Changeset 46504 for branches/3.8/src/wp-includes/pluggable.php

Timestamp:

10/14/2019 07:29:52 PM (6 years ago)

Author:

whyisjake

Message:

Backporting several bug fixes.

• Query: Remove the static query property.
• HTTP API: Protect against hex interpretation.
• Filesystem API: Prevent directory travelersals when creating new folders.
• Administration: Ensure that admin referer nonce is valid.
• REST API: Send a Vary: Origin header on GET requests.
• Customizer: Properly sanitize background images.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 3.8 branch.

Location:

branches/3.8

Files:

• . (modified) (1 prop)
• src/wp-includes/pluggable.php (modified) (3 diffs)

branches/3.8/src/wp-includes/pluggable.php

@@ -806 +806 @@
  * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
  */
-function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
-    if ( -1 == $action )
-        _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2' );
+function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
+    if ( -1 === $action )
+        _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
 
     $adminurl = strtolower(admin_url());
     $referer = strtolower(wp_get_referer());
     $result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;
-    if ( !$result && !(-1 == $action && strpos($referer, $adminurl) === 0) ) {
-        wp_nonce_ays($action);
+
+    /**
+     * Fires once the admin request has been validated or not.
+     *
+     * @since 1.5.1
+     *
+     * @param string $action The nonce action.
+     * @param bool   $result Whether the admin request nonce was validated.
+     */
+    do_action( 'check_admin_referer', $action, $result );
+
+    if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
+        wp_nonce_ays( $action );
         die();
     }
-    do_action('check_admin_referer', $action, $result);
+
     return $result;
 }
@@ -832 +843 @@
  */
 function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
+    if ( -1 === $action )
+        _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
+
     $nonce = '';
 
@@ -1858 +1872 @@
 }
 endif;
-
-if ( ! function_exists( 'hash_equals' ) ) :
-/**
- * Compare two strings in constant time.
- *
- * This function is NOT pluggable. It is in this file (in addition to
- * compat.php) to prevent errors if, during an update, pluggable.php
- * copies over but compat.php does not.
- *
- * This function was added in PHP 5.6.
- * It can leak the length of a string.
- *
- * @since 3.9.2
- *
- * @param string $a Expected string.
- * @param string $b Actual string.
- * @return bool Whether strings are equal.
- */
-function hash_equals( $a, $b ) {
-    $a_length = strlen( $a );
-    if ( $a_length !== strlen( $b ) ) {
-        return false;
-    }
-    $result = 0;
-
-    // Do not attempt to "optimize" this.
-    for ( $i = 0; $i < $a_length; $i++ ) {
-        $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
-    }
-
-    return $result === 0;
-}
-endif;