protect.php — Jetpack – WP Security, Backup, Speed, & Growth 8.6.1

jetpack / modules / protect.php

jetpack / modules Last commit date

calypsoify 6 years ago carousel 6 years ago comment-likes 7 years ago comments 6 years ago contact-form 6 years ago custom-css 6 years ago custom-post-types 6 years ago geo-location 6 years ago google-analytics 6 years ago infinite-scroll 6 years ago lazy-images 6 years ago likes 6 years ago markdown 6 years ago masterbar 6 years ago memberships 6 years ago photon 6 years ago photon-cdn 6 years ago plugin-search 7 years ago post-by-email 6 years ago protect 6 years ago publicize 6 years ago pwa 6 years ago related-posts 6 years ago scan 6 years ago search 6 years ago seo-tools 6 years ago sharedaddy 6 years ago shortcodes 6 years ago simple-payments 6 years ago site-icon 6 years ago sitemaps 6 years ago sso 6 years ago subscriptions 6 years ago theme-tools 6 years ago tiled-gallery 6 years ago verification-tools 6 years ago videopress 6 years ago widget-visibility 6 years ago widgets 6 years ago woocommerce-analytics 6 years ago wordads 6 years ago wpcom-block-editor 6 years ago wpcom-tos 6 years ago .eslintrc.js 6 years ago after-the-deadline.php 7 years ago carousel.php 7 years ago comment-likes.php 6 years ago comments.php 6 years ago contact-form.php 7 years ago copy-post.php 6 years ago custom-content-types.php 6 years ago custom-css.php 7 years ago enhanced-distribution.php 9 years ago geo-location.php 7 years ago google-analytics.php 8 years ago gravatar-hovercards.php 6 years ago infinite-scroll.php 6 years ago json-api.php 9 years ago latex.php 6 years ago lazy-images.php 6 years ago likes.php 6 years ago markdown.php 9 years ago masterbar.php 7 years ago minileven.php 6 years ago mobile-push.php 10 years ago module-extras.php 6 years ago module-headings.php 6 years ago module-info.php 6 years ago monitor.php 6 years ago notes.php 6 years ago photon-cdn.php 6 years ago photon.php 6 years ago plugin-search.php 6 years ago post-by-email.php 6 years ago protect.php 6 years ago publicize.php 6 years ago pwa.php 6 years ago related-posts.php 7 years ago search.php 6 years ago seo-tools.php 7 years ago sharedaddy.php 6 years ago shortcodes.php 6 years ago shortlinks.php 7 years ago sitemaps.php 7 years ago sso.php 6 years ago stats.php 6 years ago subscriptions.php 6 years ago theme-tools.php 6 years ago tiled-gallery.php 7 years ago vaultpress.php 7 years ago verification-tools.php 7 years ago videopress.php 7 years ago widget-visibility.php 7 years ago widgets.php 7 years ago woocommerce-analytics.php 6 years ago wordads.php 7 years ago wpgroho.js 6 years ago

protect.php

909 lines

1	<?php
2	/**
3	* Module Name: Protect
4	* Module Description: Enabling brute force protection will prevent bots and hackers from attempting to log in to your website with common username and password combinations.
