WordPress/wp-includes/pluggable.php

1750 lines
59 KiB
PHP
Raw Normal View History

<?php
/**
* These functions can be replaced via plugins. If plugins do not redefine these
* functions, then these will be used instead.
*
* @package WordPress
*/
if ( !function_exists('wp_set_current_user') ) :
/**
* Changes the current user by ID or name.
*
* Set $id to null and specify a name if you do not know a user's ID.
*
* Some WordPress functionality is based on the current user and not based on
* the signed in user. Therefore, it opens the ability to edit and perform
* actions on users who aren't signed in.
*
* @since 2.0.3
* @global object $current_user The current user object which holds the user data.
* @uses do_action() Calls 'set_current_user' hook after setting the current user.
*
* @param int $id User ID
* @param string $name User's username
* @return WP_User Current user User object
*/
function wp_set_current_user($id, $name = '') {
global $current_user;
if ( isset( $current_user ) && ( $current_user instanceof WP_User ) && ( $id == $current_user->ID ) )
return $current_user;
$current_user = new WP_User( $id, $name );
setup_userdata( $current_user->ID );
do_action('set_current_user');
return $current_user;
}
endif;
if ( !function_exists('wp_get_current_user') ) :
/**
* Retrieve the current user object.
*
* @since 2.0.3
*
* @return WP_User Current user WP_User object
*/
function wp_get_current_user() {
global $current_user;
get_currentuserinfo();
return $current_user;
}
endif;
if ( !function_exists('get_currentuserinfo') ) :
/**
* Populate global variables with information about the currently logged in user.
*
* Will set the current user, if the current user is not set. The current user
* will be set to the logged in person. If no user is logged in, then it will
* set the current user to 0, which is invalid and won't have any permissions.
*
* @since 0.71
* @uses $current_user Checks if the current user is set
* @uses wp_validate_auth_cookie() Retrieves current logged in user.
*
* @return bool|null False on XMLRPC Request and invalid auth cookie. Null when current user set
*/
function get_currentuserinfo() {
global $current_user;
if ( ! empty( $current_user ) ) {
if ( $current_user instanceof WP_User )
return;
// Upgrade stdClass to WP_User
if ( is_object( $current_user ) && isset( $current_user->ID ) ) {
$cur_id = $current_user->ID;
$current_user = null;
wp_set_current_user( $cur_id );
return;
}
// $current_user has a junk value. Force to WP_User with ID 0.
$current_user = null;
wp_set_current_user( 0 );
return false;
}
if ( defined('XMLRPC_REQUEST') && XMLRPC_REQUEST ) {
wp_set_current_user( 0 );
return false;
}
if ( ! $user = wp_validate_auth_cookie() ) {
if ( is_blog_admin() || is_network_admin() || empty( $_COOKIE[LOGGED_IN_COOKIE] ) || !$user = wp_validate_auth_cookie( $_COOKIE[LOGGED_IN_COOKIE], 'logged_in' ) ) {
wp_set_current_user( 0 );
return false;
}
}
wp_set_current_user( $user );
}
endif;
if ( !function_exists('get_userdata') ) :
/**
* Retrieve user info by user ID.
*
* @since 0.71
*
* @param int $user_id User ID
* @return bool|object False on failure, WP_User object on success
*/
function get_userdata( $user_id ) {
return get_user_by( 'id', $user_id );
}
endif;
if ( !function_exists('get_user_by') ) :
/**
* Retrieve user info by a given field
*
* @since 2.8.0
*
* @param string $field The field to retrieve the user with. id | slug | email | login
* @param int|string $value A value for $field. A user ID, slug, email address, or login name.
* @return bool|object False on failure, WP_User object on success
*/
function get_user_by( $field, $value ) {
$userdata = WP_User::get_data_by( $field, $value );
if ( !$userdata )
return false;
$user = new WP_User;
$user->init( $userdata );
return $user;
}
endif;
if ( !function_exists('cache_users') ) :
/**
* Retrieve info for user lists to prevent multiple queries by get_userdata()
*
* @since 3.0.0
*
* @param array $user_ids User ID numbers list
*/
function cache_users( $user_ids ) {
global $wpdb;
$clean = _get_non_cached_ids( $user_ids, 'users' );
if ( empty( $clean ) )
return;
$list = implode( ',', $clean );
$users = $wpdb->get_results( "SELECT * FROM $wpdb->users WHERE ID IN ($list)" );
$ids = array();
foreach ( $users as $user ) {
update_user_caches( $user );
$ids[] = $user->ID;
}
update_meta_cache( 'user', $ids );
}
endif;
if ( !function_exists( 'wp_mail' ) ) :
/**
* Send mail, similar to PHP's mail
*
* A true return value does not automatically mean that the user received the
* email successfully. It just only means that the method used was able to
* process the request without any errors.
*
* Using the two 'wp_mail_from' and 'wp_mail_from_name' hooks allow from
* creating a from address like 'Name <email@address.com>' when both are set. If
* just 'wp_mail_from' is set, then just the email address will be used with no
* name.
*
* The default content type is 'text/plain' which does not allow using HTML.
* However, you can set the content type of the email by using the
* 'wp_mail_content_type' filter.
*
* The default charset is based on the charset used on the blog. The charset can
* be set using the 'wp_mail_charset' filter.
*
* @since 1.2.1
* @uses apply_filters() Calls 'wp_mail' hook on an array of all of the parameters.
* @uses apply_filters() Calls 'wp_mail_from' hook to get the from email address.
* @uses apply_filters() Calls 'wp_mail_from_name' hook to get the from address name.
* @uses apply_filters() Calls 'wp_mail_content_type' hook to get the email content type.
* @uses apply_filters() Calls 'wp_mail_charset' hook to get the email charset
* @uses do_action_ref_array() Calls 'phpmailer_init' hook on the reference to
* phpmailer object.
* @uses PHPMailer
*
* @param string|array $to Array or comma-separated list of email addresses to send message.
* @param string $subject Email subject
* @param string $message Message contents
* @param string|array $headers Optional. Additional headers.
* @param string|array $attachments Optional. Files to attach.
* @return bool Whether the email contents were sent successfully.
*/
function wp_mail( $to, $subject, $message, $headers = '', $attachments = array() ) {
// Compact the input, apply the filters, and extract them back out
extract( apply_filters( 'wp_mail', compact( 'to', 'subject', 'message', 'headers', 'attachments' ) ) );
if ( !is_array($attachments) )
$attachments = explode( "\n", str_replace( "\r\n", "\n", $attachments ) );
global $phpmailer;
// (Re)create it, if it's gone missing
if ( !is_object( $phpmailer ) || !is_a( $phpmailer, 'PHPMailer' ) ) {
require_once ABSPATH . WPINC . '/class-phpmailer.php';
require_once ABSPATH . WPINC . '/class-smtp.php';
$phpmailer = new PHPMailer( true );
}
// Headers
if ( empty( $headers ) ) {
$headers = array();
} else {
if ( !is_array( $headers ) ) {
// Explode the headers out, so this function can take both
// string headers and an array of headers.
