( 'You can see all trackbacks on this post here:' ) . "\r\n";
  1210. /* translators: 1: blog name, 2: post title */
  1211. $subject = sprintf( __('[%1$s] Trackback: "%2$s"'), $blogname, $post->post_title );
  1212. break;
  1213. case 'pingback':
  1214. $notify_message = sprintf( __( 'New pingback on your post "%s"' ), $post->post_title ) . "\r\n";
  1215. /* translators: 1: comment author, 2: author IP, 3: author domain */
  1216. $notify_message .= sprintf( __('Website: %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
  1217. $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
  1218. $notify_message .= sprintf( __( 'Comment: %s' ), $comment->comment_content ) . "\r\n\r\n";
  1219. $notify_message .= __( 'You can see all pingbacks on this post here:' ) . "\r\n";
  1220. /* translators: 1: blog name, 2: post title */
  1221. $subject = sprintf( __('[%1$s] Pingback: "%2$s"'), $blogname, $post->post_title );
  1222. break;
  1223. default: // Comments
  1224. $notify_message = sprintf( __( 'New comment on your post "%s"' ), $post->post_title ) . "\r\n";
  1225. /* translators: 1: comment author, 2: author IP, 3: author domain */
  1226. $notify_message .= sprintf( __( 'Author: %1$s (IP: %2$s , %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
  1227. $notify_message .= sprintf( __( 'E-mail: %s' ), $comment->comment_author_email ) . "\r\n";
  1228. $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
  1229. $notify_message .= sprintf( __( 'Whois: %s' ), "http://whois.arin.net/rest/ip/{$comment->comment_author_IP}" ) . "\r\n";
  1230. $notify_message .= sprintf( __('Comment: %s' ), $comment->comment_content ) . "\r\n\r\n";
  1231. $notify_message .= __( 'You can see all comments on this post here:' ) . "\r\n";
  1232. /* translators: 1: blog name, 2: post title */
  1233. $subject = sprintf( __('[%1$s] Comment: "%2$s"'), $blogname, $post->post_title );
  1234. break;
  1235. }
  1236. $notify_message .= get_permalink($comment->comment_post_ID) . "#comments\r\n\r\n";
  1237. $notify_message .= sprintf( __('Permalink: %s'), get_comment_link( $comment_id ) ) . "\r\n";
  1238. if ( user_can( $post->post_author, 'edit_comment', $comment_id ) ) {
  1239. if ( EMPTY_TRASH_DAYS )
  1240. $notify_message .= sprintf( __('Trash it: %s'), admin_url("comment.php?action=trash&c=$comment_id") ) . "\r\n";
  1241. else
  1242. $notify_message .= sprintf( __('Delete it: %s'), admin_url("comment.php?action=delete&c=$comment_id") ) . "\r\n";
  1243. $notify_message .= sprintf( __('Spam it: %s'), admin_url("comment.php?action=spam&c=$comment_id") ) . "\r\n";
  1244. }
  1245. $wp_email = 'wordpress@' . preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME']));
  1246. if ( '' == $comment->comment_author ) {
  1247. $from = "From: \"$blogname\" <$wp_email>";
  1248. if ( '' != $comment->comment_author_email )
  1249. $reply_to = "Reply-To: $comment->comment_author_email";
  1250. } else {
  1251. $from = "From: \"$comment->comment_author\" <$wp_email>";
  1252. if ( '' != $comment->comment_author_email )
  1253. $reply_to = "Reply-To: \"$comment->comment_author_email\" <$comment->comment_author_email>";
  1254. }
  1255. $message_headers = "$from\n"
  1256. . "Content-Type: text/plain; charset=\"" . get_option('blog_charset') . "\"\n";
  1257. if ( isset($reply_to) )
  1258. $message_headers .= $reply_to . "\n";
  1259. /**
  1260. * Filter the comment notification email text.
  1261. *
  1262. * @since 1.5.2
  1263. *
  1264. * @param string $notify_message The comment notification email text.
  1265. * @param int $comment_id Comment ID.
  1266. */
  1267. $notify_message = apply_filters( 'comment_notification_text', $notify_message, $comment_id );
  1268. /**
  1269. * Filter the comment notification email subject.
  1270. *
  1271. * @since 1.5.2
  1272. *
  1273. * @param string $subject The comment notification email subject.
  1274. * @param int $comment_id Comment ID.
  1275. */
  1276. $subject = apply_filters( 'comment_notification_subject', $subject, $comment_id );
  1277. /**
  1278. * Filter the comment notification email headers.
  1279. *
  1280. * @since 1.5.2
  1281. *
  1282. * @param string $message_headers Headers for the comment notification email.
  1283. * @param int $comment_id Comment ID.
  1284. */
  1285. $message_headers = apply_filters( 'comment_notification_headers', $message_headers, $comment_id );
  1286. foreach ( $emails as $email ) {
  1287. @wp_mail( $email, wp_specialchars_decode( $subject ), $notify_message, $message_headers );
  1288. }
  1289. return true;
  1290. }
  1291. endif;
  1292. if ( !function_exists('wp_notify_moderator') ) :
  1293. /**
  1294. * Notifies the moderator of the blog about a new comment that is awaiting approval.
