mainwp-child/class/class-mainwp-child-skeleton-key.php

<?php
namespace MainWP\Child;

class MainWP_Child_Skeleton_Key {
	public static $instance    = null;
	public static $information = array();
	public $plugin_translate   = 'mainwp-child';

	public static function instance() {
		if ( null === self::$instance ) {
			self::$instance = new self();
		}

		return self::$instance;
	}

	public function action() {

		function mainwp_skeleton_key_handle_fatal_error() {
			$error = error_get_last();
			if ( isset( $error['type'] ) && in_array( $error['type'], array( 1, 4, 16, 64, 256 ) ) && isset( $error['message'] ) ) {
				mainwp_child_helper()->write( array( 'error' => 'MainWP_Child fatal error : ' . $error['message'] . ' Line: ' . $error['line'] . ' File: ' . $error['file'] ) );
			}
		}

		register_shutdown_function( 'mainwp_skeleton_key_handle_fatal_error' );

		switch ( $_POST['action'] ) {
			case 'skeleton_key_visit_site_as_browser':
				$information = $this->visit_site_as_browser();
				break;
			case 'save_settings':
				$information = $this->save_settings();
				break;
			default:
				$information = array( 'error' => 'Unknown action' );
		}

		mainwp_child_helper()->write( $information );
		exit();
	}

	protected function visit_site_as_browser() { // phpcs:ignore -- ignore complex method notice.
		if ( ! isset( $_POST['url'] ) || ! is_string( $_POST['url'] ) || strlen( $_POST['url'] ) < 2 ) {
			return array( 'error' => 'Missing url' );
		}

		if ( ! isset( $_POST['args'] ) || ! is_array( $_POST['args'] ) ) {
			return array( 'error' => 'Missing args' );
		}

		$_POST = stripslashes_deep( $_POST );

		$args = $_POST['args'];

		$current_user = wp_get_current_user();

		$url = '/' . $_POST['url'];

		$expiration = time() + 600;
		$manager    = WP_Session_Tokens::get_instance( $current_user->ID );
		$token      = $manager->create( $expiration );

		$secure = is_ssl();
		if ( $secure ) {
			$auth_cookie_name = SECURE_AUTH_COOKIE;
			$scheme           = 'secure_auth';
		} else {
			$auth_cookie_name = AUTH_COOKIE;
			$scheme           = 'auth';
		}
		$auth_cookie                  = wp_generate_auth_cookie( $current_user->ID, $expiration, $scheme, $token );
		$logged_in_cookie             = wp_generate_auth_cookie( $current_user->ID, $expiration, 'logged_in', $token );
		$_COOKIE[ $auth_cookie_name ] = $auth_cookie;
		$_COOKIE[ LOGGED_IN_COOKIE ]  = $logged_in_cookie;
		$post_args                    = array();
		$post_args['body']            = array();
		$post_args['redirection']     = 5;
		$post_args['decompress']      = false;
		$post_args['cookies']         = array(
			new WP_Http_Cookie(
				array(
					'name'  => $auth_cookie_name,
					'value' => $auth_cookie,
				)
			),
			new WP_Http_Cookie(
				array(
					'name'  => LOGGED_IN_COOKIE,
					'value' => $logged_in_cookie,
				)
			),
		);

		if ( isset( $args['get'] ) ) {
			$get_args = $args['get'];
			parse_str( $args['get'], $get_args );
		}

		if ( ! isset( $get_args ) || ! is_array( $get_args ) ) {
			$get_args = array();
		}

		$get_args['skeleton_keyuse_nonce_key']  = intval( time() );
		$get_args['skeleton_keyuse_nonce_hmac'] = hash_hmac( 'sha256', $get_args['skeleton_keyuse_nonce_key'], NONCE_KEY );

		$good_nonce = null;
		if ( isset( $args['nonce'] ) && ! empty( $args['nonce'] ) ) {
			parse_str( $args['nonce'], $temp_nonce );
			$good_nonce = $this->wp_create_nonce_recursive( $temp_nonce );
			$get_args   = array_merge( $get_args, $good_nonce );
		}

		if ( isset( $args['post'] ) ) {
			parse_str( $args['post'], $temp_post );
			if ( ! isset( $temp_post ) || ! is_array( $temp_post ) ) {
				$temp_post = array();
			}

			if ( ! empty( $good_nonce ) ) {
				$temp_post = array_merge( $temp_post, $good_nonce );
			}

