
Ticket #16923: 16923.patch

File 16923.patch, 8.0 KB (added by dd32, 7 years ago)
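--- a/wp-admin/includes/class-wp-upgrader.php
+++ b/wp-admin/includes/class-wp-upgrader.php
@@ -389,11 +389,24 @@
                 $this->strings['process_success'] = __('Plugin installed successfully.');
         }
 
-        function install($package) {
+        function install($package, $referer = '') {
 
                 $this->init();
                 $this->install_strings();
 
+                // Malware check
+                if ( false !== strpos($package, '://') ) {
+                        $malware = wp_passes_malware_check($package, $referer);
+                        if ( is_wp_error($malware) ) {;
+                                //$this->skin->header();
+                                $this->skin->before();
+                                $this->skin->error( $malware );
+                                $this->skin->after();
+                                //$this->skin->footer();
+                                return $malware;
+                        }
+                }
+
                 $this->run(array(
                                         'package' => $package,
                                         'destination' => WP_PLUGIN_DIR,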
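Review bot: The line `if ( is_wp_error($malware) ) {;` at new line 400 carries a stray `;` after the opening brace, and the neighbouring `//$this->skin->header();` / `//$this->skin->footer();` lines are commented-out code that should be removed or replaced by a comment explaining why before()/after() alone are sufficient here. The new `$referer` parameter is undocumented; the method docblock (outside this hunk) should gain `@param string $referer Referer of the install request, forwarded to wp_passes_malware_check() as its $ref`. Since the check is keyed on `'://'` in `$package`, only remote packages are screened, which deserves an explicit comment such as `// Local (uploaded) packages skip the remote malware check`. install()'s body continues past the end of the hunk.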
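--- a/wp-admin/includes/plugin-install.php
+++ b/wp-admin/includes/plugin-install.php
@@ -136,10 +136,8 @@
 /**
  * Upload from zip
  * @since 2.8.0
- *
- * @param string $page
  */
-function install_plugins_upload( $page = 1 ) {
+function install_plugins_upload() {
 ?>
         <h4><?php _e('Install a plugin in .zip format') ?></h4>
         <p class="install-help"><?php _e('If you have a plugin in a .zip format, you may install it by uploading it here.') ?></p>
@@ -151,9 +149,33 @@
         </form>
 <?php
 }
-add_action('install_plugins_upload', 'install_plugins_upload', 10, 1);
+add_action('install_plugins_upload', 'install_plugins_upload');
 
 /**
+ * Sideload from arbitrary URL
+ * @since 3.1.0
+ */
+function install_plugins_url() {
+        $url = !empty($_GET['url']) ? stripslashes($_GET['url']) : '';
+?>
+        <h4><?php _e('Install a plugin from a URL') ?></h4>
+        <p class="install-help"><?php _e('If you have the URL to a plugin in .zip format, you may install it by providing the URL here.') ?></p>
+        <?php
+        if ( !empty($url) ) {
+               
+        }
+        ?>
+        <form method="post" action="<?php echo self_admin_url('update.php?action=sideload-plugin') ?>">
+                <?php wp_nonce_field( 'plugin-sideload' ) ?>
+                <label class="screen-reader-text" for="pluginzip"><?php _e('URL to Plugin zip file'); ?></label>
+                <input type="input" type="text" class="large-text" id="pluginurl" name="pluginurl" value="<?php echo esc_attr($url); ?>" />
+                <input type="submit" class="button" value="<?php esc_attr_e('Install Now') ?>" />
+        </form>
+<?php
+}
+add_action('install_plugins_url', 'install_plugins_url');
+
+/**
  * Display plugin content based on plugin list.
  *
  * @since 2.7.0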
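Review bot: The URL field in install_plugins_url() (second hunk, new line 171) is emitted with two `type` attributes, `type="input" type="text"`, which is invalid markup, and the `<label for="pluginzip">` on the line above does not match the field's `id="pluginurl"`, so the screen-reader label is not associated with the control; change them to `<label class="screen-reader-text" for="pluginurl">` and `<input type="text" class="large-text" id="pluginurl" name="pluginurl" value="<?php echo esc_attr($url); ?>" />`. The `if ( !empty($url) ) { }` block above the form is empty and should be removed or given its intended body. A short comment on the `$url` line, `// Pre-fills the field only; the URL is validated by the sideload-plugin handler in update.php`, would make clear that this function does not itself validate the value it echoes via esc_attr().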
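--- a/wp-admin/includes/update.php
+++ b/wp-admin/includes/update.php
@@ -309,4 +316,48 @@
 }
 add_action( 'admin_notices', 'maintenance_nag' );
 
+/**
+ * Runs a supplied URL against the WordPress Malware checking API.
+ *
+ * The WordPress.org Malware checking API is designed to block known spam sites, These sites might for
+ * example, either provide themes/plugins which insert hidden links, or insert backdoors into themes/plugins.
+ *
+ * A Filter is available for sites/plugins to extend upon this API check, 'malware_check_api' and should return
+ * the same values as expexted from this function.
+ * This function will also check if the URL redirects to another site, and run that through the malware checking API as well.
+ *
+ * @param string $url The URL to check against
+ * @param string $ref The Referer of who has asked for the item to be installed
+ * @return bool|object True on success, WP_Error instance upon failure
+ */
+function wp_passes_malware_check($url, $ref = '') {
+        $_url = parse_url($url);
+        if ( !$_url || empty($_url['host']) || empty($_url['path']) )
+                return new WP_Error('invalid_url', __('An invalid URL was passed'));
+
+        // First check if this URL is a redirection
+        $site = wp_remote_head($url, array( 'timeout' => 10 ) );
+        if ( ! is_wp_error($site) && isset($site['headers']['location']) ) // If it is, Save an API call and check the redirection directly
+                return wp_passes_malware_check($site['headers']['location']);
+
+        if ( ! empty( $ref ) )
+                $ref = '&ref=' . urlencode($ref);
+
+        $api = wp_remote_get('http://api.wordpress.org/themes/malware-check/1.0/?url=' . urlencode($url) . $ref, array( 'timeout' => 10 ) );
+        if ( is_wp_error($api) )
+                return $api;
+
+        switch ( $api['body'] ) {
+                default: // default: The response was malformed, This could be raised by a faulty proxy or intercepted request (..or .org server failure)
+                case '-1': //  unknown URL. This URL should never have reached the API.
+                        return new WP_Error('invalid_url', __('An invalid URL was passed'));
+
+                case '0': // blacklisted URL.
+                        return new WP_Error('blacklisted_malware', sprintf(__("The URL specified has been blacklisted by WordPress.org's Malware checking service due to security concerns, Please see the <a href='%s'>Codex</a> for more information."), 'http://codex.wordpress.org/spammy_themes_and_plugins') ); //@TODO Codex link & Wording.
+
+                case '1': // Passes the checks.
+                        return apply_filters('malware_check_api', true, $url);
+        }
+}
+
 ?>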
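Review bot: The redirect branch at new line 341 recurses into wp_passes_malware_check() with no hop limit and without forwarding `$ref`, so a redirect loop between two URLs never terminates (each hop costing a 10 s HEAD) and the referer is lost after the first hop; a relative `Location` value also fails the host check at line 335 instead of being resolved against `$url`. The verdict is fetched over plain `http://api.wordpress.org/...` at line 346, so the `'1'` body can be altered in transit by anyone on the path; request the API over https. The `malware_check_api` filter is applied only on the `'1'` branch, so it cannot return "the same values as expected from this function" for blacklisted or invalid URLs as the docblock (which also misspells "expected") says — either apply it to every return value or narrow the docblock. A malformed or non-200 API response is reported as `invalid_url`, which is fail-closed but indistinguishable from bad input for whoever reads the error; a distinct code such as `malware_check_failed` would help triage.
```php
function wp_passes_malware_check($url, $ref = '', $hops = 0) {
	// … unchanged: parse_url validation …

	// Bound the redirect chain so a redirect loop cannot recurse forever.
	if ( $hops >= 5 ) // constructed limit; align with the redirect limit used elsewhere in WP_Http
		return new WP_Error('too_many_redirects', __('The URL redirected too many times'));

	// First check if this URL is a redirection
	$site = wp_remote_head($url, array( 'timeout' => 10 ) );
	if ( ! is_wp_error($site) && isset($site['headers']['location']) ) // If it is, Save an API call and check the redirection directly
		return wp_passes_malware_check($site['headers']['location'], $ref, $hops + 1);

	// … unchanged: API call and response handling …
```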
  • wp-admin/update.php

     
    113113
    114114                $type = 'web'; //Install plugin type, From Web or an Upload.
    115115
    116                 $upgrader = new Plugin_Upgrader( new Plugin_Installer_Skin( compact('title', 'url', 'nonce', 'plugin', 'api') ) );
     116                $upgrader = new Plugin_Upgrader( new Plugin_Installer_Skin( compact('type', 'title', 'url', 'nonce', 'plugin', 'api') ) );
    117117                $upgrader->install($api->download_link);
    118118
    119119                include(ABSPATH . 'wp-admin/admin-footer.php');
     
    142142
    143143                include(ABSPATH . 'wp-admin/admin-footer.php');
    144144
     145        } elseif ( 'sideload-plugin' == $action ) {
     146
     147                if ( ! current_user_can('install_plugins') )
     148                        wp_die(__('You do not have sufficient permissions to install plugins for this site.'));
     149
     150                check_admin_referer('plugin-sideload');
     151
     152                $download_url = esc_url_raw( stripslashes( $_POST['pluginurl'] ) );
     153
     154                $title = __('Plugin Install');
     155                $parent_file = 'plugins.php';
     156                $submenu_file = 'plugin-install.php';
     157                require_once(ABSPATH . 'wp-admin/admin-header.php');
     158
     159                $title = sprintf( __('Installing Plugin from URL: %s'), $download_url );
     160                $nonce = 'plugin-sideload';
     161                $url = 'update.php?action=sideload-plugin&pluginurl=' . urlencode( stripslashes( $_POST['pluginurl'] ) );
     162                $type = 'web';
     163
     164                $upgrader = new Plugin_Upgrader( new Plugin_Installer_Skin( compact('type', 'title', 'url', 'nonce') ) );
     165                $upgrader->install( $download_url );
     166
     167                include(ABSPATH . 'wp-admin/admin-footer.php');
     168
    145169        } elseif ( 'upgrade-theme' == $action ) {
    146170
    147171                if ( ! current_user_can('update_themes') )
     
    213237                $url = 'update.php?action=install-theme&theme=' . $theme;
    214238                $type = 'web'; //Install theme type, From Web or an Upload.
    215239
    216                 $upgrader = new Theme_Upgrader( new Theme_Installer_Skin( compact('title', 'url', 'nonce', 'plugin', 'api') ) );
     240                $upgrader = new Theme_Upgrader( new Theme_Installer_Skin( compact('type', 'title', 'url', 'nonce', 'theme', 'api') ) );
    217241                $upgrader->install($api->download_link);
    218242
    219243                include(ABSPATH . 'wp-admin/admin-footer.php');
     
    237261                $title = sprintf( __('Installing Theme from uploaded file: %s'), basename( $file_upload->filename ) );
    238262                $nonce = 'theme-upload';
    239263                $url = add_query_arg(array('package' => $file_upload->filename), 'update.php?action=upload-theme');
    240                 $type = 'upload'; //Install plugin type, From Web or an Upload.
     264                $type = 'upload'; //Install theme type, From Web or an Upload.
    241265
    242266                $upgrader = new Theme_Upgrader( new Theme_Installer_Skin( compact('type', 'title', 'nonce', 'url') ) );
    243267                $upgrader->install( $file_upload->package );