
Ticket #46615: 46615.2-2.diff

File 46615.2-2.diff, 3.9 KB (added by dd32, 6 years ago)

46615.2.diff contained a logic error and simply disabled softfail rather than disabling signature verification.

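diff --git a/src/wp-admin/includes/class-core-upgrader.php b/src/wp-admin/includes/class-core-upgrader.php
index bef173c23b..977f6ec9c6 100644
--- a/src/wp-admin/includes/class-core-upgrader.php
+++ b/src/wp-admin/includes/class-core-upgrader.php
@@ -121,7 +121,7 @@ class Core_Upgrader extends WP_Upgrader {
                         return new WP_Error( 'locked', $this->strings['locked'] );
                 }
 
-                $download = $this->download_package( $current->packages->$to_download );
+                $download = $this->download_package( $current->packages->$to_download, true );
 
                 // Allow for signature soft-fail.
                 // WARNING: This may be removed in the future.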
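Review bot: The bare `true` appended to the download_package() call on new line 124 gives a reader no hint which behaviour it switches on, and the same opaque literal is introduced at line 734 of class-wp-upgrader.php. This code base targets PHP versions without named arguments, so the usual fix is an inline label: `$download = $this->download_package( $current->packages->$to_download, true ); // $check_signatures`. The enclosing upgrade method starts and ends outside this hunk.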
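diff --git a/src/wp-admin/includes/class-wp-upgrader.php b/src/wp-admin/includes/class-wp-upgrader.php
index 7fbecbae0d..cd41df8b9f 100644
--- a/src/wp-admin/includes/class-wp-upgrader.php
+++ b/src/wp-admin/includes/class-wp-upgrader.php
@@ -246,9 +246,10 @@ class WP_Upgrader {
          *
          * @param string $package The URI of the package. If this is the full path to an
          *                        existing local file, it will be returned untouched.
+         * @param bool   $check_signatures Whether to validate signatures. Default false.
          * @return string|WP_Error The full path to the downloaded package file, or a WP_Error object.
          */
-        public function download_package( $package ) {
+        public function download_package( $package, $check_signatures = false ) {
 
                 /**
                  * Filters whether to return the package.
@@ -275,7 +276,7 @@ class WP_Upgrader {
 
                 $this->skin->feedback( 'downloading_package', $package );
 
-                $download_file = download_url( $package, 300, true );
+                $download_file = download_url( $package, 300, ( $check_signatures ? true : null ) );
 
                 if ( is_wp_error( $download_file ) && ! $download_file->get_error_data( 'softfail-filename' ) ) {
                         return new WP_Error( 'download_failed', $this->strings['download_failed'], $download_file->get_error_message() );
@@ -730,7 +731,7 @@ class WP_Upgrader {
                  * Download the package (Note, This just returns the filename
                  * of the file if the package is a local file)
                  */
-                $download = $this->download_package( $options['package'] );
+                $download = $this->download_package( $options['package'], true );
 
                 // Allow for signature soft-fail.
                 // WARNING: This may be removed in the future.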
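Review bot: The new `$check_signatures` docblock at line 249 says "Whether to validate signatures", but the ternary on line 279 maps `true` onto download_url()'s `$signature_softfail = true`, i.e. soft-fail mode, and the check on line 280 then lets a download whose signature failed through via the 'softfail-filename' error data; a caller reading the docblock would reasonably assume a failed signature aborts the download. The strict mode (`$signature_softfail = false`) is unreachable through this boolean, which may be intended but should be stated. Suggested wording: `@param bool $check_signatures Whether to validate signatures. Validation is soft-fail: a failed signature is reported via the 'softfail-filename' error data rather than rejecting the file. Default false.` download_package() continues past the end of this hunk.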
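diff --git a/src/wp-admin/includes/file.php b/src/wp-admin/includes/file.php
index 11e5f9231f..f01d091e76 100644
--- a/src/wp-admin/includes/file.php
+++ b/src/wp-admin/includes/file.php
@@ -970,10 +970,10 @@ function wp_handle_sideload( &$file, $overrides = false, $time = null ) {
  *
  * @param string $url                The URL of the file to download.
  * @param int    $timeout            The timeout for the request to download the file. Default 300 seconds.
- * @param bool   $signature_softfail Whether to allow Signature Verification to softfail. Default true.
+ * @param bool   $signature_softfail Whether to allow Signature Verification to softfail. Default null (No verification performed).
  * @return string|WP_Error Filename on success, WP_Error on failure.
  */
-function download_url( $url, $timeout = 300, $signature_softfail = true ) {
+function download_url( $url, $timeout = 300, $signature_softfail = null ) {
         //WARNING: The file is not automatically deleted, The script must unlink() the file.
         if ( ! $url ) {
                 return new WP_Error( 'http_no_url', __( 'Invalid URL Provided.' ) );
@@ -1045,7 +1045,7 @@ function download_url( $url, $timeout = 300, $signature_softfail = true ) {
          * @param array List of hostnames.
          */
         $signed_hostnames       = apply_filters( 'wp_signature_hosts', array( 'wordpress.org', 'downloads.wordpress.org', 's.w.org' ) );
-        $signature_verification = in_array( parse_url( $url, PHP_URL_HOST ), $signed_hostnames, true );
+        $signature_verification = in_array( parse_url( $url, PHP_URL_HOST ), $signed_hostnames, true ) && ! is_null( $signature_softfail );
 
         // Perform the valiation
         if ( $signature_verification ) {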
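Review bot: The `@param bool $signature_softfail` line at 973 is now wrong on type and understates the behaviour change: the parameter is tri-state (`null`, `true`, `false`) and, per the new line 1048, `null` switches verification off entirely even for a host listed in `wp_signature_hosts`. Since the default is `null`, any caller of download_url() outside this diff that did not pass the third argument presumably loses the verification it had under the old default of `true`; that is the intended effect described above, but it deserves an explicit sentence here. Suggested wording: `@param bool|null $signature_softfail Whether to allow Signature Verification to softfail. Default null, which performs no verification at all; pass true to verify with soft-fail allowed, false to require a valid signature.` download_url() continues past the end of this hunk.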