			$post_args['body'] = $temp_post;
		}

		$post_args['timeout'] = 25;

		$full_url = add_query_arg( $get_args, get_site_url() . $url );

		add_filter( 'http_request_args', array( MainWP_Helper::get_class_name(), 'reject_unsafe_urls' ), 99, 2 );

		$response = wp_remote_post( $full_url, $post_args );

		if ( is_wp_error( $response ) ) {
			return array( 'error' => 'wp_remote_post error: ' . $response->get_error_message() );
		}

		$received_content = wp_remote_retrieve_body( $response );

		if ( preg_match( '/<mainwp>(.*)<\/mainwp>/', $received_content, $received_result ) > 0 ) {
			$received_content_mainwp = json_decode( base64_decode( $received_result[1] ), true ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions -- base64_encode function is used for begin reasons.
			if ( isset( $received_content_mainwp['error'] ) ) {
				return array( 'error' => $received_content_mainwp['error'] );
			}
		}

		$search_ok_counter   = 0;
		$search_fail_counter = 0;

		if ( isset( $args['search']['ok'] ) ) {
			foreach ( $args['search']['ok'] as $search ) {
				if ( preg_match( '/' . preg_quote( $search, '/' ) . '/i', $received_content ) ) {
					++ $search_ok_counter;
				}
			}
		}

		if ( isset( $args['search']['fail'] ) ) {
			foreach ( $args['search']['fail'] as $search ) {
				if ( preg_match( '/' . preg_quote( $search, '/' ) . '/i', $received_content ) ) {
					++ $search_fail_counter;
				}
			}
		}
		unset( $get_args['skeleton_keyuse_nonce_key'] );
		unset( $get_args['skeleton_keyuse_nonce_hmac'] );

		return array(
			'success'             => 1,
			'content'             => $received_content,
			'url'                 => $full_url,
			'get'                 => $get_args,
			'post'                => $post_args['body'],
			'search_ok_counter'   => $search_ok_counter,
			'search_fail_counter' => $search_fail_counter,
		);
	}

	private function wp_create_nonce_recursive( $array ) {
		foreach ( $array as $key => $value ) {
			if ( is_array( $array[ $key ] ) ) {
				$array[ $key ] = $this->wp_create_nonce_recursive( $array[ $key ] );
			} else {
				$array[ $key ] = wp_create_nonce( $array[ $key ] );
			}
		}

		return $array;
	}

	public function save_settings() {
		$settings = isset( $_POST['settings'] ) ? $_POST['settings'] : array();

		if ( ! is_array( $settings ) || empty( $settings ) ) {
			return array( 'error' => __( 'Invalid data. Please check and try again.', 'mainwp-child' ) );
		}

		$whitelist_options = array(
			'general' => array( 'blogname', 'blogdescription', 'gmt_offset', 'date_format', 'time_format', 'start_of_week', 'timezone_string', 'WPLANG' ),
		);

		if ( ! is_multisite() ) {
			if ( ! defined( 'WP_SITEURL' ) ) {
				$whitelist_options['general'][] = 'siteurl';
			}
			if ( ! defined( 'WP_HOME' ) ) {
				$whitelist_options['general'][] = 'home';
			}

			$whitelist_options['general'][] = 'admin_email';
			$whitelist_options['general'][] = 'users_can_register';
			$whitelist_options['general'][] = 'default_role';
		}

		$whitelist_general = $whitelist_options['general'];

		if ( ! empty( $settings['WPLANG'] ) ) {
			require_once ABSPATH . 'wp-admin/includes/translation-install.php';
			if ( wp_can_install_language_pack() ) {
				$language = wp_download_language_pack( $settings['WPLANG'] );
				if ( $language ) {
					$settings['WPLANG'] = $language;
				}
			}
		}