$tempheaders = explode( "\n", str_replace( "\r\n", "\n", $headers ) );
} else {
$tempheaders = $headers;
}
$headers = array();
$cc = array();
$bcc = array();
// If it's actually got contents
if ( !empty( $tempheaders ) ) {
// Iterate through the raw headers
foreach ( (array) $tempheaders as $header ) {
if ( strpos($header, ':') === false ) {
if ( false !== stripos( $header, 'boundary=' ) ) {
$parts = preg_split('/boundary=/i', trim( $header ) );
$boundary = trim( str_replace( array( "'", '"' ), '', $parts[1] ) );
}
continue;
}
// Explode them out
list( $name, $content ) = explode( ':', trim( $header ), 2 );
// Cleanup crew
$name = trim( $name );
$content = trim( $content );
switch ( strtolower( $name ) ) {
// Mainly for legacy -- process a From: header if it's there
case 'from':
if ( strpos($content, '<' ) !== false ) {
// So... making my life hard again?
$from_name = substr( $content, 0, strpos( $content, '<' ) - 1 );
$from_name = str_replace( '"', '', $from_name );
$from_name = trim( $from_name );
$from_email = substr( $content, strpos( $content, '<' ) + 1 );
$from_email = str_replace( '>', '', $from_email );
$from_email = trim( $from_email );
} else {
$from_email = trim( $content );
}
break;
case 'content-type':
if ( strpos( $content, ';' ) !== false ) {
list( $type, $charset ) = explode( ';', $content );
$content_type = trim( $type );
if ( false !== stripos( $charset, 'charset=' ) ) {
$charset = trim( str_replace( array( 'charset=', '"' ), '', $charset ) );
} elseif ( false !== stripos( $charset, 'boundary=' ) ) {
$boundary = trim( str_replace( array( 'BOUNDARY=', 'boundary=', '"' ), '', $charset ) );
$charset = '';
}
} else {
$content_type = trim( $content );
}
break;
case 'cc':
$cc = array_merge( (array) $cc, explode( ',', $content ) );
break;
case 'bcc':
$bcc = array_merge( (array) $bcc, explode( ',', $content ) );
break;
default:
// Add it to our grand headers array
$headers[trim( $name )] = trim( $content );
break;
}
}
}
}
// Empty out the values that may be set
$phpmailer->ClearAddresses();
$phpmailer->ClearAllRecipients();
$phpmailer->ClearAttachments();
$phpmailer->ClearBCCs();
$phpmailer->ClearCCs();
$phpmailer->ClearCustomHeaders();
$phpmailer->ClearReplyTos();
// From email and name
// If we don't have a name from the input headers
if ( !isset( $from_name ) )
$from_name = 'WordPress';
/* If we don't have an email from the input headers default to wordpress@$sitename
* Some hosts will block outgoing mail from this address if it doesn't exist but
* there's no easy alternative. Defaulting to admin_email might appear to be another
* option but some hosts may refuse to relay mail from an unknown domain. See
* http://trac.wordpress.org/ticket/5007.
*/
if ( !isset( $from_email ) ) {
// Get the site domain and get rid of www.
$sitename = strtolower( $_SERVER['SERVER_NAME'] );
if ( substr( $sitename, 0, 4 ) == 'www.' ) {
$sitename = substr( $sitename, 4 );
}
$from_email = 'wordpress@' . $sitename;
}
// Plugin authors can override the potentially troublesome default
$phpmailer->From = apply_filters( 'wp_mail_from' , $from_email );
$phpmailer->FromName = apply_filters( 'wp_mail_from_name', $from_name );
// Set destination addresses
if ( !is_array( $to ) )
$to = explode( ',', $to );
foreach ( (array) $to as $recipient ) {
try {
// Break $recipient into name and address parts if in the format "Foo <bar@baz.com>"
$recipient_name = '';
if( preg_match( '/(.*)<(.+)>/', $recipient, $matches ) ) {
if ( count( $matches ) == 3 ) {
$recipient_name = $matches[1];
$recipient = $matches[2];
}
}
$phpmailer->AddAddress( $recipient, $recipient_name);
} catch ( phpmailerException $e ) {
continue;
}
}
// Set mail's subject and body
$phpmailer->Subject = $subject;
$phpmailer->Body = $message;
// Add any CC and BCC recipients
if ( !empty( $cc ) ) {
foreach ( (array) $cc as $recipient ) {
try {
// Break $recipient into name and address parts if in the format "Foo <bar@baz.com>"
$recipient_name = '';
if( preg_match( '/(.*)<(.+)>/', $recipient, $matches ) ) {
if ( count( $matches ) == 3 ) {
$recipient_name = $matches[1];
$recipient = $matches[2];
}
}
$phpmailer->AddCc( $recipient, $recipient_name );
} catch ( phpmailerException $e ) {
continue;
}
}
}
if ( !empty( $bcc ) ) {
foreach ( (array) $bcc as $recipient) {
try {
// Break $recipient into name and address parts if in the format "Foo <bar@baz.com>"
$recipient_name = '';
if( preg_match( '/(.*)<(.+)>/', $recipient, $matches ) ) {
if ( count( $matches ) == 3 ) {
$recipient_name = $matches[1];
$recipient = $matches[2];
}
}
$phpmailer->AddBcc( $recipient, $recipient_name );
} catch ( phpmailerException $e ) {
continue;
}
}
}
// Set to use PHP's mail()
$phpmailer->IsMail();
// Set Content-Type and charset
// If we don't have a content-type from the input headers
if ( !isset( $content_type ) )
$content_type = 'text/plain';
$content_type = apply_filters( 'wp_mail_content_type', $content_type );
$phpmailer->ContentType = $content_type;
// Set whether it's plaintext, depending on $content_type
if ( 'text/html' == $content_type )
$phpmailer->IsHTML( true );
// If we don't have a charset from the input headers
if ( !isset( $charset ) )
$charset = get_bloginfo( 'charset' );
// Set the content-type and charset
$phpmailer->CharSet = apply_filters( 'wp_mail_charset', $charset );
// Set custom headers
if ( !empty( $headers ) ) {
foreach( (array) $headers as $name => $content ) {
$phpmailer->AddCustomHeader( sprintf( '%1$s: %2$s', $name, $content ) );
}
if ( false !== stripos( $content_type, 'multipart' ) && ! empty($boundary) )
$phpmailer->AddCustomHeader( sprintf( "Content-Type: %s;\n\t boundary=\"%s\"", $content_type, $boundary ) );
}
if ( !empty( $attachments ) ) {
foreach ( $attachments as $attachment ) {
try {
$phpmailer->AddAttachment($attachment);
} catch ( phpmailerException $e ) {
continue;
}
}
}
do_action_ref_array( 'phpmailer_init', array( &$phpmailer ) );
// Send!
try {
$phpmailer->Send();
} catch ( phpmailerException $e ) {
return false;
}
return true;
}
endif;
if ( !function_exists('wp_authenticate') ) :
/**
* Checks a user's login information and logs them in if it checks out.
*
* @since 2.5.0
*
* @param string $username User's username
* @param string $password User's password
* @return WP_Error|WP_User WP_User object if login successful, otherwise WP_Error object.
*/
function wp_authenticate($username, $password) {
$username = sanitize_user($username);
$password = trim($password);
$user = apply_filters('authenticate', null, $username, $password);
if ( $user == null ) {
// TODO what should the error message be? (Or would these even happen?)
// Only needed if all authentication handlers fail to return anything.
