1<?php
  2/**
  3 * Error Protection API: WP_Recovery_Mode_Cookie_Service class
  4 *
  5 * @package WordPress
  6 * @since 5.2.0
  7 */
  8
  9/**
 10 * Core class used to set, validate, and clear cookies that identify a Recovery Mode session.
 11 *
 12 * @since 5.2.0
 13 */
 14#[AllowDynamicProperties]
 15final class WP_Recovery_Mode_Cookie_Service {
 16
 17	/**
 18	 * Checks whether the recovery mode cookie is set.
 19	 *
 20	 * @since 5.2.0
 21	 *
 22	 * @return bool True if the cookie is set, false otherwise.
 23	 */
 24	public function is_cookie_set() {
 25		return ! empty( $_COOKIE[ RECOVERY_MODE_COOKIE ] );
 26	}
 27
 28	/**
 29	 * Sets the recovery mode cookie.
 30	 *
 31	 * This must be immediately followed by exiting the request.
 32	 *
 33	 * @since 5.2.0
 34	 */
 35	public function set_cookie() {
 36
 37		$value = $this->generate_cookie();
 38
 39		/**
 40		 * Filters the length of time a Recovery Mode cookie is valid for.
 41		 *
 42		 * @since 5.2.0
 43		 *
 44		 * @param int $length Length in seconds.
 45		 */
 46		$length = apply_filters( 'recovery_mode_cookie_length', WEEK_IN_SECONDS );
 47
 48		$expire = time() + $length;
 49
 50		setcookie( RECOVERY_MODE_COOKIE, $value, $expire, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
 51
 52		if ( COOKIEPATH !== SITECOOKIEPATH ) {
 53			setcookie( RECOVERY_MODE_COOKIE, $value, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
 54		}
 55	}
 56
 57	/**
 58	 * Clears the recovery mode cookie.
 59	 *
 60	 * @since 5.2.0
 61	 */
 62	public function clear_cookie() {
 63		setcookie( RECOVERY_MODE_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
 64		setcookie( RECOVERY_MODE_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
 65	}
 66
 67	/**
 68	 * Validates the recovery mode cookie.
 69	 *
 70	 * @since 5.2.0
 71	 *
 72	 * @param string $cookie Optionally specify the cookie string.
 73	 *                       If omitted, it will be retrieved from the super global.
 74	 * @return true|WP_Error True on success, error object on failure.
 75	 */
 76	public function validate_cookie( $cookie = '' ) {
 77
 78		if ( ! $cookie ) {
 79			if ( empty( $_COOKIE[ RECOVERY_MODE_COOKIE ] ) ) {
 80				return new WP_Error( 'no_cookie', __( 'No cookie present.' ) );
 81			}
 82
 83			$cookie = $_COOKIE[ RECOVERY_MODE_COOKIE ];
 84		}
 85
 86		$parts = $this->parse_cookie( $cookie );
 87
 88		if ( is_wp_error( $parts ) ) {
 89			return $parts;
 90		}
 91
 92		list( , $created_at, $random, $signature ) = $parts;
 93
 94		if ( ! ctype_digit( $created_at ) ) {
 95			return new WP_Error( 'invalid_created_at', __( 'Invalid cookie format.' ) );
 96		}
 97
 98		/** This filter is documented in wp-includes/class-wp-recovery-mode-cookie-service.php */
 99		$length = apply_filters( 'recovery_mode_cookie_length', WEEK_IN_SECONDS );
100
101		if ( time() > $created_at + $length ) {
102			return new WP_Error( 'expired', __( 'Cookie expired.' ) );
103		}
104
105		$to_sign = sprintf( 'recovery_mode|%s|%s', $created_at, $random );
106		$hashed  = $this->recovery_mode_hash( $to_sign );
107
108		if ( ! hash_equals( $signature, $hashed ) ) {
109			return new WP_Error( 'signature_mismatch', __( 'Invalid cookie.' ) );
110		}
111
112		return true;
113	}
114
115	/**
116	 * Gets the session identifier from the cookie.
117	 *
118	 * The cookie should be validated before calling this API.
119	 *
120	 * @since 5.2.0
121	 *
122	 * @param string $cookie Optionally specify the cookie string.
123	 *                       If omitted, it will be retrieved from the super global.
124	 * @return string|WP_Error Session ID on success, or error object on failure.
