Changeset 47648
- Timestamp:
- 04/29/2020 04:15:39 PM (5 years ago)
- Location:
- branches/4.9
- Files:
-
- 10 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/4.9
- Property svn:mergeinfo changed
/trunk merged: 47633-47635,47637-47638
- Property svn:mergeinfo changed
-
branches/4.9/src/wp-includes/cache.php
r41688 r47648 669 669 echo '<ul>'; 670 670 foreach ($this->cache as $group => $cache) { 671 echo "<li><strong>Group:</strong> $group - ( ". number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>';671 echo '<li><strong>Group:</strong> ' . esc_html( $group ) . ' - ( ' . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>'; 672 672 } 673 673 echo '</ul>'; -
branches/4.9/src/wp-includes/class-wp-customize-manager.php
r43707 r47648 2860 2860 add_filter( 'wp_save_post_revision_post_has_changed', array( $this, '_filter_revision_post_has_changed' ), 5, 3 ); 2861 2861 2862 // Update the changeset post. The publish_customize_changeset action will cause the settings in the changeset to be saved via WP_Customize_Setting::save(). 2863 $has_kses = ( false !== has_filter( 'content_save_pre', 'wp_filter_post_kses' ) ); 2864 if ( $has_kses ) { 2865 kses_remove_filters(); // Prevent KSES from corrupting JSON in post_content. 2866 } 2867 2868 // Note that updating a post with publish status will trigger WP_Customize_Manager::publish_changeset_values(). 2862 /* 2863 * Update the changeset post. The publish_customize_changeset action will cause the settings in the 2864 * changeset to be saved via WP_Customize_Setting::save(). Updating a post with publish status will 2865 * trigger WP_Customize_Manager::publish_changeset_values(). 2866 */ 2867 add_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5, 3 ); 2869 2868 if ( $changeset_post_id ) { 2870 2869 if ( $args['autosave'] && 'auto-draft' !== get_post_status( $changeset_post_id ) ) { … … 2893 2892 } 2894 2893 } 2895 if ( $has_kses ) { 2896 kses_init_filters();2897 } 2894 2895 remove_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5 ); 2896 2898 2897 $this->_changeset_data = null; // Reset so WP_Customize_Manager::changeset_data() will re-populate with updated contents. 2899 2898 … … 2910 2909 2911 2910 return $response; 2911 } 2912 2913 /** 2914 * Preserve the initial JSON post_content passed to save into the post. 2915 * 2916 * This is needed to prevent KSES and other {@see 'content_save_pre'} filters 2917 * from corrupting JSON data. 2918 * 2919 * Note that WP_Customize_Manager::validate_setting_values() have already 2920 * run on the setting values being serialized as JSON into the post content 2921 * so it is pre-sanitized. 2922 * 2923 * Also, the sanitization logic is re-run through the respective 2924 * WP_Customize_Setting::sanitize() method when being read out of the 2925 * changeset, via WP_Customize_Manager::post_value(), and this sanitized 2926 * value will also be sent into WP_Customize_Setting::update() for 2927 * persisting to the DB. 2928 * 2929 * Multiple users can collaborate on a single changeset, where one user may 2930 * have the unfiltered_html capability but another may not. A user with 2931 * unfiltered_html may add a script tag to some field which needs to be kept 2932 * intact even when another user updates the changeset to modify another field 2933 * when they do not have unfiltered_html. 2934 * 2935 * @since 5.4.1 2936 * 2937 * @param array $data An array of slashed and processed post data. 2938 * @param array $postarr An array of sanitized (and slashed) but otherwise unmodified post data. 2939 * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed post data as originally passed to wp_insert_post(). 2940 * @return array Filtered post data. 2941 */ 2942 public function preserve_insert_changeset_post_content( $data, $postarr, $unsanitized_postarr ) { 2943 if ( 2944 isset( $data['post_type'] ) && 2945 isset( $unsanitized_postarr['post_content'] ) && 2946 'customize_changeset' === $data['post_type'] || 2947 ( 2948 'revision' === $data['post_type'] && 2949 ! empty( $data['post_parent'] ) && 2950 'customize_changeset' === get_post_type( $data['post_parent'] ) 2951 ) 2952 ) { 2953 $data['post_content'] = $unsanitized_postarr['post_content']; 2954 } 2955 return $data; 2912 2956 } 2913 2957 -
