[ Index ]

PHP Cross Reference of WordPress Trunk (Updated Daily)

Search

title

Body

[close]

/wp-includes/ -> class-wp-recovery-mode-cookie-service.php (source)

   1  <?php
   2  /**
   3   * Error Protection API: WP_Recovery_Mode_Cookie_Service class
   4   *
   5   * @package WordPress
   6   * @since 5.2.0
   7   */
   8  
   9  /**
  10   * Core class used to set, validate, and clear cookies that identify a Recovery Mode session.
  11   *
  12   * @since 5.2.0
  13   */
  14  #[AllowDynamicProperties]
  15  final class WP_Recovery_Mode_Cookie_Service {
  16  
  17      /**
  18       * Checks whether the recovery mode cookie is set.
  19       *
  20       * @since 5.2.0
  21       *
  22       * @return bool True if the cookie is set, false otherwise.
  23       */
  24  	public function is_cookie_set() {
  25          return ! empty( $_COOKIE[ RECOVERY_MODE_COOKIE ] );
  26      }
  27  
  28      /**
  29       * Sets the recovery mode cookie.
  30       *
  31       * This must be immediately followed by exiting the request.
  32       *
  33       * @since 5.2.0
  34       */
  35  	public function set_cookie() {
  36  
  37          $value = $this->generate_cookie();
  38  
  39          /**
  40           * Filters the length of time a Recovery Mode cookie is valid for.
  41           *
  42           * @since 5.2.0
  43           *
  44           * @param int $length Length in seconds.
  45           */
  46          $length = apply_filters( 'recovery_mode_cookie_length', WEEK_IN_SECONDS );
  47  
  48          $expire = time() + $length;
  49  
  50          setcookie( RECOVERY_MODE_COOKIE, $value, $expire, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
  51  
  52          if ( COOKIEPATH !== SITECOOKIEPATH ) {
  53              setcookie( RECOVERY_MODE_COOKIE, $value, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
  54          }
  55      }
  56  
  57      /**
  58       * Clears the recovery mode cookie.
  59       *
  60       * @since 5.2.0
  61       */
  62  	public function clear_cookie() {
  63          setcookie( RECOVERY_MODE_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
  64          setcookie( RECOVERY_MODE_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
  65      }
  66  
  67      /**
  68       * Validates the recovery mode cookie.
  69       *
  70       * @since 5.2.0
  71       *
  72       * @param string $cookie Optionally specify the cookie string.
  73       *                       If omitted, it will be retrieved from the super global.
  74       * @return true|WP_Error True on success, error object on failure.
  75       */
  76  	public function validate_cookie( $cookie = '' ) {
  77  
  78          if ( ! $cookie ) {
  79              if ( empty( $_COOKIE[ RECOVERY_MODE_COOKIE ] ) ) {
  80                  return new WP_Error( 'no_cookie', __( 'No cookie present.' ) );
  81              }
  82  
  83              $cookie = $_COOKIE[ RECOVERY_MODE_COOKIE ];
  84          }
  85  
  86          $parts = $this->parse_cookie( $cookie );
  87  
  88          if ( is_wp_error( $parts ) ) {
  89              return $parts;
  90          }
  91  
  92          list( , $created_at, $random, $signature ) = $parts;
  93  
  94          if ( ! ctype_digit( $created_at ) ) {
  95              return new WP_Error( 'invalid_created_at', __( 'Invalid cookie format.' ) );
  96          }
  97  
  98          /** This filter is documented in wp-includes/class-wp-recovery-mode-cookie-service.php */
  99          $length = apply_filters( 'recovery_mode_cookie_length', WEEK_IN_SECONDS );
 100  
 101          if ( time() > $created_at + $length ) {
 102              return new WP_Error( 'expired', __( 'Cookie expired.' ) );
 103          }
 104  
 105          $to_sign = sprintf( 'recovery_mode|%s|%s', $created_at, $random );
 106          $hashed  = $this->recovery_mode_hash( $to_sign );
 107  
 108          if ( ! hash_equals( $signature, $hashed ) ) {
 109              return new WP_Error( 'signature_mismatch', __( 'Invalid cookie.' ) );
 110          }
 111  
 112          return true;
 113      }
 114  
 115      /**
 116       * Gets the session identifier from the cookie.
 117       *
 118       * The cookie should be validated before calling this API.
 119       *
 120       * @since 5.2.0
 121       *
 122       * @param string $cookie Optionally specify the cookie string.
 123       *                       If omitted, it will be retrieved from the super global.
 124       * @return string|WP_Error Session ID on success, or error object on failure.
 125       */
 126  	public function get_session_id_from_cookie( $cookie = '' ) {
 127          if ( ! $cookie ) {
 128              if ( empty( $_COOKIE[ RECOVERY_MODE_COOKIE ] ) ) {
