Context Navigation

← Previous Changeset
Next Changeset →

Changeset 46505

Timestamp:

10/14/2019 07:31:55 PM (6 years ago)

Author:

whyisjake

Message:

Backporting several bug fixes.

Query: Remove the static query property.
HTTP API: Protect against hex interpretation.
Filesystem API: Prevent directory travelersals when creating new folders.
Administration: Ensure that admin referer nonce is valid.
REST API: Send a Vary: Origin header on GET requests.
Customizer: Properly sanitize background images.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 3.7 branch.

Location:

branches/3.7

Files:

: 8 edited

. (modified) (1 prop)
src (modified) (1 prop)
src/wp-includes/class-wp.php (modified) (1 diff)
src/wp-includes/functions.php (modified) (1 diff)
src/wp-includes/http.php (modified) (1 diff)
src/wp-includes/pluggable.php (modified) (3 diffs)
src/wp-includes/query.php (modified) (2 diffs)
tests/phpunit/tests/auth.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

branches/3.7
- Property svn:mergeinfo changed
  /trunk merged: 46474-46478,46483,46485
branches/3.7/src
- Property svn:mergeinfo changed
  /trunk/src merged: 46474-46478,46483

branches/3.7/src/wp-includes/class-wp.php

r44075	r46505
16	16	* @var array
17	17	*/
18		var $public_query_vars = array('m', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'static', 'pagename', 'page_id', 'error', 'comments_popup', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type');
	18	public $public_query_vars = array( 'm', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'pagename', 'page_id', 'error', 'comments_popup', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );
19	19
20	20	/**

branches/3.7/src/wp-includes/functions.php

-                      r44012
+                      r46505
     if ( file_exists( $target ) )
         return @is_dir( $target );
+    // Do not allow path traversals.
+    if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
+        return false;
+    }
     // We need to find the permissions of the parent folder that exists and inherit that.

branches/3.7/src/wp-includes/http.php

-                      r37123
+                      r46505
         } else {
             $ip = gethostbyname( $host );
+            if ( $ip === $host ) // Error condition for gethostbyname()
+                $ip = false;
+            if ( $ip === $host ) { // Error condition for gethostbyname()
+                return false;
+            }
+        }
         if ( $ip ) {

branches/3.7/src/wp-includes/pluggable.php

-                      r45988
+                      r46505
  * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
  */
 function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
     if ( -1 == $action )
         _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2' );
+function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
+    if ( -1 === $action )
+        _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
     $adminurl = strtolower(admin_url());
     $referer = strtolower(wp_get_referer());
     $result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;
+    if ( !$result && !(-1 == $action && strpos($referer, $adminurl) === 0) ) {
+        wp_nonce_ays($action);
+    /**
+     * Fires once the admin request has been validated or not.
+     *
+     * @since 1.5.1
+     *
+     * @param string $action The nonce action.
+     * @param bool   $result Whether the admin request nonce was validated.
+     */
+    do_action( 'check_admin_referer', $action, $result );
+    if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
+        wp_nonce_ays( $action );
         die();
+    }
+    do_action('check_admin_referer', $action, $result);
     return $result;
+}
 …
  */
 function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
+    if ( -1 === $action )
+        _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
     $nonce = '';
 …
+}
 endif;
-if ( ! function_exists( 'hash_equals' ) ) :
-/**
- * Compare two strings in constant time.
+ *
- * This function is NOT pluggable. It is in this file (in addition to
- * compat.php) to prevent errors if, during an update, pluggable.php
- * copies over but compat.php does not.
+ *
- * This function was added in PHP 5.6.
- * It can leak the length of a string.
+ *
- * @since 3.9.2
+ *
- * @param string $a Expected string.
- * @param string $b Actual string.
- * @return bool Whether strings are equal.
- */
-function hash_equals( $a, $b ) {
-    $a_length = strlen( $a );
-    if ( $a_length !== strlen( $b ) ) {
-        return false;
+    }
-    $result = 0;
-    // Do not attempt to "optimize" this.
-    for ( $i = 0; $i < $a_length; $i++ ) {
-        $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
+    }
-    return $result === 0;
+}
-endif;

branches/3.7/src/wp-includes/query.php

-                      r39966
+                      r46505
             , 'attachment_id'
             , 'name'
-            , 'static'
             , 'pagename'
             , 'page_id'
 …
             // post is being queried.
             $this->is_single = true;
         } elseif ( '' != $qv['static'] || '' != $qv['pagename'] || !empty($qv['page_id']) ) {
+        } elseif ( '' != $qv['pagename'] || !empty($qv['page_id']) ) {
             $this->is_page = true;
             $this->is_single = false;

branches/3.7/tests/phpunit/tests/auth.php

-                      r30470
+                      r46505
+    }
+    /**
+     * @ticket 29217
+     */
+    function test_wp_verify_nonce_with_empty_arg() {
+        $this->assertFalse( wp_verify_nonce( '' ) );
+        $this->assertFalse( wp_verify_nonce( null ) );
+    }
+    /**
+     * @ticket 29542
+     */
+    function test_wp_verify_nonce_with_integer_arg() {
+        $this->assertFalse( wp_verify_nonce( 1 ) );
+    }
+    /**
+     * @ticket 36361
+     */
+    public function test_check_admin_referer_with_no_action_triggers_doing_it_wrong() {
+        $this->setExpectedIncorrectUsage( 'check_admin_referer' );
+        // A valid nonce needs to be set so the check doesn't die()
+        $_REQUEST['_wpnonce'] = wp_create_nonce( -1 );
+        $result = check_admin_referer();
+        $this->assertSame( 1, $result );
+        unset( $_REQUEST['_wpnonce'] );
+    }
+    /**
+     * @ticket 36361
+     */
+    public function test_check_ajax_referer_with_no_action_triggers_doing_it_wrong() {
+        $this->setExpectedIncorrectUsage( 'check_ajax_referer' );
+        // A valid nonce needs to be set so the check doesn't die()
+        $_REQUEST['_wpnonce'] = wp_create_nonce( -1 );
+        $result = check_ajax_referer();
+        $this->assertSame( 1, $result );
+        unset( $_REQUEST['_wpnonce'] );
+    }
     function test_password_length_limit() {
         $passwords = array(

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core