branches/4.9/src/wp-includes/class-wp-query.php
r46493 r47648 760 760 } elseif ( $qv['p'] ) { 761 761 $this->is_single = true; 762 } elseif ( ('' !== $qv['hour']) && ('' !== $qv['minute']) &&('' !== $qv['second']) && ('' != $qv['year']) && ('' != $qv['monthnum']) && ('' != $qv['day']) ) {763 // If year, month, day, hour, minute, and second are set, a single764 // post is being queried.765 $this->is_single = true;766 762 } elseif ( '' != $qv['pagename'] || !empty($qv['page_id']) ) { 767 763 $this->is_page = true; -
branches/4.9/src/wp-includes/formatting.php
r45994 r47648 1777 1777 $filename_raw = $filename; 1778 1778 $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", "%", "+", chr(0)); 1779 1780 // Check for support for utf8 in the installed PCRE library once and store the result in a static. 1781 static $utf8_pcre = null; 1782 if ( ! isset( $utf8_pcre ) ) { 1783 // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged 1784 $utf8_pcre = @preg_match( '/^./u', 'a' ); 1785 } 1786 1787 if ( ! seems_utf8( $filename ) ) { 1788 $_ext = pathinfo( $filename, PATHINFO_EXTENSION ); 1789 $_name = pathinfo( $filename, PATHINFO_FILENAME ); 1790 $filename = sanitize_title_with_dashes( $_name ) . '.' . $_ext; 1791 } 1792 1793 if ( $utf8_pcre ) { 1794 $filename = preg_replace( "#\x{00a0}#siu", ' ', $filename ); 1795 } 1796 1779 1797 /** 1780 1798 * Filters the list of characters to remove from a filename. … … 1786 1804 */ 1787 1805 $special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw ); 1788 $filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );1789 1806 $filename = str_replace( $special_chars, '', $filename ); 1790 1807 $filename = str_replace( array( '%20', '+' ), '-', $filename ); -
branches/4.9/src/wp-includes/post.php
r43707 r47648 3137 3137 global $wpdb; 3138 3138 3139 // Capture original pre-sanitized array for passing into filters. 3140 $unsanitized_postarr = $postarr; 3141 3139 3142 $user_id = get_current_user_id(); 3140 3143 … … 3433 3436 * 3434 3437 * @since 3.9.0 3438 * @since 5.4.1 `$unsanitized_postarr` argument added. 3435 3439 * 3436 * @param array $data An array of sanitized attachment post data. 3437 * @param array $postarr An array of unsanitized attachment post data. 3440 * @param array $data An array of slashed, sanitized, and processed attachment post data. 3441 * @param array $postarr An array of slashed and sanitized attachment post data, but not processed. 3442 * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed attachment post data 3443 * as originally passed to wp_insert_post(). 3438 3444 */ 3439 $data = apply_filters( 'wp_insert_attachment_data', $data, $postarr );3445 $data = apply_filters( 'wp_insert_attachment_data', $data, $postarr, $unsanitized_postarr ); 3440 3446 } else { 3441 3447 /** … … 3443 3449 * 3444 3450 * @since 2.7.0 3451 * @since 5.4.1 `$unsanitized_postarr` argument added. 3445 3452 * 3446 * @param array $data An array of slashed post data. 3447 * @param array $postarr An array of sanitized, but otherwise unmodified post data. 3453 * @param array $data An array of slashed, sanitized, and processed post data. 3454 * @param array $postarr An array of sanitized (and slashed) but otherwise unmodified post data. 3455 * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed post data as 3456 * originally passed to wp_insert_post(). 3448 3457 */ 3449 $data = apply_filters( 'wp_insert_post_data', $data, $postarr );3458 $data = apply_filters( 'wp_insert_post_data', $data, $postarr, $unsanitized_postarr ); 3450 3459 } 3451 3460 $data = wp_unslash( $data ); -
branches/4.9/src/wp-includes/user.php
r43708 r47648 1693 1693 1694 1694 if ( $update ) { 1695 if ( $user_email !== $old_user_data->user_email ) {1695 if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) { 1696 1696 $data['user_activation_key'] = ''; 1697 1697 } -
branches/4.9/tests/phpunit/tests/customize/manager.php