  1295. *
  1296. * @since 1.0.0
  1297. *
  1298. * @global wpdb $wpdb WordPress database abstraction object.
  1299. *
  1300. * @param int $comment_id Comment ID
  1301. * @return bool Always returns true
  1302. */
  1303. function wp_notify_moderator($comment_id) {
  1304. global $wpdb;
  1305. if ( 0 == get_option( 'moderation_notify' ) )
  1306. return true;
  1307. $comment = get_comment($comment_id);
  1308. $post = get_post($comment->comment_post_ID);
  1309. $user = get_userdata( $post->post_author );
  1310. // Send to the administration and to the post author if the author can modify the comment.
  1311. $emails = array( get_option( 'admin_email' ) );
  1312. if ( user_can( $user->ID, 'edit_comment', $comment_id ) && ! empty( $user->user_email ) ) {
  1313. if ( 0 !== strcasecmp( $user->user_email, get_option( 'admin_email' ) ) )
  1314. $emails[] = $user->user_email;
  1315. }
  1316. $comment_author_domain = @gethostbyaddr($comment->comment_author_IP);
  1317. $comments_waiting = $wpdb->get_var("SELECT count(comment_ID) FROM $wpdb->comments WHERE comment_approved = '0'");
  1318. // The blogname option is escaped with esc_html on the way into the database in sanitize_option
  1319. // we want to reverse this for the plain text arena of emails.
  1320. $blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
  1321. switch ( $comment->comment_type ) {
  1322. case 'trackback':
  1323. $notify_message = sprintf( __('A new trackback on the post "%s" is waiting for your approval'), $post->post_title ) . "\r\n";
  1324. $notify_message .= get_permalink($comment->comment_post_ID) . "\r\n\r\n";
  1325. $notify_message .= sprintf( __('Website : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
  1326. $notify_message .= sprintf( __('URL : %s'), $comment->comment_author_url ) . "\r\n";
  1327. $notify_message .= __('Trackback excerpt: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
  1328. break;
  1329. case 'pingback':
  1330. $notify_message = sprintf( __('A new pingback on the post "%s" is waiting for your approval'), $post->post_title ) . "\r\n";
  1331. $notify_message .= get_permalink($comment->comment_post_ID) . "\r\n\r\n";
  1332. $notify_message .= sprintf( __('Website : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
  1333. $notify_message .= sprintf( __('URL : %s'), $comment->comment_author_url ) . "\r\n";
  1334. $notify_message .= __('Pingback excerpt: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
  1335. break;
  1336. default: // Comments
  1337. $notify_message = sprintf( __('A new comment on the post "%s" is waiting for your approval'), $post->post_title ) . "\r\n";
  1338. $notify_message .= get_permalink($comment->comment_post_ID) . "\r\n\r\n";
  1339. $notify_message .= sprintf( __('Author : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
  1340. $notify_message .= sprintf( __('E-mail : %s'), $comment->comment_author_email ) . "\r\n";
  1341. $notify_message .= sprintf( __('URL : %s'), $comment->comment_author_url ) . "\r\n";
  1342. $notify_message .= sprintf( __('Whois : http://whois.arin.net/rest/ip/%s'), $comment->comment_author_IP ) . "\r\n";
  1343. $notify_message .= __('Comment: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
  1344. break;
  1345. }
  1346. $notify_message .= sprintf( __('Approve it: %s'), admin_url("comment.php?action=approve&c=$comment_id") ) . "\r\n";
  1347. if ( EMPTY_TRASH_DAYS )
  1348. $notify_message .= sprintf( __('Trash it: %s'), admin_url("comment.php?action=trash&c=$comment_id") ) . "\r\n";
  1349. else
  1350. $notify_message .= sprintf( __('Delete it: %s'), admin_url("comment.php?action=delete&c=$comment_id") ) . "\r\n";
  1351. $notify_message .= sprintf( __('Spam it: %s'), admin_url("comment.php?action=spam&c=$comment_id") ) . "\r\n";
  1352. $notify_message .= sprintf( _n('Currently %s comment is waiting for approval. Please visit the moderation panel:',
  1353. 'Currently %s comments are waiting for approval. Please visit the moderation panel:', $comments_waiting), number_format_i18n($comments_waiting) ) . "\r\n";
  1354. $notify_message .= admin_url("edit-comments.php?comment_status=moderated") . "\r\n";
  1355. $subject = sprintf( __('[%1$s] Please moderate: "%2$s"'), $blogname, $post->post_title );
  1356. $message_headers = '';
  1357. /**
  1358. * Filter the list of recipients for comment moderation emails.
  1359. *
  1360. * @since 3.7.0
  1361. *
  1362. * @param array $emails List of email addresses to notify for comment moderation.
  1363. * @param int $comment_id Comment ID.
  1364. */
  1365. $emails = apply_filters( 'comment_moderation_recipients', $emails, $comment_id );
  1366. /**
  1367. * Filter the comment moderation email text.
