Ticket #43308: wordpress-mitigate-cve-2018-6389.patch

wp-admin/load-scripts.php

@@ -5 +5 @@
  *
  * Set this to error_reporting( -1 ) for debugging.
  */
-error_reporting( 0 );
+error_reporting(0);
 
 /** Set ABSPATH for execution */
 if ( ! defined( 'ABSPATH' ) ) {
         define( 'ABSPATH', dirname( dirname( __FILE__ ) ) . '/' );
 }
 
-define( 'WPINC', 'wp-includes' );
-
 $load = $_GET['load'];
-if ( is_array( $load ) ) {
+if ( is_array( $load ) )
         $load = implode( '', $load );
-}
 
 $load = preg_replace( '/[^a-z0-9,_-]+/i', '', $load );
 $load = array_unique( explode( ',', $load ) );
 
-if ( empty( $load ) ) {
+if ( empty($load) )
         exit;
+
+function get_file($path) {
+
+        if ( function_exists('realpath') )
+                $path = realpath($path);
+
+        if ( ! $path || ! @is_file($path) )
+                return false;
+
+        return @file_get_contents($path);
 }
 
-require( ABSPATH . 'wp-admin/includes/noop.php' );
-require( ABSPATH . WPINC . '/script-loader.php' );
-require( ABSPATH . WPINC . '/version.php' );
+require( ABSPATH . 'wp-admin/admin.php' );
 
 $compress       = ( isset( $_GET['c'] ) && $_GET['c'] );
 $force_gzip     = ( $compress && 'gzip' == $_GET['c'] );

wp-admin/load-styles.php

@@ -5 +5 @@
  *
  * Set this to error_reporting( -1 ) for debugging
  */
-error_reporting( 0 );
+error_reporting(0);
 
 /** Set ABSPATH for execution */
 if ( ! defined( 'ABSPATH' ) ) {
         define( 'ABSPATH', dirname( dirname( __FILE__ ) ) . '/' );
 }
 
-define( 'WPINC', 'wp-includes' );
-
-require( ABSPATH . 'wp-admin/includes/noop.php' );
-require( ABSPATH . WPINC . '/script-loader.php' );
-require( ABSPATH . WPINC . '/version.php' );
-
 $load = $_GET['load'];
 if ( is_array( $load ) ) {
         $load = implode( '', $load );
@@ -25 +19 @@
 $load = preg_replace( '/[^a-z0-9,_-]+/i', '', $load );
 $load = array_unique( explode( ',', $load ) );
 
-if ( empty( $load ) ) {
+if ( empty($load) )
         exit;
+
+function get_file($path) {
+
+        if ( function_exists('realpath') )
+                $path = realpath($path);
+
+        if ( ! $path || ! @is_file($path) )
+                return false;
+
+        return @file_get_contents($path);
 }
 
+require( ABSPATH . 'wp-admin/admin.php' );
+
 $compress       = ( isset( $_GET['c'] ) && $_GET['c'] );
 $force_gzip     = ( $compress && 'gzip' == $_GET['c'] );
 $rtl            = ( isset( $_GET['dir'] ) && 'rtl' == $_GET['dir'] );

deleted file wp-admin/includes/noop.php

@@ -1 @@
-<?php
-/**
- * Noop functions for load-scripts.php and load-styles.php.
- *
- * @package WordPress
- * @subpackage Administration
- * @since 4.4.0
- */
-
-/**
- * @ignore
- */
-function __() {}
-
-/**
- * @ignore
- */
-function _x() {}
-
-/**
- * @ignore
- */
-function add_filter() {}
-
-/**
- * @ignore
- */
-function esc_attr() {}
-
-/**
- * @ignore
- */
-function apply_filters() {}
-
-/**
- * @ignore
- */
-function get_option() {}
-
-/**
- * @ignore
- */
-function is_lighttpd_before_150() {}
-
-/**
- * @ignore
- */
-function add_action() {}
-
-/**
- * @ignore
- */
-function did_action() {}
-
-/**
- * @ignore
- */
-function do_action_ref_array() {}
-
-/**
- * @ignore
- */
-function get_bloginfo() {}
-
-/**
- * @ignore
- */
-function is_admin() {
-        return true;}
-
-/**
- * @ignore
- */
-function site_url() {}
-
-/**
- * @ignore
- */
-function admin_url() {}
-
-/**
- * @ignore
- */
-function home_url() {}
-
-/**
- * @ignore
- */
-function includes_url() {}
-
-/**
- * @ignore
- */
-function wp_guess_url() {}
-
-if ( ! function_exists( 'json_encode' ) ) :
-        /**
-         * @ignore
-         */
-        function json_encode() {}
-endif;
-
-function get_file( $path ) {
-
-        if ( function_exists( 'realpath' ) ) {
-                $path = realpath( $path );
-        }
-
-        if ( ! $path || ! @is_file( $path ) ) {
-                return '';
-        }
-
-        return @file_get_contents( $path );
-}