5	* Sort Order: 1
6	* Recommendation Order: 4
7	* First Introduced: 3.4
8	* Requires Connection: Yes
9	* Auto Activate: Yes
10	* Module Tags: Recommended
11	* Feature: Security
12	* Additional Search Queries: security, jetpack protect, secure, protection, botnet, brute force, protect, login, bot, password, passwords, strong passwords, strong password, wp-login.php, protect admin
13	*/
14
15	use Automattic\Jetpack\Constants;
16	use Automattic\Jetpack\Connection\Utils as Connection_Utils;
17
18	include_once JETPACK__PLUGIN_DIR . 'modules/protect/shared-functions.php';
19
20	class Jetpack_Protect_Module {
21
22	private static $__instance = null;
23	public $api_key;
24	public $api_key_error;
25	public $whitelist;
26	public $whitelist_error;
27	public $whitelist_saved;
28	private $user_ip;
29	private $local_host;
30	private $api_endpoint;
31	public $last_request;
32	public $last_response_raw;
33	public $last_response;
34	private $block_login_with_math;
35
36	/**
37	* Singleton implementation
38	*
39	* @return object
40	*/
41	public static function instance() {
42	if ( ! is_a( self::$__instance, 'Jetpack_Protect_Module' ) ) {
43	self::$__instance = new Jetpack_Protect_Module();
44	}
45
46	return self::$__instance;
47	}
48
49	/**
50	* Registers actions
51	*/
52	private function __construct() {
53	add_action( 'jetpack_activate_module_protect', array ( $this, 'on_activation' ) );
54	add_action( 'jetpack_deactivate_module_protect', array ( $this, 'on_deactivation' ) );
55	add_action( 'jetpack_modules_loaded', array ( $this, 'modules_loaded' ) );
56	add_action( 'login_form', array ( $this, 'check_use_math' ), 0 );
57	add_filter( 'authenticate', array ( $this, 'check_preauth' ), 10, 3 );
58	add_action( 'wp_login', array ( $this, 'log_successful_login' ), 10, 2 );
59	add_action( 'wp_login_failed', array ( $this, 'log_failed_attempt' ) );
60	add_action( 'admin_init', array ( $this, 'maybe_update_headers' ) );
61	add_action( 'admin_init', array ( $this, 'maybe_display_security_warning' ) );
62
63	// This is a backup in case $pagenow fails for some reason
64	add_action( 'login_form', array ( $this, 'check_login_ability' ), 1 );
65
66	// Load math fallback after math page form submission
67	if ( isset( $_POST[ 'jetpack_protect_process_math_form' ] ) ) {
68	include_once dirname( __FILE__ ) . '/protect/math-fallback.php';
69	new Jetpack_Protect_Math_Authenticate;
70	}
71
72	// Runs a script every day to clean up expired transients so they don't
73	// clog up our users' databases
74	require_once( JETPACK__PLUGIN_DIR . '/modules/protect/transient-cleanup.php' );
75	}
76
77	/**
78	* On module activation, try to get an api key
79	*/
80	public function on_activation() {
81	if ( is_multisite() && is_main_site() && get_site_option( 'jetpack_protect_active', 0 ) == 0 ) {
82	update_site_option( 'jetpack_protect_active', 1 );
83	}
84
85	update_site_option( 'jetpack_protect_activating', 'activating' );
86
87	// Get BruteProtect's counter number
88	Jetpack_Protect_Module::protect_call( 'check_key' );
89	}
90
91	/**
92	* On module deactivation, unset protect_active
93	*/
94	public function on_deactivation() {
95	if ( is_multisite() && is_main_site() ) {
96	update_site_option( 'jetpack_protect_active', 0 );
97	}
98	}
99
100	public function maybe_get_protect_key() {
101	if ( get_site_option( 'jetpack_protect_activating', false ) && ! get_site_option( 'jetpack_protect_key', false ) ) {
102	$key = $this->get_protect_key();
103	delete_site_option( 'jetpack_protect_activating' );
104	return $key;
105	}
106
107	return get_site_option( 'jetpack_protect_key' );
108	}
109
110	/**
111	* Sends a "check_key" API call once a day. This call allows us to track IP-related
112	* headers for this server via the Protect API, in order to better identify the source
113	* IP for login attempts
114	*/
115	public function maybe_update_headers( $force = false ) {
116	$updated_recently = $this->get_transient( 'jpp_headers_updated_recently' );
117
118	if ( ! $force ) {
119	if ( isset( $_GET['protect_update_headers'] ) ) {
120	$force = true;
121	}
122	}
123
124	// check that current user is admin so we prevent a lower level user from adding
125	// a trusted header, allowing them to brute force an admin account
126	if ( ( $updated_recently && ! $force ) \|\| ! current_user_can( 'update_plugins' ) ) {
127	return;
128	}
129
130	$response = Jetpack_Protect_Module::protect_call( 'check_key' );
131	$this->set_transient( 'jpp_headers_updated_recently', 1, DAY_IN_SECONDS );
132
133	if ( isset( $response['msg'] ) && $response['msg'] ) {
134	update_site_option( 'trusted_ip_header', json_decode( $response['msg'] ) );
135	}
136
137	}
138
139	public function maybe_display_security_warning() {
140	if ( is_multisite() && current_user_can( 'manage_network' ) ) {
141	if ( ! function_exists( 'is_plugin_active_for_network' ) ) {
142	require_once( ABSPATH . '/wp-admin/includes/plugin.php' );
143	}
144
145	if ( ! is_plugin_active_for_network( plugin_basename( JETPACK__PLUGIN_FILE ) ) ) {
146	add_action( 'load-index.php', array( $this, 'prepare_jetpack_protect_multisite_notice' ) );
147	add_action( 'wp_ajax_jetpack-protect-dismiss-multisite-banner', array( $this, 'ajax_dismiss_handler' ) );
148	}
149	}
150	}
151
152	public function prepare_jetpack_protect_multisite_notice() {
153	$dismissed = get_site_option( 'jetpack_dismissed_protect_multisite_banner' );
154	if ( $dismissed ) {
155	return;
156	}
157
158	add_action( 'admin_notices', array ( $this, 'admin_jetpack_manage_notice' ) );
159	}
160
161	public function ajax_dismiss_handler() {
162	check_ajax_referer( 'jetpack_protect_multisite_banner_opt_out' );
163
164	if ( ! current_user_can( 'manage_network' ) ) {
165	wp_send_json_error( new WP_Error( 'insufficient_permissions' ) );
166	}
167
168	update_site_option( 'jetpack_dismissed_protect_multisite_banner', true );
169
170	wp_send_json_success();
171	}
172
173	/**
174	* Displays a warning about Jetpack Protect's network activation requirement.
