Changeset 46490


Ignore:
Timestamp:
10/14/2019 06:16:02 PM (5 weeks ago)
Author:
whyisjake
Message:

Backporting several bug fixes.

  • Query: Remove the static query property.
  • HTTP API: Protect against hex interpretation.
  • Filesystem API: Prevent directory traversals when creating new folders.
  • Administration: Ensure that admin referer nonce is valid.
  • REST API: Send a Vary: Origin header on GET requests.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 5.1 branch.

Location:
branches/5.1
Files:
8 edited

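--- a/branches/5.1/src/wp-includes/class-wp-query.php
+++ b/branches/5.1/src/wp-includes/class-wp-query.php
@@ -530,5 +530,4 @@
             'attachment_id',
             'name',
-            'static',
             'pagename',
             'page_id',
@@ -794,5 +793,5 @@
             // post is being queried.
             $this->is_single = true;
-        } elseif ( '' != $qv['static'] || '' != $qv['pagename'] || ! empty( $qv['page_id'] ) ) {
+        } elseif ( '' != $qv['pagename'] || ! empty( $qv['page_id'] ) ) {
             $this->is_page   = true;
             $this->is_single = false;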
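--- a/branches/5.1/src/wp-includes/class-wp.php
+++ b/branches/5.1/src/wp-includes/class-wp.php
@@ -15,5 +15,5 @@
      * @var string[]
      */
-    public $public_query_vars = array( 'm', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'static', 'pagename', 'page_id', 'error', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );
+    public $public_query_vars = array( 'm', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'pagename', 'page_id', 'error', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );
 
     /**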
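--- a/branches/5.1/src/wp-includes/functions.php
+++ b/branches/5.1/src/wp-includes/functions.php
@@ -1786,4 +1786,9 @@
     if ( file_exists( $target ) ) {
         return @is_dir( $target );
+    }
+
+    // Do not allow path traversals.
+    if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
+        return false;
     }
 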
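Review bot: The traversal guard added at lines 1790–1791 is a substring match on the raw string, so it also rejects a legitimately named directory such as `foo../bar`, and a `..` segment that ends the path (`/a/b/..`, with no separator after it) is not matched at all; whether that trailing form is reachable depends on any trimming or normalisation done earlier in the function, which starts outside the hunk. A per-segment check is both stricter and free of the false positive: `$segments = explode( '/', str_replace( DIRECTORY_SEPARATOR, '/', $target ) ); if ( in_array( '..', $segments, true ) ) { return false; }`. Whichever form is kept, the one-line comment should say what is being protected, e.g. `// Reject any '..' segment so a caller-supplied path cannot create directories outside the intended parent.` The enclosing function also ends outside the hunk.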
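--- a/branches/5.1/src/wp-includes/http.php
+++ b/branches/5.1/src/wp-includes/http.php
@@ -556,5 +556,5 @@
             $ip = gethostbyname( $host );
             if ( $ip === $host ) { // Error condition for gethostbyname()
-                $ip = false;
+                return false;
             }
         }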
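Review bot: The new `return false;` at line 558 changes the failure mode from "continue without an address" to "reject the URL", but the only comment on that branch (`// Error condition for gethostbyname()`) still describes the old condition and not why rejecting is the required outcome, which makes the previous fall-through easy to reintroduce in a later refactor. If the rest of the function performs address-range checks on `$ip`, as the commit message suggests, I would replace the comment with: `// gethostbyname() returns the input unchanged on failure. Fail closed: a host literal this code cannot resolve may still be accepted by the transport (e.g. in a non-decimal form), and continuing would skip the address checks that follow.` Note also that `gethostbyname()` resolves IPv4 only; how IPv6 literals are handled is not visible here. The enclosing function starts and ends outside the hunk.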
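--- a/branches/5.1/src/wp-includes/pluggable.php
+++ b/branches/5.1/src/wp-includes/pluggable.php
@@ -1093,5 +1093,5 @@
      */
     function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
-        if ( -1 == $action ) {
+        if ( -1 === $action ) {
             _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
         }
@@ -1112,5 +1112,5 @@
         do_action( 'check_admin_referer', $action, $result );
 
-        if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
+        if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
             wp_nonce_ays( $action );
             die();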
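Review bot: The switch to `-1 === $action` at lines 1095 and 1114 is correct but carries no comment, and the security reason is not obvious from the code: under `==`, `-1 == $action` is also true for boolean `true` and for numeric strings such as `'-1'`, so a non-integer action could reach the referer-only fallback at line 1114 and pass without a verified nonce. I would add above line 1114: `// Strict comparison: with ==, values such as true or '-1' matched the -1 default and were accepted on the referer alone.` The referer-prefix fallback itself remains for callers that still use the default action, so that comment is the only thing stopping a later "cleanup" back to loose comparison. The function ends outside the hunk.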
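--- a/branches/5.1/src/wp-includes/rest-api.php
+++ b/branches/5.1/src/wp-includes/rest-api.php
@@ -588,5 +588,7 @@
         header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
         header( 'Access-Control-Allow-Credentials: true' );
-        header( 'Vary: Origin' );
+        header( 'Vary: Origin', false );
+    } elseif ( ! headers_sent() && 'GET' === $_SERVER['REQUEST_METHOD'] && ! is_user_logged_in() ) {
+        header( 'Vary: Origin', false );
     }
 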
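Review bot: The new `elseif` at line 591 restricts the header to anonymous GET requests without saying why, so the intent has to be guessed; I assume it targets the responses a shared cache can store, and that should be written down, e.g. above line 591: `// Anonymous GET responses may be cached; mark them as varying on Origin so a response produced without an Origin header is not later served to a cross-origin request with different CORS headers.` `$_SERVER['REQUEST_METHOD']` is read unguarded, and since the branch already tests `headers_sent()`, adding `isset( $_SERVER['REQUEST_METHOD'] ) &&` costs nothing and avoids a notice outside a web SAPI. Passing `false` as the replace flag on both lines appends rather than overwrites an existing `Vary` header, which is the right choice but also worth one clause in that comment. The enclosing function starts and ends outside the hunk.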
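--- a/branches/5.1/tests/phpunit/tests/auth.php
+++ b/branches/5.1/tests/phpunit/tests/auth.php
@@ -166,4 +166,13 @@
     }
 
+    public function test_check_admin_referer_with_default_action_as_string_not_doing_it_wrong() {
+        // A valid nonce needs to be set so the check doesn't die()
+        $_REQUEST['_wpnonce'] = wp_create_nonce( '-1' );
+        $result               = check_admin_referer( '-1' );
+        $this->assertSame( 1, $result );
+
+        unset( $_REQUEST['_wpnonce'] );
+    }
+
     /**
      * @ticket 36361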
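Review bot: The cleanup `unset( $_REQUEST['_wpnonce'] );` at line 174 only runs when the assertion at line 172 passes, so a failing run leaves a valid nonce in `$_REQUEST` for every later test in the process. Since `$result` is already captured first, the fix is to move `unset( $_REQUEST['_wpnonce'] );` directly after line 171 and keep `$this->assertSame( 1, $result );` as the last statement (or reset the key in the test case's teardown). The method name promises that `_doing_it_wrong` is not triggered, but no explicit expectation is set; if the base test class fails on unexpected `_doing_it_wrong` calls that is covered implicitly, otherwise the test does not check what its name claims.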
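--- a/branches/5.1/tests/phpunit/tests/query/vars.php
+++ b/branches/5.1/tests/phpunit/tests/query/vars.php
@@ -52,5 +52,4 @@
                 'feed',
                 'author_name',
-                'static',
                 'pagename',
                 'page_id',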