WordPress.org

Make WordPress Core


Timestamp:
10/14/2019 06:38:34 PM (8 weeks ago)
Author:
whyisjake
Message:

Backporting several bug fixes.

  • Query: Remove the static query property.
  • HTTP API: Protect against hex interpretation.
  • Filesystem API: Prevent directory traversals when creating new folders.
  • Administration: Ensure that admin referer nonce is valid.
  • REST API: Send a Vary: Origin header on GET requests.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 5.0 branch.

File:
1 edited

  • branches/4.9/src/wp-includes/pluggable.php

    r45975 r46493  
    10801080 */
    10811081function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
    1082     if ( -1 == $action )
     1082    if ( -1 === $action )
    10831083        _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
    10841084
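Review bot: the `if ( -1 === $action )` on line 1082 still guards the `_doing_it_wrong()` call without braces; since the line is being changed anyway, wrap the body in `{ }` so a statement added later cannot end up outside the condition. With `===`, only the integer `-1` (the parameter default) counts as "no action given", so a string such as `'-1'` no longer matches; the docblock above the function should state that.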
     
    10981098    do_action( 'check_admin_referer', $action, $result );
    10991099
    1100     if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
     1100    if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
    11011101        wp_nonce_ays( $action );
    11021102        die();
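Review bot: line 1100 should carry a comment stating why a failed nonce is still tolerated when `$action` is the default `-1` and `$referer` starts with `$adminurl`, because that referer fallback is the only path here that skips `wp_nonce_ays()`, and the strict comparison is what keeps other action values out of it. The changeset lists one edited file, so no test accompanies the change; a unit test asserting that a non-integer action with an invalid nonce reaches `wp_nonce_ays()` would pin the behaviour for the backport.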
     
    26462646}
    26472647endif;
    2648 