175	* Attaches some custom JS to Core's `is-dismissible` UI to save the dismissed state.
176	*/
177	public function admin_jetpack_manage_notice() {
178	?>
179	<div class="jetpack-protect-warning notice notice-warning is-dismissible" data-dismiss-nonce="<?php echo esc_attr( wp_create_nonce( 'jetpack_protect_multisite_banner_opt_out' ) ); ?>">
180	<h2><?php esc_html_e( 'Jetpack Brute Force Attack Prevention cannot keep your site secure', 'jetpack' ); ?></h2>
181
182	<p><?php esc_html_e( "Thanks for activating Jetpack's brute force attack prevention feature! To start protecting your whole WordPress Multisite Network, please network activate the Jetpack plugin. Due to the way logins are handled on WordPress Multisite Networks, Jetpack must be network activated in order for the brute force attack prevention feature to work properly.", 'jetpack' ); ?></p>
183
184	<p>
185	<a class="button-primary" href="<?php echo esc_url( network_admin_url( 'plugins.php' ) ); ?>">
186	<?php esc_html_e( 'View Network Admin', 'jetpack' ); ?>
187	</a>
188	<a class="button" href="<?php echo esc_url( __( 'https://jetpack.com/support/multisite-protect', 'jetpack' ) ); ?>" target="_blank">
189	<?php esc_html_e( 'Learn More' ); ?>
190	</a>
191	</p>
192	</div>
193	<script>
194	jQuery( function( $ ) {
195	$( '.jetpack-protect-warning' ).on( 'click', 'button.notice-dismiss', function( event ) {
196	event.preventDefault();
197
198	wp.ajax.post(
199	'jetpack-protect-dismiss-multisite-banner',
200	{
201	_wpnonce: $( event.delegateTarget ).data( 'dismiss-nonce' ),
202	}
203	).fail( function( error ) { <?php
204	// A failure here is really strange, and there's not really anything a site owner can do to fix one.