 129                  return new WP_Error( 'no_cookie', __( 'No cookie present.' ) );
 130              }
 131  
 132              $cookie = $_COOKIE[ RECOVERY_MODE_COOKIE ];
 133          }
 134  
 135          $parts = $this->parse_cookie( $cookie );
 136          if ( is_wp_error( $parts ) ) {
 137              return $parts;
 138          }
 139  
 140          list( , , $random ) = $parts;
 141  
 142          return sha1( $random );
 143      }
 144  
 145      /**
 146       * Parses the cookie into its four parts.
 147       *
 148       * @since 5.2.0
 149       *
 150       * @param string $cookie Cookie content.
 151       * @return array|WP_Error Cookie parts array, or error object on failure.
 152       */
 153  	private function parse_cookie( $cookie ) {
 154          $cookie = base64_decode( $cookie );
 155          $parts  = explode( '|', $cookie );
 156  
 157          if ( 4 !== count( $parts ) ) {
 158              return new WP_Error( 'invalid_format', __( 'Invalid cookie format.' ) );
 159          }
 160  
 161          return $parts;
 162      }
 163  
 164      /**
 165       * Generates the recovery mode cookie value.
 166       *
 167       * The cookie is a base64 encoded string with the following format:
 168       *
 169       * recovery_mode|iat|rand|signature
 170       *
 171       * Where "recovery_mode" is a constant string,
 172       * iat is the time the cookie was generated at,
 173       * rand is a randomly generated password that is also used as a session identifier
 174       * and signature is an hmac of the preceding 3 parts.
 175       *
 176       * @since 5.2.0
 177       *
 178       * @return string Generated cookie content.
 179       */
 180  	private function generate_cookie() {
 181          $to_sign = sprintf( 'recovery_mode|%s|%s', time(), wp_generate_password( 20, false ) );
 182          $signed  = $this->recovery_mode_hash( $to_sign );
 183  
 184          return base64_encode( sprintf( '%s|%s', $to_sign, $signed ) );
 185      }
 186  
 187      /**
 188       * Gets a form of `wp_hash()` specific to Recovery Mode.
 189       *
 190       * We cannot use `wp_hash()` because it is defined in `pluggable.php` which is not loaded until after plugins are loaded,
 191       * which is too late to verify the recovery mode cookie.
 192       *
 193       * This tries to use the `AUTH` salts first, but if they aren't valid specific salts will be generated and stored.
 194       *
 195       * @since 5.2.0
 196       *
 197       * @param string $data Data to hash.
 198       * @return string|false The hashed $data, or false on failure.
 199       */
 200  	private function recovery_mode_hash( $data ) {
 201          $default_keys = array_unique(
 202              array(
 203                  'put your unique phrase here',
 204                  /*
 205                   * translators: This string should only be translated if wp-config-sample.php is localized.
 206                   * You can check the localized release package or
 207                   * https://i18n.svn.wordpress.org/<locale code>/branches/<wp version>/dist/wp-config-sample.php
 208                   */
 209                  __( 'put your unique phrase here' ),
 210              )
 211          );
 212  
 213          if ( ! defined( 'AUTH_KEY' ) || in_array( AUTH_KEY, $default_keys, true ) ) {
 214              $auth_key = get_site_option( 'recovery_mode_auth_key' );
 215  
 216              if ( ! $auth_key ) {
 217                  if ( ! function_exists( 'wp_generate_password' ) ) {
 218                      require_once  ABSPATH . WPINC . '/pluggable.php';
 219                  }
 220  
 221                  $auth_key = wp_generate_password( 64, true, true );
 222                  update_site_option( 'recovery_mode_auth_key', $auth_key );
 223              }
 224          } else {
 225              $auth_key = AUTH_KEY;
 226          }
 227  
 228          if ( ! defined( 'AUTH_SALT' ) || in_array( AUTH_SALT, $default_keys, true ) || AUTH_SALT === $auth_key ) {
 229              $auth_salt = get_site_option( 'recovery_mode_auth_salt' );
 230  
 231              if ( ! $auth_salt ) {
 232                  if ( ! function_exists( 'wp_generate_password' ) ) {
 233                      require_once  ABSPATH . WPINC . '/pluggable.php';
 234                  }
 235  
 236                  $auth_salt = wp_generate_password( 64, true, true );
 237                  update_site_option( 'recovery_mode_auth_salt', $auth_salt );
 238              }
 239          } else {
 240              $auth_salt = AUTH_SALT;
 241          }
 242  
 243          $secret = $auth_key . $auth_salt;
 244  
 245          return hash_hmac( 'sha1', $data, $secret );
 246      }
 247  }


Generated : Sat Dec 21 08:20:01 2024 Cross-referenced by PHPXref