$user = new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Invalid username or incorrect password.'));
}
$ignore_codes = array('empty_username', 'empty_password');
if (is_wp_error($user) && !in_array($user->get_error_code(), $ignore_codes) ) {
do_action('wp_login_failed', $username);
}
return $user;
}
endif;
if ( !function_exists('wp_logout') ) :
/**
* Log the current user out.
*
* @since 2.5.0
*/
function wp_logout() {
wp_clear_auth_cookie();
do_action('wp_logout');
}
endif;
if ( !function_exists('wp_validate_auth_cookie') ) :
/**
* Validates authentication cookie.
*
* The checks include making sure that the authentication cookie is set and
* pulling in the contents (if $cookie is not used).
*
* Makes sure the cookie is not expired. Verifies the hash in cookie is what is
* should be and compares the two.
*
* @since 2.5
*
* @param string $cookie Optional. If used, will validate contents instead of cookie's
* @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
* @return bool|int False if invalid cookie, User ID if valid.
*/
function wp_validate_auth_cookie($cookie = '', $scheme = '') {
if ( ! $cookie_elements = wp_parse_auth_cookie($cookie, $scheme) ) {
do_action('auth_cookie_malformed', $cookie, $scheme);
return false;
}
extract($cookie_elements, EXTR_OVERWRITE);
$expired = $expiration;
// Allow a grace period for POST and AJAX requests
if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] )
$expired += HOUR_IN_SECONDS;
// Quick check to see if an honest cookie has expired
if ( $expired < time() ) {
do_action('auth_cookie_expired', $cookie_elements);
return false;
}
$user = get_user_by('login', $username);
if ( ! $user ) {
do_action('auth_cookie_bad_username', $cookie_elements);
return false;
}
$pass_frag = substr($user->user_pass, 8, 4);
$key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);
$hash = hash_hmac('md5', $username . '|' . $expiration, $key);
if ( $hmac != $hash ) {
do_action('auth_cookie_bad_hash', $cookie_elements);
return false;
}
if ( $expiration < time() ) // AJAX/POST grace period set above
$GLOBALS['login_grace_period'] = 1;
do_action('auth_cookie_valid', $cookie_elements, $user);
return $user->ID;
}
endif;
if ( !function_exists('wp_generate_auth_cookie') ) :
/**
* Generate authentication cookie contents.
*
* @since 2.5
* @uses apply_filters() Calls 'auth_cookie' hook on $cookie contents, User ID
* and expiration of cookie.
*
* @param int $user_id User ID
* @param int $expiration Cookie expiration in seconds
* @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
* @return string Authentication cookie contents
*/
function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') {
$user = get_userdata($user_id);
$pass_frag = substr($user->user_pass, 8, 4);
$key = wp_hash($user->user_login . $pass_frag . '|' . $expiration, $scheme);
$hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);
$cookie = $user->user_login . '|' . $expiration . '|' . $hash;
return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $scheme);
}
endif;
if ( !function_exists('wp_parse_auth_cookie') ) :
/**
* Parse a cookie into its components
*
* @since 2.7
*
* @param string $cookie
* @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
* @return array Authentication cookie components
*/
function wp_parse_auth_cookie($cookie = '', $scheme = '') {
if ( empty($cookie) ) {
switch ($scheme){
case 'auth':
$cookie_name = AUTH_COOKIE;
break;
case 'secure_auth':
$cookie_name = SECURE_AUTH_COOKIE;
break;
case "logged_in":
$cookie_name = LOGGED_IN_COOKIE;
break;
default:
if ( is_ssl() ) {
$cookie_name = SECURE_AUTH_COOKIE;
$scheme = 'secure_auth';
} else {
$cookie_name = AUTH_COOKIE;
$scheme = 'auth';
}
}
if ( empty($_COOKIE[$cookie_name]) )
return false;
$cookie = $_COOKIE[$cookie_name];
}
$cookie_elements = explode('|', $cookie);
if ( count($cookie_elements) != 3 )
return false;
list($username, $expiration, $hmac) = $cookie_elements;
return compact('username', 'expiration', 'hmac', 'scheme');
}
endif;
if ( !function_exists('wp_set_auth_cookie') ) :
/**
* Sets the authentication cookies based User ID.
*
* The $remember parameter increases the time that the cookie will be kept. The
* default the cookie is kept without remembering is two days. When $remember is
* set, the cookies will be kept for 14 days or two weeks.
*
* @since 2.5
*
* @param int $user_id User ID
* @param bool $remember Whether to remember the user
*/
function wp_set_auth_cookie($user_id, $remember = false, $secure = '') {
if ( $remember ) {
$expiration = $expire = time() + apply_filters('auth_cookie_expiration', 14 * DAY_IN_SECONDS, $user_id, $remember);
} else {
$expiration = time() + apply_filters('auth_cookie_expiration', 2 * DAY_IN_SECONDS, $user_id, $remember);
$expire = 0;
}
if ( '' === $secure )
$secure = is_ssl();
$secure = apply_filters('secure_auth_cookie', $secure, $user_id);
$secure_logged_in_cookie = apply_filters('secure_logged_in_cookie', false, $user_id, $secure);
if ( $secure ) {
$auth_cookie_name = SECURE_AUTH_COOKIE;
$scheme = 'secure_auth';
} else {
$auth_cookie_name = AUTH_COOKIE;
$scheme = 'auth';
}
$auth_cookie = wp_generate_auth_cookie($user_id, $expiration, $scheme);
$logged_in_cookie = wp_generate_auth_cookie($user_id, $expiration, 'logged_in');
do_action('set_auth_cookie', $auth_cookie, $expire, $expiration, $user_id, $scheme);
do_action('set_logged_in_cookie', $logged_in_cookie, $expire, $expiration, $user_id, 'logged_in');
setcookie($auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
setcookie($auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true);
if ( COOKIEPATH != SITECOOKIEPATH )
setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true);
}
endif;
if ( !function_exists('wp_clear_auth_cookie') ) :
/**
* Removes all of the cookies associated with authentication.
*
* @since 2.5
*/
function wp_clear_auth_cookie() {
do_action('clear_auth_cookie');
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
// Old cookies
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
// Even older cookies
setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
}
endif;
if ( !function_exists('is_user_logged_in') ) :
/**
* Checks if the current visitor is a logged in user.
*
* @since 2.0.0
*
* @return bool True if user is logged in, false if not logged in.
*/
function is_user_logged_in() {
$user = wp_get_current_user();
if ( ! $user->exists() )
return false;
return true;
}
endif;
if ( !function_exists('auth_redirect') ) :
/**
* Checks if a user is logged in, if not it redirects them to the login page.