205	// Just log the error for now to help debugging. ?>
206
207	if ( 'function' === typeof error.done && '-1' === error.responseText ) {
208	console.error( 'Notice dismissal failed: check_ajax_referer' );
209	} else {
210	console.error( 'Notice dismissal failed: ' + JSON.stringify( error ) );
211	}
212	} )
213	} );
214	} );
215	</script>
216	<?php
217	}
218
219	/**
220	* Request an api key from wordpress.com
221	*
222	* @return bool \| string
223	*/
224	public function get_protect_key() {
225
226	$protect_blog_id = Jetpack_Protect_Module::get_main_blog_jetpack_id();
227
228	// If we can't find the the blog id, that means we are on multisite, and the main site never connected
229	// the protect api key is linked to the main blog id - instruct the user to connect their main blog
230	if ( ! $protect_blog_id ) {
231	$this->api_key_error = __( 'Your main blog is not connected to WordPress.com. Please connect to get an API key.', 'jetpack' );
232
233	return false;
234	}
235
236	$request = array (
237	'jetpack_blog_id' => $protect_blog_id,
238	'bruteprotect_api_key' => get_site_option( 'bruteprotect_api_key' ),
239	'multisite' => '0',
240	);
241
242	// Send the number of blogs on the network if we are on multisite
243	if ( is_multisite() ) {
244	$request['multisite'] = get_blog_count();
245	if ( ! $request['multisite'] ) {
246	global $wpdb;
247	$request['multisite'] = $wpdb->get_var( "SELECT COUNT(blog_id) as c FROM $wpdb->blogs WHERE spam = '0' AND deleted = '0' and archived = '0'" );
248	}
249	}
250
251	// Request the key
252	$xml = new Jetpack_IXR_Client( array (
253	'user_id' => get_current_user_id()
254	) );
255	$xml->query( 'jetpack.protect.requestKey', $request );
256
257	// Hmm, can't talk to wordpress.com
258	if ( $xml->isError() ) {
259	$code = $xml->getErrorCode();
260	$message = $xml->getErrorMessage();
261	$this->api_key_error = sprintf( __( 'Error connecting to WordPress.com. Code: %1$s, %2$s', 'jetpack' ), $code, $message );
262
263	return false;
264	}
265
266	$response = $xml->getResponse();
267
268	// Hmm. Can't talk to the protect servers ( api.bruteprotect.com )
269	if ( ! isset( $response['data'] ) ) {
270	$this->api_key_error = __( 'No reply from Jetpack servers', 'jetpack' );
271
272	return false;
273	}
274
275	// There was an issue generating the key
276	if ( empty( $response['success'] ) ) {
277	$this->api_key_error = $response['data'];
278
279	return false;
280	}
281
282	// Key generation successful!
283	$active_plugins = Jetpack::get_active_plugins();
284
285	// We only want to deactivate BruteProtect if we successfully get a key
286	if ( in_array( 'bruteprotect/bruteprotect.php', $active_plugins ) ) {
287	Jetpack_Client_Server::deactivate_plugin( 'bruteprotect/bruteprotect.php', 'BruteProtect' );
288	}
289
290	$key = $response['data'];
291	update_site_option( 'jetpack_protect_key', $key );
292
293	return $key;
294	}
295
296	/**
297	* Called via WP action wp_login_failed to log failed attempt with the api
298	*
299	* Fires custom, plugable action jpp_log_failed_attempt with the IP
300	*
301	* @return void
302	*/
303	function log_failed_attempt( $login_user = null ) {
304
305	/**
306	* Fires before every failed login attempt.
307	*
308	* @module protect
309	*
310	* @since 3.4.0
311	*
312	* @param array Information about failed login attempt
313	* [
314	* 'login' => (string) Username or email used in failed login attempt
315	* ]
316	*/
317	do_action( 'jpp_log_failed_attempt', array( 'login' => $login_user ) );
318
319	if ( isset( $_COOKIE['jpp_math_pass'] ) ) {
320
321	$transient = $this->get_transient( 'jpp_math_pass_' . $_COOKIE['jpp_math_pass'] );
322	$transient--;
323
324	if ( ! $transient \|\| $transient < 1 ) {
325	$this->delete_transient( 'jpp_math_pass_' . $_COOKIE['jpp_math_pass'] );
326	setcookie( 'jpp_math_pass', 0, time() - DAY_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, false );
327	} else {
328	$this->set_transient( 'jpp_math_pass_' . $_COOKIE['jpp_math_pass'], $transient, DAY_IN_SECONDS );
329	}
330
331	}
332	$this->protect_call( 'failed_attempt' );
333	}
334
335	/**
336	* Set up the Protect configuration page
337	*/
338	public function modules_loaded() {
339	Jetpack::enable_module_configurable( __FILE__ );
340	}
341
342	/**
343	* Logs a successful login back to our servers, this allows us to make sure we're not blocking
344	* a busy IP that has a lot of good logins along with some forgotten passwords. Also saves current user's ip
345	* to the ip address whitelist
346	*/
347	public function log_successful_login( $user_login, $user = null ) {
348	if ( ! $user ) { // For do_action( 'wp_login' ) calls that lacked passing the 2nd arg.
349	$user = get_user_by( 'login', $user_login );
350	}
351
352	$this->protect_call( 'successful_login', array ( 'roles' => $user->roles ) );
353	}
354
355
356	/**
357	* Checks for loginability BEFORE authentication so that bots don't get to go around the log in form.