r42620 r47648 1091 1091 1092 1092 /** 1093 * Test saving changeset post without Kses or other content_save_pre filters mutating content. 1094 * 1095 * @covers WP_Customize_Manager::save_changeset_post() 1096 */ 1097 public function test_save_changeset_post_without_kses_corrupting_json() { 1098 global $wp_customize; 1099 $lesser_admin_user_id = self::factory()->user->create( array( 'role' => 'administrator' ) ); 1100 1101 $uuid = wp_generate_uuid4(); 1102 $wp_customize = new WP_Customize_Manager( 1103 array( 1104 'changeset_uuid' => $uuid, 1105 ) 1106 ); 1107 1108 add_filter( 'map_meta_cap', array( $this, 'filter_map_meta_cap_to_disallow_unfiltered_html' ), 10, 2 ); 1109 kses_init(); 1110 add_filter( 'content_save_pre', 'capital_P_dangit' ); 1111 add_post_type_support( 'customize_changeset', 'revisions' ); 1112 1113 $options = array( 1114 'custom_html_1' => '<script>document.write(" Wordpress 1")</script>', 1115 'custom_html_2' => '<script>document.write(" Wordpress 2")</script>', 1116 'custom_html_3' => '<script>document.write(" Wordpress 3")</script>', 1117 ); 1118 1119 // Populate setting as user who can bypass content_save_pre filter. 1120 wp_set_current_user( self::$admin_user_id ); 1121 $wp_customize = $this->get_manager_for_testing_json_corruption_protection( $uuid ); 1122 $wp_customize->set_post_value( 'custom_html_1', $options['custom_html_1'] ); 1123 $wp_customize->save_changeset_post( 1124 array( 1125 'status' => 'draft', 1126 ) 1127 ); 1128 1129 // Populate setting as user who cannot bypass content_save_pre filter. 1130 wp_set_current_user( $lesser_admin_user_id ); 1131 $wp_customize = $this->get_manager_for_testing_json_corruption_protection( $uuid ); 1132 $wp_customize->set_post_value( 'custom_html_2', $options['custom_html_2'] ); 1133 $wp_customize->save_changeset_post( 1134 array( 1135 'autosave' => true, 1136 ) 1137 ); 1138 1139 /* 1140 * Ensure that the unsanitized value (the "POST data") is preserved in the autosave revision. 1141 * The value is sent through the sanitize function when it is read from the changeset. 1142 */ 1143 $autosave_revision = wp_get_post_autosave( $wp_customize->changeset_post_id(), get_current_user_id() ); 1144 $saved_data = json_decode( $autosave_revision->post_content, true ); 1145 $this->assertEquals( $options['custom_html_1'], $saved_data['custom_html_1']['value'] ); 1146 $this->assertEquals( $options['custom_html_2'], $saved_data['custom_html_2']['value'] ); 1147 1148 // Update post to discard autosave. 1149 $wp_customize->save_changeset_post( 1150 array( 1151 'status' => 'draft', 1152 ) 1153 ); 1154 1155 /* 1156 * Ensure that the unsanitized value (the "POST data") is preserved in the post content. 1157 * The value is sent through the sanitize function when it is read from the changeset. 1158 */ 1159 $wp_customize = $this->get_manager_for_testing_json_corruption_protection( $uuid ); 1160 $saved_data = json_decode( get_post( $wp_customize->changeset_post_id() )->post_content, true ); 1161 $this->assertEquals( $options['custom_html_1'], $saved_data['custom_html_1']['value'] ); 1162 $this->assertEquals( $options['custom_html_2'], $saved_data['custom_html_2']['value'] ); 1163 1164 /* 1165 * Ensure that the unsanitized value (the "POST data") is preserved in the revisions' content. 1166 * The value is sent through the sanitize function when it is read from the changeset. 1167 */ 1168 $revisions = wp_get_post_revisions( $wp_customize->changeset_post_id() ); 1169 $revision = array_shift( $revisions ); 1170 $saved_data = json_decode( $revision->post_content, true ); 1171 $this->assertEquals( $options['custom_html_1'], $saved_data['custom_html_1']['value'] ); 1172 $this->assertEquals( $options['custom_html_2'], $saved_data['custom_html_2']['value'] ); 1173 1174 /* 1175 * Now when publishing the changeset, the unsanitized values will be read from the changeset 1176 * and sanitized according to the capabilities of the users who originally updated each 1177 * setting in the changeset to begin with. 1178 */ 1179 wp_set_current_user( $lesser_admin_user_id ); 1180 $wp_customize = $this->get_manager_for_testing_json_corruption_protection( $uuid ); 1181 $wp_customize->set_post_value( 'custom_html_3', $options['custom_html_3'] ); 1182 $wp_customize->save_changeset_post( 1183 array( 1184 'status' => 'publish', 1185 ) 1186 ); 1187 1188 // User saved as one who can bypass content_save_pre filter. 