*
* @since 1.5
*/
function auth_redirect() {
// Checks if a user is logged in, if not redirects them to the login page
$secure = ( is_ssl() || force_ssl_admin() );
$secure = apply_filters('secure_auth_redirect', $secure);
// If https is required and request is http, redirect
if ( $secure && !is_ssl() && false !== strpos($_SERVER['REQUEST_URI'], 'wp-admin') ) {
if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) {
wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
exit();
} else {
wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
exit();
}
}
if ( is_user_admin() )
$scheme = 'logged_in';
else
$scheme = apply_filters( 'auth_redirect_scheme', '' );
if ( $user_id = wp_validate_auth_cookie( '', $scheme) ) {
do_action('auth_redirect', $user_id);
// If the user wants ssl but the session is not ssl, redirect.
if ( !$secure && get_user_option('use_ssl', $user_id) && false !== strpos($_SERVER['REQUEST_URI'], 'wp-admin') ) {
if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) {
wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
exit();
} else {
wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
exit();
}
}
return; // The cookie is good so we're done
}
// The cookie is no good so force login
nocache_headers();
Change all core API to expect unslashed rather than slashed arguments. The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now. Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet. Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed. Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary. Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core. Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests. Plugins should use wp_unslash() on data being passed to core API. Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer. Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data. Remove many no longer necessary calls to $wpdb->escape() and esc_sql(). In wp_get_referer() and wp_get_original_referer(), return unslashed data. Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget. Switch several queries over to prepare(). Expect something to break. Props alexkingorg see #21767 git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-14 23:51:06 +01:00
$redirect = ( strpos( $_SERVER['REQUEST_URI'], '/options.php' ) && wp_get_referer() ) ? wp_get_referer() : set_url_scheme( 'http://' . wp_unslash( $_SERVER['HTTP_HOST'] ) . wp_unslash( $_SERVER['REQUEST_URI'] ) );
$login_url = wp_login_url($redirect, true);
wp_redirect($login_url);
exit();
}
endif;
if ( !function_exists('check_admin_referer') ) :
/**
* Makes sure that a user was referred from another admin page.
*
* To avoid security exploits.
*
* @since 1.2.0
* @uses do_action() Calls 'check_admin_referer' on $action.
*
* @param string $action Action nonce
* @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
*/
function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
if ( -1 == $action )
_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2' );
$adminurl = strtolower(admin_url());
$referer = strtolower(wp_get_referer());
$result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;
if ( !$result && !(-1 == $action && strpos($referer, $adminurl) === 0) ) {
wp_nonce_ays($action);
die();
}
do_action('check_admin_referer', $action, $result);
return $result;
}
endif;
if ( !function_exists('check_ajax_referer') ) :
/**
* Verifies the AJAX request to prevent processing requests external of the blog.
*
* @since 2.0.3
*
* @param string $action Action nonce
* @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
*/
function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
if ( $query_arg )
$nonce = $_REQUEST[$query_arg];
else
$nonce = isset($_REQUEST['_ajax_nonce']) ? $_REQUEST['_ajax_nonce'] : $_REQUEST['_wpnonce'];
$result = wp_verify_nonce( $nonce, $action );
if ( $die && false == $result ) {
if ( defined( 'DOING_AJAX' ) && DOING_AJAX )
wp_die( -1 );
else
die( '-1' );
}
do_action('check_ajax_referer', $action, $result);
return $result;
}
endif;
if ( !function_exists('wp_redirect') ) :
/**
* Redirects to another page.
*
* @since 1.5.1
* @uses apply_filters() Calls 'wp_redirect' hook on $location and $status.
*
* @param string $location The path to redirect to
* @param int $status Status code to use
* @return bool False if $location is not set
*/
function wp_redirect($location, $status = 302) {
global $is_IIS;
$location = apply_filters('wp_redirect', $location, $status);
$status = apply_filters('wp_redirect_status', $status, $location);
if ( !$location ) // allows the wp_redirect filter to cancel a redirect
return false;
$location = wp_sanitize_redirect($location);
if ( !$is_IIS && php_sapi_name() != 'cgi-fcgi' )
status_header($status); // This causes problems on IIS and some FastCGI setups
header("Location: $location", true, $status);
}
endif;
if ( !function_exists('wp_sanitize_redirect') ) :
/**
* Sanitizes a URL for use in a redirect.
*
* @since 2.3
*
* @return string redirect-sanitized URL
**/
function wp_sanitize_redirect($location) {
$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!]|i', '', $location);
$location = wp_kses_no_null($location);
// remove %0d and %0a from location
$strip = array('%0d', '%0a', '%0D', '%0A');
$location = _deep_replace($strip, $location);
return $location;
}
endif;
if ( !function_exists('wp_safe_redirect') ) :
/**
* Performs a safe (local) redirect, using wp_redirect().
*
* Checks whether the $location is using an allowed host, if it has an absolute
* path. A plugin can therefore set or remove allowed host(s) to or from the
* list.
*
* If the host is not allowed, then the redirect is to wp-admin on the siteurl
* instead. This prevents malicious redirects which redirect to another host,
* but only used in a few places.
*
* @since 2.3
* @uses wp_validate_redirect() To validate the redirect is to an allowed host.
*
* @return void Does not return anything
**/
function wp_safe_redirect($location, $status = 302) {
// Need to look at the URL the way it will end up in wp_redirect()
$location = wp_sanitize_redirect($location);
$location = wp_validate_redirect($location, admin_url());
wp_redirect($location, $status);
}
endif;
if ( !function_exists('wp_validate_redirect') ) :
/**
* Validates a URL for use in a redirect.
*
* Checks whether the $location is using an allowed host, if it has an absolute
* path. A plugin can therefore set or remove allowed host(s) to or from the
* list.
*
* If the host is not allowed, then the redirect is to $default supplied
*
* @since 2.8.1
* @uses apply_filters() Calls 'allowed_redirect_hosts' on an array containing
* WordPress host string and $location host string.
*
* @param string $location The redirect to validate
* @param string $default The value to return if $location is not allowed
* @return string redirect-sanitized URL
**/
function wp_validate_redirect($location, $default = '') {
// browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
if ( substr($location, 0, 2) == '//' )
$location = 'http:' . $location;
// In php 5 parse_url may fail if the URL query part contains http://, bug #38143
$test = ( $cut = strpos($location, '?') ) ? substr( $location, 0, $cut ) : $location;
$lp = parse_url($test);
// Give up if malformed URL
if ( false === $lp )
return $default;
// Allow only http and https schemes. No data:, etc.
if ( isset($lp['scheme']) && !('http' == $lp['scheme'] || 'https' == $lp['scheme']) )
return $default;
// Reject if scheme is set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
if ( isset($lp['scheme']) && !isset($lp['host']) )
return $default;
$wpp = parse_url(home_url());
$allowed_hosts = (array) apply_filters('allowed_redirect_hosts', array($wpp['host']), isset($lp['host']) ? $lp['host'] : '');
if ( isset($lp['host']) && ( !in_array($lp['host'], $allowed_hosts) && $lp['host'] != strtolower($wpp['host'])) )
$location = $default;
return $location;
}
endif;
if ( ! function_exists('wp_notify_postauthor') ) :
/**
* Notify an author of a comment/trackback/pingback to one of their posts.
*
* @since 1.0.0
*
* @param int $comment_id Comment ID
* @param string $comment_type Optional. The comment type either 'comment' (default), 'trackback', or 'pingback'
* @return bool False if user email does not exist. True on completion.
*/
function wp_notify_postauthor( $comment_id, $comment_type = '' ) {
$comment = get_comment( $comment_id );
$post = get_post( $comment->comment_post_ID );
$author = get_userdata( $post->post_author );
// The post author is no longer a member of the blog
if ( ! is_user_member_of_blog( $post->post_author ) )
return false;
// The comment was left by the author
if ( $comment->user_id == $post->post_author )
return false;
// The author moderated a comment on his own post
if ( $post->post_author == get_current_user_id() )
return false;
// If there's no email to send the comment to
if ( '' == $author->user_email )
return false;
$comment_author_domain = @gethostbyaddr($comment->comment_author_IP);
// The blogname option is escaped with esc_html on the way into the database in sanitize_option
// we want to reverse this for the plain text arena of emails.
$blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
if ( empty( $comment_type ) ) $comment_type = 'comment';
if ('comment' == $comment_type) {
$notify_message = sprintf( __( 'New comment on your post "%s"' ), $post->post_title ) . "\r\n";
/* translators: 1: comment author, 2: author IP, 3: author domain */
$notify_message .= sprintf( __('Author : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
$notify_message .= sprintf( __('E-mail : %s'), $comment->comment_author_email ) . "\r\n";
$notify_message .= sprintf( __('URL : %s'), $comment->comment_author_url ) . "\r\n";
$notify_message .= sprintf( __('Whois : http://whois.arin.net/rest/ip/%s'), $comment->comment_author_IP ) . "\r\n";
$notify_message .= __('Comment: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
$notify_message .= __('You can see all comments on this post here: ') . "\r\n";
/* translators: 1: blog name, 2: post title */
$subject = sprintf( __('[%1$s] Comment: "%2$s"'), $blogname, $post->post_title );
} elseif ('trackback' == $comment_type) {
$notify_message = sprintf( __( 'New trackback on your post "%s"' ), $post->post_title ) . "\r\n";
/* translators: 1: website name, 2: author IP, 3: author domain */
$notify_message .= sprintf( __('Website: %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
$notify_message .= sprintf( __('URL : %s'), $comment->comment_author_url ) . "\r\n";
$notify_message .= __('Excerpt: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
$notify_message .= __('You can see all trackbacks on this post here: ') . "\r\n";
/* translators: 1: blog name, 2: post title */
$subject = sprintf( __('[%1$s] Trackback: "%2$s"'), $blogname, $post->post_title );
} elseif ('pingback' == $comment_type) {
$notify_message = sprintf( __( 'New pingback on your post "%s"' ), $post->post_title ) . "\r\n";
/* translators: 1: comment author, 2: author IP, 3: author domain */
$notify_message .= sprintf( __('Website: %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
$notify_message .= sprintf( __('URL : %s'), $comment->comment_author_url ) . "\r\n";
$notify_message .= __('Excerpt: ') . "\r\n" . sprintf('[...] %s [...]', $comment->comment_content ) . "\r\n\r\n";
$notify_message .= __('You can see all pingbacks on this post here: ') . "\r\n";
/* translators: 1: blog name, 2: post title */
$subject = sprintf( __('[%1$s] Pingback: "%2$s"'), $blogname, $post->post_title );
}
$notify_message .= get_permalink($comment->comment_post_ID) . "#comments\r\n\r\n";
$notify_message .= sprintf( __('Permalink: %s'), get_permalink( $comment->comment_post_ID ) . '#comment-' . $comment_id ) . "\r\n";
if ( EMPTY_TRASH_DAYS )
$notify_message .= sprintf( __('Trash it: %s'), admin_url("comment.php?action=trash&c=$comment_id") ) . "\r\n";
else
$notify_message .= sprintf( __('Delete it: %s'), admin_url("comment.php?action=delete&c=$comment_id") ) . "\r\n";
$notify_message .= sprintf( __('Spam it: %s'), admin_url("comment.php?action=spam&c=$comment_id") ) . "\r\n";
$wp_email = 'wordpress@' . preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME']));
if ( '' == $comment->comment_author ) {
$from = "From: \"$blogname\" <$wp_email>";
if ( '' != $comment->comment_author_email )
$reply_to = "Reply-To: $comment->comment_author_email";
} else {
$from = "From: \"$comment->comment_author\" <$wp_email>";
if ( '' != $comment->comment_author_email )
$reply_to = "Reply-To: \"$comment->comment_author_email\" <$comment->comment_author_email>";
}
$message_headers = "$from\n"
. "Content-Type: text/plain; charset=\"" . get_option('blog_charset') . "\"\n";
if ( isset($reply_to) )
$message_headers .= $reply_to . "\n";
$notify_message = apply_filters('comment_notification_text', $notify_message, $comment_id);
$subject = apply_filters('comment_notification_subject', $subject, $comment_id);
$message_headers = apply_filters('comment_notification_headers', $message_headers, $comment_id);
@wp_mail( $author->user_email, $subject, $notify_message, $message_headers );
return true;
}
endif;
if ( !function_exists('wp_notify_moderator') ) :
/**
* Notifies the moderator of the blog about a new comment that is awaiting approval.
*
* @since 1.0
* @uses $wpdb
*
* @param int $comment_id Comment ID
* @return bool Always returns true
*/
function wp_notify_moderator($comment_id) {
global $wpdb;
if ( 0 == get_option( 'moderation_notify' ) )
return true;
$comment = get_comment($comment_id);
$post = get_post($comment->comment_post_ID);
$user = get_userdata( $post->post_author );
// Send to the administration and to the post author if the author can modify the comment.
$email_to = array( get_option('admin_email') );
if ( user_can($user->ID, 'edit_comment', $comment_id) && !empty($user->user_email) && ( get_option('admin_email') != $user->user_email) )
$email_to[] = $user->user_email;
$comment_author_domain = @gethostbyaddr($comment->comment_author_IP);
$comments_waiting = $wpdb->get_var("SELECT count(comment_ID) FROM $wpdb->comments WHERE comment_approved = '0'");
// The blogname option is escaped with esc_html on the way into the database in sanitize_option
// we want to reverse this for the plain text arena of emails.
$blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
switch ($comment->comment_type)
{
case 'trackback':
$notify_message = sprintf( __('A new trackback on the post "%s" is waiting for your approval'), $post->post_title ) . "\r\n";
$notify_message .= get_permalink($comment->comment_post_ID) . "\r\n\r\n";
$notify_message .= sprintf( __('Website : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
$notify_message .= sprintf( __('URL : %s'), $comment->comment_author_url ) . "\r\n";
$notify_message .= __('Trackback excerpt: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
break;
case 'pingback':
$notify_message = sprintf( __('A new pingback on the post "%s" is waiting for your approval'), $post->post_title ) . "\r\n";
$notify_message .= get_permalink($comment->comment_post_ID) . "\r\n\r\n";
$notify_message .= sprintf( __('Website : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
$notify_message .= sprintf( __('URL : %s'), $comment->comment_author_url ) . "\r\n";
$notify_message .= __('Pingback excerpt: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
break;
default: //Comments
$notify_message = sprintf( __('A new comment on the post "%s" is waiting for your approval'), $post->post_title ) . "\r\n";
$notify_message .= get_permalink($comment->comment_post_ID) . "\r\n\r\n";
$notify_message .= sprintf( __('Author : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
$notify_message .= sprintf( __('E-mail : %s'), $comment->comment_author_email ) . "\r\n";
$notify_message .= sprintf( __('URL : %s'), $comment->comment_author_url ) . "\r\n";
$notify_message .= sprintf( __('Whois : http://whois.arin.net/rest/ip/%s'), $comment->comment_author_IP ) . "\r\n";
$notify_message .= __('Comment: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
break;
}
$notify_message .= sprintf( __('Approve it: %s'), admin_url("comment.php?action=approve&c=$comment_id") ) . "\r\n";
if ( EMPTY_TRASH_DAYS )
$notify_message .= sprintf( __('Trash it: %s'), admin_url("comment.php?action=trash&c=$comment_id") ) . "\r\n";
else
$notify_message .= sprintf( __('Delete it: %s'), admin_url("comment.php?action=delete&c=$comment_id") ) . "\r\n";
$notify_message .= sprintf( __('Spam it: %s'), admin_url("comment.php?action=spam&c=$comment_id") ) . "\r\n";
$notify_message .= sprintf( _n('Currently %s comment is waiting for approval. Please visit the moderation panel:',
'Currently %s comments are waiting for approval. Please visit the moderation panel:', $comments_waiting), number_format_i18n($comments_waiting) ) . "\r\n";
$notify_message .= admin_url("edit-comments.php?comment_status=moderated") . "\r\n";
$subject = sprintf( __('[%1$s] Please moderate: "%2$s"'), $blogname, $post->post_title );
$message_headers = '';
$notify_message = apply_filters('comment_moderation_text', $notify_message, $comment_id);
$subject = apply_filters('comment_moderation_subject', $subject, $comment_id);
$message_headers = apply_filters('comment_moderation_headers', $message_headers);
foreach ( $email_to as $email )
@wp_mail($email, $subject, $notify_message, $message_headers);
return true;
}
endif;
if ( !function_exists('wp_password_change_notification') ) :
/**
* Notify the blog admin of a user changing password, normally via email.
