get_access_token(); $secret = ''; if ( $blog_token && ! is_wp_error( $blog_token ) && ! empty( $blog_token->secret ) ) { // Blog tokens are stored as "key.secret"; sign with the secret part only, matching the // rest of the connection stack. Require exactly two non-empty parts so a malformed token // fails closed rather than signing links the fetch path could never honor. $parts = explode( '.', (string) $blog_token->secret, 2 ); if ( count( $parts ) === 2 && '' !== $parts[0] && '' !== $parts[1] ) { $secret = $parts[1]; } } /** * Filters the secret used to sign Forms unauthenticated file-download links. * * Defaults to the Jetpack blog token secret. Environments without a usable blog token * (e.g. WordPress.com Simple) can return their own stable, secret value here so that * download links can still be signed and verified. * * @since 16.0 * * @param string $secret The signing secret. Empty string if none is available. */ return (string) apply_filters( 'jetpack_unauth_file_download_signing_key', $secret ); } /** * Generate a signed token authorizing the download of a given file. * * Unlike a WordPress nonce, the token is not tied to a specific user or session, so a link * generated by one logged-in editor works for any logged-in editor. The expiry timestamp is * part of the signed payload, so it cannot be tampered with to extend access. * * @since 16.0 * * @param int $file_id The file ID. * @param int $expires Unix timestamp at which the link stops being valid. * @param string $version The token scheme version. Defaults to the current scheme. * * @return string The hex-encoded HMAC-SHA256 token, or an empty string if there is no signing key. */ function generate_download_token( $file_id, $expires, $version = DOWNLOAD_TOKEN_VERSION ) { $key = get_download_signing_key(); if ( '' === $key ) { return ''; } $payload = 'jetpack_unauth_file_download|' . $version . '|' . (int) $file_id . '|' . (int) $expires; return hash_hmac( 'sha256', $payload, $key ); } /** * Verify a download token against the expected signature using a constant-time comparison. * * Expiry is checked separately by the caller so it can surface a distinct "expired" message. * Fails closed when no signing key is available (i.e. the site is not connected). * * @since 16.0 * * @param int $file_id The file ID. * @param int $expires Unix timestamp the token was signed with. * @param string $token The token supplied in the request. * @param string $version The token scheme version the token was signed with. * * @return bool True if the token matches. */ function verify_download_token( $file_id, $expires, $token, $version = DOWNLOAD_TOKEN_VERSION ) { $expected = generate_download_token( $file_id, $expires, $version ); return '' !== $expected && is_string( $token ) && '' !== $token && hash_equals( $expected, $token ); } /** * Get the file download URL filter callback. * * @param string $url The file download URL. * @param int $file_id The file ID. * * @return string The file download URL. */ function filter_get_download_url( $url, $file_id ) { $expires = time() + DOWNLOAD_LINK_LIFETIME; $token = generate_download_token( $file_id, $expires ); if ( '' === $token ) { // No signing key (disconnected site, or WP.com Simple without the signing-key filter // wired). Return the passthrough so callers omit the link instead of handing out one // that can never work, and leave a breadcrumb for operators. error_log( 'Jetpack Forms: unable to sign file download link; no signing key available.' ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log return $url; } return add_query_arg( array( 'action' => 'jetpack_unauth_file_download', 'file_id' => $file_id, 'expires' => $expires, 'token_version' => DOWNLOAD_TOKEN_VERSION, 'token' => $token, ), admin_url( 'admin-ajax.php' ) ); } /** * Reject a download request with the generic invalid-link error and a debug code, then exit. * * The message stays generic so it leaks nothing to the requester and stays actionable (a token * can be rejected simply because the blog token rotated on reconnect), while the appended code * identifies which check failed, so a user-reported screenshot is enough to locate the cause: * * 1 - Missing or unrecognized token_version. * 2 - Token signature did not verify. * 3 - Legacy nonce did not verify. * 4 - No token and no legacy nonce supplied. * * @since 16.0 * * @param int $code Number identifying the failing check. * * @return void Terminates the request via wp_die(). */ function invalid_download_link( $code ) { wp_die( esc_html( sprintf( /* translators: %d: error code used for debugging. */ __( 'This download link is no longer valid. Reload the responses page to get a fresh link. (%d)', 'jetpack' ), (int) $code ) ), '', array( 'response' => 403 ) ); } /** * Authorize a download request and return the requested file ID. * * Holds the security-critical gate (capability check, then either the current signed-token * scheme or the legacy nonce fallback). Terminates the request via wp_die() on any failure and * only returns when the caller is allowed to download the file. Kept separate from the * file-serving logic in handle_file_download() so each branch is unit-testable without the * headers/exit of the serving path. * * @since 16.0 * * @return int The validated file ID. */ function authorize_file_download() { if ( ! current_user_can( 'edit_pages' ) ) { wp_die( esc_html__( 'Sorry, you are not allowed to access this page.', 'jetpack' ), '', array( 'response' => 403 ) ); } $file_id = isset( $_GET['file_id'] ) ? absint( wp_unslash( $_GET['file_id'] ) ) : 0; if ( ! $file_id ) { wp_die( esc_html__( 'Invalid file request.', 'jetpack' ), '', array( 'response' => 400 ) ); } $token = isset( $_GET['token'] ) ? sanitize_text_field( wp_unslash( $_GET['token'] ) ) : ''; if ( '' !== $token ) { // Current scheme: a site-signed, expiring token. Future schemes can branch on the version. $token_version = isset( $_GET['token_version'] ) ? sanitize_text_field( wp_unslash( $_GET['token_version'] ) ) : ''; if ( DOWNLOAD_TOKEN_VERSION !