Make WordPress Core

Changeset 41449


Ignore:
Timestamp:
09/19/2017 01:43:28 PM (6 years ago)
Author:
johnbillion
Message:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41434] with changes to the 3.9 branch.

See #13377

Location:
branches/3.9
Files:
6 edited

Legend:

Unmodified
Added
Removed
  • branches/3.9

  • branches/3.9/src/wp-admin/includes/class-wp-plugins-list-table.php

    r27507 r41449  
    377377                if ( $is_active ) {
    378378                    if ( current_user_can( 'manage_network_plugins' ) )
    379                         $actions['deactivate'] = '<a href="' . wp_nonce_url('plugins.php?action=deactivate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Deactivate this plugin') . '">' . __('Network Deactivate') . '</a>';
     379                        $actions['deactivate'] = '<a href="' . wp_nonce_url('plugins.php?action=deactivate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Deactivate this plugin') . '">' . __('Network Deactivate') . '</a>';
    380380                } else {
    381381                    if ( current_user_can( 'manage_network_plugins' ) )
    382                         $actions['activate'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin for all sites in this network') . '" class="edit">' . __('Network Activate') . '</a>';
     382                        $actions['activate'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin for all sites in this network') . '" class="edit">' . __('Network Activate') . '</a>';
    383383                    if ( current_user_can( 'delete_plugins' ) && ! is_plugin_active( $plugin_file ) )
    384                         $actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&amp;checked[]=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';
     384                        $actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&amp;checked[]=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';
    385385                }
    386386            } else {
    387387                if ( $is_active ) {
    388                     $actions['deactivate'] = '<a href="' . wp_nonce_url('plugins.php?action=deactivate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Deactivate this plugin') . '">' . __('Deactivate') . '</a>';
     388                    $actions['deactivate'] = '<a href="' . wp_nonce_url('plugins.php?action=deactivate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Deactivate this plugin') . '">' . __('Deactivate') . '</a>';
    389389                } else {
    390                     $actions['activate'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin') . '" class="edit">' . __('Activate') . '</a>';
     390                    $actions['activate'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin') . '" class="edit">' . __('Activate') . '</a>';
    391391
    392392                    if ( ! is_multisite() && current_user_can('delete_plugins') )
    393                         $actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&amp;checked[]=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';
     393                        $actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&amp;checked[]=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';
    394394                } // end if $is_active
    395395             } // end if $screen->in_admin( 'network' )
    396396
    397397            if ( ( ! is_multisite() || $screen->in_admin( 'network' ) ) && current_user_can('edit_plugins') && is_writable(WP_PLUGIN_DIR . '/' . $plugin_file) )
    398                 $actions['edit'] = '<a href="plugin-editor.php?file=' . $plugin_file . '" title="' . esc_attr__('Open this file in the Plugin Editor') . '" class="edit">' . __('Edit') . '</a>';
     398                $actions['edit'] = '<a href="plugin-editor.php?file=' . urlencode( $plugin_file ) . '" title="' . esc_attr__('Open this file in the Plugin Editor') . '" class="edit">' . __('Edit') . '</a>';
    399399        } // end if $context
    400400
  • branches/3.9/src/wp-admin/includes/template.php

    r32204 r41449  
    750750    foreach ( array_keys( $templates ) as $template ) {
    751751        $selected = selected( $default, $templates[ $template ], false );
    752         echo "\n\t<option value='" . $templates[ $template ] . "' $selected>$template</option>";
     752        echo "\n\t<option value='" . esc_attr( $templates[ $template ] ) . "' $selected>" . esc_html( $template ) . "</option>";
    753753    }
    754754}
  • branches/3.9/src/wp-admin/plugin-editor.php

    r27506 r41449  
    9696
    9797        if ( ( ! empty( $_GET['networkwide'] ) && ! is_plugin_active_for_network($file) ) || ! is_plugin_active($file) )
    98             activate_plugin($file, "plugin-editor.php?file=$file&phperror=1", ! empty( $_GET['networkwide'] ) ); // we'll override this later if the plugin can be included without fatal error
    99 
    100         wp_redirect( self_admin_url("plugin-editor.php?file=$file&a=te&scrollto=$scrollto") );
     98            activate_plugin($file, "plugin-editor.php?file=" . urlencode( $file ) . "&phperror=1", ! empty( $_GET['networkwide'] ) ); // we'll override this later if the plugin can be included without fatal error
     99
     100        wp_redirect( self_admin_url("plugin-editor.php?file=" . urlencode( $file ) . "&a=te&scrollto=$scrollto") );
    101101        exit;
    102102    }
     