  1368. *
  1369. * @since 1.5.2
  1370. *
  1371. * @param string $notify_message Text of the comment moderation email.
  1372. * @param int $comment_id Comment ID.
  1373. */
  1374. $notify_message = apply_filters( 'comment_moderation_text', $notify_message, $comment_id );
  1375. /**
  1376. * Filter the comment moderation email subject.
  1377. *
  1378. * @since 1.5.2
  1379. *
  1380. * @param string $subject Subject of the comment moderation email.
  1381. * @param int $comment_id Comment ID.
  1382. */
  1383. $subject = apply_filters( 'comment_moderation_subject', $subject, $comment_id );
  1384. /**
  1385. * Filter the comment moderation email headers.
  1386. *
  1387. * @since 2.8.0
  1388. *
  1389. * @param string $message_headers Headers for the comment moderation email.
  1390. * @param int $comment_id Comment ID.
  1391. */
  1392. $message_headers = apply_filters( 'comment_moderation_headers', $message_headers, $comment_id );
  1393. foreach ( $emails as $email ) {
  1394. @wp_mail( $email, wp_specialchars_decode( $subject ), $notify_message, $message_headers );
  1395. }
  1396. return true;
  1397. }
  1398. endif;
  1399. if ( !function_exists('wp_password_change_notification') ) :
  1400. /**
  1401. * Notify the blog admin of a user changing password, normally via email.
  1402. *
  1403. * @since 2.7.0
  1404. *
  1405. * @param object $user User Object
  1406. */
  1407. function wp_password_change_notification(&$user) {
  1408. // send a copy of password change notification to the admin
  1409. // but check to see if it's the admin whose password we're changing, and skip this
  1410. if ( 0 !== strcasecmp( $user->user_email, get_option( 'admin_email' ) ) ) {
  1411. $message = sprintf(__('Password Lost and Changed for user: %s'), $user->user_login) . "\r\n";
  1412. // The blogname option is escaped with esc_html on the way into the database in sanitize_option
  1413. // we want to reverse this for the plain text arena of emails.
  1414. $blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
  1415. wp_mail(get_option('admin_email'), sprintf(__('[%s] Password Lost/Changed'), $blogname), $message);
  1416. }
  1417. }
  1418. endif;
  1419. if ( !function_exists('wp_new_user_notification') ) :
  1420. /**
  1421. * Email login credentials to a newly-registered user.
  1422. *
  1423. * A new user registration notification is also sent to admin email.
  1424. *
  1425. * @since 2.0.0
  1426. *
  1427. * @param int $user_id User ID.
  1428. * @param string $plaintext_pass Optional. The user's plaintext password. Default empty.
  1429. */
  1430. function wp_new_user_notification($user_id, $plaintext_pass = '') {
  1431. $user = get_userdata( $user_id );
  1432. // The blogname option is escaped with esc_html on the way into the database in sanitize_option
  1433. // we want to reverse this for the plain text arena of emails.
  1434. $blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
  1435. $message = sprintf(__('New user registration on your site %s:'), $blogname) . "\r\n\r\n";
  1436. $message .= sprintf(__('Username: %s'), $user->user_login) . "\r\n\r\n";
  1437. $message .= sprintf(__('E-mail: %s'), $user->user_email) . "\r\n";
  1438. @wp_mail(get_option('admin_email'), sprintf(__('[%s] New User Registration'), $blogname), $message);
  1439. if ( empty($plaintext_pass) )
  1440. return;
  1441. $message = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
  1442. $message .= sprintf(__('Password: %s'), $plaintext_pass) . "\r\n";
  1443. $message .= wp_login_url() . "\r\n";
  1444. wp_mail($user->user_email, sprintf(__('[%s] Your username and password'), $blogname), $message);
  1445. }
  1446. endif;
  1447. if ( !function_exists('wp_nonce_tick') ) :
  1448. /**
  1449. * Get the time-dependent variable for nonce creation.
  1450. *
  1451. * A nonce has a lifespan of two ticks. Nonces in their second tick may be
  1452. * updated, e.g. by autosave.
  1453. *
  1454. * @since 2.5.0
  1455. *
  1456. * @return float Float value rounded up to the next highest integer.
  1457. */
  1458. function wp_nonce_tick() {
  1459. /**
  1460. * Filter the lifespan of nonces in seconds.
  1461. *
  1462. * @since 2.5.0
  1463. *
  1464. * @param int $lifespan Lifespan of nonces in seconds. Default 86,400 seconds, or one day.
  1465. */
  1466. $nonce_life = apply_filters( 'nonce_life', DAY_IN_SECONDS );
  1467. return ceil(time() / ( $nonce_life / 2 ));
  1468. }
  1469. endif;
  1470. if ( !function_exists('wp_verify_nonce') ) :
  1471. /**
  1472. * Verify that correct nonce was used with time limit.
  1473. *
  1474. * The user is given an amount of time to use the token, so therefore, since the
  1475. * UID and $action remain the same, the independent variable is the time.