*
* @since 2.7
*
* @param object $user User Object
*/
function wp_password_change_notification(&$user) {
// send a copy of password change notification to the admin
// but check to see if it's the admin whose password we're changing, and skip this
if ( $user->user_email != get_option('admin_email') ) {
$message = sprintf(__('Password Lost and Changed for user: %s'), $user->user_login) . "\r\n";
// The blogname option is escaped with esc_html on the way into the database in sanitize_option
// we want to reverse this for the plain text arena of emails.
$blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
wp_mail(get_option('admin_email'), sprintf(__('[%s] Password Lost/Changed'), $blogname), $message);
}
}
endif;
if ( !function_exists('wp_new_user_notification') ) :
/**
* Notify the blog admin of a new user, normally via email.
*
* @since 2.0
*
* @param int $user_id User ID
* @param string $plaintext_pass Optional. The user's plaintext password
*/
function wp_new_user_notification($user_id, $plaintext_pass = '') {
$user = get_userdata( $user_id );
Change all core API to expect unslashed rather than slashed arguments. The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now. Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet. Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed. Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary. Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core. Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests. Plugins should use wp_unslash() on data being passed to core API. Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer. Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data. Remove many no longer necessary calls to $wpdb->escape() and esc_sql(). In wp_get_referer() and wp_get_original_referer(), return unslashed data. Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget. Switch several queries over to prepare(). Expect something to break. Props alexkingorg see #21767 git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-14 23:51:06 +01:00
$user_login = $user->user_login;
$user_email = $user->user_email;
// The blogname option is escaped with esc_html on the way into the database in sanitize_option
// we want to reverse this for the plain text arena of emails.
$blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
$message = sprintf(__('New user registration on your site %s:'), $blogname) . "\r\n\r\n";
$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
$message .= sprintf(__('E-mail: %s'), $user_email) . "\r\n";
@wp_mail(get_option('admin_email'), sprintf(__('[%s] New User Registration'), $blogname), $message);
if ( empty($plaintext_pass) )
return;
$message = sprintf(__('Username: %s'), $user_login) . "\r\n";
$message .= sprintf(__('Password: %s'), $plaintext_pass) . "\r\n";
$message .= wp_login_url() . "\r\n";
wp_mail($user_email, sprintf(__('[%s] Your username and password'), $blogname), $message);
}
endif;
if ( !function_exists('wp_nonce_tick') ) :
/**
* Get the time-dependent variable for nonce creation.
*
* A nonce has a lifespan of two ticks. Nonces in their second tick may be
* updated, e.g. by autosave.
*
* @since 2.5
*
* @return int
*/
function wp_nonce_tick() {
$nonce_life = apply_filters( 'nonce_life', DAY_IN_SECONDS );
return ceil(time() / ( $nonce_life / 2 ));
}
endif;
if ( !function_exists('wp_verify_nonce') ) :
/**
* Verify that correct nonce was used with time limit.
*
* The user is given an amount of time to use the token, so therefore, since the
* UID and $action remain the same, the independent variable is the time.
*
* @since 2.0.3
*
* @param string $nonce Nonce that was used in the form to verify
* @param string|int $action Should give context to what is taking place and be the same when nonce was created.
* @return bool Whether the nonce check passed or failed.
*/
function wp_verify_nonce($nonce, $action = -1) {
$user = wp_get_current_user();
$uid = (int) $user->ID;
if ( ! $uid )
$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
$i = wp_nonce_tick();
// Nonce generated 0-12 hours ago
if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) == $nonce )
return 1;
// Nonce generated 12-24 hours ago
if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) == $nonce )
return 2;
// Invalid nonce
return false;
}
endif;
if ( !function_exists('wp_create_nonce') ) :
/**
* Creates a random, one time use token.
*
* @since 2.0.3
*
* @param string|int $action Scalar value to add context to the nonce.
* @return string The one use form token
*/
function wp_create_nonce($action = -1) {
$user = wp_get_current_user();
$uid = (int) $user->ID;
if ( ! $uid )
$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
$i = wp_nonce_tick();
return substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10);
}
endif;
if ( !function_exists('wp_salt') ) :
/**
* Get salt to add to hashes.
*
* Salts are created using secret keys. Secret keys are located in two places:
* in the database and in the wp-config.php file. The secret key in the database
* is randomly generated and will be appended to the secret keys in wp-config.php.
*
* The secret keys in wp-config.php should be updated to strong, random keys to maximize
* security. Below is an example of how the secret key constants are defined.
* Do not paste this example directly into wp-config.php. Instead, have a
* {@link https://api.wordpress.org/secret-key/1.1/salt/ secret key created} just
* for you.
*
* <code>
* define('AUTH_KEY', ' Xakm<o xQy rw4EMsLKM-?!T+,PFF})H4lzcW57AF0U@N@< >M%G4Yt>f`z]MON');
* define('SECURE_AUTH_KEY', 'LzJ}op]mr|6+![P}Ak:uNdJCJZd>(Hx.-Mh#Tz)pCIU#uGEnfFz|f ;;eU%/U^O~');
* define('LOGGED_IN_KEY', '|i|Ux`9<p-h$aFf(qnT:sDO:D1P^wZ$$/Ra@miTJi9G;ddp_<q}6H1)o|a +&JCM');
* define('NONCE_KEY', '%:R{[P|,s.KuMltH5}cI;/k<Gx~j!f0I)m_sIyu+&NJZ)-iO>z7X>QYR0Z_XnZ@|');
* define('AUTH_SALT', 'eZyT)-Naw]F8CwA*VaW#q*|.)g@o}||wf~@C-YSt}(dh_r6EbI#A,y|nU2{B#JBW');
* define('SECURE_AUTH_SALT', '!=oLUTXh,QW=H `}`L|9/^4-3 STz},T(w}W<I`.JjPi)<Bmf1v,HpGe}T1:Xt7n');
* define('LOGGED_IN_SALT', '+XSqHc;@Q*K_b|Z?NC[3H!!EONbh.n<+=uKR:>*c(u`g~EJBf#8u#R{mUEZrozmm');
* define('NONCE_SALT', 'h`GXHhD>SLWVfg1(1(N{;.V!MoE(SfbA_ksP@&`+AycHcAV$+?@3q+rxV{%^VyKT');
* </code>
*
* Salting passwords helps against tools which has stored hashed values of
* common dictionary strings. The added values makes it harder to crack.
