

Timestamp:
10/14/2019 07:31:55 PM (5 years ago)
Author:
whyisjake
Message:

Backporting several bug fixes.

  • Query: Remove the static query property.
  • HTTP API: Protect against hex interpretation.
  • Filesystem API: Prevent directory traversals when creating new folders.
  • Administration: Ensure that admin referer nonce is valid.
  • REST API: Send a Vary: Origin header on GET requests.
  • Customizer: Properly sanitize background images.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 3.7 branch.

Location:
branches/3.7
Files:
3 edited

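--- a/branches/3.7/src/wp-includes/pluggable.php
+++ b/branches/3.7/src/wp-includes/pluggable.php
@@ -809,16 +809,27 @@
  * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
  */
-function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
-    if ( -1 == $action )
-        _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2' );
+function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
+    if ( -1 === $action )
+        _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
 
     $adminurl = strtolower(admin_url());
     $referer = strtolower(wp_get_referer());
     $result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;
-    if ( !$result && !(-1 == $action && strpos($referer, $adminurl) === 0) ) {
-        wp_nonce_ays($action);
+
+    /**
+     * Fires once the admin request has been validated or not.
+     *
+     * @since 1.5.1
+     *
+     * @param string $action The nonce action.
+     * @param bool   $result Whether the admin request nonce was validated.
+     */
+    do_action( 'check_admin_referer', $action, $result );
+
+    if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
+        wp_nonce_ays( $action );
         die();
     }
-    do_action('check_admin_referer', $action, $result);
+
     return $result;
 }
@@ -835,4 +846,7 @@
  */
 function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
+    if ( -1 === $action )
+        _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
+
     $nonce = '';
 
@@ -1812,35 +1826,2 @@
 }
 endif;
-
-if ( ! function_exists( 'hash_equals' ) ) :
-/**
- * Compare two strings in constant time.
- *
- * This function is NOT pluggable. It is in this file (in addition to
- * compat.php) to prevent errors if, during an update, pluggable.php
- * copies over but compat.php does not.
- *
- * This function was added in PHP 5.6.
- * It can leak the length of a string.
- *
- * @since 3.9.2
- *
- * @param string $a Expected string.
- * @param string $b Actual string.
- * @return bool Whether strings are equal.
- */
-function hash_equals( $a, $b ) {
-    $a_length = strlen( $a );
-    if ( $a_length !== strlen( $b ) ) {
-        return false;
-    }
-    $result = 0;
-
-    // Do not attempt to "optimize" this.
-    for ( $i = 0; $i < $a_length; $i++ ) {
-        $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
-    }
-
-    return $result === 0;
-}
-endif;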
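Review bot: The docblock added above `do_action( 'check_admin_referer', $action, $result )` in the first hunk types `$result` as `bool`, but `$result` holds the raw return of `wp_verify_nonce()` (a non-false int when the nonce checks out) or `false` when the query argument is absent, and `$action` defaults to the integer `-1`, so ` * @param string|int $action The nonce action.` and ` * @param false|int  $result False if the nonce is invalid, otherwise the value returned by wp_verify_nonce().` describe the hook payload accurately. That docblock should also say the action fires before `wp_nonce_ays()`, so a listener observes a failing result before the request is rejected; that reordering is the substance of the change and the comment leaves it implicit. The third hunk deletes the `hash_equals()` fallback whose own docblock says it duplicated compat.php deliberately so an interrupted update could not leave `pluggable.php` calling an undefined function; the commit message does not mention this removal, so it is worth confirming that compat.php on this branch still defines it before this lands.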