WordPress.org
Get WordPress

Make WordPress Core

Changeset 46503


Ignore:
Timestamp:
10/14/2019 07:26:08 PM (6 years ago)
Author:
whyisjake
Message:

Backporting several bug fixes.

  • Query: Remove the static query property.
  • HTTP API: Protect against hex interpretation.
  • Filesystem API: Prevent directory travelersals when creating new folders.
  • Administration: Ensure that admin referer nonce is valid.
  • REST API: Send a Vary: Origin header on GET requests.
  • Customizer: Properly sanitize background images.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 3.9 branch.

Location:
branches/3.9
Files:
7 edited

Legend:

Unmodified
Added
Removed

  • branches/3.9/package.json

    r46033 r46503  
    2121    "grunt-contrib-jshint": "~0.8.0",
    2222    "grunt-cssjanus": "~0.2.2",
    23     "grunt-sass": "~0.10.0",
     23    "grunt-sass": "~1.0.0",
    2424    "grunt-autoprefixer": "~0.7.1",
    2525    "grunt-jsvalidate": "~0.2.2",

  • branches/3.9/src/wp-includes/class-wp.php

    r44071 r46503  
    1616     * @var array
    1717     */
    18     var $public_query_vars = array('m', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'static', 'pagename', 'page_id', 'error', 'comments_popup', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type');
     18    public $public_query_vars = array( 'm', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'pagename', 'page_id', 'error', 'comments_popup', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );
    1919
    2020    /**

  • branches/3.9/src/wp-includes/functions.php

    r44010 r46503  
    14201420    if ( file_exists( $target ) )
    14211421        return @is_dir( $target );
     1422
     1423    // Do not allow path traversals.
     1424    if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
     1425        return false;
     1426    }
    14221427
    14231428    // We need to find the permissions of the parent folder that exists and inherit that.

  • branches/3.9/src/wp-includes/http.php

    r37121 r46503  
    477477        } else {
    478478            $ip = gethostbyname( $host );
    479             if ( $ip === $host ) // Error condition for gethostbyname()
    480                 $ip = false;
     479            if ( $ip === $host ) { // Error condition for gethostbyname()
     480                return false;
     481            }
    481482        }
    482483        if ( $ip ) {

  • branches/3.9/src/wp-includes/pluggable.php

    r45986 r46503  
    10071007 * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
    10081008 */
    1009 function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
    1010     if ( -1 == $action )
    1011         _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2' );
     1009function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
     1010    if ( -1 === $action )
     1011        _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
    10121012
    10131013    $adminurl = strtolower(admin_url());
     
    10281028     */
    10291029    do_action( 'check_admin_referer', $action, $result );
     1030
     1031    if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
     1032        wp_nonce_ays( $action );
     1033        die();
     1034    }
     1035
    10301036    return $result;
    10311037}
     
    10421048 */
    10431049function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
     1050    if ( -1 === $action )
     1051        _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
     1052
    10441053    $nonce = '';
    10451054
     
    22202229}
    22212230endif;
    2222 
    2223 if ( ! function_exists( 'hash_equals' ) ) :
    2224 /**
    2225  * Compare two strings in constant time.
    2226  *
    2227  * This function is NOT pluggable. It is in this file (in addition to
    2228  * compat.php) to prevent errors if, during an update, pluggable.php
    2229  * copies over but compat.php does not.
    2230  *
    2231  * This function was added in PHP 5.6.
    2232  * It can leak the length of a string.
    2233  *
    2234  * @since 3.9.2
    2235  *
    2236  * @param string $a Expected string.
    2237  * @param string $b Actual string.
    2238  * @return bool Whether strings are equal.
    2239  */
    2240 function hash_equals( $a, $b ) {
    2241     $a_length = strlen( $a );
    2242     if ( $a_length !== strlen( $b ) ) {
    2243         return false;
    2244     }
    2245     $result = 0;
    2246 
    2247     // Do not attempt to "optimize" this.
    2248     for ( $i = 0; $i < $a_length; $i++ ) {
    2249         $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
    2250     }
    2251 
    2252     return $result === 0;
    2253 }
    2254 endif;

  • branches/3.9/src/wp-includes/query.php

    r39964 r46503  
    13991399            , 'attachment_id'
    14001400            , 'name'
    1401             , 'static'
    14021401            , 'pagename'
    14031402            , 'page_id'
     
    15071506            // post is being queried.
    15081507            $this->is_single = true;
    1509         } elseif ( '' != $qv['static'] || '' != $qv['pagename'] || !empty($qv['page_id']) ) {
     1508        } elseif ( '' != $qv['pagename'] || !empty($qv['page_id']) ) {
    15101509            $this->is_page = true;
    15111510            $this->is_single = false;

  • branches/3.9/tests/phpunit/tests/auth.php

    r30468 r46503  
    9494    }
    9595
     96    /**
     97     * @ticket 29217
     98     */
     99    function test_wp_verify_nonce_with_empty_arg() {
     100        $this->assertFalse( wp_verify_nonce( '' ) );
     101        $this->assertFalse( wp_verify_nonce( null ) );
     102    }
     103
     104    /**
     105     * @ticket 29542
     106     */
     107    function test_wp_verify_nonce_with_integer_arg() {
     108        $this->assertFalse( wp_verify_nonce( 1 ) );
     109    }
     110
     111    /**
     112     * @ticket 36361
     113     */
     114    public function test_check_admin_referer_with_no_action_triggers_doing_it_wrong() {
     115        $this->setExpectedIncorrectUsage( 'check_admin_referer' );
     116
     117        // A valid nonce needs to be set so the check doesn't die()
     118        $_REQUEST['_wpnonce'] = wp_create_nonce( -1 );
     119        $result = check_admin_referer();
     120        $this->assertSame( 1, $result );
     121
     122        unset( $_REQUEST['_wpnonce'] );
     123    }
     124
     125    /**
     126     * @ticket 36361
     127     */
     128    public function test_check_ajax_referer_with_no_action_triggers_doing_it_wrong() {
     129        $this->setExpectedIncorrectUsage( 'check_ajax_referer' );
     130
     131        // A valid nonce needs to be set so the check doesn't die()
     132        $_REQUEST['_wpnonce'] = wp_create_nonce( -1 );
     133        $result = check_ajax_referer();
     134        $this->assertSame( 1, $result );
     135
     136        unset( $_REQUEST['_wpnonce'] );
     137    }
     138
    96139    function test_password_length_limit() {
    97140        $passwords = array(
Note: See TracChangeset for help on using the changeset viewer.