Changeset 3145
- Timestamp:
- 05/14/2016 01:27:51 PM (8 years ago)
- File:
-
- 1 edited
sites/trunk/common/includes/wporg-sso/class-wporg-sso.php
r2338 r3145 3 3 /** 4 4 * Single Sign-On (SSO) handling for WordPress/bbPress/GlotPress instances under *.wordpress.org. 5 * 5 * 6 6 * @author stephdau 7 7 */ 8 8 class WPOrg_SSO { 9 9 const SSO_HOST = 'login.wordpress.org'; 10 10 11 11 public $sso_host_url; 12 12 public $sso_login_url; 13 13 public $sso_signup_url; 14 14 15 15 public $host; 16 16 public $script; 17 17 18 18 /** 19 19 * Constructor, instantiate common properties … … 23 23 $this->sso_login_url = $this->sso_host_url . '/'; 24 24 $this->sso_signup_url = 'https://wordpress.org/support/register.php'; // For now 25 25 26 26 if ( ! empty( $_SERVER['HTTP_HOST'] ) ) { 27 27 $this->host = $_SERVER['HTTP_HOST']; … … 29 29 } 30 30 } 31 31 32 32 /** 33 33 * Checks if the requested redirect_to URL is part of the wordpress.org empire, adds it as an redirect host if so. … … 35 35 * @param array $hosts Currently allowed hosts 36 36 * @return array $hosts Edited lists of allowed hosts 37 * 37 * 38 38 * @example add_filter( 'allowed_redirect_hosts', array( &$this, 'add_allowed_redirect_host' ) ); 39 39 */ … … 47 47 $host = self::SSO_HOST; 48 48 } 49 49 50 50 // If we got a host by now, it's a safe wordpress.org-based one, add it to the list of allowed redirects 51 51 if ( ! empty( $host ) && ! in_array( $host, $hosts ) ){ 52 52 $hosts[] = $host; 53 53 } 54 54 55 55 // Return list of allowed hosts 56 56 return $hosts; 57 57 } 58 58 59 59 /** 60 60 * Returns the SSO login URL, with redirect_to as requested, if deemed valid. 61 * 61 * 62 62 * @param string $redirect_to 63 63 * @param string $filter_redirect_to When used with the WP login_url filter, the redirect_to is passed as a 2nd arg instead. 64 64 * @return string 65 * 65 * 66 66 * @example Use directly, or through add_action( 'login_url', array( &$wporg_sso, 'login_url' ), 10, 2 ); 67 67 */ … … 77 77 } 78 78 return $login_url; 79 79 80 80 } 81 82 81 82 83 83 /** 84 84 * Tests if the current process has $_SERVER['HTTP_HOST'] or not (EG: cron'd processes do not). 
85 * 85 * 86 86 * @return boolean 87 87 */ … … 89 89 return ( ! empty( $this->host ) ); 90 90 } 91 91 92 92 /** 93 93 * Get a safe redirect URL (ie: a wordpress.org-based one) from $_REQUEST['redirect_to'] or a safe alternative. 94 * 94 * 95 95 * @return string Safe redirect URL from $_REQUEST['redirect_to'] 96 96 */ … … 98 98 // Setup a default redirect to URL, with a safe version to only change if validation succeeds below. 99 99 $redirect_to = ! empty( $_GET['action'] ) && in_array( $_GET['action'], array( 'logout', 'loggedout' ) ) ? '/loggedout/' : 'https://wordpress.org/'; 100 100 101 101 if ( ! empty( $_REQUEST['redirect_to'] ) ) { 102 102 // User is requesting a further redirect afterward, let's make sure it's a legit target. 103 $redirect_to_requested = function_exists( 'wp_sanitize_redirect' ) ? wp_sanitize_redirect( $ _REQUEST['redirect_to'] ) : $_REQUEST['redirect_to'];103 $redirect_to_requested = function_exists( 'wp_sanitize_redirect' ) ? wp_sanitize_redirect( $redirect_to ) : $redirect_to; 104 104 if ( $this->_is_valid_targeted_domain( $redirect_to_requested ) ) { 105 105 $redirect_to = $redirect_to_requested; … … 118 118 } 119 119 } 120 120 121 121 return $redirect_to; 122 122 } 123 123 124 124 /** 125 125 * Tests if the passed host/domain, or URL, is part of the WordPress.org domain. 126 * 126 * 127 127 * @param unknown $string A domain, hostname, or URL 128 128 * @return boolean True is ok, false if not … … 132 132 $string = ''; 133 133 } 134 134 135 135 if ( strstr( $string , '/' ) ) { 136 136 $url = parse_url( $string ); … … 139 139 $host = $string; 140 140 } 141 141 142 142 if ( ! empty( $host ) && strstr( $host , '.' ) ) { 143 143 return ( preg_match( '/^(.+\.)?wordpress\.org$/', $host ) ) ? true : false; 144 144 } 145 145 146 146 return false; 147 147 } … … 149 149 /** 150 150 * Validates if target URL is within our bounds, then redirects to it if so, or to WP.org homepage (returns if headers already sent). 
151 * 151 * 152 152 * @param string $to Destination URL 153 153 * @param number $status HTTP redirect status, defaults to 302 154 * 154 * 155 155 * @note: using our own over wp_safe_redirect(), etc, because not all targeted platforms (WP/BB/GP/etc) implement an equivalent, we run early, etc. 156 156 */ … … 159 159 return; 160 160 } 161 161 162 162 if ( ! $this->_is_valid_targeted_domain( $to ) ) { 163 163 $to = $this->_get_safer_redirect_to(); 164 164 } 165 165 166 166 header( 167 167 'Location: ' . $to, … … 169 169 preg_match( '/^30(1|2)$/', $status ) ? $status : 302 170 170 ); 171 171 172 172 die(); 173 173 }
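Review bot: On line 103 of `_get_safer_redirect_to()`, the form `wp_sanitize_redirect( $redirect_to )` sanitises the default assigned on line 99 instead of `$_REQUEST['redirect_to']`, so the requested target is never validated or used even though line 101 still tests for it; this assumes that form is the new side, since the viewer's add/remove markers are lost in this rendering. That fails closed, but it leaves the `if` on line 101 without effect. If the request value is meant to be honoured, the line should go back to `wp_sanitize_redirect( $_REQUEST['redirect_to'] )` ahead of the `_is_valid_targeted_domain()` check. Separately, line 143 validates only the host and anchors with `$`, which in PCRE also matches before a trailing newline; `'/^(.+\.)?wordpress\.org\z/'` together with an `http`/`https` scheme allow-list would tighten the check before the value reaches `header( 'Location: ' . $to )`. Parts of each function are elided by the viewer, so this rests on the visible lines only.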