358	*
359	* If we are using our math fallback, authenticate via math-fallback.php
360	*
361	* @param string $user
362	* @param string $username
363	* @param string $password
364	*
365	* @return string $user
366	*/
367	function check_preauth( $user = 'Not Used By Protect', $username = 'Not Used By Protect', $password = 'Not Used By Protect' ) {
368	$allow_login = $this->check_login_ability( true );
369	$use_math = $this->get_transient( 'brute_use_math' );
370
371	if ( ! $allow_login ) {
372	$this->block_with_math();
373	}
374
375	if ( ( 1 == $use_math \|\| 1 == $this->block_login_with_math ) && isset( $_POST['log'] ) ) {
376	include_once dirname( __FILE__ ) . '/protect/math-fallback.php';
377	Jetpack_Protect_Math_Authenticate::math_authenticate();
378	}
379
380	return $user;
381	}
382
383	/**
384	* Get all IP headers so that we can process on our server...
385	*
386	* @return string
387	*/
388	function get_headers() {
389	$ip_related_headers = array (
390	'GD_PHP_HANDLER',
391	'HTTP_AKAMAI_ORIGIN_HOP',
392	'HTTP_CF_CONNECTING_IP',
393	'HTTP_CLIENT_IP',
394	'HTTP_FASTLY_CLIENT_IP',
395	'HTTP_FORWARDED',
396	'HTTP_FORWARDED_FOR',
397	'HTTP_INCAP_CLIENT_IP',
398	'HTTP_TRUE_CLIENT_IP',
399	'HTTP_X_CLIENTIP',
400	'HTTP_X_CLUSTER_CLIENT_IP',
401	'HTTP_X_FORWARDED',
402	'HTTP_X_FORWARDED_FOR',
403	'HTTP_X_IP_TRAIL',
404	'HTTP_X_REAL_IP',
405	'HTTP_X_VARNISH',
406	'REMOTE_ADDR'
407	);
408
409	foreach ( $ip_related_headers as $header ) {
410	if ( ! empty( $_SERVER[ $header ] ) ) {
411	$output[ $header ] = $_SERVER[ $header ];
412	}
413	}
414
415	return $output;
416	}
417
418	/*
419	* Checks if the IP address has been whitelisted
420	*
421	* @param string $ip
422	*
423	* @return bool
424	*/
425	function ip_is_whitelisted( $ip ) {
426	// If we found an exact match in wp-config
427	if ( defined( 'JETPACK_IP_ADDRESS_OK' ) && JETPACK_IP_ADDRESS_OK == $ip ) {
428	return true;
429	}
430
431	$whitelist = jetpack_protect_get_local_whitelist();
432
433	if ( is_multisite() ) {
434	$whitelist = array_merge( $whitelist, get_site_option( 'jetpack_protect_global_whitelist', array () ) );
435	}
436
437	if ( ! empty( $whitelist ) ) :
438	foreach ( $whitelist as $item ) :
439	// If the IPs are an exact match
440	if ( ! $item->range && isset( $item->ip_address ) && $item->ip_address == $ip ) {
441	return true;
442	}
443
444	if ( $item->range && isset( $item->range_low ) && isset( $item->range_high ) ) {
445	if ( jetpack_protect_ip_address_is_in_range( $ip, $item->range_low, $item->range_high ) ) {
446	return true;
447	}
448	}
449	endforeach;
450	endif;
451
452	return false;
453	}
454
455	/**
456	* Checks the status for a given IP. API results are cached as transients
457	*
458	* @param bool $preauth Whether or not we are checking prior to authorization
459	*
460	* @return bool Either returns true, fires $this->kill_login, or includes a math fallback and returns false
461	*/
462	function check_login_ability( $preauth = false ) {
463
464	/**
465	* JETPACK_ALWAYS_PROTECT_LOGIN will always disable the login page, and use a page provided by Jetpack.
466	*/
467	if ( Constants::is_true( 'JETPACK_ALWAYS_PROTECT_LOGIN' ) ) {
468	$this->kill_login();
469	}
470
471	if ( $this->is_current_ip_whitelisted() ) {
472	return true;
473	}
474
475	$status = $this->get_cached_status();
476
477	if ( empty( $status ) ) {
478	// If we've reached this point, this means that the IP isn't cached.
