
Ticket #46615: 46615.3.diff

File 46615.3.diff, 5.5 KB (added by dd32, 6 months ago)
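--- a/src/wp-admin/includes/class-core-upgrader.php
+++ b/src/wp-admin/includes/class-core-upgrader.php
@@ -121,7 +121,7 @@ public function upgrade( $current, $args = array() ) {
 			return new WP_Error( 'locked', $this->strings['locked'] );
 		}
 
-		$download = $this->download_package( $current->packages->$to_download );
+		$download = $this->download_package( $current->packages->$to_download, true );
 
 		// Allow for signature soft-fail.
 		// WARNING: This may be removed in the future.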
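--- a/src/wp-admin/includes/class-wp-upgrader.php
+++ b/src/wp-admin/includes/class-wp-upgrader.php
@@ -244,11 +244,12 @@ public function fs_connect( $directories = array(), $allow_relaxed_file_ownershi
 	 *
 	 * @since 2.8.0
 	 *
-	 * @param string $package The URI of the package. If this is the full path to an
-	 *                        existing local file, it will be returned untouched.
+	 * @param string $package          The URI of the package. If this is the full path to an
+	 *                                 existing local file, it will be returned untouched.
+	 * @param bool   $check_signatures Whether to validate file signatures. Default false.
 	 * @return string|WP_Error The full path to the downloaded package file, or a WP_Error object.
 	 */
-	public function download_package( $package ) {
+	public function download_package( $package, $check_signatures = false ) {
 
 		/**
 		 * Filters whether to return the package.
@@ -275,7 +276,7 @@ public function download_package( $package ) {
 
 		$this->skin->feedback( 'downloading_package', $package );
 
-		$download_file = download_url( $package, 300, true );
+		$download_file = download_url( $package, 300, $check_signatures );
 
 		if ( is_wp_error( $download_file ) && ! $download_file->get_error_data( 'softfail-filename' ) ) {
 			return new WP_Error( 'download_failed', $this->strings['download_failed'], $download_file->get_error_message() );
@@ -730,7 +731,7 @@ public function run( $options ) {
 		 * Download the package (Note, This just returns the filename
 		 * of the file if the package is a local file)
 		 */
-		$download = $this->download_package( $options['package'] );
+		$download = $this->download_package( $options['package'], true );
 
 		// Allow for signature soft-fail.
 		// WARNING: This may be removed in the future.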
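Review bot: The new `$check_signatures` parameter of `download_package()` at new line 252 defaults to `false`, so any existing caller that still calls `download_package( $package )` now skips signature verification entirely, whereas the old `download_url( $package, 300, true )` at line 278 had verification applied to every download from the signed-host list; subclasses or plugins calling this method directly, if any, lose verification silently, and the docblock should say so. The `@param` at new line 249 could read `Whether to validate file signatures. Default false, in which case no signature verification is performed even for downloads from wordpress.org hosts.`, and since the block carries only `@since 2.8.0`, it needs an `@since` line recording that `$check_signatures` was added. `download_package()` continues outside the hunk; the hunk at new line 279 only forwards the flag to `download_url()`.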
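--- a/src/wp-admin/includes/file.php
+++ b/src/wp-admin/includes/file.php
@@ -968,12 +968,12 @@ function wp_handle_sideload( &$file, $overrides = false, $time = null ) {
  * @since 2.5.0
  * @since 5.2.0 Signature Verification with SoftFail was added.
  *
- * @param string $url                The URL of the file to download.
- * @param int    $timeout            The timeout for the request to download the file. Default 300 seconds.
- * @param bool   $signature_softfail Whether to allow Signature Verification to softfail. Default true.
+ * @param string $url                    The URL of the file to download.
+ * @param int    $timeout                The timeout for the request to download the file. Default 300 seconds.
+ * @param bool   $signature_verification Whether to perform Signature Verification. Default false.
  * @return string|WP_Error Filename on success, WP_Error on failure.
  */
-function download_url( $url, $timeout = 300, $signature_softfail = true ) {
+function download_url( $url, $timeout = 300, $signature_verification = false ) {
 	//WARNING: The file is not automatically deleted, The script must unlink() the file.
 	if ( ! $url ) {
 		return new WP_Error( 'http_no_url', __( 'Invalid URL Provided.' ) );
@@ -1037,17 +1037,20 @@ function download_url( $url, $timeout = 300, $signature_softfail = true ) {
 		}
 	}
 
-	/**
-	 * Filters the list of hosts which should have Signature Verification attempted on.
-	 *
-	 * @since 5.2.0
-	 *
-	 * @param array List of hostnames.
-	 */
-	$signed_hostnames       = apply_filters( 'wp_signature_hosts', array( 'wordpress.org', 'downloads.wordpress.org', 's.w.org' ) );
-	$signature_verification = in_array( parse_url( $url, PHP_URL_HOST ), $signed_hostnames, true );
+	// If the caller expects signature verification to occur, check to see if this URL supports it.
+	if ( $signature_verification ) {
+		/**
+		 * Filters the list of hosts which should have Signature Verification attempteds on.
+		 *
+		 * @since 5.2.0
+		 *
+		 * @param array List of hostnames.
+		 */
+		$signed_hostnames       = apply_filters( 'wp_signature_hosts', array( 'wordpress.org', 'downloads.wordpress.org', 's.w.org' ) );
+		$signature_verification = in_array( parse_url( $url, PHP_URL_HOST ), $signed_hostnames, true );
+	}
 
-	// Perform the valiation
+	// Perform signature valiation if supported.
 	if ( $signature_verification ) {
 		$signature = wp_remote_retrieve_header( $response, 'x-content-signature' );
 		if ( ! $signature ) {
@@ -1075,7 +1078,7 @@ function download_url( $url, $timeout = 300, $signature_softfail = true ) {
 			 * @param bool   $signature_softfail If a softfail is allowed.
 			 * @param string $url                The url being accessed.
 			 */
-			apply_filters( 'wp_signature_softfail', $signature_softfail, $url )
+			apply_filters( 'wp_signature_softfail', true, $url )
 		) {
 			$signature_verification->add_data( $tmpfname, 'softfail-filename' );
 		} else {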
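Review bot: The third positional parameter of `download_url()` changes meaning at new line 976, from `$signature_softfail = true` to `$signature_verification = false`, so an existing caller passing `false` to demand a hard failure on a bad signature now gets no signature check at all, while a caller passing `true` to allow soft-fail now merely opts into verification, with soft-fail forced on by the literal `true` handed to the `wp_signature_softfail` filter at new line 1081. Arity is unchanged, so nothing will flag such callers; the docblock should record this with a line such as `@since 5.2.0 The $signature_softfail parameter was replaced by $signature_verification; verification is now opt-in and soft-fail is always allowed.` beneath the existing `@since 5.2.0`, and the filter's `@param bool $signature_softfail If a softfail is allowed.` at new line 1078 should note that the value passed is now always `true`. Two typos also land on the new side of the second hunk: `attempteds` at new line 1043 and `valiation` at new line 1053 should read `attempted` and `validation`.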