Make WordPress Core

Changeset 41399


Ignore:
Timestamp:
09/19/2017 10:10:35 AM (7 years ago)
Author:
johnbillion
Message:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Props kawauso, Mte90 for initial patches

Fixes #13377

Location:
trunk/src/wp-admin
Files:
5 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-admin/includes/class-wp-plugins-list-table.php

    r41290 r41399  
    599599                    if ( current_user_can( 'manage_network_plugins' ) ) {
    600600                        /* translators: %s: plugin name */
    601                         $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( _x( 'Network Deactivate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Deactivate' ) . '</a>';
     601                        $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( _x( 'Network Deactivate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Deactivate' ) . '</a>';
    602602                        }
    603603                } else {
    604604                    if ( current_user_can( 'manage_network_plugins' ) ) {
    605605                        /* translators: %s: plugin name */
    606                         $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( _x( 'Network Activate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Activate' ) . '</a>';
     606                        $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( _x( 'Network Activate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Activate' ) . '</a>';
    607607                    }
    608608                    if ( current_user_can( 'delete_plugins' ) && ! is_plugin_active( $plugin_file ) ) {
    609609                        /* translators: %s: plugin name */
    610                         $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&amp;checked[]=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( _x( 'Delete %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>';
     610                        $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&amp;checked[]=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( _x( 'Delete %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>';
    611611                    }
    612612                }
     
    623623                    if ( current_user_can( 'deactivate_plugin', $plugin_file ) ) {
    624624                        /* translators: %s: plugin name */
    625                         $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( _x( 'Deactivate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Deactivate' ) . '</a>';
     625                        $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( _x( 'Deactivate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Deactivate' ) . '</a>';
    626626                    }
    627627                } else {
    628628                    if ( current_user_can( 'activate_plugin', $plugin_file ) ) {
    629629                        /* translators: %s: plugin name */
    630                         $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( _x( 'Activate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Activate' ) . '</a>';
     630                        $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( _x( 'Activate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Activate' ) . '</a>';
    631631                    }
    632632
    633633                    if ( ! is_multisite() && current_user_can( 'delete_plugins' ) ) {
    634634                        /* translators: %s: plugin name */
    635                         $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&amp;checked[]=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( _x( 'Delete %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>';
     635                        $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&amp;checked[]=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( _x( 'Delete %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>';
    636636                    }
    637637                } // end if $is_active
  • trunk/src/wp-admin/includes/template.php

    r41221 r41399  
    773773    foreach ( array_keys( $templates ) as $template ) {
    774774        $selected = selected( $default, $templates[ $template ], false );
    775         echo "\n\t<option value='" . $templates[ $template ] . "' $selected>$template</option>";
     775        echo "\n\t<option value='" . esc_attr( $templates[ $template ] ) . "' $selected>" . esc_html( $template ) . "</option>";
    776776    }
    777777}
  • trunk/src/wp-admin/plugin-editor.php

    r41376 r41399  
    3838$plugin = '';
    3939if ( isset( $_REQUEST['file'] ) ) {
    40     $file = sanitize_text_field( $_REQUEST['file'] );
     40    $file = wp_unslash( $_REQUEST['file'] );
    4141}
    4242
    4343if ( isset( $_REQUEST['plugin'] ) ) {
    44     $plugin = sanitize_text_field( $_REQUEST['plugin'] );
     44    $plugin = wp_unslash( $_REQUEST['plugin'] );
    4545}
    4646
     
    108108
    109109        if ( ( ! empty( $_GET['networkwide'] ) && ! is_plugin_active_for_network( $file ) ) || ! is_plugin_active( $file ) ) {
    110             activate_plugin( $plugin, "plugin-editor.php?file=$file&phperror=1", ! empty( $_GET['networkwide'] ) );
     110            activate_plugin( $plugin, "plugin-editor.php?file=" . urlencode( $file ) . "&phperror=1", ! empty( $_GET['networkwide'] ) );
    111111        } // we'll override this later if the plugin can be included without fatal error
    112112
    113         wp_redirect( self_admin_url("plugin-editor.php?file=$file&plugin=$plugin&a=te&scrollto=$scrollto") );
     113        wp_redirect( self_admin_url( 'plugin-editor.php?file=' . urlencode( $file ) . '&plugin=' . urlencode( $plugin ) . "&a=te&scrollto=$scrollto" ) );
    114114        exit;
    115115    }
     
