WordPress.org

Make WordPress Core

Changeset 46918


Ignore:
Timestamp:
12/12/2019 06:56:36 PM (8 months ago)
Author:
SergeyBiryukov
Message:

Ensure that a user can publish_posts before making a post sticky.

Props: danielbachhuber, whyisjake, peterwilson, xknown.

Brings r46893 to the 4.9 branch.

Update wp_kses_bad_protocol() to recognize : on uri attributes,

wp_kses_bad_protocol() makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 4.9 branch.

Props: xknown, nickdaugherty, peterwilsoncc.

Location:
branches/4.9
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • branches/4.9

  • branches/4.9/src/wp-includes/kses.php

    r46005 r46918  
    13861386function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) {
    13871387    $string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
    1388     $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
     1388    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;|:/i', $string, 2 );
    13891389    if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {
    13901390        $string = trim( $string2[1] );
  • branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

    r43715 r46918  
    492492        }
    493493
    494         if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
     494        if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
    495495            return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
    496496        }
     
    634634        }
    635635
    636         if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
     636        if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
    637637            return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
    638638        }
     
    923923     */
    924924    protected function prepare_item_for_database( $request ) {
    925         $prepared_post = new stdClass;
     925        $prepared_post = new stdClass();
    926926
    927927        // Post ID.
  • branches/4.9/tests/phpunit/tests/kses.php

    r46005 r46918  
    170170        }
    171171
     172        $bad_not_normalized = array(
     173            'dummy:alert(1)',
     174            'javascript:alert(1)',
     175            'javascript&CoLon;alert(1)',
     176            'javascript:alert(1);',
     177            'javascript:alert(1);',
     178            'javascript:alert(1);',
     179            'javascript&#0000058alert(1);',
     180            'jav    ascript:alert(1);',
     181            'javascript:javascript:alert(1);',
     182            'javascript:javascript:alert(1);',
     183            'javascript&#0000058javascript:alert(1);',
     184            'javascript:javascript&#0000058alert(1);',
     185            'javascript&#58alert(1)',
     186        );
     187        foreach ( $bad_not_normalized as $k => $x ) {
     188            $result = wp_kses_bad_protocol( $x, wp_allowed_protocols() );
     189            if ( ! empty( $result ) && 'alert(1);' !== $result && 'alert(1)' !== $result ) {
     190                $this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
     191            }
     192        }
     193
    172194        $safe = array(
    173195            'dummy:alert(1)',
Note: See TracChangeset for help on using the changeset viewer.