  1476. *
  1477. * @since 2.0.3
  1478. *
  1479. * @param string $nonce Nonce that was used in the form to verify
  1480. * @param string|int $action Should give context to what is taking place and be the same when nonce was created.
  1481. * @return bool Whether the nonce check passed or failed.
  1482. */
  1483. function wp_verify_nonce( $nonce, $action = -1 ) {
  1484. $nonce = (string) $nonce;
  1485. $user = wp_get_current_user();
  1486. $uid = (int) $user->ID;
  1487. if ( ! $uid ) {
  1488. /**
  1489. * Filter whether the user who generated the nonce is logged out.
  1490. *
  1491. * @since 3.5.0
  1492. *
  1493. * @param int $uid ID of the nonce-owning user.
  1494. * @param string $action The nonce action.
  1495. */
  1496. $uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
  1497. }
  1498. if ( empty( $nonce ) ) {
  1499. return false;
  1500. }
  1501. $token = wp_get_session_token();
  1502. $i = wp_nonce_tick();
  1503. // Nonce generated 0-12 hours ago
  1504. $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 );
  1505. if ( hash_equals( $expected, $nonce ) ) {
  1506. return 1;
  1507. }
  1508. // Nonce generated 12-24 hours ago
  1509. $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
  1510. if ( hash_equals( $expected, $nonce ) ) {
  1511. return 2;
  1512. }
  1513. // Invalid nonce
  1514. return false;
  1515. }
  1516. endif;
  1517. if ( !function_exists('wp_create_nonce') ) :
  1518. /**
  1519. * Creates a cryptographic token tied to a specific action, user, and window of time.
  1520. *
  1521. * @since 2.0.3
  1522. *
  1523. * @param string|int $action Scalar value to add context to the nonce.
  1524. * @return string The token.
  1525. */
  1526. function wp_create_nonce($action = -1) {
  1527. $user = wp_get_current_user();
  1528. $uid = (int) $user->ID;
  1529. if ( ! $uid ) {
  1530. /** This filter is documented in wp-includes/pluggable.php */
  1531. $uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
  1532. }
  1533. $token = wp_get_session_token();
  1534. $i = wp_nonce_tick();
  1535. return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
  1536. }
  1537. endif;
  1538. if ( !function_exists('wp_salt') ) :
  1539. /**
  1540. * Get salt to add to hashes.
  1541. *
  1542. * Salts are created using secret keys. Secret keys are located in two places:
  1543. * in the database and in the wp-config.php file. The secret key in the database
  1544. * is randomly generated and will be appended to the secret keys in wp-config.php.
  1545. *
  1546. * The secret keys in wp-config.php should be updated to strong, random keys to maximize
  1547. * security. Below is an example of how the secret key constants are defined.
  1548. * Do not paste this example directly into wp-config.php. Instead, have a
  1549. * {@link https://api.wordpress.org/secret-key/1.1/salt/ secret key created} just
  1550. * for you.
  1551. *
  1552. * define('AUTH_KEY', ' Xakm<o xQy rw4EMsLKM-?!T+,PFF})H4lzcW57AF0U@N@< >M%G4Yt>f`z]MON');
  1553. * define('SECURE_AUTH_KEY', 'LzJ}op]mr|6+![P}Ak:uNdJCJZd>(Hx.-Mh#Tz)pCIU#uGEnfFz|f ;;eU%/U^O~');
  1554. * define('LOGGED_IN_KEY', '|i|Ux`9<p-h$aFf(qnT:sDO:D1P^wZ$$/Ra@miTJi9G;ddp_<q}6H1)o|a +&JCM');
  1555. * define('NONCE_KEY', '%:R{[P|,s.KuMltH5}cI;/k<Gx~j!f0I)m_sIyu+&NJZ)-iO>z7X>QYR0Z_XnZ@|');
  1556. * define('AUTH_SALT', 'eZyT)-Naw]F8CwA*VaW#q*|.)g@o}||wf~@C-YSt}(dh_r6EbI#A,y|nU2{B#JBW');
  1557. * define('SECURE_AUTH_SALT', '!=oLUTXh,QW=H `}`L|9/^4-3 STz},T(w}W<I`.JjPi)<Bmf1v,HpGe}T1:Xt7n');
  1558. * define('LOGGED_IN_SALT', '+XSqHc;@Q*K_b|Z?NC[3H!!EONbh.n<+=uKR:>*c(u`g~EJBf#8u#R{mUEZrozmm');
  1559. * define('NONCE_SALT', 'h`GXHhD>SLWVfg1(1(N{;.V!MoE(SfbA_ksP@&`+AycHcAV$+?@3q+rxV{%^VyKT');
  1560. *
  1561. * Salting passwords helps against tools which has stored hashed values of
  1562. * common dictionary strings. The added values makes it harder to crack.
  1563. *
  1564. * @since 2.5.0
  1565. *
  1566. * @link https://api.wordpress.org/secret-key/1.1/salt/ Create secrets for wp-config.php
  1567. *
  1568. * @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce)
  1569. * @return string Salt value
  1570. */
  1571. function wp_salt( $scheme = 'auth' ) {
  1572. static $cached_salts = array();
  1573. if ( isset( $cached_salts[ $scheme ] ) ) {
  1574. /**
  1575. * Filter the WordPress salt.
