<?php
/*
Plugin Name: Simple Nonces for WordPress
Plugin URI: http://thecodecave.com
Description: The SN4WP plugin replaces the referer check with nonces that perform the same function.
Author: Brian Layman
Version: 0.1a
Author URI: http://www.TheCodeCave.com

Copyright 2006 Brian Layman

Created       - 25/APR/2006
Last Modified - 25/APR/2006
Contributors: (Put your name & Initials at the top)
  Brian Layman - BL - http://www.TheCodeCave.com


History:
  25/APR/2006 - BL - Created

License - If this helps you - Great! Use it, modify it share it.

Indemnity -
    Use this file at your own risk.  The internet has an near infinite combination
    of hardware and software.  If this application operates outside its expected
    nature it is not my fault.  There is no way to prevent all unforeseen attacks
    on a website.  It is is quite probable there are many attacks that can get
    around this plugin.  In fact, you should just stop right now and
    delete this plugin.  For if it causes blue smoke to be emitted from your
    network card, if it resets your home site to HowToKillMyBoss.com, opens a
    hole in your website larger than was there before the use of this plugin,
    or it makes your sister break up with her lawyer boyfriend and start dating
    a caver, it is not my fault.  (Actually that last one might be an
    improvement, but it is still not my fault.)

 Donations - If this plugin file really helps you out, feel free to make a $5
    (US) donation via Paypal to Brian@TheCodeCave.com or just send a Thank
    You via email to that address and include your country of origin. Or even
    better yet, add me to your blog roll.

  -----
  Notes taken while making this plugin...

  What does the referrer check do?
    Checks to see if an admin action was initiated from an admin page.

  What is protected by the referer check?
    Only certain actions are protected by the referer check.
    The common thread seems to be that the action must be a single destructive step.
    The protected actions include:  (An * indicates it was added with verison 2.02)
      Categories - Delete
      Link Manager - Assign, visiblity, move, add, editlink, delete
      Options - Update
      Plugins - Activate, Deactivate
      Posts - Post*, editattachment*, editpost*, Delete, deletecomment, unapprovecomment
      Profile - Post
      Themes - Activate, Deactivate
      User-edit - Switchposts, update*
      Users - Promote, dodelete, delete adduser
      Additionally the akismet plugin's configuration page
    Note that these actions consist of the the "final commit" steps.  For instance the
    "linkedit" action  that brings up the form allowing you to edit a link is not protected.
    However, the "editlink" action that posts the changes IS protected. Please keep this in
    mind when testing this plugin.


  Can a referrer be wrong?
    Yes, many proxies strip or replace the referer.  Additionally referers can be forged,
    but the fact that a login cookie is also required makes such attacks difficult.  The
    referer check, when working CAN protect you from some attacks.  That's why this plug
    in does not disable it by default.

  Can a referer check be simulated in a plugin? And if so how?
    While we cannot check to see if each individual action came from an admin page, we
    can ensure that an admin page was recently used by that user.  If that user just
    accessed an admin page, allow the action to succeed.

  Problem: All action links change pages before taking effect.  So the page last viewed
    by the user by the time the admin referer check hits is ALWAYS an admin page.
  Solution: Create CurrentPage and LastPage scheme that tracks where the user was.
    This way we verify that an admin page was recently used.

  Problem: An admin could close their admin page without logging out.
  Solution: The nonce times out after 5 minutes. They are vulnerable for 5 minutes if
    they forget to log out.

  Problem: An admin could leave the admin area and go back to their blog without
    logging out.
  Solution: None - Admins often use one tab to admin their blog, and another to view it.
    Likewise, the preview has a non admin context.

*/

// ***************************************************************************************
//  Defined Constants
// ***************************************************************************************
  define(INVALID_MESSAGE1, 'INVALID NONCE UPON REGEN');
  define(INVALID_MESSAGE2, 'THE NEXT EVALUATION MUST FAIL');
  define(YES, 1);
  define(NO, 0);
  define(DEFAULT_TIMEOUT, 5);
  define(DEFAULT_POSTTIMEOUT, 10);
  define(DEBUGGING, YES);


// ***************************************************************************************
//  Pluggable Function replacements
// ***************************************************************************************