    243243        if ( is_writeable( $real_file ) ) {
    244244            /* translators: %s: plugin file name */
    245             echo sprintf( __( 'Editing %s (active)' ), '<strong>' . $file . '</strong>' );
     245            echo sprintf( __( 'Editing %s (active)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    246246        } else {
    247247            /* translators: %s: plugin file name */
    248             echo sprintf( __( 'Browsing %s (active)' ), '<strong>' . $file . '</strong>' );
     248            echo sprintf( __( 'Browsing %s (active)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    249249        }
    250250    } else {
    251251        if ( is_writeable( $real_file ) ) {
    252252            /* translators: %s: plugin file name */
    253             echo sprintf( __( 'Editing %s (inactive)' ), '<strong>' . $file . '</strong>' );
     253            echo sprintf( __( 'Editing %s (inactive)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    254254        } else {
    255255            /* translators: %s: plugin file name */
    256             echo sprintf( __( 'Browsing %s (inactive)' ), '<strong>' . $file . '</strong>' );
     256            echo sprintf( __( 'Browsing %s (inactive)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    257257        }
    258258    }
     
    299299    }
    300300?>
    301         <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo $plugin_file ?></a></li>
     301        <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo esc_html( $plugin_file ); ?></a></li>
    302302<?php endforeach; ?>
    303303    </ul>
  • trunk/src/wp-admin/plugins.php

    r41290 r41399  
    1818$action = $wp_list_table->current_action();
    1919
    20 $plugin = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : '';
     20$plugin = isset($_REQUEST['plugin']) ? wp_unslash( $_REQUEST['plugin'] ) : '';
    2121$s = isset($_REQUEST['s']) ? urlencode( wp_unslash( $_REQUEST['s'] ) ) : '';
    2222
     
    4141            check_admin_referer('activate-plugin_' . $plugin);
    4242
    43             $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . $plugin), is_network_admin() );
     43            $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . urlencode( $plugin ) ), is_network_admin() );
    4444            if ( is_wp_error( $result ) ) {
    4545                if ( 'unexpected_output' == $result->get_error_code() ) {
    46                     $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . $plugin . "&plugin_status=$status&paged=$page&s=$s");
     46                    $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . urlencode( $plugin ) . "&plugin_status=$status&paged=$page&s=$s");
    4747                    wp_redirect(add_query_arg('_error_nonce', wp_create_nonce('plugin-activation-error_' . $plugin), $redirect));
    4848                    exit;
     
    7575            check_admin_referer('bulk-plugins');
    7676
    77             $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
     77            $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
    7878
    7979            if ( is_network_admin() ) {
     
    128128
    129129            if ( isset( $_GET['plugins'] ) )
    130                 $plugins = explode( ',', $_GET['plugins'] );
     130                $plugins = explode( ',', wp_unslash( $_GET['plugins'] ) );
    131131            elseif ( isset( $_POST['checked'] ) )
    132                 $plugins = (array) $_POST['checked'];
     132                $plugins = (array) wp_unslash( $_POST['checked'] );
    133133            else
    134134                $plugins = array();
     
    206206            check_admin_referer('bulk-plugins');
    207207
    208             $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
     208            $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
    209209            // Do not deactivate plugins which are already deactivated.
    210210            if ( is_network_admin() ) {
     
    251251
    252252            //$_POST = from the plugin form; $_GET = from the FTP details screen.
    253             $plugins = isset( $_REQUEST['checked'] ) ? (array) $_REQUEST['checked'] : array();
     253            $plugins = isset( $_REQUEST['checked'] ) ? (array) wp_unslash( $_REQUEST['checked'] ) : array();
    254254            if ( empty( $plugins ) ) {
    255255                wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") );
     
    385385            if ( isset( $_POST['checked'] ) ) {
    386386                check_admin_referer('bulk-plugins');
    387                 $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
     387                $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
    388388                $sendback = wp_get_referer();
    389389
  • trunk/src/wp-admin/theme-editor.php

    r41376 r41399  
    133133    $file = $allowed_files['style.css'];
    134134} else {
    135     $relative_file = $file;
     135    $relative_file = wp_unslash( $file );
    136136    $file = $theme->get_stylesheet_directory() . '/' . $relative_file;
    137137}
     
    196196<?php endif;
    197197
    198 $description = get_file_description( $relative_file );
     198$file_description = get_file_description( $relative_file );
    199199$file_show = array_search( $file, array_filter( $allowed_files ) );
    200 if ( $description != $file_show )
    201     $description .= ' <span>(' . $file_show . ')</span>';
     200$description = esc_html( $file_description );
     201if ( $file_description != $file_show ) {
     202    $description .= ' <span>(' . esc_html( $file_show ) . ')</span>';
     203}
    202204?>
    203205<div class="wrap">
     
    270272        }
    271273
    272         $file_description = get_file_description( $filename );
     274        $file_description = esc_html( get_file_description( $filename ) );
    273275        if ( $filename !== basename( $absolute_filename ) || $file_description !== $filename ) {
    274             $file_description .= '<br /><span class="nonessential">(' . $filename . ')</span>';
     276            $file_description .= '<br /><span class="nonessential">(' . esc_html( $filename ) . ')</span>';
    275277        }
    276278
Note: See TracChangeset for help on using the changeset viewer.