1189 $this->assertContains( '<script>', get_option( 'custom_html_1' ) ); 1190 $this->assertContains( 'Wordpress', get_option( 'custom_html_1' ) ); // phpcs:ignore WordPress.WP.CapitalPDangit.Misspelled 1191 1192 // User saved as one who cannot bypass content_save_pre filter. 1193 $this->assertNotContains( '<script>', get_option( 'custom_html_2' ) ); 1194 $this->assertContains( 'WordPress', get_option( 'custom_html_2' ) ); 1195 1196 // User saved as one who also cannot bypass content_save_pre filter. 1197 $this->assertNotContains( '<script>', get_option( 'custom_html_3' ) ); 1198 $this->assertContains( 'WordPress', get_option( 'custom_html_3' ) ); 1199 } 1200 1201 /** 1202 * Get a manager for testing JSON corruption protection. 1203 * 1204 * @param string $uuid UUID. 1205 * @return WP_Customize_Manager Manager. 1206 */ 1207 private function get_manager_for_testing_json_corruption_protection( $uuid ) { 1208 global $wp_customize; 1209 $wp_customize = new WP_Customize_Manager( 1210 array( 1211 'changeset_uuid' => $uuid, 1212 ) 1213 ); 1214 for ( $i = 0; $i < 5; $i++ ) { 1215 $wp_customize->add_setting( 1216 sprintf( 'custom_html_%d', $i ), 1217 array( 1218 'type' => 'option', 1219 'sanitize_callback' => array( $this, 'apply_content_save_pre_filters_if_not_main_admin_user' ), 1220 ) 1221 ); 1222 } 1223 return $wp_customize; 1224 } 1225 1226 /** 1227 * Sanitize content with Kses if the current user is not the main admin. 1228 * 1229 * @since 5.4.1 1230 * 1231 * @param string $content Content to sanitize. 1232 * @return string Sanitized content. 1233 */ 1234 public function apply_content_save_pre_filters_if_not_main_admin_user( $content ) { 1235 if ( get_current_user_id() !== self::$admin_user_id ) { 1236 $content = apply_filters( 'content_save_pre', $content ); 1237 } 1238 return $content; 1239 } 1240 1241 /** 1242 * Filter map_meta_cap to disallow unfiltered_html. 1243 * 1244 * @since 5.4.1 1245 * 1246 * @param array $caps User's capabilities. 1247 * @param string $cap Requested cap. 1248 * @return array Caps. 1249 */ 1250 public function filter_map_meta_cap_to_disallow_unfiltered_html( $caps, $cap ) { 1251 if ( 'unfiltered_html' === $cap ) { 1252 $caps = array( 'do_not_allow' ); 1253 } 1254 return $caps; 1255 } 1256 1257 /** 1093 1258 * Call count for customize_changeset_save_data filter. 1094 1259 * -
branches/4.9/tests/phpunit/tests/formatting/SanitizeFileName.php
r37756 r47648 68 68 $this->assertEquals( 'no-extension', sanitize_file_name( '_.no-extension' ) ); 69 69 } 70 71 /** 72 * @dataProvider data_wp_filenames 73 */ 74 function test_replaces_invalid_utf8_characters( $input, $expected ) { 75 $this->assertEquals( $expected, sanitize_file_name( $input ) ); 76 } 77 78 function data_wp_filenames() { 79 return array( 80 array( urldecode( '%B1myfile.png' ), 'myfile.png' ), 81 array( urldecode( '%B1myfile' ), 'myfile' ), 82 array( 'demo bar.png', 'demo-bar.png' ), 83 array( 'demo' . json_decode( '"\u00a0"' ) . 'bar.png', 'demo-bar.png' ), 84 ); 85 } 70 86 } -
branches/4.9/tests/phpunit/tests/user.php
r43459 r47648 918 918 } 919 919 920 function test_changing_email_invalidates_password_reset_key() {920 public function test_changing_email_invalidates_password_reset_key() { 921 921 global $wpdb; 922 922 … … 943 943 'user_nicename' => 'cat', 944 944 'user_email' => 'foo@bar.dev', 945 ); 946 wp_update_user( $userdata ); 947 948 $user = get_userdata( $user->ID ); 949 $this->assertEmpty( $user->user_activation_key ); 950 } 951 952 public function test_changing_password_invalidates_password_reset_key() { 953 global $wpdb; 954 955 $user = $this->author; 956 $wpdb->update( $wpdb->users, array( 'user_activation_key' => 'key' ), array( 'ID' => $user->ID ) ); 957 clean_user_cache( $user ); 958 959 $user = get_userdata( $user->ID ); 960 $this->assertEquals( 'key', $user->user_activation_key ); 961 962 $userdata = array( 963 'ID' => $user->ID, 964 'user_pass' => 'password', 945 965 ); 946 966 wp_update_user( $userdata );
Note: See TracChangeset
for help on using the changeset viewer.