| [ Index ] |
PHP Cross Reference of WordPress Trunk (Updated Daily) |
[Summary view] [Print] [Text view]
1 <?php 2 /** 3 * Error Protection API: WP_Recovery_Mode_Cookie_Service class 4 * 5 * @package WordPress 6 * @since 5.2.0 7 */ 8 9 /** 10 * Core class used to set, validate, and clear cookies that identify a Recovery Mode session. 11 * 12 * @since 5.2.0 13 */ 14 #[AllowDynamicProperties] 15 final class WP_Recovery_Mode_Cookie_Service { 16 17 /** 18 * Checks whether the recovery mode cookie is set. 19 * 20 * @since 5.2.0 21 * 22 * @return bool True if the cookie is set, false otherwise. 23 */ 24 public function is_cookie_set() { 25 return ! empty( $_COOKIE[ RECOVERY_MODE_COOKIE ] ); 26 } 27 28 /** 29 * Sets the recovery mode cookie. 30 * 31 * This must be immediately followed by exiting the request. 32 * 33 * @since 5.2.0 34 */ 35 public function set_cookie() { 36 37 $value = $this->generate_cookie(); 38 39 /** 40 * Filters the length of time a Recovery Mode cookie is valid for. 41 * 42 * @since 5.2.0 43 * 44 * @param int $length Length in seconds. 45 */ 46 $length = apply_filters( 'recovery_mode_cookie_length', WEEK_IN_SECONDS ); 47 48 $expire = time() + $length; 49 50 setcookie( RECOVERY_MODE_COOKIE, $value, $expire, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true ); 51 52 if ( COOKIEPATH !== SITECOOKIEPATH ) { 53 setcookie( RECOVERY_MODE_COOKIE, $value, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, is_ssl(), true ); 54 } 55 } 56 57 /** 58 * Clears the recovery mode cookie. 59 * 60 * @since 5.2.0 61 */ 62 public function clear_cookie() { 63 setcookie( RECOVERY_MODE_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN ); 64 setcookie( RECOVERY_MODE_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN ); 65 } 66 67 /** 68 * Validates the recovery mode cookie. 69 * 70 * @since 5.2.0 71 * 72 * @param string $cookie Optionally specify the cookie string. 73 * If omitted, it will be retrieved from the super global. 74 * @return true|WP_Error True on success, error object on failure. 75 */ 76 public function validate_cookie( $cookie = '' ) { 77 78 if ( ! $cookie ) { 79 if ( empty( $_COOKIE[ RECOVERY_MODE_COOKIE ] ) ) { 80 return new WP_Error( 'no_cookie', __( 'No cookie present.' ) ); 81 } 82 83 $cookie = $_COOKIE[ RECOVERY_MODE_COOKIE ]; 84 } 85 86 $parts = $this->parse_cookie( $cookie ); 87 88 if ( is_wp_error( $parts ) ) { 89 return $parts; 90 } 91 92 list( , $created_at, $random, $signature ) = $parts; 93 94 if ( ! ctype_digit( $created_at ) ) { 95 return new WP_Error( 'invalid_created_at', __( 'Invalid cookie format.' ) ); 96 } 97 98 /** This filter is documented in wp-includes/class-wp-recovery-mode-cookie-service.php */ 99 $length = apply_filters( 'recovery_mode_cookie_length', WEEK_IN_SECONDS ); 100 101 if ( time() > $created_at + $length ) { 102 return new WP_Error( 'expired', __( 'Cookie expired.' ) ); 103 } 104 105 $to_sign = sprintf( 'recovery_mode|%s|%s', $created_at, $random ); 106 $hashed = $this->recovery_mode_hash( $to_sign ); 107 108 if ( ! hash_equals( $signature, $hashed ) ) { 109 return new WP_Error( 'signature_mismatch', __( 'Invalid cookie.' ) ); 110 } 111 112 return true; 113 } 114 115 /** 116 * Gets the session identifier from the cookie. 117 * 118 * The cookie should be validated before calling this API. 119 * 120 * @since 5.2.0 121 * 122 * @param string $cookie Optionally specify the cookie string. 123 * If omitted, it will be retrieved from the super global. 124 * @return string|WP_Error Session ID on success, or error object on failure. 