[ Index ]

PHP Cross Reference of WordPress Trunk (Updated Daily)

title

Body

[close]

/wp-includes/ -> class-wp-recovery-mode-cookie-service.php (source)

   1  <?php
   2  /**
   3   * Error Protection API: WP_Recovery_Mode_Cookie_Service class
   4   *
   5   * @package WordPress
   6   * @since   5.2.0
   7   */
   8  
   9  /**
  10   * Core class used to set, validate, and clear cookies that identify a Recovery Mode session.
  11   *
  12   * @since 5.2.0
  13   */
  14  final class WP_Recovery_Mode_Cookie_Service {
  15  
  16      /**
  17       * Checks whether the recovery mode cookie is set.
  18       *
  19       * @since 5.2.0
  20       *
  21       * @return bool True if the cookie is set, false otherwise.
  22       */
  23  	public function is_cookie_set() {
  24          return ! empty( $_COOKIE[ RECOVERY_MODE_COOKIE ] );
  25      }
  26  
  27      /**
  28       * Sets the recovery mode cookie.
  29       *
  30       * This must be immediately followed by exiting the request.
  31       *
  32       * @since 5.2.0
  33       */
  34  	public function set_cookie() {
  35  
  36          $value = $this->generate_cookie();
  37  
  38          /**
  39           * Filter the length of time a Recovery Mode cookie is valid for.
  40           *
  41           * @since 5.2.0
  42           *
  43           * @param int $length Length in seconds.
  44           */
  45          $length = apply_filters( 'recovery_mode_cookie_length', WEEK_IN_SECONDS );
  46          $expire = time() + $length;
  47  
  48          setcookie( RECOVERY_MODE_COOKIE, $value, $expire, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
  49  
  50          if ( COOKIEPATH !== SITECOOKIEPATH ) {
  51              setcookie( RECOVERY_MODE_COOKIE, $value, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
  52          }
  53      }
  54  
  55      /**
  56       * Clears the recovery mode cookie.
  57       *
  58       * @since 5.2.0
  59       */
  60  	public function clear_cookie() {
  61          setcookie( RECOVERY_MODE_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
  62          setcookie( RECOVERY_MODE_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
  63      }
  64  
  65      /**
  66       * Validates the recovery mode cookie.
  67       *
  68       * @since 5.2.0
  69       *
  70       * @param string $cookie Optionally specify the cookie string.
  71       *                       If omitted, it will be retrieved from the super global.
  72       * @return true|WP_Error True on success, error object on failure.
  73       */
  74  	public function validate_cookie( $cookie = '' ) {
  75  
  76          if ( ! $cookie ) {
  77              if ( empty( $_COOKIE[ RECOVERY_MODE_COOKIE ] ) ) {
  78                  return new WP_Error( 'no_cookie', __( 'No cookie present.' ) );
  79              }
  80  
  81              $cookie = $_COOKIE[ RECOVERY_MODE_COOKIE ];
  82          }
  83  
  84          $parts = $this->parse_cookie( $cookie );
  85  
  86          if ( is_wp_error( $parts ) ) {
  87              return $parts;
  88          }
  89  
  90          list( , $created_at, $random, $signature ) = $parts;
  91  
  92          if ( ! ctype_digit( $created_at ) ) {
  93              return new WP_Error( 'invalid_created_at', __( 'Invalid cookie format.' ) );
  94          }
  95  
  96          /** This filter is documented in wp-includes/class-wp-recovery-mode-cookie-service.php */
  97          $length = apply_filters( 'recovery_mode_cookie_length', WEEK_IN_SECONDS );
  98  
  99          if ( time() > $created_at + $length ) {
 100              return new WP_Error( 'expired', __( 'Cookie expired.' ) );
 101          }
 102  
 103          $to_sign = sprintf( 'recovery_mode|%s|%s', $created_at, $random );
 104          $hashed  = $this->recovery_mode_hash( $to_sign );
 105  
 106          if ( ! hash_equals( $signature, $hashed ) ) {
 107              return new WP_Error( 'signature_mismatch', __( 'Invalid cookie.' ) );
 108          }
 109  
 110          return true;
 111      }
 112  
 113      /**
 114       * Gets the session identifier from the cookie.
 115       *
 116       * The cookie should be validated before calling this API.
 117       *
 118       * @since 5.2.0
 119       *
 120       * @param string $cookie Optionally specify the cookie string.
 121       *                       If omitted, it will be retrieved from the super global.
