Fix a bug in CloudFront signing and in fmp-status script.

bin/fpm-status.sh

@@ -18,4 +18,4 @@
 # last request cpu:     0.00
 # last request memory:  2097152
 
-env -i SCRIPT_NAME=/status SCRIPT_FILENAME=/status QUERY_STRING="full&html" REQUEST_METHOD=GET cgi-fcgi -bind -connect /sock/fpm.sock
+env -i SCRIPT_NAME=/status SCRIPT_FILENAME=/status QUERY_STRING="full" REQUEST_METHOD=GET cgi-fcgi -bind -connect /sock/fpm.sock

public/app/themes/clarity/inc/amazon-s3-and-cloudfront-signing.php

@@ -95,6 +95,27 @@ public function urlSafeBase64Encode(string $value): string
         );
     }
 
+    /**
+     * Url safe base64 decode a string.
+     * 
+     * Replace safe characters -, _ and ~ with the unsafe characters +, = and /.
+     * Required for CloudFront cookies (and URLs).
+     * 
+     * @param string $value The string to decode.
+     * @return string The decoded string.
+     */
+
+    public function urlSafeBase64Decode(string $value): string
+    {
+        return base64_decode(
+            str_replace(
+                ['-', '_', '~'],
+                ['+', '=', '/'],
+                $value
+            )
+        );
+    }
+
     /**
      * Get the remaining time from the user's CloudFront cookie.
      * 
@@ -108,13 +129,13 @@ public function remainingTimeFromCookie(): int
         $remaining_time = 0;
 
         try {
-            $policy = $_COOKIE['CloudFront-Policy'] ?? null;
+            $policy_base64 = $_COOKIE['CloudFront-Policy'] ?? null;
 
-            if (!$policy) {
+            if (!$policy_base64) {
                 return $remaining_time;
             }
 
-            preg_match('/"AWS:EpochTime":(\d+)}/', $policy, $matches);
+            preg_match('/"AWS:EpochTime":(\d+)}/', $this->urlSafeBase64Decode($policy_base64), $matches);
             $remaining_time =  isset($matches[1]) ? $matches[1] - $this->now : 0;
         } catch (Exception $e) {
             if (is_plugin_active('wp-sentry/wp-sentry.php')) {