// Replace or add onto the admin referrer check with a timed nonce that ensures an admin
// page was accessed within the last 5 minutes.
if ( !function_exists('check_admin_referer') ) :
  function check_admin_referer() {
    $disablereferer = get_option( 'disablereferer');
    if ($disablereferer <> YES) {
      $adminurl = strtolower(get_settings('siteurl')).'/wp-admin';
      $referer = strtolower($_SERVER['HTTP_REFERER']);
      if (!strstr($referer, $adminurl) && !($referer === "")) {
        die(__('You did not come from an admin page or you are using a proxy.  WordPress cannot verify your identity.'));
      }
    }
    // Everywhere that the admin check is done, the nonce is verified.
    verify_user_nonce();
    do_action('check_admin_referer');
}
endif;


// Clear the nonce if the user logs out.
if ( !function_exists('wp_clearcookie') ) :
  function wp_clearcookie() {
    global $user_ID;

    // Clear all nonce info
    update_user_option($user_ID, 'lastpageviewed', '');
    update_user_option($user_ID, 'curpageviewed', '');
    update_user_option($user_ID, 'nonce', '');
    if (DEBUGGING == YES) update_user_option($user_ID, 'noncedecoded', '');

    setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
    setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
    setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
    setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
  }
endif;



// ***************************************************************************************
//  Helper Functions
// ***************************************************************************************
// ***************************************************************************************
//   SN4WP_config_page()
//
//   Adds the config page to the plugin submenu.
//
// ***************************************************************************************
function SN4WP_config_page() {
  global $wpdb;
  if ( function_exists('add_submenu_page') )
    add_submenu_page('plugins.php', __('SN4WP for Wordpress Configuration'), __('SN4WP Configuration'), 1, __FILE__, 'SN4WP_config');
} // SN4WP_config_page

// ***************************************************************************************
//   SN4WP_config
//
//   Displays and stores the values from a form that allows all plugin options to be
//   configured.
//
// ***************************************************************************************
function SN4WP_config() {
  if ( isset($_POST['submit']) ) {
    check_admin_referer();

    $timeout = $_POST['timeout'];
    update_option('sn4wp_timeout', $timeout);

    $posttimeout = $_POST['posttimeout'];
    update_option('sn4wp_posttimeout', $posttimeout);

    $disablereferer = $_POST['disablereferer'];
    update_option('sn4wp_disablereferer', $disablereferer);

    $onlyoneip = $_POST['onlyoneip'];
    update_option('sn4wp_onlyoneip', $onlyoneip);

    // Pump through two more nonce assignments in order to clear and 
    // revalidate the current nonce structure.
    assign_user_nonce();
    assign_user_nonce();
  }
  else {
    $timeout = get_option('sn4wp_timeout');
    if ($timeout <= 0) $timeout = DEFAULT_TIMEOUT;
    $posttimeout = get_option('sn4wp_posttimeout');
    if ($posttimeout <= 0) $posttimeout = DEFAULT_POSTTIMEOUT;
    $disablereferer = $_POST['disablereferer'];
    $onlyoneip = $_POST['onlyoneip'];
  }
 ?>

  <div class="wrap">
    <h2><?php _e('Simple Nonces for WordPress'); ?></h2>
    <p>This plugin adds security to your site by providing an admin user time out and several other security checks.</p>

    <form action="" method="post" id="SN4WP_config" style="margin: auto; width: 25em; ">
      <h3>Global Settings</h3>
      <p>
        <label for="timeout"><?php _e('How long can an admin remain logged in?'); ?></label><br/>
        <label for="timeout">Minutes: </label><input id="timeout" name="timeout" type="text" size="3" maxlength="3" value="<?php $timeout = get_option('sn4wp_timeout');if ($timeout <= 0) $timeout = DEFAULT_TIMEOUT;echo $timeout ?>" style="font-family: 'Courier New', Courier, mono; font-size: 1.5em;" />
      </p>

      <p>
        <label for="posttimeout"><?php _e('To allow a longer time for editing posts, change it here. (This also allows attackers a longer oportunity to try to delete posts.)'); ?></label><br/>
        <label for="posttimeout">Minutes:</label><input id="posttimeout" name="posttimeout" type="text" size="3" maxlength="3" value="<?php $posttimeout = get_option('sn4wp_posttimeout');if ($posttimeout <= 0) $posttimeout = DEFAULT_POSTTIMEOUT;echo $posttimeout ?>" style="font-family: 'Courier New', Courier, mono; font-size: 1.5em;" />
      </p>

      <p>
        <label for="disablereferer"><?php _e('You can disable the referer check if your browser cannot provide this information.'); ?></label><br/>
        <label for="disablereferer">Disable the referer check? </label><INPUT NAME="disablereferer" ID="disablereferer" TYPE=checkbox VALUE="1" <?php $disablereferer = get_option('sn4wp_disablereferer');if ($disablereferer == YES) echo "checked"; ?>>
      </p>