  1576. *
  1577. * @since 2.5.0
  1578. *
  1579. * @param string $cached_salt Cached salt for the given scheme.
  1580. * @param string $scheme Authentication scheme. Values include 'auth',
  1581. * 'secure_auth', 'logged_in', and 'nonce'.
  1582. */
  1583. return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme );
  1584. }
  1585. static $duplicated_keys;
  1586. if ( null === $duplicated_keys ) {
  1587. $duplicated_keys = array( 'put your unique phrase here' => true );
  1588. foreach ( array( 'AUTH', 'SECURE_AUTH', 'LOGGED_IN', 'NONCE', 'SECRET' ) as $first ) {
  1589. foreach ( array( 'KEY', 'SALT' ) as $second ) {
  1590. if ( ! defined( "{$first}_{$second}" ) ) {
  1591. continue;
  1592. }
  1593. $value = constant( "{$first}_{$second}" );
  1594. $duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] );
  1595. }
  1596. }
  1597. }
  1598. $values = array(
  1599. 'key' => '',
  1600. 'salt' => ''
  1601. );
  1602. if ( defined( 'SECRET_KEY' ) && SECRET_KEY && empty( $duplicated_keys[ SECRET_KEY ] ) ) {
  1603. $values['key'] = SECRET_KEY;
  1604. }
  1605. if ( 'auth' == $scheme && defined( 'SECRET_SALT' ) && SECRET_SALT && empty( $duplicated_keys[ SECRET_SALT ] ) ) {
  1606. $values['salt'] = SECRET_SALT;
  1607. }
  1608. if ( in_array( $scheme, array( 'auth', 'secure_auth', 'logged_in', 'nonce' ) ) ) {
  1609. foreach ( array( 'key', 'salt' ) as $type ) {
  1610. $const = strtoupper( "{$scheme}_{$type}" );
  1611. if ( defined( $const ) && constant( $const ) && empty( $duplicated_keys[ constant( $const ) ] ) ) {
  1612. $values[ $type ] = constant( $const );
  1613. } elseif ( ! $values[ $type ] ) {
  1614. $values[ $type ] = get_site_option( "{$scheme}_{$type}" );
  1615. if ( ! $values[ $type ] ) {
  1616. $values[ $type ] = wp_generate_password( 64, true, true );
  1617. update_site_option( "{$scheme}_{$type}", $values[ $type ] );
  1618. }
  1619. }
  1620. }
  1621. } else {
  1622. if ( ! $values['key'] ) {
  1623. $values['key'] = get_site_option( 'secret_key' );
  1624. if ( ! $values['key'] ) {
  1625. $values['key'] = wp_generate_password( 64, true, true );
  1626. update_site_option( 'secret_key', $values['key'] );
  1627. }
  1628. }
  1629. $values['salt'] = hash_hmac( 'md5', $scheme, $values['key'] );
  1630. }
  1631. $cached_salts[ $scheme ] = $values['key'] . $values['salt'];
  1632. /** This filter is documented in wp-includes/pluggable.php */
  1633. return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme );
  1634. }
  1635. endif;
  1636. if ( !function_exists('wp_hash') ) :
  1637. /**
  1638. * Get hash of given string.
  1639. *
  1640. * @since 2.0.3
  1641. *
  1642. * @param string $data Plain text to hash
  1643. * @return string Hash of $data
  1644. */
  1645. function wp_hash($data, $scheme = 'auth') {
  1646. $salt = wp_salt($scheme);
  1647. return hash_hmac('md5', $data, $salt);
  1648. }
  1649. endif;
  1650. if ( !function_exists('wp_hash_password') ) :
  1651. /**
  1652. * Create a hash (encrypt) of a plain text password.
  1653. *
  1654. * For integration with other applications, this function can be overwritten to
  1655. * instead use the other package password checking algorithm.
  1656. *
  1657. * @since 2.5.0
  1658. *
  1659. * @global object $wp_hasher PHPass object
  1660. * @uses PasswordHash::HashPassword
  1661. *
  1662. * @param string $password Plain text user password to hash
  1663. * @return string The hash string of the password
  1664. */
  1665. function wp_hash_password($password) {
  1666. global $wp_hasher;
  1667. if ( empty($wp_hasher) ) {
  1668. require_once( ABSPATH . WPINC . '/class-phpass.php');
  1669. // By default, use the portable hash from phpass
  1670. $wp_hasher = new PasswordHash(8, true);
  1671. }
  1672. return $wp_hasher->HashPassword( trim( $password ) );
  1673. }
  1674. endif;
  1675. if ( !function_exists('wp_check_password') ) :
  1676. /**
  1677. * Checks the plaintext password against the encrypted Password.
  1678. *
  1679. * Maintains compatibility between old version and the new cookie authentication
  1680. * protocol using PHPass library. The $hash parameter is the encrypted password
  1681. * and the function compares the plain text password when encrypted similarly
  1682. * against the already encrypted password to see if they match.
