

Ticket #16923: 16923.patch

File 16923.patch, 8.0 KB (added by dd32, 4 years ago)
  • wp-admin/includes/class-wp-upgrader.php

     
    389389                $this->strings['process_success'] = __('Plugin installed successfully.'); 
    390390        } 
    391391 
    392         function install($package) { 
     392        function install($package, $referer = '') { 
    393393 
    394394                $this->init(); 
    395395                $this->install_strings(); 
    396396 
     397                // Malware check 
     398                if ( false !== strpos($package, '://') ) { 
     399                        $malware = wp_passes_malware_check($package, $referer); 
     400                        if ( is_wp_error($malware) ) {; 
     401                                //$this->skin->header(); 
     402                                $this->skin->before(); 
     403                                $this->skin->error( $malware ); 
     404                                $this->skin->after(); 
     405                                //$this->skin->footer(); 
     406                                return $malware; 
     407                        } 
     408                } 
     409 
    397410                $this->run(array( 
    398411                                        'package' => $package, 
    399412                                        'destination' => WP_PLUGIN_DIR, 
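Review bot: The new guard in Plugin_Upgrader::install reads `if ( is_wp_error($malware) ) {;` — the semicolon after the opening brace is a stray empty statement and should be dropped: `if ( is_wp_error($malware) ) {`. The commented-out `//$this->skin->header();` and `//$this->skin->footer();` lines inside the error branch should be removed or replaced with a one-line comment stating that the caller has already emitted the admin header, since dead code around a security check invites later guessing. As far as this diff shows, only the plugin installer gains the malware check; Theme_Upgrader::install, which the update.php hunk still feeds `$api->download_link`, gets no equivalent call here, so themes from the same kind of URL would bypass it unless that is handled outside the patch. The `$referer` parameter is threaded through to wp_passes_malware_check, but note that the install() body continues past the end of this hunk.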
  • wp-admin/includes/plugin-install.php

     
    136136/** 
    137137 * Upload from zip 
    138138 * @since 2.8.0 
    139  * 
    140  * @param string $page 
    141139 */ 
    142 function install_plugins_upload( $page = 1 ) { 
     140function install_plugins_upload() { 
    143141?> 
    144142        <h4><?php _e('Install a plugin in .zip format') ?></h4> 
    145143        <p class="install-help"><?php _e('If you have a plugin in a .zip format, you may install it by uploading it here.') ?></p> 
     
    151149        </form> 
    152150<?php 
    153151} 
    154 add_action('install_plugins_upload', 'install_plugins_upload', 10, 1); 
     152add_action('install_plugins_upload', 'install_plugins_upload'); 
    155153 
    156154/** 
     155 * Sideload from arbitrary URL 
     156 * @since 3.1.0 
     157 */ 
     158function install_plugins_url() { 
     159        $url = !empty($_GET['url']) ? stripslashes($_GET['url']) : ''; 
     160?> 
     161        <h4><?php _e('Install a plugin from a URL') ?></h4> 
     162        <p class="install-help"><?php _e('If you have the URL to a plugin in .zip format, you may install it by providing the URL here.') ?></p> 
     163        <?php 
     164        if ( !empty($url) ) { 
     165                 
     166        } 
     167        ?> 
     168        <form method="post" action="<?php echo self_admin_url('update.php?action=sideload-plugin') ?>"> 
     169                <?php wp_nonce_field( 'plugin-sideload' ) ?> 
     170                <label class="screen-reader-text" for="pluginzip"><?php _e('URL to Plugin zip file'); ?></label> 
     171                <input type="input" type="text" class="large-text" id="pluginurl" name="pluginurl" value="<?php echo esc_attr($url); ?>" /> 
     172                <input type="submit" class="button" value="<?php esc_attr_e('Install Now') ?>" /> 
     173        </form> 
     174<?php 
     175} 
     176add_action('install_plugins_url', 'install_plugins_url'); 
     177 
     178/** 
    157179 * Display plugin content based on plugin list. 
    158180 * 
    159181 * @since 2.7.0 
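Review bot: The form markup in install_plugins_url has two defects: the label's `for="pluginzip"` does not match the input's `id="pluginurl"`, and the input carries a duplicated attribute `type="input" type="text"` (`input` is not a valid type value). Use `<label class="screen-reader-text" for="pluginurl">` and `<input type="text" class="large-text" id="pluginurl" name="pluginurl" value="<?php echo esc_attr($url); ?>" />`. The `if ( !empty($url) ) { }` block is empty and should be removed, or carry a comment such as `// TODO: show a notice that $url was pre-filled from the query string` if something is intended there. Reflecting `$_GET['url']` into the value attribute through esc_attr is the right escaping for that context; the URL itself is only validated later on the POST path, which is fine for a pre-fill.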
  • wp-admin/includes/update.php

     
    309316} 
    310317add_action( 'admin_notices', 'maintenance_nag' ); 
    311318 
     319/** 
     320 * Runs a supplied URL against the WordPress Malware checking API. 
     321 * 
     322 * The WordPress.org Malware checking API is designed to block known spam sites, These sites might for 
     323 * example, either provide themes/plugins which insert hidden links, or insert backdoors into themes/plugins. 
     324 * 
     325 * A Filter is available for sites/plugins to extend upon this API check, 'malware_check_api' and should return 
     326 * the same values as expexted from this function. 
     327 * This function will also check if the URL redirects to another site, and run that through the malware checking API as well. 
     328 * 
     329 * @param string $url The URL to check against 
     330 * @param string $ref The Referer of who has asked for the item to be installed 
     331 * @return bool|object True on success, WP_Error instance upon failure 
     332 */ 
     333function wp_passes_malware_check($url, $ref = '') { 
     334        $_url = parse_url($url); 
     335        if ( !$_url || empty($_url['host']) || empty($_url['path']) ) 
     336                return new WP_Error('invalid_url', __('An invalid URL was passed')); 
     337 
     338        // First check if this URL is a redirection 
     339        $site = wp_remote_head($url, array( 'timeout' => 10 ) ); 
     340        if ( ! is_wp_error($site) && isset($site['headers']['location']) ) // If it is, Save an API call and check the redirection directly 
     341                return wp_passes_malware_check($site['headers']['location']); 
     342 
     343        if ( ! empty( $ref ) ) 
     344                $ref = '&ref=' . urlencode($ref); 
     345 
     346        $api = wp_remote_get('http://api.wordpress.org/themes/malware-check/1.0/?url=' . urlencode($url) . $ref, array( 'timeout' => 10 ) ); 
     347        if ( is_wp_error($api) ) 
     348                return $api; 
     349 
     350        switch ( $api['body'] ) { 
     351                default: // default: The response was malformed, This could be raised by a faulty proxy or intercepted request (..or .org server failure) 
     352                case '-1': //  unknown URL. This URL should never have reached the API. 
     353                        return new WP_Error('invalid_url', __('An invalid URL was passed')); 
     354 
     355                case '0': // blacklisted URL. 
     356                        return new WP_Error('blacklisted_malware', sprintf(__("The URL specified has been blacklisted by WordPress.org's Malware checking service due to security concerns, Please see the <a href='%s'>Codex</a> for more information."), 'http://codex.wordpress.org/spammy_themes_and_plugins') ); //@TODO Codex link & Wording. 
     357 
     358                case '1': // Passes the checks. 
     359                        return apply_filters('malware_check_api', true, $url); 
     360        } 
     361} 
     362 
    312363?> 
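Review bot: The redirect handling in wp_passes_malware_check recurses with no depth limit — `return wp_passes_malware_check($site['headers']['location']);` — so a Location loop (A→B→A) keeps issuing HEAD requests until the recursion or execution limit is hit, and the recursive call also drops `$ref`. Add a bounded depth and forward the referer: `function wp_passes_malware_check($url, $ref = '', $depth = 0) {`, `if ( $depth > 5 ) return new WP_Error('too_many_redirects', __('The URL redirects too many times.'));`, and `return wp_passes_malware_check($site['headers']['location'], $ref, $depth + 1);`. The verdict is fetched over plain `http://api.wordpress.org/...`, so an on-path attacker can answer `1` and the install proceeds on a forged pass; the `default:` comment already anticipates intercepted requests, which is an argument for `https://` here if the API supports it. A relative Location header (no host) will fall into the `invalid_url` branch on the recursive call rather than being resolved against `$url`; worth either resolving it or a comment saying relative redirects are deliberately rejected. Finally, the check is a HEAD request separate from the later GET download, so a host can serve the two differently — inherent to a URL-reputation check, but worth stating in the docblock so nobody treats a pass as proof the fetched archive is clean.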
  • wp-admin/update.php

     
    113113 
    114114                $type = 'web'; //Install plugin type, From Web or an Upload. 
    115115 
    116                 $upgrader = new Plugin_Upgrader( new Plugin_Installer_Skin( compact('title', 'url', 'nonce', 'plugin', 'api') ) ); 
     116                $upgrader = new Plugin_Upgrader( new Plugin_Installer_Skin( compact('type', 'title', 'url', 'nonce', 'plugin', 'api') ) ); 
    117117                $upgrader->install($api->download_link); 
    118118 
    119119                include(ABSPATH . 'wp-admin/admin-footer.php'); 
     
    142142 
    143143                include(ABSPATH . 'wp-admin/admin-footer.php'); 
    144144 
     145        } elseif ( 'sideload-plugin' == $action ) { 
     146 
     147                if ( ! current_user_can('install_plugins') ) 
     148                        wp_die(__('You do not have sufficient permissions to install plugins for this site.')); 
     149 
     150                check_admin_referer('plugin-sideload'); 
     151 
     152                $download_url = esc_url_raw( stripslashes( $_POST['pluginurl'] ) ); 
     153 
     154                $title = __('Plugin Install'); 
     155                $parent_file = 'plugins.php'; 
     156                $submenu_file = 'plugin-install.php'; 
     157                require_once(ABSPATH . 'wp-admin/admin-header.php'); 
     158 
     159                $title = sprintf( __('Installing Plugin from URL: %s'), $download_url ); 
     160                $nonce = 'plugin-sideload'; 
     161                $url = 'update.php?action=sideload-plugin&pluginurl=' . urlencode( stripslashes( $_POST['pluginurl'] ) ); 
     162                $type = 'web'; 
     163 
     164                $upgrader = new Plugin_Upgrader( new Plugin_Installer_Skin( compact('type', 'title', 'url', 'nonce') ) ); 
     165                $upgrader->install( $download_url ); 
     166 
     167                include(ABSPATH . 'wp-admin/admin-footer.php'); 
     168 
    145169        } elseif ( 'upgrade-theme' == $action ) { 
    146170 
    147171                if ( ! current_user_can('update_themes') ) 
     
    213237                $url = 'update.php?action=install-theme&theme=' . $theme; 
    214238                $type = 'web'; //Install theme type, From Web or an Upload. 
    215239 
    216                 $upgrader = new Theme_Upgrader( new Theme_Installer_Skin( compact('title', 'url', 'nonce', 'plugin', 'api') ) ); 
     240                $upgrader = new Theme_Upgrader( new Theme_Installer_Skin( compact('type', 'title', 'url', 'nonce', 'theme', 'api') ) ); 
    217241                $upgrader->install($api->download_link); 
    218242 
    219243                include(ABSPATH . 'wp-admin/admin-footer.php'); 
     
    237261                $title = sprintf( __('Installing Theme from uploaded file: %s'), basename( $file_upload->filename ) ); 
    238262                $nonce = 'theme-upload'; 
    239263                $url = add_query_arg(array('package' => $file_upload->filename), 'update.php?action=upload-theme'); 
    240                 $type = 'upload'; //Install plugin type, From Web or an Upload. 
     264                $type = 'upload'; //Install theme type, From Web or an Upload. 
    241265 
    242266                $upgrader = new Theme_Upgrader( new Theme_Installer_Skin( compact('type', 'title', 'nonce', 'url') ) ); 
    243267                $upgrader->install( $file_upload->package );
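Review bot: In the new sideload-plugin branch, `$title = sprintf( __('Installing Plugin from URL: %s'), $download_url );` embeds user input that esc_url_raw sanitised for storage, not for HTML — it strips `<`, `>` and `"` but leaves `'` and `&` as-is — and the installer skin echoes the title outside this hunk, so build it as `$title = sprintf( __('Installing Plugin from URL: %s'), esc_html( $download_url ) );`. The `$referer` parameter that this patch adds to Plugin_Upgrader::install is never passed here (`$upgrader->install( $download_url );`), so the API's `ref` hint is unused from the one caller that has a user-supplied URL; either pass `wp_get_referer()` or drop the parameter. esc_url_raw accepts every protocol in WordPress's allowed list, not just http/https; whether the download layer rejects the others is not visible in this diff, so an explicit scheme check before constructing the upgrader would make the intent clear.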