 122       * @return string|WP_Error Session ID on success, or error object on failure.
 123       */
 124  	public function get_session_id_from_cookie( $cookie = '' ) {
 125          if ( ! $cookie ) {
 126              if ( empty( $_COOKIE[ RECOVERY_MODE_COOKIE ] ) ) {
 127                  return new WP_Error( 'no_cookie', __( 'No cookie present.' ) );
 128              }
 129  
 130              $cookie = $_COOKIE[ RECOVERY_MODE_COOKIE ];
 131          }
 132  
 133          $parts = $this->parse_cookie( $cookie );
 134          if ( is_wp_error( $parts ) ) {
 135              return $parts;
 136          }
 137  
 138          list( , , $random ) = $parts;
 139  
 140          return sha1( $random );
 141      }
 142  
 143      /**
 144       * Parses the cookie into its four parts.
 145       *
 146       * @since 5.2.0
 147       *
 148       * @param string $cookie Cookie content.
 149       * @return array|WP_Error Cookie parts array, or error object on failure.
 150       */
 151  	private function parse_cookie( $cookie ) {
 152          $cookie = base64_decode( $cookie );
 153          $parts  = explode( '|', $cookie );
 154  
 155          if ( 4 !== count( $parts ) ) {
 156              return new WP_Error( 'invalid_format', __( 'Invalid cookie format.' ) );
 157          }
 158  
 159          return $parts;
 160      }
 161  
 162      /**
 163       * Generates the recovery mode cookie value.
 164       *
 165       * The cookie is a base64 encoded string with the following format:
 166       *
 167       * recovery_mode|iat|rand|signature
 168       *
 169       * Where "recovery_mode" is a constant string,
 170       * iat is the time the cookie was generated at,
 171       * rand is a randomly generated password that is also used as a session identifier
 172       * and signature is an hmac of the preceding 3 parts.
 173       *
 174       * @since 5.2.0
 175       *
 176       * @return string Generated cookie content.
 177       */
 178  	private function generate_cookie() {
 179          $to_sign = sprintf( 'recovery_mode|%s|%s', time(), wp_generate_password( 20, false ) );
 180          $signed  = $this->recovery_mode_hash( $to_sign );
 181  
 182          return base64_encode( sprintf( '%s|%s', $to_sign, $signed ) );
 183      }
 184  
 185      /**
 186       * Gets a form of `wp_hash()` specific to Recovery Mode.
 187       *
 188       * We cannot use `wp_hash()` because it is defined in `pluggable.php` which is not loaded until after plugins are loaded,
 189       * which is too late to verify the recovery mode cookie.
 190       *
 191       * This tries to use the `AUTH` salts first, but if they aren't valid specific salts will be generated and stored.
 192       *
 193       * @since 5.2.0
 194       *
 195       * @param string $data Data to hash.
 196       * @return string|false The hashed $data, or false on failure.
 197       */
 198  	private function recovery_mode_hash( $data ) {
 199          if ( ! defined( 'AUTH_KEY' ) || AUTH_KEY === 'put your unique phrase here' ) {
 200              $auth_key = get_site_option( 'recovery_mode_auth_key' );
 201  
 202              if ( ! $auth_key ) {
 203                  if ( ! function_exists( 'wp_generate_password' ) ) {
 204                      require_once  ABSPATH . WPINC . '/pluggable.php';
 205                  }
 206  
 207                  $auth_key = wp_generate_password( 64, true, true );
 208                  update_site_option( 'recovery_mode_auth_key', $auth_key );
 209              }
 210          } else {
 211              $auth_key = AUTH_KEY;
 212          }
 213  
 214          if ( ! defined( 'AUTH_SALT' ) || AUTH_SALT === 'put your unique phrase here' || AUTH_SALT === $auth_key ) {
 215              $auth_salt = get_site_option( 'recovery_mode_auth_salt' );
 216  
 217              if ( ! $auth_salt ) {
 218                  if ( ! function_exists( 'wp_generate_password' ) ) {
 219                      require_once  ABSPATH . WPINC . '/pluggable.php';
 220                  }
 221  
 222                  $auth_salt = wp_generate_password( 64, true, true );
 223                  update_site_option( 'recovery_mode_auth_salt', $auth_salt );
 224              }
 225          } else {
 226              $auth_salt = AUTH_SALT;
 227          }
 228  
 229          $secret = $auth_key . $auth_salt;
 230  
 231          return hash_hmac( 'sha1', $data, $secret );
 232      }
 233  }


Generated: Sat Nov 23 20:47:33 2019 Cross-referenced by PHPXref 0.7