		$updated = false;
		foreach ( $settings as $option => $value ) {
			if ( in_array( $option, $whitelist_general ) ) {
				if ( ! is_array( $value ) ) {
					$value = trim( $value );
				}
				$value = wp_unslash( $value );
				update_option( $option, $value );
				$updated = true;
			}
		}

		if ( ! $updated ) {
			return false;
		}

		return array( 'result' => 'ok' );
	}

}
Merge with branches 2015-09-22 20:51:35 +02:00			`<?php`
Refactoring 2020-05-05 20:13:38 +07:00			`namespace MainWP\Child;`
Merge with branches 2015-09-22 20:51:35 +02:00
code cleanup 2015-10-15 22:52:37 +10:00			`class MainWP_Child_Skeleton_Key {`
[CodeFactor] Apply fixes 2020-03-26 19:45:07 +00:00			`public static $instance = null;`
Merge with branches 2015-09-22 20:51:35 +02:00			`public static $information = array();`
[CodeFactor] Apply fixes 2020-03-26 19:45:07 +00:00			`public $plugin_translate = 'mainwp-child';`
Merge with branches 2015-09-22 20:51:35 +02:00
Refactoring 2020-05-06 20:22:11 +07:00			`public static function instance() {`
[CodeFactor] Apply fixes 2020-03-26 14:05:04 +00:00			`if ( null === self::$instance ) {`
Refactoring 2020-05-07 01:03:56 +07:00			`self::$instance = new self();`
Merge with branches 2015-09-22 20:51:35 +02:00			`}`

[CodeFactor] Apply fixes 2020-03-26 14:05:04 +00:00			`return self::$instance;`
Merge with branches 2015-09-22 20:51:35 +02:00			`}`

			`public function action() {`
[CodeFactor] Apply fixes to commit acdfa23 [ci skip] [skip ci] 2020-05-07 16:27:57 +00:00
Merge with branches 2015-09-22 20:51:35 +02:00			`function mainwp_skeleton_key_handle_fatal_error() {`
			`$error = error_get_last();`
Fixed: CodeFactor issues 2020-04-17 18:55:52 +02:00			`if ( isset( $error['type'] ) && in_array( $error['type'], array( 1, 4, 16, 64, 256 ) ) && isset( $error['message'] ) ) {`
Refactoring 2020-05-07 19:34:36 +07:00			`mainwp_child_helper()->write( array( 'error' => 'MainWP_Child fatal error : ' . $error['message'] . ' Line: ' . $error['line'] . ' File: ' . $error['file'] ) );`
Merge with branches 2015-09-22 20:51:35 +02:00			`}`
			`}`

code cleanup 2015-10-15 22:52:37 +10:00			`register_shutdown_function( 'mainwp_skeleton_key_handle_fatal_error' );`
Merge with branches 2015-09-22 20:51:35 +02:00
			`switch ( $_POST['action'] ) {`
			`case 'skeleton_key_visit_site_as_browser':`
			`$information = $this->visit_site_as_browser();`
			`break;`
merge + new version 2017-08-24 20:41:12 +02:00			`case 'save_settings':`
			`$information = $this->save_settings();`
			`break;`
Merge with branches 2015-09-22 20:51:35 +02:00			`default:`
			`$information = array( 'error' => 'Unknown action' );`
			`}`
code cleanup 2015-10-15 22:52:37 +10:00
Refactoring 2020-05-07 19:34:36 +07:00			`mainwp_child_helper()->write( $information );`
Merge with branches 2015-09-22 20:51:35 +02:00			`exit();`
			`}`

Refactoring 2020-05-20 01:07:47 +07:00			`protected function visit_site_as_browser() { // phpcs:ignore -- ignore complex method notice.`
Merge with branches 2015-09-22 20:51:35 +02:00			`if ( ! isset( $_POST['url'] ) \|\| ! is_string( $_POST['url'] ) \|\| strlen( $_POST['url'] ) < 2 ) {`
			`return array( 'error' => 'Missing url' );`
			`}`

			`if ( ! isset( $_POST['args'] ) \|\| ! is_array( $_POST['args'] ) ) {`
			`return array( 'error' => 'Missing args' );`
			`}`