  1683. *
  1684. * For integration with other applications, this function can be overwritten to
  1685. * instead use the other package password checking algorithm.
  1686. *
  1687. * @since 2.5.0
  1688. *
  1689. * @global object $wp_hasher PHPass object used for checking the password
  1690. * against the $hash + $password
  1691. * @uses PasswordHash::CheckPassword
  1692. *
  1693. * @param string $password Plaintext user's password
  1694. * @param string $hash Hash of the user's password to check against.
  1695. * @return bool False, if the $password does not match the hashed password
  1696. */
  1697. function wp_check_password($password, $hash, $user_id = '') {
  1698. global $wp_hasher;
  1699. // If the hash is still md5...
  1700. if ( strlen($hash) <= 32 ) {
  1701. $check = hash_equals( $hash, md5( $password ) );
  1702. if ( $check && $user_id ) {
  1703. // Rehash using new hash.
  1704. wp_set_password($password, $user_id);
  1705. $hash = wp_hash_password($password);
  1706. }
  1707. /**
  1708. * Filter whether the plaintext password matches the encrypted password.
  1709. *
  1710. * @since 2.5.0
  1711. *
  1712. * @param bool $check Whether the passwords match.
  1713. * @param string $password The plaintext password.
  1714. * @param string $hash The hashed password.
  1715. * @param int $user_id User ID.
  1716. */
  1717. return apply_filters( 'check_password', $check, $password, $hash, $user_id );
  1718. }
  1719. // If the stored hash is longer than an MD5, presume the
  1720. // new style phpass portable hash.
  1721. if ( empty($wp_hasher) ) {
  1722. require_once( ABSPATH . WPINC . '/class-phpass.php');
  1723. // By default, use the portable hash from phpass
  1724. $wp_hasher = new PasswordHash(8, true);
  1725. }
  1726. $check = $wp_hasher->CheckPassword($password, $hash);
  1727. /** This filter is documented in wp-includes/pluggable.php */
  1728. return apply_filters( 'check_password', $check, $password, $hash, $user_id );
  1729. }
  1730. endif;
  1731. if ( !function_exists('wp_generate_password') ) :
  1732. /**
  1733. * Generates a random password drawn from the defined set of characters.
  1734. *
  1735. * @since 2.5.0
  1736. *
  1737. * @param int $length Optional. The length of password to generate. Default 12.
  1738. * @param bool $special_chars Optional. Whether to include standard special characters.
  1739. * Default true.
  1740. * @param bool $extra_special_chars Optional. Whether to include other special characters.
  1741. * Used when generating secret keys and salts. Default false.
  1742. * @return string The random password.
  1743. */
  1744. function wp_generate_password( $length = 12, $special_chars = true, $extra_special_chars = false ) {
  1745. $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
  1746. if ( $special_chars )
  1747. $chars .= '!@#$%^&*()';
  1748. if ( $extra_special_chars )
  1749. $chars .= '-_ []{}<>~`+=,.;:/?|';
  1750. $password = '';
  1751. for ( $i = 0; $i < $length; $i++ ) {
  1752. $password .= substr($chars, wp_rand(0, strlen($chars) - 1), 1);
  1753. }
  1754. /**
  1755. * Filter the randomly-generated password.
  1756. *
  1757. * @since 3.0.0
  1758. *
  1759. * @param string $password The generated password.
  1760. */
  1761. return apply_filters( 'random_password', $password );
  1762. }
  1763. endif;
  1764. if ( !function_exists('wp_rand') ) :
  1765. /**
  1766. * Generates a random number
  1767. *
  1768. * @since 2.6.2
  1769. *
  1770. * @param int $min Lower limit for the generated number
  1771. * @param int $max Upper limit for the generated number
  1772. * @return int A random number between min and max
  1773. */
  1774. function wp_rand( $min = 0, $max = 0 ) {
  1775. global $rnd_value;
  1776. // Reset $rnd_value after 14 uses
  1777. // 32(md5) + 40(sha1) + 40(sha1) / 8 = 14 random numbers from $rnd_value
  1778. if ( strlen($rnd_value) < 8 ) {
  1779. if ( defined( 'WP_SETUP_CONFIG' ) )
  1780. static $seed = '';
  1781. else
  1782. $seed = get_transient('random_seed');
  1783. $rnd_value = md5( uniqid(microtime() . mt_rand(), true ) . $seed );
  1784. $rnd_value .= sha1($rnd_value);
  1785. $rnd_value .= sha1($rnd_value . $seed);
  1786. $seed = md5($seed . $rnd_value);
  1787. if ( ! defined( 'WP_SETUP_CONFIG' ) )
  1788. set_transient('random_seed', $seed);
  1789. }
  1790. // Take the first 8 digits for our value
  1791. $value = substr($rnd_value, 0, 8);
  1792. // Strip the first eight, leaving the remainder for the next call to wp_rand().
  1793. $rnd_value = substr($rnd_value, 8);
  1794. $value = abs(hexdec($value));
  1795. // Some misconfigured 32bit environments (Entropy PHP, for example) truncate integers larger than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them to floats.