479	// Now we check with the Protect API to see if we should allow login
480	$response = $this->protect_call( $action = 'check_ip' );
481
482	if ( isset( $response['math'] ) && ! function_exists( 'brute_math_authenticate' ) ) {
483	include_once dirname( __FILE__ ) . '/protect/math-fallback.php';
484	new Jetpack_Protect_Math_Authenticate;
485
486	return false;
487	}
488
489	$status = $response['status'];
490	}
491
492	if ( 'blocked' == $status ) {
493	$this->block_with_math();
494	}
495
496	if ( 'blocked-hard' == $status ) {
497	$this->kill_login();
498	}
499
500	return true;
501	}
502
503	function is_current_ip_whitelisted() {
504	$ip = jetpack_protect_get_ip();
505
506	// Server is misconfigured and we can't get an IP
507	if ( ! $ip && class_exists( 'Jetpack' ) ) {
508	Jetpack::deactivate_module( 'protect' );
509	ob_start();
510	Jetpack::state( 'message', 'protect_misconfigured_ip' );
511	ob_end_clean();
512	return true;
513	}
514
515	/**
516	* Short-circuit check_login_ability.
517	*
518	* If there is an alternate way to validate the current IP such as
519	* a hard-coded list of IP addresses, we can short-circuit the rest
520	* of the login ability checks and return true here.
521	*
522	* @module protect
523	*
524	* @since 4.4.0
525	*
526	* @param bool false Should we allow all logins for the current ip? Default: false
527	*/
528	if ( apply_filters( 'jpp_allow_login', false, $ip ) ) {
529	return true;
530	}
531
532	if ( jetpack_protect_ip_is_private( $ip ) ) {
533	return true;
534	}
535
536	if ( $this->ip_is_whitelisted( $ip ) ) {
537	return true;
538	}
539	}
540
541	function has_login_ability() {
542	if ( $this->is_current_ip_whitelisted() ) {
543	return true;
544	}
545	$status = $this->get_cached_status();
546	if ( empty( $status ) \|\| $status === 'ok' ) {
547	return true;
548	}
549	return false;
550	}
551
552	function get_cached_status() {
553	$transient_name = $this->get_transient_name();
554	$value = $this->get_transient( $transient_name );
555	if ( isset( $value['status'] ) ) {
556	return $value['status'];
557	}
558	return '';
559	}
560
561	function block_with_math() {
562	/**
563	* By default, Protect will allow a user who has been blocked for too
564	* many failed logins to start answering math questions to continue logging in
565	*
566	* For added security, you can disable this.
567	*
568	* @module protect
569	*
570	* @since 3.6.0
571	*
572	* @param bool Whether to allow math for blocked users or not.
573	*/
574
575	$this->block_login_with_math = 1;
576	/**
577	* Allow Math fallback for blocked IPs.
578	*
579	* @module protect
580	*
581	* @since 3.6.0
582	*
583	* @param bool true Should we fallback to the Math questions when an IP is blocked. Default to true.
584	*/
585	$allow_math_fallback_on_fail = apply_filters( 'jpp_use_captcha_when_blocked', true );
586	if ( ! $allow_math_fallback_on_fail ) {
587	$this->kill_login();
588	}
589	include_once dirname( __FILE__ ) . '/protect/math-fallback.php';
590	new Jetpack_Protect_Math_Authenticate;
591
592	return false;
593	}
594
595	/*
596	* Kill a login attempt
597	*/
598	function kill_login() {
599	if (
600	isset( $_GET['action'], $_GET['_wpnonce'] ) &&
601	'logout' === $_GET['action'] &&
602	wp_verify_nonce( $_GET['_wpnonce'], 'log-out' ) &&
603	wp_get_current_user()
604
605	) {
606	// Allow users to logout
607	return;
608	}
609
610	$ip = jetpack_protect_get_ip();
611	/**
612	* Fires before every killed login.
613	*
614	* @module protect
615	*
616	* @since 3.4.0
617	*
618	* @param string $ip IP flagged by Protect.
619	*/
620	do_action( 'jpp_kill_login', $ip );
621
622	if( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
623	$die_string = sprintf( __( 'Your IP (%1$s) has been flagged for potential security violations.', 'jetpack' ), str_replace( 'http://', '', esc_url( 'http://' . $ip ) ) );
624	wp_die(
625	$die_string,
626	__( 'Login Blocked by Jetpack', 'jetpack' ),
627	array ( 'response' => 403 )
628	);
629	}
630
631	require_once dirname( __FILE__ ) . '/protect/blocked-login-page.php';
632	$blocked_login_page = Jetpack_Protect_Blocked_Login_Page::instance( $ip );
633
634	if ( $blocked_login_page->is_blocked_user_valid() ) {
635	return;
636	}
637
638	$blocked_login_page->render_and_die();
639	}
640
641	/*
642	* Checks if the protect API call has failed, and if so initiates the math captcha fallback.