*
* @since 2.5
*
* @link https://api.wordpress.org/secret-key/1.1/salt/ Create secrets for wp-config.php
*
* @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce)
* @return string Salt value
*/
function wp_salt( $scheme = 'auth' ) {
static $cached_salts = array();
if ( isset( $cached_salts[ $scheme ] ) )
return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme );
static $duplicated_keys;
if ( null === $duplicated_keys ) {
$duplicated_keys = array( 'put your unique phrase here' => true );
foreach ( array( 'AUTH', 'SECURE_AUTH', 'LOGGED_IN', 'NONCE', 'SECRET' ) as $first ) {
foreach ( array( 'KEY', 'SALT' ) as $second ) {
if ( ! defined( "{$first}_{$second}" ) )
continue;
$value = constant( "{$first}_{$second}" );
$duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] );
}
}
}
$key = $salt = '';
if ( defined( 'SECRET_KEY' ) && SECRET_KEY && empty( $duplicated_keys[ SECRET_KEY ] ) )
$key = SECRET_KEY;
if ( 'auth' == $scheme && defined( 'SECRET_SALT' ) && SECRET_SALT && empty( $duplicated_keys[ SECRET_SALT ] ) )
$salt = SECRET_SALT;
if ( in_array( $scheme, array( 'auth', 'secure_auth', 'logged_in', 'nonce' ) ) ) {
foreach ( array( 'key', 'salt' ) as $type ) {
$const = strtoupper( "{$scheme}_{$type}" );
if ( defined( $const ) && constant( $const ) && empty( $duplicated_keys[ constant( $const ) ] ) ) {
$$type = constant( $const );
} elseif ( ! $$type ) {
$$type = get_site_option( "{$scheme}_{$type}" );
if ( ! $$type ) {
$$type = wp_generate_password( 64, true, true );
update_site_option( "{$scheme}_{$type}", $$type );
}
}
}
} else {
if ( ! $key ) {
$key = get_site_option( 'secret_key' );
if ( ! $key ) {
$key = wp_generate_password( 64, true, true );
update_site_option( 'secret_key', $key );
}
}
$salt = hash_hmac( 'md5', $scheme, $key );
}
$cached_salts[ $scheme ] = $key . $salt;
return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme );
}
endif;
if ( !function_exists('wp_hash') ) :
/**
* Get hash of given string.
*
* @since 2.0.3
* @uses wp_salt() Get WordPress salt
*
* @param string $data Plain text to hash
* @return string Hash of $data
*/
function wp_hash($data, $scheme = 'auth') {
$salt = wp_salt($scheme);
return hash_hmac('md5', $data, $salt);
}
endif;
if ( !function_exists('wp_hash_password') ) :
/**
* Create a hash (encrypt) of a plain text password.
*
* For integration with other applications, this function can be overwritten to
* instead use the other package password checking algorithm.
*
* @since 2.5
* @global object $wp_hasher PHPass object
* @uses PasswordHash::HashPassword
*
* @param string $password Plain text user password to hash
* @return string The hash string of the password
*/
function wp_hash_password($password) {
global $wp_hasher;
if ( empty($wp_hasher) ) {
require_once( ABSPATH . 'wp-includes/class-phpass.php');
// By default, use the portable hash from phpass
$wp_hasher = new PasswordHash(8, true);
}
return $wp_hasher->HashPassword($password);
}
endif;
if ( !function_exists('wp_check_password') ) :
/**
* Checks the plaintext password against the encrypted Password.
*
* Maintains compatibility between old version and the new cookie authentication
* protocol using PHPass library. The $hash parameter is the encrypted password
* and the function compares the plain text password when encrypted similarly
* against the already encrypted password to see if they match.
*
* For integration with other applications, this function can be overwritten to
* instead use the other package password checking algorithm.
*
* @since 2.5
* @global object $wp_hasher PHPass object used for checking the password
* against the $hash + $password
* @uses PasswordHash::CheckPassword
*
* @param string $password Plaintext user's password
* @param string $hash Hash of the user's password to check against.
* @return bool False, if the $password does not match the hashed password
*/
function wp_check_password($password, $hash, $user_id = '') {
global $wp_hasher;
// If the hash is still md5...
if ( strlen($hash) <= 32 ) {
$check = ( $hash == md5($password) );
if ( $check && $user_id ) {
// Rehash using new hash.
wp_set_password($password, $user_id);
$hash = wp_hash_password($password);
}
return apply_filters('check_password', $check, $password, $hash, $user_id);
}
// If the stored hash is longer than an MD5, presume the
// new style phpass portable hash.
if ( empty($wp_hasher) ) {
require_once( ABSPATH . 'wp-includes/class-phpass.php');
// By default, use the portable hash from phpass
$wp_hasher = new PasswordHash(8, true);
}
$check = $wp_hasher->CheckPassword($password, $hash);
return apply_filters('check_password', $check, $password, $hash, $user_id);
}
endif;
if ( !function_exists('wp_generate_password') ) :
/**
* Generates a random password drawn from the defined set of characters.
*
* @since 2.5
*
* @param int $length The length of password to generate
* @param bool $special_chars Whether to include standard special characters. Default true.
* @param bool $extra_special_chars Whether to include other special characters. Used when
* generating secret keys and salts. Default false.
* @return string The random password
**/
function wp_generate_password( $length = 12, $special_chars = true, $extra_special_chars = false ) {
$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
if ( $special_chars )
$chars .= '!@#$%^&*()';
if ( $extra_special_chars )
$chars .= '-_ []{}<>~`+=,.;:/?|';
$password = '';
for ( $i = 0; $i < $length; $i++ ) {
$password .= substr($chars, wp_rand(0, strlen($chars) - 1), 1);
}
// random_password filter was previously in random_password function which was deprecated
return apply_filters('random_password', $password);
}
endif;
if ( !function_exists('wp_rand') ) :
/**
* Generates a random number
*
* @since 2.6.2
*
* @param int $min Lower limit for the generated number
* @param int $max Upper limit for the generated number
* @return int A random number between min and max
*/
function wp_rand( $min = 0, $max = 0 ) {
global $rnd_value;
// Reset $rnd_value after 14 uses
// 32(md5) + 40(sha1) + 40(sha1) / 8 = 14 random numbers from $rnd_value
if ( strlen($rnd_value) < 8 ) {
if ( defined( 'WP_SETUP_CONFIG' ) )
static $seed = '';
else
$seed = get_transient('random_seed');
$rnd_value = md5( uniqid(microtime() . mt_rand(), true ) . $seed );
$rnd_value .= sha1($rnd_value);
$rnd_value .= sha1($rnd_value . $seed);
$seed = md5($seed . $rnd_value);
if ( ! defined( 'WP_SETUP_CONFIG' ) )
set_transient('random_seed', $seed);
}
// Take the first 8 digits for our value
$value = substr($rnd_value, 0, 8);
// Strip the first eight, leaving the remainder for the next call to wp_rand().
