author | Jake Spurlock <whyisjake@git.wordpress.org> | 2020-10-29 19:01:42 +0000 |
committer | Jake Spurlock <whyisjake@git.wordpress.org> | 2020-10-29 19:01:42 +0000 |
commit | 05a7b2bce228e1b9c8356f1286975dd542d9c6aa (patch) | |
tree | 5db5aec662887ef1b2027303ec2586771e84bf21 | |
parent | 87ed4449f3698f39e20ca5252de0a213c8adec7a (diff) | |
download | wordpress-05a7b2bce228e1b9c8356f1286975dd542d9c6aa.tar.gz wordpress-05a7b2bce228e1b9c8356f1286975dd542d9c6aa.zip |
General: WordPress updates
* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.
Brings the changes from [49380,49382-49388] to the 4.5 branch.
Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.
git-svn-id: https://develop.svn.wordpress.org/branches/4.5@49401 602fd350-edb4-49c9-b593-d223f7449a82
-rw-r--r-- | src/wp-admin/admin-header.php | 14 | ||||
-rw-r--r-- | src/wp-admin/custom-background.php | 1 | ||||
-rw-r--r-- | src/wp-admin/custom-header.php | 2 | ||||
-rw-r--r-- | src/wp-admin/includes/media.php | 2 | ||||
-rw-r--r-- | src/wp-admin/includes/ms.php | 2 | ||||
-rw-r--r-- | src/wp-admin/includes/template.php | 12 | ||||
-rw-r--r-- | src/wp-admin/js/custom-background.js | 2 | ||||
-rw-r--r-- | src/wp-admin/js/media-gallery.js | 4 | ||||
-rw-r--r-- | src/wp-admin/media-new.php | 4 | ||||
-rw-r--r-- | src/wp-admin/network/site-users.php | 2 | ||||
-rw-r--r-- | src/wp-includes/class-wp-xmlrpc-server.php | 19 | ||||
-rw-r--r-- | src/wp-includes/formatting.php | 13 | ||||
-rw-r--r-- | src/wp-includes/meta.php | 5 | ||||
-rw-r--r-- | tests/phpunit/tests/formatting/Utf8UriEncode.php | 2 | ||||
-rw-r--r-- | tests/phpunit/tests/meta/isProtectedMeta.php | 55 |
15 files changed, 109 insertions, 30 deletions
diff --git a/src/wp-admin/admin-header.php b/src/wp-admin/admin-header.php
index e471ff931d..70a9baec16 100644
--- a/src/wp-admin/admin-header.php
+++ b/src/wp-admin/admin-header.php
@@ -70,13 +70,13 @@ wp_enqueue_script( 'svg-painter' );
 $admin_body_class = preg_replace('/[^a-z0-9_-]+/i', '-', $hook_suffix);
 ?>
 <script type="text/javascript">
-addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
- pagenow = '<?php echo $current_screen->id; ?>',
- typenow = '<?php echo $current_screen->post_type; ?>',
- adminpage = '<?php echo $admin_body_class; ?>',
- thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
- decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
+addLoadEvent = function(func){if(typeof jQuery!=='undefined')jQuery(document).ready(func);else if(typeof wpOnload!=='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
+ pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
+ typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
+ adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
+ thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
+ decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
 isRtl = <?php echo (int) is_rtl(); ?>;
 </script>
 <meta name="viewport" content="width=device-width,initial-scale=1.0">
diff --git a/src/wp-admin/custom-background.php b/src/wp-admin/custom-background.php
index dba32c661e..2e7776c6c3 100644
--- a/src/wp-admin/custom-background.php
+++ b/src/wp-admin/custom-background.php 
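Review bot: The inline bootstrap script escaped here (ajaxurl/pagenow/typenow/adminpage/thousandsSeparator/decimalPoint) is duplicated verbatim in wp-admin/includes/template.php in this same commit, with a third variant in includes/media.php, so the escaping has to be kept in sync by hand across three files; a small shared helper that prints the block once would make the next hardening pass a one-line change. The values being escaped are server-side strings (screen id, post type, locale separators, an admin URL), so esc_js() is defence in depth here rather than a fix for user-controlled input; a comment such as `// esc_js(): values come from WP internals, escaped for defence in depth.` above the `var ajaxurl` line would stop a future reader hunting for an injection path. The `!=` → `!==` rewrite of addLoadEvent is unrelated to the security intent of the commit and would be easier to audit in its own changeset.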
@@ -464,6 +464,7 @@ if ( current_theme_supports( 'custom-background', 'default-color' ) )
 * @deprecated 3.5.0
 */
 public function wp_set_background_image() {
+ check_ajax_referer( 'custom-background' );
 if ( ! current_user_can('edit_theme_options') || ! isset( $_POST['attachment_id'] ) ) exit;
 $attachment_id = absint($_POST['attachment_id']);
 /** This filter is documented in wp-admin/includes/media.php */
diff --git a/src/wp-admin/custom-header.php b/src/wp-admin/custom-header.php
index a46bd94b7f..6ce6a028c1 100644
--- a/src/wp-admin/custom-header.php
+++ b/src/wp-admin/custom-header.php
@@ -326,7 +326,7 @@ class Custom_Image_Header {
 ?>
 <script type="text/javascript">
 (function($){
- var default_color = '<?php echo $default_color; ?>',
+ var default_color = '<?php echo esc_js( $default_color ); ?>',
 header_text_fields;
 function pickColor(color) {
diff --git a/src/wp-admin/includes/media.php b/src/wp-admin/includes/media.php
index daf490227a..99435c6c05 100644
--- a/src/wp-admin/includes/media.php
+++ b/src/wp-admin/includes/media.php
@@ -464,7 +464,7 @@ wp_enqueue_style( 'ie' );
 ?>
 <script type="text/javascript">
 addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
 isRtl = <?php echo (int) is_rtl(); ?>;
 </script>
 <?php
diff --git a/src/wp-admin/includes/ms.php b/src/wp-admin/includes/ms.php
index 6e8fb07ea3..daa4e7c4b6 100644
--- a/src/wp-admin/includes/ms.php
+++ b/src/wp-admin/includes/ms.php 
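Review bot: The new `check_ajax_referer( 'custom-background' )` only protects this handler if the pages whose JS calls it actually render a nonce with that action into `#_wpnonce`, and neither nonce field is visible in this diff; the legacy caller in media-gallery.js runs inside the media-upload popup, whose form nonce may carry a different action, in which case the referer check dies with -1 and the old "Set as background" button fails silently. Worth confirming that both pages emit `wp_nonce_field( 'custom-background' )`, or explicitly retiring the popup path. The two failure modes are also inconsistent: a bad nonce ends in the wp_die() that check_ajax_referer() performs, while a missing capability still hits the bare `exit` on the next line, so `if ( ! current_user_can( 'edit_theme_options' ) || ! isset( $_POST['attachment_id'] ) ) { wp_die( -1, 403 ); }` would give callers one response shape for both. wp_set_background_image() continues past the end of the hunk.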
@@ -989,7 +989,7 @@ function can_edit_network( $site_id ) {
 function _thickbox_path_admin_subfolder() {
 ?>
 <script type="text/javascript">
-var tb_pathToImage = "<?php echo includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ); ?>";
+var tb_pathToImage = "<?php echo esc_js( includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ) ); ?>";
 </script>
 <?php
 }
diff --git a/src/wp-admin/includes/template.php b/src/wp-admin/includes/template.php
index f57f249954..326a8590ab 100644
--- a/src/wp-admin/includes/template.php
+++ b/src/wp-admin/includes/template.php
@@ -1584,12 +1584,12 @@ wp_enqueue_style( 'colors' );
 <script type="text/javascript">
 addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
 function tb_close(){var win=window.dialogArguments||opener||parent||top;win.tb_remove();}
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
- pagenow = '<?php echo $current_screen->id; ?>',
- typenow = '<?php echo $current_screen->post_type; ?>',
- adminpage = '<?php echo $admin_body_class; ?>',
- thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
- decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
+ pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
+ typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
+ adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
+ thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
+ decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
 isRtl = <?php echo (int) is_rtl(); ?>;
 </script>
 <?php 
diff --git a/src/wp-admin/js/custom-background.js b/src/wp-admin/js/custom-background.js
index 81fd59170c..8d15e69193 100644
--- a/src/wp-admin/js/custom-background.js
+++ b/src/wp-admin/js/custom-background.js
@@ -56,11 +56,13 @@
 frame.on( 'select', function() {
 // Grab the selected attachment.
 var attachment = frame.state().get('selection').first();
+ var nonceValue = $( '#_wpnonce' ).val() || '';
 // Run an AJAX request to set the background image.
 $.post( ajaxurl, {
 action: 'set-background-image',
 attachment_id: attachment.id,
+ _ajax_nonce: nonceValue,
 size: 'full'
 }).done( function() {
 // When the request completes, reload the window.
diff --git a/src/wp-admin/js/media-gallery.js b/src/wp-admin/js/media-gallery.js
index 52da393dcc..8489d5c447 100644
--- a/src/wp-admin/js/media-gallery.js
+++ b/src/wp-admin/js/media-gallery.js
@@ -1,7 +1,7 @@
 /* global ajaxurl */
 jQuery(function($){
 $( 'body' ).bind( 'click.wp-gallery', function(e){
- var target = $( e.target ), id, img_size;
+ var target = $( e.target ), id, img_size, nonceValue;
 if ( target.hasClass( 'wp-set-header' ) ) {
 ( window.dialogArguments || opener || parent || top ).location.href = target.data( 'location' );
@@ -9,10 +9,12 @@ jQuery(function($){
 } else if ( target.hasClass( 'wp-set-background' ) ) {
 id = target.data( 'attachment-id' );
 img_size = $( 'input[name="attachments[' + id + '][image-size]"]:checked').val();
+ nonceValue = $( '#_wpnonce' ).val() && '';
 jQuery.post(ajaxurl, {
 action: 'set-background-image',
 attachment_id: id,
+ _ajax_nonce: nonceValue,
 size: img_size
 }, function(){
 var win = window.dialogArguments || opener || parent || top;
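Review bot: `nonceValue = $( '#_wpnonce' ).val() && '';` in the second media-gallery.js hunk looks like a typo for `||`: with `&&`, a present nonce evaluates to the empty string and a missing one to `undefined`, so `_ajax_nonce` never carries a real value and the server-side `check_ajax_referer( 'custom-background' )` added in this same commit will reject every request from this code path. The sibling change in custom-background.js uses `|| ''`, which is the intended form. Change the line to `nonceValue = $( '#_wpnonce' ).val() || '';`. The enclosing click handler starts and ends outside the hunk, but the operator is wrong regardless of the surrounding context.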
@@ -72,9 +72,9 @@ if ( get_user_setting('uploader') || isset( $_GET['browser-uploader'] ) )
 <?php media_upload_form(); ?>
 <script type="text/javascript">
- var post_id = <?php echo $post_id; ?>, shortform = 3;
+ var post_id = <?php echo absint( $post_id ); ?>, shortform = 3;
 </script>
- <input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
+ <input type="hidden" name="post_id" id="post_id" value="<?php echo absint( $post_id ); ?>" />
 <?php wp_nonce_field('media-form'); ?>
 <div id="media-items" class="hide-if-no-js"></div>
 </form>
diff --git a/src/wp-admin/network/site-users.php b/src/wp-admin/network/site-users.php
index 77122e82c2..02ef76453c 100644
--- a/src/wp-admin/network/site-users.php
+++ b/src/wp-admin/network/site-users.php
@@ -197,7 +197,7 @@ if ( ! wp_is_large_network( 'users' ) && apply_filters( 'show_network_site_users
 require( ABSPATH . 'wp-admin/admin-header.php' ); ?>
 <script type="text/javascript">
-var current_site_id = <?php echo $id; ?>;
+var current_site_id = <?php echo absint( $id ); ?>;
 </script>
diff --git a/src/wp-includes/class-wp-xmlrpc-server.php b/src/wp-includes/class-wp-xmlrpc-server.php
index 8916e577a3..6312716c73 100644
--- a/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/src/wp-includes/class-wp-xmlrpc-server.php
@@ -3571,6 +3571,21 @@ class wp_xmlrpc_server extends IXR_Server {
 return new IXR_Error( 403, __( 'Sorry, comments are closed for this item.' ) );
 }
+ if (
+ 'publish' === get_post_status( $post_id ) &&
+ ! current_user_can( 'edit_post', $post_id ) &&
+ post_password_required( $post_id )
+ ) {
+ return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+ }
+
+ if (
+ 'private' === get_post_status( $post_id ) &&
+ ! current_user_can( 'read_post', $post_id )
+ ) {
+ return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+ }
+
 $comment = array();
 $comment['comment_post_ID'] = $post_id; 
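Review bot: The two guards added to wp.newComment cover only `publish` (when password-protected) and `private`; a post in `draft`, `pending` or `future` status passes both conditions untouched, so unless something earlier in the method (outside this hunk) rejects those statuses, an XML-RPC caller can still attach a comment to unpublished content that `comments_open()` alone does not block. Worth checking the top of the method and, if nothing there covers it, widening the second check to `if ( 'publish' !== get_post_status( $post_id ) && ! current_user_can( 'read_post', $post_id ) )` so every non-public status falls under the read_post capability. Separately, `get_post_status( $post_id )` is evaluated twice in a row; a local `$post_status = get_post_status( $post_id );` above the first `if` would make the pair easier to read and extend. wp.newComment begins before and ends after this hunk.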
@@ -3949,8 +3964,10 @@ class wp_xmlrpc_server extends IXR_Server {
 /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
 do_action( 'xmlrpc_call', 'wp.getMediaItem' );
- if ( ! $attachment = get_post($attachment_id) )
+ $attachment = get_post( $attachment_id );
+ if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
 return new IXR_Error( 404, __( 'Invalid attachment ID.' ) );
+ }
 return $this->_prepare_media_item( $attachment );
 }
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
index 0d79886b2b..1555bcdc5e 100644
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@@ -1070,9 +1070,9 @@ function wp_check_invalid_utf8( $string, $strip = false ) {
 * @return string String with Unicode encoded for URI.
 */
 function utf8_uri_encode( $utf8_string, $length = 0 ) {
- $unicode = '';
- $values = array();
- $num_octets = 1;
+ $unicode = '';
+ $values = array();
+ $num_octets = 1;
 $unicode_length = 0;
 mbstring_binary_safe_encoding();
@@ -1084,9 +1084,10 @@ function utf8_uri_encode( $utf8_string, $length = 0 ) {
 $value = ord( $utf8_string[ $i ] );
 if ( $value < 128 ) {
- if ( $length && ( $unicode_length >= $length ) )
+ if ( $length && ( $unicode_length >= $length ) ) {
 break;
- $unicode .= chr($value);
+ }
+ $unicode .= chr( $value );
 $unicode_length++;
 } else {
 if ( count( $values ) == 0 ) {
@@ -1606,7 +1607,7 @@ function sanitize_title_with_dashes( $title, $raw_title = '', $context = 'displa
 if (function_exists('mb_strtolower')) {
 $title = mb_strtolower($title, 'UTF-8');
 }
- $title = utf8_uri_encode($title, 200);
+ $title = utf8_uri_encode( $title, 200 );
 }
 $title = strtolower($title);
diff --git a/src/wp-includes/meta.php b/src/wp-includes/meta.php
index ce74698748..04d47839a4 100644
--- a/src/wp-includes/meta.php
+++ b/src/wp-includes/meta.php 
@@ -916,8 +916,9 @@ function _get_meta_table($type) {
 * @param string|null $meta_type
 * @return bool True if the key is protected, false otherwise.
 */
-function is_protected_meta( $meta_key, $meta_type = null ) {
- $protected = ( '_' == $meta_key[0] );
+function is_protected_meta( $meta_key, $meta_type = '' ) {
+ $sanitized_key = preg_replace( "/[^\x20-\x7E\p{L}]/", '', $meta_key );
+ $protected = strlen( $sanitized_key ) > 0 && ( '_' === $sanitized_key[0] );
 /**
 * Filter whether a meta key is protected.
diff --git a/tests/phpunit/tests/formatting/Utf8UriEncode.php b/tests/phpunit/tests/formatting/Utf8UriEncode.php
index 2389c9a345..e5724441f8 100644
--- a/tests/phpunit/tests/formatting/Utf8UriEncode.php
+++ b/tests/phpunit/tests/formatting/Utf8UriEncode.php
@@ -12,7 +12,7 @@ class Tests_Formatting_Utf8UriEncode extends WP_UnitTestCase {
 * @dataProvider data
 */
 function test_percent_encodes_non_reserved_characters( $utf8, $urlencoded ) {
- $this->assertEquals($urlencoded, utf8_uri_encode( $utf8 ) );
+ $this->assertEquals( $urlencoded, utf8_uri_encode( $utf8 ) );
 }
 /**
diff --git a/tests/phpunit/tests/meta/isProtectedMeta.php b/tests/phpunit/tests/meta/isProtectedMeta.php
new file mode 100644
index 0000000000..c204d381f5
--- /dev/null
+++ b/tests/phpunit/tests/meta/isProtectedMeta.php 
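Review bot: The strip pattern `"/[^\x20-\x7E\p{L}]/"` in is_protected_meta() carries no `u` modifier, so PCRE works byte by byte and `\p{L}` is judged against the Latin-1 code point of each byte: the lead byte of most multibyte UTF-8 characters (0xC2–0xF4, except 0xD7) counts as a letter and survives while most continuation bytes in 0x80–0xBF are dropped, which is why the `ąŌ_…` test case reads as unprotected (its lead byte 0xC4 is kept) and why an invisible code point with a letter-class lead byte, such as U+200B starting with 0xE2, would also leave a non-`_` first byte — the same answer the old `$meta_key[0]` check gave, so not a regression, but nothing in the code says the byte-wise behaviour is deliberate. Adding `u` is not a drop-in fix: preg_replace() then returns null for the lone high bytes chr(127)–chr(159) the new test feeds in, and `strlen( null )` would silently flip them to unprotected. I would add `// Deliberately byte-wise (no /u): lone control/high bytes are stripped instead of failing the match.` above the preg_replace, and harden the assignment to `$sanitized_key = (string) preg_replace( "/[^\x20-\x7E\p{L}]/", '', $meta_key );` so a PCRE error can never reach strlen() as null. The `protected_meta` filter call that follows continues outside the hunk.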
@@ -0,0 +1,55 @@
+<?php
+
+/**
+ * @group meta
+ * @covers ::is_protected_meta
+ */
+class Tests_Meta_isProtectedMeta extends WP_UnitTestCase {
+
+ /**
+ * @dataProvider protected_data
+ */
+ public function test_protected( $key ) {
+ $this->assertTrue( is_protected_meta( $key ) );
+ }
+
+ public function protected_data() {
+ $protected_keys = array(
+ array( '_wp_attachment' ),
+ );
+ for ( $i = 0, $max = 31; $i < $max; $i ++ ) {
+ $protected_keys[] = array( chr( $i ) . '_wp_attachment' );
+ }
+ for ( $i = 127, $max = 159; $i <= $max; $i ++ ) {
+ $protected_keys[] = array( chr( $i ) . '_wp_attachment' );
+ }
+ $protected_keys[] = array( chr( 95 ) . '_wp_attachment' );
+
+ return $protected_keys;
+ }
+
+ /**
+ * @dataProvider unprotected_data
+ */
+ public function test_unprotected( $key ) {
+ $this->assertFalse( is_protected_meta( $key ) );
+ }
+
+ public function unprotected_data() {
+ $unprotected_keys = array(
+ array( 'singleword' ),
+ array( 'two_words' ),
+ array( 'ąŌ_not_so_protected_meta' ),
+ );
+
+ for ( $i = 32, $max = 94; $i <= $max; $i ++ ) {
+ $unprotected_keys[] = array( chr( $i ) . '_wp_attachment' );
+ }
+ for ( $i = 96, $max = 126; $i <= $max; $i ++ ) {
+ $unprotected_keys[] = array( chr( $i ) . '_wp_attachment' );
+ }
+
+ return $unprotected_keys;
+ }
+
+} |
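Review bot: The data providers only exercise single-byte prefixes (chr(0)–chr(159)) plus one two-letter Latin prefix, so nothing pins down how is_protected_meta() treats the multibyte invisible characters this hardening is presumably aimed at — a zero-width space or a BOM in front of `_wp_attachment`. Because the sanitiser runs without the `u` modifier, whether such a prefix is stripped depends on its lead byte, and a test would document which outcome is intended, e.g. `array( "\xE2\x80\x8B_wp_attachment" )` placed in whichever provider matches the expected result. The `$i < $max` bound on the first loop also means chr(31) is never tested while the other three loops use `<=`; making all four inclusive (or adding 31 explicitly) closes that gap. A short docblock on protected_data() and unprotected_data() explaining why chr(95) (`_`) sits in the protected list and why 127–159 are expected to be stripped would help the next reader.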