Changeset 46493

Timestamp:

10/14/2019 06:38:34 PM (6 years ago)

Author:

whyisjake

Message:

Backporting several bug fixes.

• Query: Remove the static query property.
• HTTP API: Protect against hex interpretation.
• Filesystem API: Prevent directory travelersals when creating new folders.
• Administration: Ensure that admin referer nonce is valid.
• REST API: Send a Vary: Origin header on GET requests.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 5.0 branch.

Location:

branches/4.9

Files:

• src/wp-includes/class-wp-query.php (modified) (2 diffs)
• src/wp-includes/class-wp.php (modified) (1 diff)
• src/wp-includes/functions.php (modified) (1 diff)
• src/wp-includes/http.php (modified) (1 diff)
• src/wp-includes/pluggable.php (modified) (3 diffs)
• src/wp-includes/rest-api.php (modified) (1 diff)
• tests/phpunit/tests/auth.php (modified) (1 diff)
• tests/phpunit/tests/query/vars.php (modified) (1 diff)

branches/4.9/src/wp-includes/class-wp-query.php

@@ -530 +530 @@
             , 'attachment_id'
             , 'name'
-            , 'static'
             , 'pagename'
             , 'page_id'
@@ -765 +764 @@
             // post is being queried.
             $this->is_single = true;
-        } elseif ( '' != $qv['static'] || '' != $qv['pagename'] || !empty($qv['page_id']) ) {
+        } elseif ( '' != $qv['pagename'] || !empty($qv['page_id']) ) {
             $this->is_page = true;
             $this->is_single = false;

branches/4.9/src/wp-includes/class-wp.php

@@ -15 +15 @@
      * @var array
      */
-    public $public_query_vars = array('m', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'static', 'pagename', 'page_id', 'error', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );
+    public $public_query_vars = array( 'm', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'pagename', 'page_id', 'error', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );
 
     /**

branches/4.9/src/wp-includes/functions.php

@@ -1613 +1613 @@
     if ( file_exists( $target ) )
         return @is_dir( $target );
+
+    // Do not allow path traversals.
+    if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
+        return false;
+    }
 
     // We need to find the permissions of the parent folder that exists and inherit that.

branches/4.9/src/wp-includes/http.php

@@ -542 +542 @@
         } else {
             $ip = gethostbyname( $host );
-            if ( $ip === $host ) // Error condition for gethostbyname()
-                $ip = false;
+            if ( $ip === $host ) { // Error condition for gethostbyname()
+                return false;
+            }
         }
         if ( $ip ) {

branches/4.9/src/wp-includes/pluggable.php

@@ -1080 +1080 @@
  */
 function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
-    if ( -1 == $action )
+    if ( -1 === $action )
         _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
 
@@ -1098 +1098 @@
     do_action( 'check_admin_referer', $action, $result );
 
-    if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
+    if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
         wp_nonce_ays( $action );
         die();
@@ -2646 +2646 @@
 }
 endif;
-

branches/4.9/src/wp-includes/rest-api.php

@@ -545 +545 @@
         header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
         header( 'Access-Control-Allow-Credentials: true' );
-        header( 'Vary: Origin' );
+        header( 'Vary: Origin', false );
+    } elseif ( ! headers_sent() && 'GET' === $_SERVER['REQUEST_METHOD'] && ! is_user_logged_in() ) {
+        header( 'Vary: Origin', false );
     }
 

branches/4.9/tests/phpunit/tests/auth.php

@@ -164 +164 @@
     }
 
+    public function test_check_admin_referer_with_default_action_as_string_not_doing_it_wrong() {
+        // A valid nonce needs to be set so the check doesn't die()
+        $_REQUEST['_wpnonce'] = wp_create_nonce( '-1' );
+        $result               = check_admin_referer( '-1' );
+        $this->assertSame( 1, $result );
+
+        unset( $_REQUEST['_wpnonce'] );
+    }
+
     /**
      * @ticket 36361

branches/4.9/tests/phpunit/tests/query/vars.php

@@ -17 +17 @@
         do_action( 'init' );
 
-        $this->assertEquals( array(
+        $this->assertEquals(
+            array(
 
-            // Static public query vars:
-            'm',
-            'p',
-            'posts',
-            'w',
-            'cat',
-            'withcomments',
-            'withoutcomments',
-            's',
-            'search',
-            'exact',
-            'sentence',
-            'calendar',
-            'page',
-            'paged',
-            'more',
-            'tb',
-            'pb',
-            'author',
-            'order',
-            'orderby',
-            'year',
-            'monthnum',
-            'day',
-            'hour',
-            'minute',
-            'second',
-            'name',
-            'category_name',
-            'tag',
-            'feed',
-            'author_name',
-            'static',
-            'pagename',
-            'page_id',
-            'error',
-            'attachment',
-            'attachment_id',
-            'subpost',
-            'subpost_id',
-            'preview',
-            'robots',
-            'taxonomy',
-            'term',
-            'cpage',
-            'post_type',
-            'embed',
+                // Static public query vars:
+                'm',
+                'p',
+                'posts',
+                'w',
+                'cat',
+                'withcomments',
+                'withoutcomments',
+                's',
+                'search',
+                'exact',
+                'sentence',
+                'calendar',
+                'page',
+                'paged',
+                'more',
+                'tb',
+                'pb',
+                'author',
+                'order',
+                'orderby',
+                'year',
+                'monthnum',
+                'day',
+                'hour',
+                'minute',
+                'second',
+                'name',
+                'category_name',
+                'tag',
+                'feed',
+                'author_name',
+                'pagename',
+                'page_id',
+                'error',
+                'attachment',
+                'attachment_id',
+                'subpost',
+                'subpost_id',
+                'preview',
+                'robots',
+                'taxonomy',
+                'term',
+                'cpage',
+                'post_type',
+                'embed',
 
-            // Dynamically added public query vars:
-            'post_format',
-            'rest_route',
+                // Dynamically added public query vars:
+                'post_format',
+                'rest_route',
 
-        ), $wp->public_query_vars, 'Care should be taken when introducing new public query vars. See https://core.trac.wordpress.org/ticket/35115' );
+            ),
+            $wp->public_query_vars,
+            'Care should be taken when introducing new public query vars. See https://core.trac.wordpress.org/ticket/35115'
+        );
     }