      <p>
        <label for="onlyoneip"><?php _e('Admins use only one ip per session.  Blocking other ip addresses can prevent attacks.  Some eastern European countries will not support this.'); ?></label><br/>
        <label for="onlyoneip">Force 1 IP per admin session? </label><INPUT NAME="onlyoneip" ID="onlyoneip" TYPE=checkbox VALUE="1" <?php $onlyoneip = get_option('sn4wp_onlyoneip');if ($onlyoneip == YES) echo "checked"; ?>>
      </p>

      <p class="submit">
        <input type="submit" name="submit" value="<?php _e('Submit &raquo;'); ?>" />
      </p>
    </form>
  </div>
<?php
}  // SN4WP_config

// ***************************************************************************************
//   SN4WP_warning
//
//   Displays an eye catching warning intended for the post page warning the user of the
//   admin action timeout period.
//
// ***************************************************************************************
function SN4WP_warning() {
  $posttimeout = get_option('sn4wp_posttimeout');
  if ($posttimeout <= 0) $posttimeout = 10;
  echo "
    <div id='SN4WP-warning' class='updated fade-ff0000'><p><strong>".__('You must save your post at least once every ' . $posttimeout . ' minutes or all changes will be lost.')."</strong> </p></div>
    <style type='text/css'>
    #adminmenu { margin-bottom: 5em; }
    #SN4WP-warning { position: absolute; top: 7em; }
    </style>
    ";
}  // SN4WP_warning

// ***************************************************************************************
//   assign_user_nonce
//
//   Creates a user level nonce and records it, and all relevant information in the user
//   options.
//
// ***************************************************************************************
function assign_user_nonce() {
  global $pagenow, $user_ID, $user_pass_md5;

  $curtime = time(); // (in seconds)
  $lastpageviewed = get_user_option( 'curpageviewed', $user_ID );
  $curpageviewed = $pagenow;
  $onlyoneip = get_option( 'sn4wp_onlyoneip');

  if (($lastpageviewed === 'post.php') && ($curpageviewed === 'post.php')) {
    $timeout = get_option('sn4wp_posttimeout');
    if ($timeout <= 0) $timeout = DEFAULT_POSTTIMEOUT;
  }
  else {
    $timeout = get_option('sn4wp_timeout');
    if ($timeout <= 0) $timeout = DEFAULT_TIMEOUT;
  }

  $timeout = $timeout * 60; // Convert time out to seconds.
  if ($onlyoneip == YES) {
    $salt = $_SERVER['REMOTE_ADDR'];
  }
  else {
    $salt = $user_pass_md5;
  }

  $oldnonce = get_user_option( 'nonce', $user_ID );
  // Degrade the cur page to the last pageviewed at this point
  $noncetime = get_user_option( 'noncetime', $user_ID );

  if (DEBUGGING == YES) $noncedecoded = get_user_option( 'noncedecoded', $user_ID );

  // This routine is called from every display of the admin menu.
  // EVERY admin action in WP results in an admin menu display.
  // That means a faked request from off site, hits this assign_user_nonce and then
  // it hits verify_user_nonce. Without any special checking in the nonce creation,
  // the verify nonce would always succeed.
  // Therefore we must make certain that previous screen/nonce was also valid, and
  // otherwise create a nonce that cannot succeed. If we did come from an adminpage
  // then a valid nonce should be created for the current page.
  // This if statement translates to:
  // If we have expired or the nonce is invalid, do our thing - UNLESS we already got in here last time around.
  if ((($curtime - $noncetime) > $timeout) || ((!(substr(md5($noncetime . DB_PASSWORD . $salt . $lastpageviewed), -20, 20) === $oldnonce))) && (!($curpageviewed === INVALID_MESSAGE2))) {
    // If the previous nonce is expired or invalid, force new nonce to fail to evaluate too.
    // This enforces that you came from a valid admin context.
    if (DEBUGGING == YES) {
      echo "Creation check failed: Time Passed: ". ($curtime - $noncetime)." timeout: $timeout, curtime: $curtime, NonceTime: $noncetime<br/>";
      echo "Creation check failed: noncedecoded: $noncedecoded ------ $oldnonce<br/>";
      echo "Creation check failed: compared to: $noncetime . ". DB_PASSWORD . " . $salt . $curpageviewed ------ " . substr(md5($noncetime . DB_PASSWORD . $salt . $curpageviewed), -20, 20) . "<br/>";
    }
    $lastpageviewed = INVALID_MESSAGE1;
    $curpageviewed = INVALID_MESSAGE2;
  }