125 */ 126 public function get_session_id_from_cookie( $cookie = '' ) { 127 if ( ! $cookie ) { 128 if ( empty( $_COOKIE[ RECOVERY_MODE_COOKIE ] ) ) { 129 return new WP_Error( 'no_cookie', __( 'No cookie present.' ) ); 130 } 131 132 $cookie = $_COOKIE[ RECOVERY_MODE_COOKIE ]; 133 } 134 135 $parts = $this->parse_cookie( $cookie ); 136 if ( is_wp_error( $parts ) ) { 137 return $parts; 138 } 139 140 list( , , $random ) = $parts; 141 142 return sha1( $random ); 143 } 144 145 /** 146 * Parses the cookie into its four parts. 147 * 148 * @since 5.2.0 149 * 150 * @param string $cookie Cookie content. 151 * @return array|WP_Error Cookie parts array, or error object on failure. 152 */ 153 private function parse_cookie( $cookie ) { 154 $cookie = base64_decode( $cookie ); 155 $parts = explode( '|', $cookie ); 156 157 if ( 4 !== count( $parts ) ) { 158 return new WP_Error( 'invalid_format', __( 'Invalid cookie format.' ) ); 159 } 160 161 return $parts; 162 } 163 164 /** 165 * Generates the recovery mode cookie value. 166 * 167 * The cookie is a base64 encoded string with the following format: 168 * 169 * recovery_mode|iat|rand|signature 170 * 171 * Where "recovery_mode" is a constant string, 172 * iat is the time the cookie was generated at, 173 * rand is a randomly generated password that is also used as a session identifier 174 * and signature is an hmac of the preceding 3 parts. 175 * 176 * @since 5.2.0 177 * 178 * @return string Generated cookie content. 179 */ 180 private function generate_cookie() { 181 $to_sign = sprintf( 'recovery_mode|%s|%s', time(), wp_generate_password( 20, false ) ); 182 $signed = $this->recovery_mode_hash( $to_sign ); 183 184 return base64_encode( sprintf( '%s|%s', $to_sign, $signed ) ); 185 } 186 187 /** 188 * Gets a form of `wp_hash()` specific to Recovery Mode. 189 * 190 * We cannot use `wp_hash()` because it is defined in `pluggable.php` which is not loaded until after plugins are loaded, 191 * which is too late to verify the recovery mode cookie. 192 * 193 * This tries to use the `AUTH` salts first, but if they aren't valid specific salts will be generated and stored. 194 * 195 * @since 5.2.0 196 * 197 * @param string $data Data to hash. 198 * @return string|false The hashed $data, or false on failure. 199 */ 200 private function recovery_mode_hash( $data ) { 201 $default_keys = array_unique( 202 array( 203 'put your unique phrase here', 204 /* 205 * translators: This string should only be translated if wp-config-sample.php is localized. 206 * You can check the localized release package or 207 * https://i18n.svn.wordpress.org/<locale code>/branches/<wp version>/dist/wp-config-sample.php 208 */ 209 __( 'put your unique phrase here' ), 210 ) 211 ); 212 213 if ( ! defined( 'AUTH_KEY' ) || in_array( AUTH_KEY, $default_keys, true ) ) { 214 $auth_key = get_site_option( 'recovery_mode_auth_key' ); 215 216 if ( ! $auth_key ) { 217 if ( ! function_exists( 'wp_generate_password' ) ) { 218 require_once ABSPATH . WPINC . '/pluggable.php'; 219 } 220 221 $auth_key = wp_generate_password( 64, true, true ); 222 update_site_option( 'recovery_mode_auth_key', $auth_key ); 223 } 224 } else { 225 $auth_key = AUTH_KEY; 226 } 227 228 if ( ! defined( 'AUTH_SALT' ) || in_array( AUTH_SALT, $default_keys, true ) || AUTH_SALT === $auth_key ) { 229 $auth_salt = get_site_option( 'recovery_mode_auth_salt' ); 230 231 if ( ! $auth_salt ) { 232 if ( ! function_exists( 'wp_generate_password' ) ) { 233 require_once ABSPATH . WPINC . '/pluggable.php'; 234 } 235 236 $auth_salt = wp_generate_password( 64, true, true ); 237 update_site_option( 'recovery_mode_auth_salt', $auth_salt ); 238 } 239 } else { 240 $auth_salt = AUTH_SALT; 241 } 242 243 $secret = $auth_key . $auth_salt; 244 245 return hash_hmac( 'sha1', $data, $secret ); 246 } 247 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
| Generated : Fri Apr 26 08:20:02 2024 | Cross-referenced by PHPXref |