== $token_version ) { invalid_download_link( 1 ); } $expires = isset( $_GET['expires'] ) ? absint( wp_unslash( $_GET['expires'] ) ) : 0; // A link is valid up to and including its expiry second; expired once time passes it. if ( ! $expires || $expires < time() ) { wp_die( esc_html__( 'This download link has expired. Reload the responses page to get a fresh link.', 'jetpack' ), '', array( 'response' => 410 ) ); } // $token_version was asserted equal to DOWNLOAD_TOKEN_VERSION above; pass the constant so // a future multi-version branch can't accidentally feed the request value back in. if ( ! verify_download_token( $file_id, $expires, $token, DOWNLOAD_TOKEN_VERSION ) ) { invalid_download_link( 2 ); } } elseif ( isset( $_GET['_wpnonce'] ) ) { /* * Backward compatibility for legacy per-file nonce links that may still be circulating * in already-sent emails. WordPress nonces are only valid for ~24h, so these links * expire on their own shortly after the signed-token scheme ships. * * @todo Remove this legacy nonce fallback in Jetpack 16.3 or later; links signed under * the old scheme self-expire within ~24h of the signed-token scheme shipping. */ if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'jetpack_unauth_file_download_nonce_' . $file_id ) ) { invalid_download_link( 3 ); } } else { invalid_download_link( 4 ); } return $file_id; } /** * Handle file download requests from the admin page. * * @return never This method never returns as it exits directly */ function handle_file_download() { $file_id = authorize_file_download(); /** * Get the file content that we send to the user to download. * * @since 14.6 * * @param array $file_content The file content. * @param string $file_id The file ID. * * @return array|\WP_Error The file array, containing the content, name and type. */ $file = apply_filters( 'jetpack_unauth_file_upload_get_file', array(), $file_id ); if ( is_wp_error( $file ) || empty( $file ) || ! is_array( $file ) ) { wp_die( esc_html__( 'Error retrieving file content.', 'jetpack' ) ); } // Given $file can be manipulated by a filter, make sure everything is as it should be. $file['content'] = $file['content'] ?? ''; $file['type'] = $file['type'] ?? 'application/octet-stream'; $file['name'] = $file['name'] ?? ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- The request is already authorized in authorize_file_download() before reaching here. $is_preview = isset( $_GET['preview'] ) && 'true' === $_GET['preview'] && is_file_type_previewable( $file['type'] ); // Clean output buffer if ( ob_get_length() ) { ob_clean(); } // Set headers for download header( 'Content-Type: ' . $file['type'] ); if ( ! $is_preview ) { // Forcing the file to be downloaded is important to prevent XSS attacks. header( 'Content-Disposition: attachment; filename="' . sanitize_file_name( $file['name'] ) . '"' ); } else { // For preview mode, use inline disposition header( 'Content-Disposition: inline; filename="' . sanitize_file_name( $file['name'] ) . '"' ); } header( 'Content-Length: ' . strlen( $file['content'] ) ); header( 'Content-Transfer-Encoding: binary' ); header( 'Cache-Control: no-cache, must-revalidate, max-age=0' ); header( 'Pragma: no-cache' ); header( 'Expires: 0' ); // Output file content and exit echo $file['content']; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Binary file data exit( 0 ); } /** * Get the file content. * * @param array $file_content The file content, name and type. * @param integer $file_id The file ID. * @return array|\WP_Error The file content, name and type */ function get_file_content( $file_content, $file_id ) { if ( ( new \Automattic\Jetpack\Status\Host() )->is_wpcom_simple() ) { return $file_content; } $blog_id = \Jetpack_Options::get_option( 'id' ); $request_url = sprintf( '/sites/%d/unauth-file-upload/%s', $blog_id, $file_id ); $response = \Automattic\Jetpack\Connection\Client::wpcom_json_api_request_as_blog( $request_url, 'v2', array( 'method' => 'GET', ), null, 'wpcom' ); $file_content = wp_remote_retrieve_body( $response ); if ( is_wp_error( $response ) || empty( $file_content ) ) { return new \WP_Error( 'jetpack_unauth_file_upload_error', esc_html__( 'Error retrieving file content.', 'jetpack' ) ); } try { $content = json_decode( $file_content, true, 3, defined( 'JSON_THROW_ON_ERROR' ) ? \JSON_THROW_ON_ERROR : 0 ); // phpcs:ignore PHPCompatibility.Constants.NewConstants.json_throw_on_errorFound if ( isset( $content['message'] ) ) { return new \WP_Error( 'jetpack_unauth_file_upload_error', esc_html__( 'Error retrieving file content.', 'jetpack' ) ); } } catch ( \Exception $e ) { // phpcs:ignore Generic.CodeAnalysis.EmptyStatement.DetectedCatch // If the file is not JSON, we assume it's a binary file. } $content_disposition = wp_remote_retrieve_header( $response, 'content-disposition' ); $filename = ''; if ( $content_disposition ) { // Match the filename using a regular expression if ( preg_match( '/filename="([^"]+)"/', $content_disposition, $matches ) ) { $filename = $matches[1]; // Extract the filename } } $type = wp_remote_retrieve_header( $response, 'content-type' ); if ( empty( $type ) ) { $type = 'application/octet-stream'; // Default to binary if no content type is found } return array( 'content' => $file_content, 'type' => $type, 'name' => $filename, ); } /** * Check which file type is previewable in the browser without downloading them. * * Allow images with extensions jpg, jpeg, png, gif, webp and pdf files. * * @param string $file_type The MIME type of the file. * @return bool True if the file is previable, false otherwise. */ function is_file_type_previewable( $file_type ) { $previable_types = array( 'image/jpeg', 'image/png', 'image/gif', 'image/webp', 'application/pdf', ); return in_array( $file_type, $previable_types, true ); }