			`$_POST = stripslashes_deep( $_POST );`

			`$args = $_POST['args'];`

			`$current_user = wp_get_current_user();`

			`$url = '/' . $_POST['url'];`

merge branch01 + fix invalid security fix for admin user 2016-12-29 22:19:20 +01:00			`$expiration = time() + 600;`
Merge with branches 2015-09-22 20:51:35 +02:00			`$manager = WP_Session_Tokens::get_instance( $current_user->ID );`
			`$token = $manager->create( $expiration );`

merge + new version 2017-08-24 20:41:12 +02:00			`$secure = is_ssl();`
			`if ( $secure ) {`
			`$auth_cookie_name = SECURE_AUTH_COOKIE;`
[CodeFactor] Apply fixes 2020-03-26 19:45:07 +00:00			`$scheme = 'secure_auth';`
merge + new version 2017-08-24 20:41:12 +02:00			`} else {`
			`$auth_cookie_name = AUTH_COOKIE;`
[CodeFactor] Apply fixes 2020-03-26 19:45:07 +00:00			`$scheme = 'auth';`
merge + new version 2017-08-24 20:41:12 +02:00			`}`
[CodeFactor] Apply fixes 2020-03-26 19:45:07 +00:00			`$auth_cookie = wp_generate_auth_cookie( $current_user->ID, $expiration, $scheme, $token );`
			`$logged_in_cookie = wp_generate_auth_cookie( $current_user->ID, $expiration, 'logged_in', $token );`
			`$_COOKIE[ $auth_cookie_name ] = $auth_cookie;`
			`$_COOKIE[ LOGGED_IN_COOKIE ] = $logged_in_cookie;`
			`$post_args = array();`
			`$post_args['body'] = array();`
			`$post_args['redirection'] = 5;`
Fixed: CodeFactor issues 2020-04-17 18:55:52 +02:00			`$post_args['decompress'] = false;`
[CodeFactor] Apply fixes 2020-03-26 19:45:07 +00:00			`$post_args['cookies'] = array(`
Fixed: CodeFactor issues 2020-04-17 18:55:52 +02:00			`new WP_Http_Cookie(`
			`array(`
			`'name' => $auth_cookie_name,`
			`'value' => $auth_cookie,`
			`)`
			`),`
			`new WP_Http_Cookie(`
			`array(`
			`'name' => LOGGED_IN_COOKIE,`
			`'value' => $logged_in_cookie,`
			`)`
			`),`
Merge with branches 2015-09-22 20:51:35 +02:00			`);`

			`if ( isset( $args['get'] ) ) {`
			`$get_args = $args['get'];`
			`parse_str( $args['get'], $get_args );`
			`}`

			`if ( ! isset( $get_args ) \|\| ! is_array( $get_args ) ) {`
			`$get_args = array();`
			`}`

			`$get_args['skeleton_keyuse_nonce_key'] = intval( time() );`
			`$get_args['skeleton_keyuse_nonce_hmac'] = hash_hmac( 'sha256', $get_args['skeleton_keyuse_nonce_key'], NONCE_KEY );`

			`$good_nonce = null;`
			`if ( isset( $args['nonce'] ) && ! empty( $args['nonce'] ) ) {`
			`parse_str( $args['nonce'], $temp_nonce );`
			`$good_nonce = $this->wp_create_nonce_recursive( $temp_nonce );`
			`$get_args = array_merge( $get_args, $good_nonce );`
			`}`

			`if ( isset( $args['post'] ) ) {`
			`parse_str( $args['post'], $temp_post );`
			`if ( ! isset( $temp_post ) \|\| ! is_array( $temp_post ) ) {`
			`$temp_post = array();`
			`}`

			`if ( ! empty( $good_nonce ) ) {`
			`$temp_post = array_merge( $temp_post, $good_nonce );`
			`}`

			`$post_args['body'] = $temp_post;`
			`}`

merge + new version 2017-08-24 20:41:12 +02:00			`$post_args['timeout'] = 25;`

Merge with branches 2015-09-22 20:51:35 +02:00			`$full_url = add_query_arg( $get_args, get_site_url() . $url );`