643	*/
644	public function check_use_math() {
645	$use_math = $this->get_transient( 'brute_use_math' );
646	if ( $use_math ) {
647	include_once dirname( __FILE__ ) . '/protect/math-fallback.php';
648	new Jetpack_Protect_Math_Authenticate;
649	}
650	}
651
652	/**
653	* If we're in a multisite network, return the blog ID of the primary blog
654	*
655	* @return int
656	*/
657	public function get_main_blog_id() {
658	if ( ! is_multisite() ) {
659	return false;
660	}
661
662	global $current_site;
663	$primary_blog_id = $current_site->blog_id;
664
665	return $primary_blog_id;
666	}
667
668	/**
669	* Get jetpack blog id, or the jetpack blog id of the main blog in the main network
670	*
671	* @return int
672	*/
673	public function get_main_blog_jetpack_id() {
674	if ( ! is_main_site() ) {
675	switch_to_blog( $this->get_main_blog_id() );
676	$id = Jetpack::get_option( 'id', false );
677	restore_current_blog();
678	} else {
679	$id = Jetpack::get_option( 'id' );
680	}
681
682	return $id;
683	}
684
685	public function check_api_key() {
686	$response = $this->protect_call( 'check_key' );
687
688	if ( isset( $response['ckval'] ) ) {
689	return true;
690	}
691
692	if ( isset( $response['error'] ) ) {
693
694	if ( $response['error'] == 'Invalid API Key' ) {
695	$this->api_key_error = __( 'Your API key is invalid', 'jetpack' );
696	}
697
698	if ( $response['error'] == 'API Key Required' ) {
699	$this->api_key_error = __( 'No API key', 'jetpack' );
700	}
701	}
702
703	$this->api_key_error = __( 'There was an error contacting Jetpack servers.', 'jetpack' );
704
705	return false;
706	}
707
708	/**
709	* Calls over to the api using wp_remote_post
710	*
711	* @param string $action 'check_ip', 'check_key', or 'failed_attempt'
712	* @param array $request Any custom data to post to the api
713	*
714	* @return array
715	*/
716	function protect_call( $action = 'check_ip', $request = array () ) {
717	global $wp_version;
718
719	$api_key = $this->maybe_get_protect_key();
720
721	$user_agent = "WordPress/{$wp_version} \| Jetpack/" . constant( 'JETPACK__VERSION' );
722
723	$request['action'] = $action;
724	$request['ip'] = jetpack_protect_get_ip();
725	$request['host'] = $this->get_local_host();
726	$request['headers'] = json_encode( $this->get_headers() );
727	$request['jetpack_version'] = constant( 'JETPACK__VERSION' );
728	$request['wordpress_version'] = strval( $wp_version );
729	$request['api_key'] = $api_key;
730	$request['multisite'] = "0";
731
732	if ( is_multisite() ) {
733	$request['multisite'] = get_blog_count();
734	}
735
736
737	/**
738	* Filter controls maximum timeout in waiting for reponse from Protect servers.
739	*
740	* @module protect
741	*
742	* @since 4.0.4
743	*
744	* @param int $timeout Max time (in seconds) to wait for a response.