125	 */
126	public function get_session_id_from_cookie( $cookie = '' ) {
127		if ( ! $cookie ) {
128			if ( empty( $_COOKIE[ RECOVERY_MODE_COOKIE ] ) ) {
129				return new WP_Error( 'no_cookie', __( 'No cookie present.' ) );
130			}
131
132			$cookie = $_COOKIE[ RECOVERY_MODE_COOKIE ];
133		}
134
135		$parts = $this->parse_cookie( $cookie );
136		if ( is_wp_error( $parts ) ) {
137			return $parts;
138		}
139
140		list( , , $random ) = $parts;
141
142		return sha1( $random );
143	}
144
145	/**
146	 * Parses the cookie into its four parts.
147	 *
148	 * @since 5.2.0
149	 *
150	 * @param string $cookie Cookie content.
151	 * @return array|WP_Error Cookie parts array, or error object on failure.
152	 */
153	private function parse_cookie( $cookie ) {
154		$cookie = base64_decode( $cookie );
155		$parts  = explode( '|', $cookie );
156
157		if ( 4 !== count( $parts ) ) {
158			return new WP_Error( 'invalid_format', __( 'Invalid cookie format.' ) );
159		}
160
161		return $parts;
162	}
163
164	/**
165	 * Generates the recovery mode cookie value.
166	 *
167	 * The cookie is a base64 encoded string with the following format:
168	 *
169	 * recovery_mode|iat|rand|signature
170	 *
171	 * Where "recovery_mode" is a constant string,
172	 * iat is the time the cookie was generated at,
173	 * rand is a randomly generated password that is also used as a session identifier
174	 * and signature is an hmac of the preceding 3 parts.
175	 *
176	 * @since 5.2.0
177	 *
178	 * @return string Generated cookie content.
179	 */
180	private function generate_cookie() {
181		$to_sign = sprintf( 'recovery_mode|%s|%s', time(), wp_generate_password( 20, false ) );
182		$signed  = $this->recovery_mode_hash( $to_sign );
183
184		return base64_encode( sprintf( '%s|%s', $to_sign, $signed ) );
185	}
186
187	/**
188	 * Gets a form of `wp_hash()` specific to Recovery Mode.
189	 *
190	 * We cannot use `wp_hash()` because it is defined in `pluggable.php` which is not loaded until after plugins are loaded,
191	 * which is too late to verify the recovery mode cookie.
192	 *
193	 * This tries to use the `AUTH` salts first, but if they aren't valid specific salts will be generated and stored.
194	 *
195	 * @since 5.2.0
196	 *
197	 * @param string $data Data to hash.
198	 * @return string|false The hashed $data, or false on failure.
199	 */
200	private function recovery_mode_hash( $data ) {
201		$default_keys = array_unique(
202			array(
203				'put your unique phrase here',
204				/*
205				 * translators: This string should only be translated if wp-config-sample.php is localized.
206				 * You can check the localized release package or
207				 * https://i18n.svn.wordpress.org/<locale code>/branches/<wp version>/dist/wp-config-sample.php
208				 */
209				__( 'put your unique phrase here' ),
210			)
211		);
212
213		if ( ! defined( 'AUTH_KEY' ) || in_array( AUTH_KEY, $default_keys, true ) ) {
214			$auth_key = get_site_option( 'recovery_mode_auth_key' );
215
216			if ( ! $auth_key ) {
217				if ( ! function_exists( 'wp_generate_password' ) ) {
218					require_once ABSPATH . WPINC . '/pluggable.php';
219				}
220
221				$auth_key = wp_generate_password( 64, true, true );
222				update_site_option( 'recovery_mode_auth_key', $auth_key );
223			}
224		} else {
225			$auth_key = AUTH_KEY;
226		}
227
228		if ( ! defined( 'AUTH_SALT' ) || in_array( AUTH_SALT, $default_keys, true ) || AUTH_SALT === $auth_key ) {
229			$auth_salt = get_site_option( 'recovery_mode_auth_salt' );
230
231			if ( ! $auth_salt ) {
232				if ( ! function_exists( 'wp_generate_password' ) ) {
233					require_once ABSPATH . WPINC . '/pluggable.php';
234				}
235
236				$auth_salt = wp_generate_password( 64, true, true );
237				update_site_option( 'recovery_mode_auth_salt', $auth_salt );
238			}
239		} else {
240			$auth_salt = AUTH_SALT;
241		}
242
243		$secret = $auth_key . $auth_salt;
244
245		return hash_hmac( 'sha1', $data, $secret );
246	}
247}
248