Make WordPress Core

Changeset 41434


Ignore:
Timestamp:
09/19/2017 12:12:15 PM (7 years ago)
Author:
johnbillion
Message:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41415] and [41416] into the 4.4 branch.

See #13377

Location:
branches/4.4
Files:
6 edited

Legend:

Unmodified
Added
Removed
  • branches/4.4

  • branches/4.4/src/wp-admin/includes/class-wp-plugins-list-table.php

    r35445 r41434  
    551551                    if ( current_user_can( 'manage_network_plugins' ) ) {
    552552                        /* translators: %s: plugin name */
    553                         $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( __( 'Network deactivate %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Deactivate' ) . '</a>';
     553                        $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( __( 'Network Deactivate %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Deactivate' ) . '</a>';
    554554                        }
    555555                } else {
    556556                    if ( current_user_can( 'manage_network_plugins' ) ) {
    557557                        /* translators: %s: plugin name */
    558                         $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( __( 'Network Activate %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Activate' ) . '</a>';
     558                        $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( __( 'Network Activate %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Activate' ) . '</a>';
    559559                    }
    560560                    if ( current_user_can( 'delete_plugins' ) && ! is_plugin_active( $plugin_file ) ) {
    561561                        /* translators: %s: plugin name */
    562                         $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&amp;checked[]=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( __( 'Delete %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>';
     562                        $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&amp;checked[]=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( __( 'Delete %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>';
    563563                    }
    564564                }
     
    574574                } elseif ( $is_active ) {
    575575                    /* translators: %s: plugin name */
    576                     $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( __( 'Deactivate %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Deactivate' ) . '</a>';
     576                    $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( __( 'Deactivate %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Deactivate' ) . '</a>';
    577577                } else {
    578578                    /* translators: %s: plugin name */
    579                     $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( __( 'Activate %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Activate' ) . '</a>';
     579                    $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( __( 'Activate %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Activate' ) . '</a>';
    580580
    581581                    if ( ! is_multisite() && current_user_can( 'delete_plugins' ) ) {
    582582                        /* translators: %s: plugin name */
    583                         $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&amp;checked[]=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( __( 'Delete %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>';
     583                        $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&amp;checked[]=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( __( 'Delete %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>';
    584584                    }
    585585                } // end if $is_active
     
    589589            if ( ( ! is_multisite() || $screen->in_admin( 'network' ) ) && current_user_can( 'edit_plugins' ) && is_writable( WP_PLUGIN_DIR . '/' . $plugin_file ) ) {
    590590                /* translators: %s: plugin name */
    591                 $actions['edit'] = '<a href="plugin-editor.php?file=' . $plugin_file . '" class="edit" aria-label="' . esc_attr( sprintf( __( 'Edit %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Edit' ) . '</a>';
     591                $actions['edit'] = '<a href="plugin-editor.php?file=' . urlencode( $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( __( 'Edit %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Edit' ) . '</a>';
    592592            }
    593593        } // end if $context
  • branches/4.4/src/wp-admin/includes/template.php

    r37144 r41434  
    770770    foreach ( array_keys( $templates ) as $template ) {
    771771        $selected = selected( $default, $templates[ $template ], false );
    772         echo "\n\t<option value='" . $templates[ $template ] . "' $selected>$template</option>";
     772        echo "\n\t<option value='" . esc_attr( $templates[ $template ] ) . "' $selected>" . esc_html( $template ) . "</option>";
    773773    }
    774774}
  • branches/4.4/src/wp-admin/plugin-editor.php

    r35107 r41434  
    9797
    9898        if ( ( ! empty( $_GET['networkwide'] ) && ! is_plugin_active_for_network($file) ) || ! is_plugin_active($file) )
    99             activate_plugin($file, "plugin-editor.php?file=$file&phperror=1", ! empty( $_GET['networkwide'] ) ); // we'll override this later if the plugin can be included without fatal error
    100 
    101         wp_redirect( self_admin_url("plugin-editor.php?file=$file&a=te&scrollto=$scrollto") );
     99            activate_plugin($file, "plugin-editor.php?file=" . urlencode( $file ) . "&phperror=1", ! empty( $_GET['networkwide'] ) ); // we'll override this later if the plugin can be included without fatal error
     100
     101        wp_redirect( self_admin_url("plugin-editor.php?file=" . urlencode( $file ) . "&a=te&scrollto=$scrollto") );
    102102        exit;
    103103    }
     