    184184    if ( is_plugin_active($plugin) ) {
    185185        if ( is_writeable($real_file) )
    186             echo sprintf(__('Editing <strong>%s</strong> (active)'), $file);
     186            echo sprintf(__('Editing <strong>%s</strong> (active)'), esc_html( $file ) );
    187187        else
    188             echo sprintf(__('Browsing <strong>%s</strong> (active)'), $file);
     188            echo sprintf(__('Browsing <strong>%s</strong> (active)'), esc_html( $file ) );
    189189    } else {
    190190        if ( is_writeable($real_file) )
    191             echo sprintf(__('Editing <strong>%s</strong> (inactive)'), $file);
     191            echo sprintf(__('Editing <strong>%s</strong> (inactive)'), esc_html( $file ) );
    192192        else
    193             echo sprintf(__('Browsing <strong>%s</strong> (inactive)'), $file);
     193            echo sprintf(__('Browsing <strong>%s</strong> (inactive)'), esc_html( $file ) );
    194194    }
    195195    ?></big>
     
    235235    }
    236236?>
    237         <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo $plugin_file ?></a></li>
     237        <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo esc_html( $plugin_file ); ?></a></li>
    238238<?php endforeach; ?>
    239239    </ul>
  • branches/3.9/src/wp-admin/plugins.php

    r40178 r41449  
    1818$action = $wp_list_table->current_action();
    1919
    20 $plugin = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : '';
     20$plugin = isset($_REQUEST['plugin']) ? wp_unslash( $_REQUEST['plugin'] ) : '';
    2121$s = isset($_REQUEST['s']) ? urlencode($_REQUEST['s']) : '';
    2222
     
    3838            check_admin_referer('activate-plugin_' . $plugin);
    3939
    40             $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . $plugin), is_network_admin() );
     40            $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . urlencode( $plugin ) ), is_network_admin() );
    4141            if ( is_wp_error( $result ) ) {
    4242                if ( 'unexpected_output' == $result->get_error_code() ) {
    43                     $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . $plugin . "&plugin_status=$status&paged=$page&s=$s");
     43                    $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . urlencode( $plugin ) . "&plugin_status=$status&paged=$page&s=$s");
    4444                    wp_redirect(add_query_arg('_error_nonce', wp_create_nonce('plugin-activation-error_' . $plugin), $redirect));
    4545                    exit;
     
    6868            check_admin_referer('bulk-plugins');
    6969
    70             $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
     70            $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
    7171
    7272            if ( is_network_admin() ) {
     
    108108
    109109            if ( isset( $_GET['plugins'] ) )
    110                 $plugins = explode( ',', $_GET['plugins'] );
     110                $plugins = explode( ',', wp_unslash( $_GET['plugins'] ) );
    111111            elseif ( isset( $_POST['checked'] ) )
    112                 $plugins = (array) $_POST['checked'];
     112                $plugins = (array) wp_unslash( $_POST['checked'] );
    113113            else
    114114                $plugins = array();
     
    182182            check_admin_referer('bulk-plugins');
    183183
    184             $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
     184            $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
    185185            // Do not deactivate plugins which are already deactivated.
    186186            if ( is_network_admin() ) {
     
    214214
    215215            //$_POST = from the plugin form; $_GET = from the FTP details screen.
    216             $plugins = isset( $_REQUEST['checked'] ) ? (array) $_REQUEST['checked'] : array();
     216            $plugins = isset( $_REQUEST['checked'] ) ? (array) wp_unslash( $_REQUEST['checked'] ) : array();
    217217            if ( empty( $plugins ) ) {
    218218                wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") );
  • branches/3.9/src/wp-admin/theme-editor.php

    r27369 r41449  
    6969    $file = $allowed_files['style.css'];
    7070} else {
    71     $relative_file = $file;
     71    $relative_file = wp_unslash( $file );
    7272    $file = $theme->get_stylesheet_directory() . '/' . $relative_file;
    7373}
     
    128128<?php endif;
    129129
    130 $description = get_file_description( $file );
     130$file_description = get_file_description( $relative_file );
    131131$file_show = array_search( $file, array_filter( $allowed_files ) );
    132 if ( $description != $file_show )
    133     $description .= ' <span>(' . $file_show . ')</span>';
     132$description = esc_html( $file_description );
     133if ( $file_description != $file_show ) {
     134    $description .= ' <span>(' . esc_html( $file_show ) . ')</span>';
     135}
    134136?>
    135137<div class="wrap">
     
    180182            echo "\t</ul>\n\t<h3>" . _x( 'Styles', 'Theme stylesheets in theme editor' ) . "</h3>\n\t<ul>\n";
    181183
    182         $file_description = get_file_description( $absolute_filename );
     184        $file_description = esc_html( get_file_description( $filename ) );
    183185        if ( $file_description != basename( $filename ) )
    184             $file_description .= '<br /><span class="nonessential">(' . $filename . ')</span>';
     186            $file_description .= '<br /><span class="nonessential">(' . esc_html( $filename ) . ')</span>';
    185187
    186188        if ( $absolute_filename == $file )
Note: See TracChangeset for help on using the changeset viewer.