From b69d7a79b4cf4438a804ce47df78474f68552d3a Mon Sep 17 00:00:00 2001
From: "J. Maurice"
Date: Sun, 19 Nov 2017 19:45:49 +0900
Subject: [PATCH 1/3] Verify AppIdentityService signatures against all valid certificates
---
 appengine-plugin/modules/uploads.php | 40 +++++++++++++++++++++++-----
 1 file changed, 33 insertions(+), 7 deletions(-)
diff --git a/appengine-plugin/modules/uploads.php b/appengine-plugin/modules/uploads.php
index e5e2eae..171d2b2 100644
--- a/appengine-plugin/modules/uploads.php
+++ b/appengine-plugin/modules/uploads.php
@@ -148,14 +148,12 @@ public static function authenticate( $user, $username, $password ) {
 return $user;
 }
- $user_id = absint( $_GET['gae_auth_user'] );
- $sign_result = self::sign_auth_key( AUTH_KEY . $user_id );
+ $user_id = absint( $_GET['gae_auth_user'] );
+ $key_name = $_GET['gae_auth_key'];
+ $string_to_verify = AUTH_KEY . $user_id;
+ $signature_to_verify = base64_decode($_GET['gae_auth_signature']);
- if ( $sign_result['key_name'] !== $_GET['gae_auth_key'] ) {
- return $user;
- }
-
- if ( base64_decode( $_GET['gae_auth_signature'] ) !== $sign_result['signature'] ) {
+ if (self::verify_signed_auth_key($key_name, $string_to_verify, $signature_to_verify) !== true) {
 return $user;
 }
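Review bot: The string verified here is only `AUTH_KEY . $user_id`, with no expiry or nonce bound into it, so a signature that verifies once keeps verifying for that user; because the new check accepts any certificate that `getPublicCertificates()` still lists rather than only the current signing key, that validity window appears to get longer with this change. Consider adding a timestamp to the signed string on both the signing and the verifying side and rejecting stale values. `$_GET['gae_auth_key']` and `$_GET['gae_auth_signature']` are read without a presence or type check in the visible lines; `authenticate()` starts above this hunk, so a guard may already exist there. Decoding with `base64_decode($_GET['gae_auth_signature'], true)` and returning `$user` when the result is `false` would reject malformed input before it reaches `openssl_verify()`.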
@@ -487,6 +485,34 @@ private static function sign_auth_key($auth_key) {
 }
 }
+ private static function verify_signed_auth_key($key_name, $string_to_verify, $signature_to_verify) {
+ if (self::is_production()) {
+
+ # get list of all valid certificates for GAE project
+ $public_certificates = AppIdentityService::getPublicCertificates();
+
+ # find certificate with matching key name
+ foreach ($public_certificates as $cert) {
+ if ($cert->getCertificateName() === $key_name) {
+
+ # extract public key from X509 certificate
+ $public_key = openssl_pkey_get_public($cert->getX509CertificateInPemFormat());
+
+ # verify the signed data, return true or false
+ return (openssl_verify($string_to_verify, $signature_to_verify, $public_key, "sha256") === 1);
+ }
+ }
+
+ # if no matching certificate, verification fails
+ return false;
+
+ } else {
+ // In the development server we are not concerned with trying to generate
+ // a secure signature.
+ return (sha1($string_to_verify) === $signature_to_verify);
+ }
+ }
+
 public static function custom_image_editor( $editors ) {
 $editors = [ __NAMESPACE__ . '\\Editor' ] + $editors;
 return $editors;
From 87ab4fe3eba8c572edc651173e0564fd6c4815ed Mon Sep 17 00:00:00 2001
From: Takashi Matsuo
Date: Mon, 20 Nov 2017 10:33:08 -0800
Subject: [PATCH 2/3] Tab to spaces
---
 appengine-plugin/modules/uploads.php | 50 ++++++++++++++--------------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/appengine-plugin/modules/uploads.php b/appengine-plugin/modules/uploads.php
index 171d2b2..ee09325 100644
--- a/appengine-plugin/modules/uploads.php
+++ b/appengine-plugin/modules/uploads.php
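Review bot: In the production branch of `verify_signed_auth_key()` the return value of `openssl_pkey_get_public()` is passed straight to `openssl_verify()`; an unparsable PEM still fails closed through the `=== 1` comparison, but an explicit `if ($public_key === false) { return false; }` states that intent instead of leaving it to the error path. `AppIdentityService::getPublicCertificates()` is called on the login path and nothing in the visible lines handles a failure from it, so it is worth confirming that an error there ends as a failed verification rather than an uncaught exception. In the development branch, `return hash_equals(sha1($string_to_verify), $signature_to_verify);` would avoid a timing-dependent comparison of a value derived from `AUTH_KEY`. A short docblock saying that the method returns `true` only for a verified signature and `false` in every other case would help, since the caller compares with `!== true`.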
@@ -485,38 +485,38 @@ private static function sign_auth_key($auth_key) { } } - private static function verify_signed_auth_key($key_name, $string_to_verify, $signature_to_verify) { - if (self::is_production()) { + private static function verify_signed_auth_key($key_name, $string_to_verify, $signature_to_verify) { + if (self::is_production()) { - # get list of all valid certificates for GAE project - $public_certificates = AppIdentityService::getPublicCertificates(); + # get list of all valid certificates for GAE project + $public_certificates = AppIdentityService::getPublicCertificates(); - # find certificate with matching key name - foreach ($public_certificates as $cert) { - if ($cert->getCertificateName() === $key_name) { + # find certificate with matching key name + foreach ($public_certificates as $cert) { + if ($cert->getCertificateName() === $key_name) { - # extract public key from X509 certificate - $public_key = openssl_pkey_get_public($cert->getX509CertificateInPemFormat()); + # extract public key from X509 certificate + $public_key = openssl_pkey_get_public($cert->getX509CertificateInPemFormat()); - # verify the signed data, return true or false - return (openssl_verify($string_to_verify, $signature_to_verify, $public_key, "sha256") === 1); - } - } + # verify the signed data, return true or false + return (openssl_verify($string_to_verify, $signature_to_verify, $public_key, "sha256") === 1); + } + } - # if no matching certificate, verification fails - return false; + # if no matching certificate, verification fails + return false; - } else { - // In the development server we are not concerned with trying to generate - // a secure signature. - return (sha1($string_to_verify) === $signature_to_verify); - } - } + } else { + // In the development server we are not concerned with trying to generate + // a secure signature. 
+ return (sha1($string_to_verify) === $signature_to_verify); + } + } - public static function custom_image_editor( $editors ) { - $editors = [ __NAMESPACE__ . '\\Editor' ] + $editors; - return $editors; - } + public static function custom_image_editor( $editors ) { + $editors = [ __NAMESPACE__ . '\\Editor' ] + $editors; + return $editors; + } } /** From dc1d36f914410145fa9a66ca4e78afc19813d266 Mon Sep 17 00:00:00 2001 From: Takashi Matsuo Date: Mon, 20 Nov 2017 10:38:12 -0800 Subject: [PATCH 3/3] CS fixes --- gcs-media-plugin/Uploads/Uploads.php | 6 ++++-- gcs-media-plugin/gcs.php | 12 ++++++------ 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/gcs-media-plugin/Uploads/Uploads.php b/gcs-media-plugin/Uploads/Uploads.php index 99b0763..705ed86 100644 --- a/gcs-media-plugin/Uploads/Uploads.php +++ b/gcs-media-plugin/Uploads/Uploads.php @@ -137,7 +137,8 @@ public static function use_https_form() . 'Note:This setting only affects new uploads,' . ' it will not change the HTTP scheme for files previously ' . 'uploaded', - 'gcp') + 'gcp' + ) . '

'; } @@ -151,7 +152,8 @@ public static function validate_bucket($input) add_settings_error( 'gcs_settings', 'invalid-bucket', - __('The bucket does not exist, or is not writable', 'gcp')); + __('The bucket does not exist, or is not writable', 'gcp') + ); return get_option(self::BUCKET_OPTION, ''); } return $input; diff --git a/gcs-media-plugin/gcs.php b/gcs-media-plugin/gcs.php index 7588c1a..161d13e 100644 --- a/gcs-media-plugin/gcs.php +++ b/gcs-media-plugin/gcs.php @@ -53,12 +53,12 @@ function options_page_view() + // output setting sections and their fields (sections are + // registered for "gcs", each field is registered to a specific + // section) + do_settings_sections('gcs'); + // output save settings button + submit_button(__('Save Settings', 'gcs')); ?>