  1796. $max_random_number = 3000000000 === 2147483647 ? (float) "4294967295" : 4294967295; // 4294967295 = 0xffffffff
  1797. // Reduce the value to be within the min - max range
  1798. if ( $max != 0 )
  1799. $value = $min + ( $max - $min + 1 ) * $value / ( $max_random_number + 1 );
  1800. return abs(intval($value));
  1801. }
  1802. endif;
  1803. if ( !function_exists('wp_set_password') ) :
  1804. /**
  1805. * Updates the user's password with a new encrypted one.
  1806. *
  1807. * For integration with other applications, this function can be overwritten to
  1808. * instead use the other package password checking algorithm.
  1809. *
  1810. * Please note: This function should be used sparingly and is really only meant for single-time
  1811. * application. Leveraging this improperly in a plugin or theme could result in an endless loop
  1812. * of password resets if precautions are not taken to ensure it does not execute on every page load.
  1813. *
  1814. * @since 2.5.0
  1815. *
  1816. * @global wpdb $wpdb WordPress database abstraction object.
  1817. *
  1818. * @param string $password The plaintext new user password
  1819. * @param int $user_id User ID
  1820. */
  1821. function wp_set_password( $password, $user_id ) {
  1822. global $wpdb;
  1823. $hash = wp_hash_password( $password );
  1824. $wpdb->update($wpdb->users, array('user_pass' => $hash, 'user_activation_key' => ''), array('ID' => $user_id) );
  1825. wp_cache_delete($user_id, 'users');
  1826. }
  1827. endif;
  1828. if ( !function_exists( 'get_avatar' ) ) :
  1829. /**
  1830. * Retrieve the avatar for a user who provided a user ID or email address.
  1831. *
  1832. * @since 2.5.0
  1833. *
  1834. * @param int|string|object $id_or_email A user ID, email address, or comment object
  1835. * @param int $size Size of the avatar image
  1836. * @param string $default URL to a default image to use if no avatar is available
  1837. * @param string $alt Alternative text to use in image tag. Defaults to blank
  1838. * @return false|string `<img>` tag for the user's avatar.
  1839. */
  1840. function get_avatar( $id_or_email, $size = '96', $default = '', $alt = false ) {
  1841. if ( ! get_option('show_avatars') )
  1842. return false;
  1843. if ( false === $alt)
  1844. $safe_alt = '';
  1845. else
  1846. $safe_alt = esc_attr( $alt );
  1847. if ( !is_numeric($size) )
  1848. $size = '96';
  1849. $email = '';
  1850. if ( is_numeric($id_or_email) ) {
  1851. $id = (int) $id_or_email;
  1852. $user = get_userdata($id);
  1853. if ( $user )
  1854. $email = $user->user_email;
  1855. } elseif ( is_object($id_or_email) ) {
  1856. // No avatar for pingbacks or trackbacks
  1857. /**
  1858. * Filter the list of allowed comment types for retrieving avatars.
  1859. *
  1860. * @since 3.0.0
  1861. *
  1862. * @param array $types An array of content types. Default only contains 'comment'.
  1863. */
  1864. $allowed_comment_types = apply_filters( 'get_avatar_comment_types', array( 'comment' ) );
  1865. if ( ! empty( $id_or_email->comment_type ) && ! in_array( $id_or_email->comment_type, (array) $allowed_comment_types ) )
  1866. return false;
  1867. if ( ! empty( $id_or_email->user_id ) ) {
  1868. $id = (int) $id_or_email->user_id;
  1869. $user = get_userdata($id);
  1870. if ( $user )
  1871. $email = $user->user_email;
  1872. }
  1873. if ( ! $email && ! empty( $id_or_email->comment_author_email ) )
  1874. $email = $id_or_email->comment_author_email;
  1875. } else {
  1876. $email = $id_or_email;
  1877. }
  1878. if ( empty($default) ) {
  1879. $avatar_default = get_option('avatar_default');
  1880. if ( empty($avatar_default) )
  1881. $default = 'mystery';
  1882. else
  1883. $default = $avatar_default;
  1884. }
  1885. if ( !empty($email) )
  1886. $email_hash = md5( strtolower( trim( $email ) ) );
  1887. if ( is_ssl() ) {
  1888. $host = 'https://secure.gravatar.com';
  1889. } else {
  1890. if ( !empty($email) )
  1891. $host = sprintf( "http://%d.gravatar.com", ( hexdec( $email_hash[0] ) % 2 ) );
  1892. else
  1893. $host = 'http://0.gravatar.com';
  1894. }
  1895. if ( 'mystery' == $default )
  1896. $default = "$host/avatar/ad516503a11cd5ca435acc9bb6523536?s={$size}"; // ad516503a11cd5ca435acc9bb6523536 == md5('unknown@gravatar.com')
  1897. elseif ( 'blank' == $default )
  1898. $default = $email ? 'blank' : includes_url( 'images/blank.gif' );
  1899. elseif ( !empty($email) && 'gravatar_default' == $default )
  1900. $default = '';
  1901. elseif ( 'gravatar_default' == $default )
  1902. $default = "$host/avatar/?s={$size}";
  1903. elseif ( empty($email) )
  1904. $default = "$host/avatar/?d=$default&amp;s={$size}";
  1905. elseif ( strpos($default, 'http://') === 0 )
  1906. $default = add_query_arg( 's', $size, $default );
  1907. if ( !empty($email) ) {
  1908. $out = "$host/avatar/";
  1909. $out .= $email_hash;
  1910. $out .= '?s='.$size;
  1911. $out .= '&amp;d=' . urlencode( $default );
  1912. $rating = get_option('avatar_rating');
  1913. if ( !empty( $rating ) )
  1914. $out .= "&amp;r={$rating}";
  1915. $out = str_replace( '&#038;', '&amp;', esc_url( $out ) );
  1916. $avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo' height='{$size}' width='{$size}' />";
  1917. } else {
  1918. $out = esc_url( $default );
  1919. $avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
  1920. }
  1921. /**
  1922. * Filter the avatar to retrieve.
