diff --git a/appengine-plugin/modules/uploads.php b/appengine-plugin/modules/uploads.php
index e5e2eae..ee09325 100644
--- a/appengine-plugin/modules/uploads.php
+++ b/appengine-plugin/modules/uploads.php
@@ -148,14 +148,12 @@ public static function authenticate( $user, $username, $password ) {
 return $user;
 }
- $user_id = absint( $_GET['gae_auth_user'] );
- $sign_result = self::sign_auth_key( AUTH_KEY . $user_id );
+ $user_id = absint( $_GET['gae_auth_user'] );
+ $key_name = $_GET['gae_auth_key'];
+ $string_to_verify = AUTH_KEY . $user_id;
+ $signature_to_verify = base64_decode($_GET['gae_auth_signature']);
- if ( $sign_result['key_name'] !== $_GET['gae_auth_key'] ) {
- return $user;
- }
-
- if ( base64_decode( $_GET['gae_auth_signature'] ) !== $sign_result['signature'] ) {
+ if (self::verify_signed_auth_key($key_name, $string_to_verify, $signature_to_verify) !== true) {
 return $user;
 }
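Review bot: `$key_name` and `$signature_to_verify` are taken straight from `$_GET` with no presence check, so a request that omits `gae_auth_key` or `gae_auth_signature` raises an undefined-index notice and feeds `null` / `''` into the verifier instead of being rejected up front (unless a guard earlier in authenticate(), outside this hunk, already covers it). `base64_decode()` is also called in its lenient mode, so a malformed signature is silently decoded to whatever bytes survive rather than failing. Suggested guard before the reads: `if ( ! isset( $_GET['gae_auth_key'], $_GET['gae_auth_signature'] ) ) { return $user; }` and `$signature_to_verify = base64_decode( $_GET['gae_auth_signature'], true );` followed by a `false` check. authenticate()'s body begins and ends outside this hunk.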
@@ -487,10 +485,38 @@ private static function sign_auth_key($auth_key) {
 }
 }
- public static function custom_image_editor( $editors ) {
- $editors = [ __NAMESPACE__ . '\\Editor' ] + $editors;
- return $editors;
- }
+ private static function verify_signed_auth_key($key_name, $string_to_verify, $signature_to_verify) {
+ if (self::is_production()) {
+
+ # get list of all valid certificates for GAE project
+ $public_certificates = AppIdentityService::getPublicCertificates();
+
+ # find certificate with matching key name
+ foreach ($public_certificates as $cert) {
+ if ($cert->getCertificateName() === $key_name) {
+
+ # extract public key from X509 certificate
+ $public_key = openssl_pkey_get_public($cert->getX509CertificateInPemFormat());
+
+ # verify the signed data, return true or false
+ return (openssl_verify($string_to_verify, $signature_to_verify, $public_key, "sha256") === 1);
+ }
+ }
+
+ # if no matching certificate, verification fails
+ return false;
+
+ } else {
+ // In the development server we are not concerned with trying to generate
+ // a secure signature.
+ return (sha1($string_to_verify) === $signature_to_verify);
+ }
+ }
+
+ public static function custom_image_editor( $editors ) {
+ $editors = [ __NAMESPACE__ . '\\Editor' ] + $editors;
+ return $editors;
+ }
 }
 /**
diff --git a/gcs-media-plugin/Uploads/Uploads.php b/gcs-media-plugin/Uploads/Uploads.php
index 99b0763..705ed86 100644
--- a/gcs-media-plugin/Uploads/Uploads.php
+++ b/gcs-media-plugin/Uploads/Uploads.php
@@ -137,7 +137,8 @@ public static function use_https_form()
 . 'Note:This setting only affects new uploads,'
 . ' it will not change the HTTP scheme for files previously '
 . 'uploaded',
- 'gcp')
+ 'gcp'
+ )
 . '
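Review bot: In the production branch of verify_signed_auth_key, `openssl_pkey_get_public()` returns `false` when the certificate's PEM cannot be parsed, and that `false` is handed straight to `openssl_verify()`, which then reports a warning rather than a clean failure; the `=== 1` test still yields a failed verification, but an explicit `if ($public_key === false) { return false; }` before the verify call makes the intent clear and keeps the warning out of the log. The development branch compares the digest with `===`; `hash_equals(sha1($string_to_verify), $signature_to_verify)` (PHP 5.6+) is the conventional form for comparing a secret-derived value and fails explicitly on a non-string operand instead of silently mismatching. A one-line docblock stating that `$signature_to_verify` is expected to be the raw, already base64-decoded signature bytes would also help callers, since the parameter name does not say so. This hunk relies on is_production() and AppIdentityService, both defined outside it.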

';
 }
@@ -151,7 +152,8 @@ public static function validate_bucket($input)
 add_settings_error(
 'gcs_settings',
 'invalid-bucket',
- __('The bucket does not exist, or is not writable', 'gcp'));
+ __('The bucket does not exist, or is not writable', 'gcp')
+ );
 return get_option(self::BUCKET_OPTION, '');
 }
 return $input;
diff --git a/gcs-media-plugin/gcs.php b/gcs-media-plugin/gcs.php
index 7588c1a..161d13e 100644
--- a/gcs-media-plugin/gcs.php
+++ b/gcs-media-plugin/gcs.php
@@ -53,12 +53,12 @@ function options_page_view()
+ // output setting sections and their fields (sections are
+ // registered for "gcs", each field is registered to a specific
+ // section)
+ do_settings_sections('gcs');
+ // output save settings button
+ submit_button(__('Save Settings', 'gcs'));
 ?>