Changeset 44069 for branches/4.0

Timestamp:

12/13/2018 01:55:22 AM (6 years ago)

Author:

peterwilsoncc

Message:

Multisite: Validate activation links.

Merges [44048] to the 4.0 branch.

Location:

branches/4.0

Files:

• . (modified) (1 prop)
• src/wp-activate.php (modified) (1 diff)
• src/wp-admin/includes/screen.php (modified) (1 diff)
• src/wp-admin/post.php (modified) (2 diffs)
• src/wp-includes/class-wp.php (modified) (1 diff)
• src/wp-includes/ms-deprecated.php (modified) (2 diffs)

branches/4.0/src/wp-activate.php

@@ -27 +27 @@
 $result = null;
 
-if ( ! empty( $_GET['key'] ) ) {
+if ( isset( $_GET['key'] ) && isset( $_POST['key'] ) && $_GET['key'] !== $_POST['key'] ) {
+    wp_die( __( 'A key value mismatch has been detected. Please follow the link provided in your activation email.' ), __( 'An error occurred during the activation' ), 400 );
+} elseif ( ! empty( $_GET['key'] ) ) {
     $key = $_GET['key'];
 } elseif ( ! empty( $_POST['key'] ) ) {

branches/4.0/src/wp-admin/includes/screen.php

@@ -450 +450 @@
             switch ( $base ) {
                 case 'post' :
-                    if ( isset( $_GET['post'] ) )
+                    if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] )
+                        wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
+                    elseif ( isset( $_GET['post'] ) )
                         $post_id = (int) $_GET['post'];
                     elseif ( isset( $_POST['post_ID'] ) )

branches/4.0/src/wp-admin/post.php

@@ -17 +17 @@
 wp_reset_vars( array( 'action' ) );
 
-if ( isset( $_GET['post'] ) )
+if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] )
+    wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
+elseif ( isset( $_GET['post'] ) )
     $post_id = $post_ID = (int) $_GET['post'];
 elseif ( isset( $_POST['post_ID'] ) )
@@ -83 +85 @@
 }
 
+if ( isset( $_POST['post_type'] ) && $post && $post_type !== $_POST['post_type'] ) {
+    wp_die( __( 'A post type mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
+}
+
 if ( isset( $_POST['deletepost'] ) )
     $action = 'delete';

branches/4.0/src/wp-includes/class-wp.php

@@ -266 +266 @@
             if ( isset( $this->extra_query_vars[$wpvar] ) )
                 $this->query_vars[$wpvar] = $this->extra_query_vars[$wpvar];
+            elseif ( isset( $_GET[ $wpvar ] ) && isset( $_POST[ $wpvar ] ) && $_GET[ $wpvar ] !== $_POST[ $wpvar ] )
+                wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
             elseif ( isset( $_POST[$wpvar] ) )
                 $this->query_vars[$wpvar] = $_POST[$wpvar];

branches/4.0/src/wp-includes/ms-deprecated.php

@@ -241 +241 @@
 
     $ref = '';
-    if ( isset( $_GET['ref'] ) )
-        $ref = $_GET['ref'];
-    if ( isset( $_POST['ref'] ) )
-        $ref = $_POST['ref'];
+    if ( isset( $_GET['ref'] ) && isset( $_POST['ref'] ) && $_GET['ref'] !== $_POST['ref'] ) {
+        wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
+    } elseif ( isset( $_POST['ref'] ) ) {
+        $ref = $_POST[ 'ref' ];
+    } elseif ( isset( $_GET['ref'] ) ) {
+        $ref = $_GET[ 'ref' ];
+    }
 
     if ( $ref ) {
@@ -257 +260 @@
 
     $url = wpmu_admin_redirect_add_updated_param( $url );
-    if ( isset( $_GET['redirect'] ) ) {
+    if ( isset( $_GET['redirect'] ) && isset( $_POST['redirect'] ) && $_GET['redirect'] !== $_POST['redirect'] ) {
+        wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
+    } elseif ( isset( $_GET['redirect'] ) ) {
         if ( substr( $_GET['redirect'], 0, 2 ) == 's_' )
             $url .= '&action=blogs&s='. esc_html( substr( $_GET['redirect'], 2 ) );