    192192        if ( is_writeable( $real_file ) ) {
    193193            /* translators: %s: plugin file name */
    194             echo sprintf( __( 'Editing %s (active)' ), '<strong>' . $file . '</strong>' );
     194            echo sprintf( __( 'Editing %s (active)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    195195        } else {
    196196            /* translators: %s: plugin file name */
    197             echo sprintf( __( 'Browsing %s (active)' ), '<strong>' . $file . '</strong>' );
     197            echo sprintf( __( 'Browsing %s (active)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    198198        }
    199199    } else {
    200200        if ( is_writeable( $real_file ) ) {
    201201            /* translators: %s: plugin file name */
    202             echo sprintf( __( 'Editing %s (inactive)' ), '<strong>' . $file . '</strong>' );
     202            echo sprintf( __( 'Editing %s (inactive)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    203203        } else {
    204204            /* translators: %s: plugin file name */
    205             echo sprintf( __( 'Browsing %s (inactive)' ), '<strong>' . $file . '</strong>' );
     205            echo sprintf( __( 'Browsing %s (inactive)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    206206        }
    207207    }
     
    248248    }
    249249?>
    250         <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo $plugin_file ?></a></li>
     250        <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo esc_html( $plugin_file ); ?></a></li>
    251251<?php endforeach; ?>
    252252    </ul>
  • branches/4.4/src/wp-admin/plugins.php

    r40173 r41434  
    1818$action = $wp_list_table->current_action();
    1919
    20 $plugin = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : '';
     20$plugin = isset($_REQUEST['plugin']) ? wp_unslash( $_REQUEST['plugin'] ) : '';
    2121$s = isset($_REQUEST['s']) ? urlencode($_REQUEST['s']) : '';
    2222
     
    4040            check_admin_referer('activate-plugin_' . $plugin);
    4141
    42             $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . $plugin), is_network_admin() );
     42            $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . urlencode( $plugin ) ), is_network_admin() );
    4343            if ( is_wp_error( $result ) ) {
    4444                if ( 'unexpected_output' == $result->get_error_code() ) {
    45                     $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . $plugin . "&plugin_status=$status&paged=$page&s=$s");
     45                    $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . urlencode( $plugin ) . "&plugin_status=$status&paged=$page&s=$s");
    4646                    wp_redirect(add_query_arg('_error_nonce', wp_create_nonce('plugin-activation-error_' . $plugin), $redirect));
    4747                    exit;
     
    7474            check_admin_referer('bulk-plugins');
    7575
    76             $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
     76            $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
    7777
    7878            if ( is_network_admin() ) {
     
    123123
    124124            if ( isset( $_GET['plugins'] ) )
    125                 $plugins = explode( ',', $_GET['plugins'] );
     125                $plugins = explode( ',', wp_unslash( $_GET['plugins'] ) );
    126126            elseif ( isset( $_POST['checked'] ) )
    127                 $plugins = (array) $_POST['checked'];
     127                $plugins = (array) wp_unslash( $_POST['checked'] );
    128128            else
    129129                $plugins = array();
     
    198198            check_admin_referer('bulk-plugins');
    199199
    200             $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
     200            $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
    201201            // Do not deactivate plugins which are already deactivated.
    202202            if ( is_network_admin() ) {
     
    235235
    236236            //$_POST = from the plugin form; $_GET = from the FTP details screen.
    237             $plugins = isset( $_REQUEST['checked'] ) ? (array) $_REQUEST['checked'] : array();
     237            $plugins = isset( $_REQUEST['checked'] ) ? (array) wp_unslash( $_REQUEST['checked'] ) : array();
    238238            if ( empty( $plugins ) ) {
    239239                wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") );
  • branches/4.4/src/wp-admin/theme-editor.php

    r35180 r41434  
    100100    $file = $allowed_files['style.css'];
    101101} else {
    102     $relative_file = $file;
     102    $relative_file = wp_unslash( $file );
    103103    $file = $theme->get_stylesheet_directory() . '/' . $relative_file;
    104104}
     
    157157<?php endif;
    158158
    159 $description = get_file_description( $relative_file );
     159$file_description = get_file_description( $relative_file );
    160160$file_show = array_search( $file, array_filter( $allowed_files ) );
    161 if ( $description != $file_show )
    162     $description .= ' <span>(' . $file_show . ')</span>';
     161$description = esc_html( $file_description );
     162if ( $file_description != $file_show ) {
     163    $description .= ' <span>(' . esc_html( $file_show ) . ')</span>';
     164}
    163165?>
    164166<div class="wrap">
     
    231233        }
    232234       
    233         $file_description = get_file_description( $filename );
     235        $file_description = esc_html( get_file_description( $filename ) );
    234236        if ( $filename !== basename( $absolute_filename ) || $file_description !== $filename ) {
    235             $file_description .= '<br /><span class="nonessential">(' . $filename . ')</span>';
     237            $file_description .= '<br /><span class="nonessential">(' . esc_html( $filename ) . ')</span>';
    236238        }
    237239
Note: See TracChangeset for help on using the changeset viewer.