WordPress.org
Get WordPress

Make WordPress Core

Changeset 47651


Ignore:
Timestamp:
04/29/2020 04:24:40 PM (5 years ago)
Author:
whyisjake
Message:

User: Invalidate user_activation_key on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand sanitize_file_name to have better support for utf8 characters.

Brings the changes in [47634], [47635], [47637], and [47638] to the 4.6 branch.

Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, whyisjake, whyisjake, xknown.

Location:
branches/4.6
Files:
6 edited

Legend:

Unmodified
Added
Removed

  • branches/4.6

  • branches/4.6/src/wp-includes/formatting.php

    r45998 r47651  
    17451745    $filename_raw = $filename;
    17461746    $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", "%", "+", chr(0));
     1747
     1748    // Check for support for utf8 in the installed PCRE library once and store the result in a static.
     1749    static $utf8_pcre = null;
     1750    if ( ! isset( $utf8_pcre ) ) {
     1751        // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
     1752        $utf8_pcre = @preg_match( '/^./u', 'a' );
     1753    }
     1754
     1755    if ( ! seems_utf8( $filename ) ) {
     1756        $_ext     = pathinfo( $filename, PATHINFO_EXTENSION );
     1757        $_name    = pathinfo( $filename, PATHINFO_FILENAME );
     1758        $filename = sanitize_title_with_dashes( $_name ) . '.' . $_ext;
     1759    }
     1760
     1761    if ( $utf8_pcre ) {
     1762        $filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );
     1763    }
     1764
    17471765    /**
    17481766     * Filters the list of characters to remove from a filename.
     
    17541772     */
    17551773    $special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw );
    1756     $filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );
    17571774    $filename = str_replace( $special_chars, '', $filename );
    17581775    $filename = str_replace( array( '%20', '+' ), '-', $filename );

  • branches/4.6/src/wp-includes/query.php

    r46496 r47651  
    16331633        } elseif ( $qv['p'] ) {
    16341634            $this->is_single = true;
    1635         } elseif ( ('' !== $qv['hour']) && ('' !== $qv['minute']) &&('' !== $qv['second']) && ('' != $qv['year']) && ('' != $qv['monthnum']) && ('' != $qv['day']) ) {
    1636             // If year, month, day, hour, minute, and second are set, a single
    1637             // post is being queried.
    1638             $this->is_single = true;
    16391635        } elseif ( '' != $qv['pagename'] || !empty($qv['page_id']) ) {
    16401636            $this->is_page = true;

  • branches/4.6/src/wp-includes/user.php

    r38125 r47651  
    16131613
    16141614    if ( $update ) {
    1615         if ( $user_email !== $old_user_data->user_email ) {
     1615        if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) {
    16161616            $data['user_activation_key'] = '';
    16171617        }

  • branches/4.6/tests/phpunit/tests/formatting/SanitizeFileName.php

    r37756 r47651  
    6868        $this->assertEquals( 'no-extension', sanitize_file_name( '_.no-extension' ) );
    6969    }
     70
     71    /**
     72     * @dataProvider data_wp_filenames
     73     */
     74    function test_replaces_invalid_utf8_characters( $input, $expected ) {
     75        $this->assertEquals( $expected, sanitize_file_name( $input ) );
     76    }
     77
     78    function data_wp_filenames() {
     79        return array(
     80            array( urldecode( '%B1myfile.png' ), 'myfile.png' ),
     81            array( urldecode( '%B1myfile' ), 'myfile' ),
     82            array( 'demo bar.png', 'demo-bar.png' ),
     83            array( 'demo' . json_decode( '"\u00a0"' ) . 'bar.png', 'demo-bar.png' ),
     84        );
     85    }
    7086}

  • branches/4.6/tests/phpunit/tests/user.php

    r38005 r47651  
    925925    }
    926926
    927     function test_changing_email_invalidates_password_reset_key() {
     927    public function test_changing_email_invalidates_password_reset_key() {
    928928        global $wpdb;
    929929
     
    950950            'user_nicename' => 'cat',
    951951            'user_email'    => 'foo@bar.dev',
     952        );
     953        wp_update_user( $userdata );
     954
     955        $user = get_userdata( $user->ID );
     956        $this->assertEmpty( $user->user_activation_key );
     957    }
     958
     959    public function test_changing_password_invalidates_password_reset_key() {
     960        global $wpdb;
     961
     962        $user = $this->author;
     963        $wpdb->update( $wpdb->users, array( 'user_activation_key' => 'key' ), array( 'ID' => $user->ID ) );
     964        clean_user_cache( $user );
     965
     966        $user = get_userdata( $user->ID );
     967        $this->assertEquals( 'key', $user->user_activation_key );
     968
     969        $userdata = array(
     970            'ID'        => $user->ID,
     971            'user_pass' => 'password',
    952972        );
    953973        wp_update_user( $userdata );
Note: See TracChangeset for help on using the changeset viewer.