745	*/
746	$timeout = apply_filters( 'jetpack_protect_connect_timeout', 30 );
747
748	$args = array (
749	'body' => $request,
750	'user-agent' => $user_agent,
751	'httpversion' => '1.0',
752	'timeout' => absint( $timeout )
753	);
754
755	$response_json = wp_remote_post( $this->get_api_host(), $args );
756	$this->last_response_raw = $response_json;
757
758	$transient_name = $this->get_transient_name();
759	$this->delete_transient( $transient_name );
760
761	if ( is_array( $response_json ) ) {
762	$response = json_decode( $response_json['body'], true );
763	}
764
765	if ( isset( $response['blocked_attempts'] ) && $response['blocked_attempts'] ) {
766	update_site_option( 'jetpack_protect_blocked_attempts', $response['blocked_attempts'] );
767	}
768
769	if ( isset( $response['status'] ) && ! isset( $response['error'] ) ) {
770	$response['expire'] = time() + $response['seconds_remaining'];
771	$this->set_transient( $transient_name, $response, $response['seconds_remaining'] );
772	$this->delete_transient( 'brute_use_math' );
773	} else { // Fallback to Math Captcha if no response from API host
774	$this->set_transient( 'brute_use_math', 1, 600 );
775	$response['status'] = 'ok';
776	$response['math'] = true;
777	}
778
779	if ( isset( $response['error'] ) ) {
780	update_site_option( 'jetpack_protect_error', $response['error'] );
781	} else {
782	delete_site_option( 'jetpack_protect_error' );
783	}
784
785	return $response;
786	}
787
788	function get_transient_name() {
789	$headers = $this->get_headers();
790	$header_hash = md5( json_encode( $headers ) );
791
792	return 'jpp_li_' . $header_hash;
793	}
794
795	/**
796	* Wrapper for WordPress set_transient function, our version sets
797	* the transient on the main site in the network if this is a multisite network
798	*
799	* We do it this way (instead of set_site_transient) because of an issue where
800	* sitewide transients are always autoloaded
801	* https://core.trac.wordpress.org/ticket/22846
802	*
803	* @param string $transient Transient name. Expected to not be SQL-escaped. Must be
804	* 45 characters or fewer in length.
805	* @param mixed $value Transient value. Must be serializable if non-scalar.
806	* Expected to not be SQL-escaped.
807	* @param int $expiration Optional. Time until expiration in seconds. Default 0.
808	*
809	* @return bool False if value was not set and true if value was set.
810	*/
811	function set_transient( $transient, $value, $expiration ) {
812	if ( is_multisite() && ! is_main_site() ) {
813	switch_to_blog( $this->get_main_blog_id() );
814	$return = set_transient( $transient, $value, $expiration );
815	restore_current_blog();
816
817	return $return;
818	}
819
820	return set_transient( $transient, $value, $expiration );
821	}
822
823	/**
824	* Wrapper for WordPress delete_transient function, our version deletes
825	* the transient on the main site in the network if this is a multisite network
826	*
827	* @param string $transient Transient name. Expected to not be SQL-escaped.
828	*
829	* @return bool true if successful, false otherwise
830	*/
831	function delete_transient( $transient ) {
832	if ( is_multisite() && ! is_main_site() ) {
833	switch_to_blog( $this->get_main_blog_id() );
834	$return = delete_transient( $transient );
835	restore_current_blog();
836
837	return $return;
838	}
839
840	return delete_transient( $transient );
841	}
842
843	/**
844	* Wrapper for WordPress get_transient function, our version gets
845	* the transient on the main site in the network if this is a multisite network
846	*
847	* @param string $transient Transient name. Expected to not be SQL-escaped.
848	*
849	* @return mixed Value of transient.
850	*/
851	function get_transient( $transient ) {
852	if ( is_multisite() && ! is_main_site() ) {
853	switch_to_blog( $this->get_main_blog_id() );
854	$return = get_transient( $transient );
855	restore_current_blog();
856
857	return $return;
858	}
859
860	return get_transient( $transient );
861	}
862
863	function get_api_host() {
864	if ( isset( $this->api_endpoint ) ) {
865	return $this->api_endpoint;
866	}
867
868	//Check to see if we can use SSL
869	$this->api_endpoint = Connection_Utils::fix_url_for_bad_hosts( JETPACK_PROTECT__API_HOST );
870
871	return $this->api_endpoint;
872	}
873
874	function get_local_host() {
875	if ( isset( $this->local_host ) ) {
876	return $this->local_host;
877	}
878
879	$uri = 'http://' . strtolower( $_SERVER['HTTP_HOST'] );
880
881	if ( is_multisite() ) {
882	$uri = network_home_url();
883	}
884
885	$uridata = wp_parse_url( $uri );
886
887	$domain = $uridata['host'];
888
889	// If we still don't have the site_url, get it
890	if ( ! $domain ) {
891	$uri = get_site_url( 1 );
892	$uridata = wp_parse_url( $uri );
893	$domain = $uridata['host'];
894	}
895
896	$this->local_host = $domain;
897
898	return $this->local_host;
899	}
900
901	}
902
903	$jetpack_protect = Jetpack_Protect_Module::instance();
904
905	global $pagenow;
906	if ( isset( $pagenow ) && 'wp-login.php' == $pagenow ) {
907	$jetpack_protect->check_login_ability();
908	}
909