$rnd_value = substr($rnd_value, 8);
$value = abs(hexdec($value));
// Some misconfigured 32bit environments (Entropy PHP, for example) truncate integers larger than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them to floats.
$max_random_number = 3000000000 === 2147483647 ? (float) "4294967295" : 4294967295; // 4294967295 = 0xffffffff
// Reduce the value to be within the min - max range
if ( $max != 0 )
$value = $min + ( $max - $min + 1 ) * $value / ( $max_random_number + 1 );
return abs(intval($value));
}
endif;
if ( !function_exists('wp_set_password') ) :
/**
* Updates the user's password with a new encrypted one.
*
* For integration with other applications, this function can be overwritten to
* instead use the other package password checking algorithm.
*
* @since 2.5
* @uses $wpdb WordPress database object for queries
* @uses wp_hash_password() Used to encrypt the user's password before passing to the database
*
* @param string $password The plaintext new user password
* @param int $user_id User ID
*/
function wp_set_password( $password, $user_id ) {
global $wpdb;
$hash = wp_hash_password($password);
$wpdb->update($wpdb->users, array('user_pass' => $hash, 'user_activation_key' => ''), array('ID' => $user_id) );
wp_cache_delete($user_id, 'users');
}
endif;
if ( !function_exists( 'get_avatar' ) ) :
/**
* Retrieve the avatar for a user who provided a user ID or email address.
*
* @since 2.5
* @param int|string|object $id_or_email A user ID, email address, or comment object
* @param int $size Size of the avatar image
* @param string $default URL to a default image to use if no avatar is available
* @param string $alt Alternative text to use in image tag. Defaults to blank
* @return string <img> tag for the user's avatar
*/
function get_avatar( $id_or_email, $size = '96', $default = '', $alt = false ) {
if ( ! get_option('show_avatars') )
return false;
if ( false === $alt)
$safe_alt = '';
else
$safe_alt = esc_attr( $alt );
if ( !is_numeric($size) )
$size = '96';
$email = '';
if ( is_numeric($id_or_email) ) {
$id = (int) $id_or_email;
$user = get_userdata($id);
if ( $user )
$email = $user->user_email;
} elseif ( is_object($id_or_email) ) {
// No avatar for pingbacks or trackbacks
$allowed_comment_types = apply_filters( 'get_avatar_comment_types', array( 'comment' ) );
if ( ! empty( $id_or_email->comment_type ) && ! in_array( $id_or_email->comment_type, (array) $allowed_comment_types ) )
return false;
if ( !empty($id_or_email->user_id) ) {
$id = (int) $id_or_email->user_id;
$user = get_userdata($id);
if ( $user)
$email = $user->user_email;
} elseif ( !empty($id_or_email->comment_author_email) ) {
$email = $id_or_email->comment_author_email;
}
} else {
$email = $id_or_email;
}
if ( empty($default) ) {
$avatar_default = get_option('avatar_default');
if ( empty($avatar_default) )
$default = 'mystery';
else
$default = $avatar_default;
}
if ( !empty($email) )
$email_hash = md5( strtolower( trim( $email ) ) );
if ( is_ssl() ) {
$host = 'https://secure.gravatar.com';
} else {
if ( !empty($email) )
$host = sprintf( "http://%d.gravatar.com", ( hexdec( $email_hash[0] ) % 2 ) );
else
$host = 'http://0.gravatar.com';
}
if ( 'mystery' == $default )
$default = "$host/avatar/ad516503a11cd5ca435acc9bb6523536?s={$size}"; // ad516503a11cd5ca435acc9bb6523536 == md5('unknown@gravatar.com')
elseif ( 'blank' == $default )
$default = $email ? 'blank' : includes_url( 'images/blank.gif' );
elseif ( !empty($email) && 'gravatar_default' == $default )
$default = '';
elseif ( 'gravatar_default' == $default )
$default = "$host/avatar/?s={$size}";
elseif ( empty($email) )
$default = "$host/avatar/?d=$default&amp;s={$size}";
elseif ( strpos($default, 'http://') === 0 )
$default = add_query_arg( 's', $size, $default );
if ( !empty($email) ) {
$out = "$host/avatar/";
$out .= $email_hash;
$out .= '?s='.$size;
$out .= '&amp;d=' . urlencode( $default );
$rating = get_option('avatar_rating');
if ( !empty( $rating ) )
$out .= "&amp;r={$rating}";
$avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo' height='{$size}' width='{$size}' />";
} else {
$avatar = "<img alt='{$safe_alt}' src='{$default}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
}
return apply_filters('get_avatar', $avatar, $id_or_email, $size, $default, $alt);
}
endif;
if ( !function_exists( 'wp_text_diff' ) ) :
/**
* Displays a human readable HTML representation of the difference between two strings.
*
* The Diff is available for getting the changes between versions. The output is
* HTML, so the primary use is for displaying the changes. If the two strings
* are equivalent, then an empty string will be returned.
*
* The arguments supported and can be changed are listed below.
*
* 'title' : Default is an empty string. Titles the diff in a manner compatible
* with the output.
* 'title_left' : Default is an empty string. Change the HTML to the left of the
* title.
* 'title_right' : Default is an empty string. Change the HTML to the right of
* the title.
*
* @since 2.6
* @see wp_parse_args() Used to change defaults to user defined settings.
* @uses Text_Diff
* @uses WP_Text_Diff_Renderer_Table
*
* @param string $left_string "old" (left) version of string
* @param string $right_string "new" (right) version of string
* @param string|array $args Optional. Change 'title', 'title_left', and 'title_right' defaults.
* @return string Empty string if strings are equivalent or HTML with differences.
*/
function wp_text_diff( $left_string, $right_string, $args = null ) {
$defaults = array( 'title' => '', 'title_left' => '', 'title_right' => '' );
$args = wp_parse_args( $args, $defaults );
if ( !class_exists( 'WP_Text_Diff_Renderer_Table' ) )
require( ABSPATH . WPINC . '/wp-diff.php' );
$left_string = normalize_whitespace($left_string);
$right_string = normalize_whitespace($right_string);
$left_lines = explode("\n", $left_string);
$right_lines = explode("\n", $right_string);
$text_diff = new Text_Diff($left_lines, $right_lines);
$renderer = new WP_Text_Diff_Renderer_Table( $args );
$diff = $renderer->render($text_diff);
if ( !$diff )
return '';
$r = "<table class='diff'>\n";
if ( isset( $args[ 'showsplitview' ] ) && 'true' == $args[ 'showsplitview' ] ) {
$r .= "<col class='content diffsplit left' /><col class='content diffsplit middle' /><col class='content diffsplit right' />";
} else {
$r .= "<col class='content' />";
}
if ( $args['title'] || $args['title_left'] || $args['title_right'] )
$r .= "<thead>";
if ( $args['title'] )
$r .= "<tr class='diff-title'><th colspan='4'>$args[title]</th></tr>\n";
if ( $args['title_left'] || $args['title_right'] ) {
$r .= "<tr class='diff-sub-title'>\n";
$r .= "\t<td></td><th>$args[title_left]</th>\n";
$r .= "\t<td></td><th>$args[title_right]</th>\n";
$r .= "</tr>\n";
}
if ( $args['title'] || $args['title_left'] || $args['title_right'] )
$r .= "</thead>\n";
$r .= "<tbody>\n$diff\n</tbody>\n";
$r .= "</table>";
return $r;
}
endif;