  1923. *
  1924. * @since 2.5.0
  1925. *
  1926. * @param string $avatar Image tag for the user's avatar.
  1927. * @param int|object|string $id_or_email A user ID, email address, or comment object.
  1928. * @param int $size Square avatar width and height in pixels to retrieve.
  1929. * @param string $alt Alternative text to use in the avatar image tag.
  1930. * Default empty.
  1931. */
  1932. return apply_filters( 'get_avatar', $avatar, $id_or_email, $size, $default, $alt );
  1933. }
  1934. endif;
  1935. if ( !function_exists( 'wp_text_diff' ) ) :
  1936. /**
  1937. * Displays a human readable HTML representation of the difference between two strings.
  1938. *
  1939. * The Diff is available for getting the changes between versions. The output is
  1940. * HTML, so the primary use is for displaying the changes. If the two strings
  1941. * are equivalent, then an empty string will be returned.
  1942. *
  1943. * The arguments supported and can be changed are listed below.
  1944. *
  1945. * 'title' : Default is an empty string. Titles the diff in a manner compatible
  1946. * with the output.
  1947. * 'title_left' : Default is an empty string. Change the HTML to the left of the
  1948. * title.
  1949. * 'title_right' : Default is an empty string. Change the HTML to the right of
  1950. * the title.
  1951. *
  1952. * @since 2.6.0
  1953. *
  1954. * @see wp_parse_args() Used to change defaults to user defined settings.
  1955. * @uses Text_Diff
  1956. * @uses WP_Text_Diff_Renderer_Table
  1957. *
  1958. * @param string $left_string "old" (left) version of string
  1959. * @param string $right_string "new" (right) version of string
  1960. * @param string|array $args Optional. Change 'title', 'title_left', and 'title_right' defaults.
  1961. * @return string Empty string if strings are equivalent or HTML with differences.
  1962. */
  1963. function wp_text_diff( $left_string, $right_string, $args = null ) {
  1964. $defaults = array( 'title' => '', 'title_left' => '', 'title_right' => '' );
  1965. $args = wp_parse_args( $args, $defaults );
  1966. if ( !class_exists( 'WP_Text_Diff_Renderer_Table' ) )
  1967. require( ABSPATH . WPINC . '/wp-diff.php' );
  1968. $left_string = normalize_whitespace($left_string);
  1969. $right_string = normalize_whitespace($right_string);
  1970. $left_lines = explode("\n", $left_string);
  1971. $right_lines = explode("\n", $right_string);
  1972. $text_diff = new Text_Diff($left_lines, $right_lines);
  1973. $renderer = new WP_Text_Diff_Renderer_Table( $args );
  1974. $diff = $renderer->render($text_diff);
  1975. if ( !$diff )
  1976. return '';
  1977. $r = "<table class='diff'>\n";
  1978. if ( ! empty( $args[ 'show_split_view' ] ) ) {
  1979. $r .= "<col class='content diffsplit left' /><col class='content diffsplit middle' /><col class='content diffsplit right' />";
  1980. } else {
  1981. $r .= "<col class='content' />";
  1982. }
  1983. if ( $args['title'] || $args['title_left'] || $args['title_right'] )
  1984. $r .= "<thead>";
  1985. if ( $args['title'] )
  1986. $r .= "<tr class='diff-title'><th colspan='4'>$args[title]</th></tr>\n";
  1987. if ( $args['title_left'] || $args['title_right'] ) {
  1988. $r .= "<tr class='diff-sub-title'>\n";
  1989. $r .= "\t<td></td><th>$args[title_left]</th>\n";
  1990. $r .= "\t<td></td><th>$args[title_right]</th>\n";
  1991. $r .= "</tr>\n";
  1992. }
  1993. if ( $args['title'] || $args['title_left'] || $args['title_right'] )
  1994. $r .= "</thead>\n";
  1995. $r .= "<tbody>\n$diff\n</tbody>\n";
  1996. $r .= "</table>";
  1997. return $r;
  1998. }
  1999. endif;