Changeset 46504

Timestamp:

10/14/2019 07:29:52 PM (6 years ago)

Author:

whyisjake

Message:

Backporting several bug fixes.

• Query: Remove the static query property.
• HTTP API: Protect against hex interpretation.
• Filesystem API: Prevent directory travelersals when creating new folders.
• Administration: Ensure that admin referer nonce is valid.
• REST API: Send a Vary: Origin header on GET requests.
• Customizer: Properly sanitize background images.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 3.8 branch.

Location:

branches/3.8

Files:

• . (modified) (1 prop)
• package.json (modified) (1 diff)
• src/wp-includes/class-wp.php (modified) (1 diff)
• src/wp-includes/functions.php (modified) (1 diff)
• src/wp-includes/http.php (modified) (1 diff)
• src/wp-includes/pluggable.php (modified) (3 diffs)
• src/wp-includes/query.php (modified) (2 diffs)
• tests/phpunit/tests/auth.php (modified) (1 diff)

branches/3.8/package.json

@@ -21 +21 @@
     "grunt-contrib-jshint": "~0.7.0",
     "grunt-cssjanus": "git://github.com/yoavf/grunt-cssjanus.git#e0158f4087d1c4bb5a8d1648a63ef133338b5879",
-    "grunt-sass": "~0.8.0",
+    "grunt-sass": "~1.0.0",
     "matchdep": "~0.1.2"
   }

branches/3.8/src/wp-includes/class-wp.php

@@ -16 +16 @@
      * @var array
      */
-    var $public_query_vars = array('m', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'static', 'pagename', 'page_id', 'error', 'comments_popup', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type');
+    public $public_query_vars = array( 'm', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'pagename', 'page_id', 'error', 'comments_popup', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );
 
     /**

branches/3.8/src/wp-includes/functions.php

@@ -1361 +1361 @@
     if ( file_exists( $target ) )
         return @is_dir( $target );
+
+    // Do not allow path traversals.
+    if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
+        return false;
+    }
 
     // We need to find the permissions of the parent folder that exists and inherit that.

branches/3.8/src/wp-includes/http.php

@@ -477 +477 @@
         } else {
             $ip = gethostbyname( $host );
-            if ( $ip === $host ) // Error condition for gethostbyname()
-                $ip = false;
+            if ( $ip === $host ) { // Error condition for gethostbyname()
+                return false;
+            }
         }
         if ( $ip ) {

branches/3.8/src/wp-includes/pluggable.php

@@ -806 +806 @@
  * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
  */
-function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
-    if ( -1 == $action )
-        _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2' );
+function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
+    if ( -1 === $action )
+        _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
 
     $adminurl = strtolower(admin_url());
     $referer = strtolower(wp_get_referer());
     $result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;
-    if ( !$result && !(-1 == $action && strpos($referer, $adminurl) === 0) ) {
-        wp_nonce_ays($action);
+
+    /**
+     * Fires once the admin request has been validated or not.
+     *
+     * @since 1.5.1
+     *
+     * @param string $action The nonce action.
+     * @param bool   $result Whether the admin request nonce was validated.
+     */
+    do_action( 'check_admin_referer', $action, $result );
+
+    if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
+        wp_nonce_ays( $action );
         die();
     }
-    do_action('check_admin_referer', $action, $result);
+
     return $result;
 }
@@ -832 +843 @@
  */
 function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
+    if ( -1 === $action )
+        _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
+
     $nonce = '';
 
@@ -1858 +1872 @@
 }
 endif;
-
-if ( ! function_exists( 'hash_equals' ) ) :
-/**
- * Compare two strings in constant time.
- *
- * This function is NOT pluggable. It is in this file (in addition to
- * compat.php) to prevent errors if, during an update, pluggable.php
- * copies over but compat.php does not.
- *
- * This function was added in PHP 5.6.
- * It can leak the length of a string.
- *
- * @since 3.9.2
- *
- * @param string $a Expected string.
- * @param string $b Actual string.
- * @return bool Whether strings are equal.
- */
-function hash_equals( $a, $b ) {
-    $a_length = strlen( $a );
-    if ( $a_length !== strlen( $b ) ) {
-        return false;
-    }
-    $result = 0;
-
-    // Do not attempt to "optimize" this.
-    for ( $i = 0; $i < $a_length; $i++ ) {
-        $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
-    }
-
-    return $result === 0;
-}
-endif;

branches/3.8/src/wp-includes/query.php

@@ -1397 +1397 @@
             , 'attachment_id'
             , 'name'
-            , 'static'
             , 'pagename'
             , 'page_id'
@@ -1505 +1504 @@
             // post is being queried.
             $this->is_single = true;
-        } elseif ( '' != $qv['static'] || '' != $qv['pagename'] || !empty($qv['page_id']) ) {
+        } elseif ( '' != $qv['pagename'] || !empty($qv['page_id']) ) {
             $this->is_page = true;
             $this->is_single = false;

branches/3.8/tests/phpunit/tests/auth.php

@@ -94 +94 @@
     }
 
+    /**
+     * @ticket 29217
+     */
+    function test_wp_verify_nonce_with_empty_arg() {
+        $this->assertFalse( wp_verify_nonce( '' ) );
+        $this->assertFalse( wp_verify_nonce( null ) );
+    }
+
+    /**
+     * @ticket 29542
+     */
+    function test_wp_verify_nonce_with_integer_arg() {
+        $this->assertFalse( wp_verify_nonce( 1 ) );
+    }
+
+    /**
+     * @ticket 36361
+     */
+    public function test_check_admin_referer_with_no_action_triggers_doing_it_wrong() {
+        $this->setExpectedIncorrectUsage( 'check_admin_referer' );
+
+        // A valid nonce needs to be set so the check doesn't die()
+        $_REQUEST['_wpnonce'] = wp_create_nonce( -1 );
+        $result = check_admin_referer();
+        $this->assertSame( 1, $result );
+
+        unset( $_REQUEST['_wpnonce'] );
+    }
+
+    /**
+     * @ticket 36361
+     */
+    public function test_check_ajax_referer_with_no_action_triggers_doing_it_wrong() {
+        $this->setExpectedIncorrectUsage( 'check_ajax_referer' );
+
+        // A valid nonce needs to be set so the check doesn't die()
+        $_REQUEST['_wpnonce'] = wp_create_nonce( -1 );
+        $result = check_ajax_referer();
+        $this->assertSame( 1, $result );
+
+        unset( $_REQUEST['_wpnonce'] );
+    }
+
     function test_password_length_limit() {
         $passwords = array(