Refactoring 2020-05-11 20:30:56 +07:00			`add_filter( 'http_request_args', array( MainWP_Helper::get_class_name(), 'reject_unsafe_urls' ), 99, 2 );`
Merge with branch01 * Fixed: an issue with the X-Frame-Options configuration * Fixed: an issue with clearing WP Rocket cache * Fixed: an issue with saving BackWPup settings * Fixed: multiple compatibility issues for the Bulk Settings Manger extension * Fixed: an issue with submitting the Bulk Settings Manger keys on child sites protected with the HTTP Basic Authentication * Fixed: an issue with creating buckets in Backblaze remote option caused by disallowed characters * Fixed: an issue with tokens usage in the UpdraftPlus Webdav remote storage settings * Added: support for new WP Staging plugin options * Updated: update detection process in order to improve performance on some hosts * Updated: disabled site size calculation function as default state * Updated: support for the latest Wordfence version 2018-12-19 17:01:08 +07:00
Merge with branches 2015-09-22 20:51:35 +02:00			`$response = wp_remote_post( $full_url, $post_args );`

			`if ( is_wp_error( $response ) ) {`
			`return array( 'error' => 'wp_remote_post error: ' . $response->get_error_message() );`
			`}`

			`$received_content = wp_remote_retrieve_body( $response );`

			`if ( preg_match( '/<mainwp>(.*)<\/mainwp>/', $received_content, $received_result ) > 0 ) {`
Refactoring 2020-05-08 16:44:48 +07:00			`$received_content_mainwp = json_decode( base64_decode( $received_result[1] ), true ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions -- base64_encode function is used for begin reasons.`
Merge with branches 2015-09-22 20:51:35 +02:00			`if ( isset( $received_content_mainwp['error'] ) ) {`
			`return array( 'error' => $received_content_mainwp['error'] );`
			`}`
			`}`

			`$search_ok_counter = 0;`
			`$search_fail_counter = 0;`

			`if ( isset( $args['search']['ok'] ) ) {`
			`foreach ( $args['search']['ok'] as $search ) {`
			`if ( preg_match( '/' . preg_quote( $search, '/' ) . '/i', $received_content ) ) {`
			`++ $search_ok_counter;`
			`}`
			`}`
			`}`

			`if ( isset( $args['search']['fail'] ) ) {`
			`foreach ( $args['search']['fail'] as $search ) {`
			`if ( preg_match( '/' . preg_quote( $search, '/' ) . '/i', $received_content ) ) {`
			`++ $search_fail_counter;`
			`}`
			`}`
			`}`
			`unset( $get_args['skeleton_keyuse_nonce_key'] );`
			`unset( $get_args['skeleton_keyuse_nonce_hmac'] );`

			`return array(`
			`'success' => 1,`
			`'content' => $received_content,`
			`'url' => $full_url,`
			`'get' => $get_args,`
			`'post' => $post_args['body'],`
			`'search_ok_counter' => $search_ok_counter,`
code cleanup 2015-10-15 22:52:37 +10:00			`'search_fail_counter' => $search_fail_counter,`
Merge with branches 2015-09-22 20:51:35 +02:00			`);`
			`}`

			`private function wp_create_nonce_recursive( $array ) {`
			`foreach ( $array as $key => $value ) {`
			`if ( is_array( $array[ $key ] ) ) {`
			`$array[ $key ] = $this->wp_create_nonce_recursive( $array[ $key ] );`
			`} else {`
			`$array[ $key ] = wp_create_nonce( $array[ $key ] );`
			`}`
			`}`

			`return $array;`
			`}`
merge + new version 2017-08-24 20:41:12 +02:00
			`public function save_settings() {`
Fixed: CodeFactor issues 2020-04-17 18:55:52 +02:00			`$settings = isset( $_POST['settings'] ) ? $_POST['settings'] : array();`
merge + new version 2017-08-24 20:41:12 +02:00
Fixed: CodeFactor issues 2020-04-17 18:55:52 +02:00			`if ( ! is_array( $settings ) \|\| empty( $settings ) ) {`
			`return array( 'error' => __( 'Invalid data. Please check and try again.', 'mainwp-child' ) );`
[CodeFactor] Apply fixes to commit f9a9b37 [ci skip] [skip ci] 2020-03-27 15:13:11 +00:00			`}`
merge + new version 2017-08-24 20:41:12 +02:00
			`$whitelist_options = array(`
			`'general' => array( 'blogname', 'blogdescription', 'gmt_offset', 'date_format', 'time_format', 'start_of_week', 'timezone_string', 'WPLANG' ),`
			`);`