  // NOTE: A PLUGIN OPTION WILL BE ADDED ENABLE INCLUDING THE USER'S IP ADDRESS IN THE NONCE
  $nonce= substr(md5($curtime . DB_PASSWORD . $salt . $curpageviewed), -20, 20);

  // Store the information needed to keep this rolling "last page" check valid.
  update_user_option($user_ID, 'lastpageviewed', $lastpageviewed);
  update_user_option($user_ID, 'curpageviewed', $curpageviewed);
  update_user_option($user_ID, 'noncetime', $curtime);
  update_user_option($user_ID, 'nonce', $nonce);
  if (DEBUGGING == YES) update_user_option($user_ID, 'noncedecoded', "$curtime . ". DB_PASSWORD . " . $salt . $curpageviewed");
}  // assign_user_nonce

// ***************************************************************************************
//   verify_user_nonce
//
//   If the nonce was created within the time out period and matches all criteria,
//   this call succeeds. Otherwise, a die() is issued.
//
//   This routine is called from the check_admin_referrer function.
//
// ***************************************************************************************
function verify_user_nonce() {
  global $pagenow, $user_ID, $user_pass_md5;
  $curtime = time(); // (in seconds)
  $lastpageviewed = get_user_option( 'lastpageviewed', $user_ID );
  $curpageviewed = get_user_option( 'curpageviewed', $user_ID );
  $onlyoneip = get_option( 'sn4wp_onlyoneip');
  if (($lastpageviewed === 'post.php') && ($curpageviewed === 'post.php')) {
    $timeout = get_option('sn4wp_posttimeout');
    if ($timeout <= 0) $timeout = 10;
  }
  else {
    $timeout = get_option('sn4wp_timeout');
    if ($timeout <= 0) $timeout = 5;
  }
  $timeout = $timeout * 60; // Convert time out to seconds.

  if ($onlyoneip == YES) {
    $salt = $_SERVER['REMOTE_ADDR'];
  }
  else {
    $salt = $user_pass_md5;
  }

  // Get the nonce and the page used to create it
  // This is now "Last Page" because the menu was redisplayed since the nonce was created.
  $oldnonce = get_user_option( 'nonce', $user_ID );
  $noncetime = get_user_option( 'noncetime', $user_ID );
  if (DEBUGGING == YES) $noncedecoded = get_user_option( 'noncedecoded', $user_ID );

  //Allow for expanding range, but only do one check if we can
  if ((($curtime - $noncetime) > $timeout) || ((!(substr(md5($noncetime . DB_PASSWORD . $salt . $lastpageviewed), -20, 20) === $oldnonce)))) {
    if (DEBUGGING == YES) {
      echo "Time Passed: ". ($curtime - $noncetime)." timeout: $timeout, curtime: $curtime, NonceTime: $noncetime<br/>";
      echo "Action Denied: $curtime . ". DB_PASSWORD . " . $salt . $lastpageviewed ------ " . substr(md5($curtime . DB_PASSWORD . $salt . $lastpageviewed), -20, 20) . "<br/>";
      echo "Compared to: $noncedecoded ------ $oldnonce<br/>";
    }

    // Since we are about to cancel out, let's take some extra time and verify we are not editing a post.
    // This will increase the risk but is really needed because editing just takes longer.
    // If we are editing a post, triple the allowed time.
   die('Your access has timed out after ' . $timeout/60 . ' minutes of inactivity.  Click <a href="index.php" title="Return to the Dashboard">here</a> to try again.');
  }
  else {
    if (DEBUGGING == YES) echo "Action Allowed: $curtime . ". DB_PASSWORD . " . $salt . $curpageviewed ------ " . substr(md5($curtime . DB_PASSWORD . $salt . $lastpageviewed), -20, 20) . "<br/>";
  }
}  // verify_user_nonce



// ***************************************************************************************
//  Initialization
// ***************************************************************************************

// If viewing the post page, display a warning that they must save or loose their work
if (( $pagenow === 'post.php') && !isset($_POST['submit']) ) {
  add_action('admin_footer', 'SN4WP_warning');
}

// Add the configuration page
add_action('admin_menu', 'SN4WP_config_page');

// Connect the nonce generation with the admin menu display
add_action('admin_menu', 'assign_user_nonce');

?>