[CodeFactor] Apply fixes 2020-03-26 17:03:00 +00:00			`if ( ! is_multisite() ) {`
			`if ( ! defined( 'WP_SITEURL' ) ) {`
merge + new version 2017-08-24 20:41:12 +02:00			`$whitelist_options['general'][] = 'siteurl';`
[CodeFactor] Apply fixes to commit f9a9b37 [ci skip] [skip ci] 2020-03-27 15:13:11 +00:00			`}`
[CodeFactor] Apply fixes 2020-03-26 17:03:00 +00:00			`if ( ! defined( 'WP_HOME' ) ) {`
merge + new version 2017-08-24 20:41:12 +02:00			`$whitelist_options['general'][] = 'home';`
[CodeFactor] Apply fixes to commit f9a9b37 [ci skip] [skip ci] 2020-03-27 15:13:11 +00:00			`}`
merge + new version 2017-08-24 20:41:12 +02:00
			`$whitelist_options['general'][] = 'admin_email';`
			`$whitelist_options['general'][] = 'users_can_register';`
			`$whitelist_options['general'][] = 'default_role';`
			`}`

[CodeFactor] Apply fixes 2020-03-26 15:29:54 +00:00			`$whitelist_general = $whitelist_options['general'];`
merge + new version 2017-08-24 20:41:12 +02:00
			`if ( ! empty( $settings['WPLANG'] ) ) {`
[CodeFactor] Apply fixes to commit 7e3b1f2 [ci skip] [skip ci] 2020-03-26 14:11:33 +00:00			`require_once ABSPATH . 'wp-admin/includes/translation-install.php';`
merge + new version 2017-08-24 20:41:12 +02:00			`if ( wp_can_install_language_pack() ) {`
			`$language = wp_download_language_pack( $settings['WPLANG'] );`
			`if ( $language ) {`
			`$settings['WPLANG'] = $language;`
			`}`
			`}`
			`}`

			`$updated = false;`
[CodeFactor] Apply fixes 2020-03-27 14:11:21 +00:00			`foreach ( $settings as $option => $value ) {`
Fixed: CodeFactor issues 2020-04-17 18:55:52 +02:00			`if ( in_array( $option, $whitelist_general ) ) {`
[CodeFactor] Apply fixes to commit 7e3b1f2 [ci skip] [skip ci] 2020-03-26 14:11:33 +00:00			`if ( ! is_array( $value ) ) {`
merge + new version 2017-08-24 20:41:12 +02:00			`$value = trim( $value );`
[CodeFactor] Apply fixes to commit f9a9b37 [ci skip] [skip ci] 2020-03-27 15:13:11 +00:00			`}`
merge + new version 2017-08-24 20:41:12 +02:00			`$value = wp_unslash( $value );`
Fixed: CodeFactor issues 2020-04-17 18:55:52 +02:00			`update_option( $option, $value );`
merge + new version 2017-08-24 20:41:12 +02:00			`$updated = true;`
			`}`
			`}`

[CodeFactor] Apply fixes 2020-03-27 14:11:21 +00:00			`if ( ! $updated ) {`
merge + new version 2017-08-24 20:41:12 +02:00			`return false;`
[CodeFactor] Apply fixes to commit f9a9b37 [ci skip] [skip ci] 2020-03-27 15:13:11 +00:00			`}`
merge + new version 2017-08-24 20:41:12 +02:00
[CodeFactor] Apply fixes 2020-03-26 15:29:54 +00:00			`return array( 'result' => 'ok' );`
merge + new version 2017-08-24 20:41:12 +02:00			`}`

code cleanup 2015-10-15 22:52:37 +10:00			`}`