Make WordPress Core

Changeset 47662


Ignore:
Timestamp:
04/29/2020 04:58:19 PM (4 years ago)
Author:
whyisjake
Message:

User: Invalidate user_activation_key on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand sanitize_file_name to have better support for utf8 characters.

Brings the changes in [47634], [47635], [47637], and [47638] to the 3.7 branch.

Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, whyisjake, whyisjake, xknown.

Location:
branches/3.7
Files:
6 edited

Legend:

Unmodified
Added
Removed
  • branches/3.7/src/wp-includes/cache.php

    r25451 r47662  
    589589        echo '<ul>';
    590590        foreach ($this->cache as $group => $cache) {
    591             echo "<li><strong>Group:</strong> $group - ( " . number_format( strlen( serialize( $cache ) ) / 1024, 2 ) . 'k )</li>';
     591            echo '<li><strong>Group:</strong> ' . esc_html( $group ) . ' - ( ' . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>';
    592592        }
    593593        echo '</ul>';
  • branches/3.7/src/wp-includes/formatting.php

    r37825 r47662  
    958958    $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", chr(0));
    959959    $special_chars = apply_filters('sanitize_file_name_chars', $special_chars, $filename_raw);
     960
     961    // Check for support for utf8 in the installed PCRE library once and store the result in a static.
     962    static $utf8_pcre = null;
     963    if ( ! isset( $utf8_pcre ) ) {
     964        // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
     965        $utf8_pcre = @preg_match( '/^./u', 'a' );
     966    }
     967
     968    if ( ! seems_utf8( $filename ) ) {
     969        $_ext     = pathinfo( $filename, PATHINFO_EXTENSION );
     970        $_name    = pathinfo( $filename, PATHINFO_FILENAME );
     971        $filename = sanitize_title_with_dashes( $_name ) . '.' . $_ext;
     972    }
     973
     974    if ( $utf8_pcre ) {
     975        $filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );
     976    }
     977
    960978    $filename = str_replace($special_chars, '', $filename);
    961979    $filename = preg_replace('/[\s-]+/', '-', $filename);
  • branches/3.7/src/wp-includes/query.php

    r46505 r47662  
    14971497        } elseif ( $qv['p'] ) {
    14981498            $this->is_single = true;
    1499         } elseif ( ('' !== $qv['hour']) && ('' !== $qv['minute']) &&('' !== $qv['second']) && ('' != $qv['year']) && ('' != $qv['monthnum']) && ('' != $qv['day']) ) {
    1500             // If year, month, day, hour, minute, and second are set, a single
    1501             // post is being queried.
    1502             $this->is_single = true;
    15031499        } elseif ( '' != $qv['pagename'] || !empty($qv['page_id']) ) {
    15041500            $this->is_page = true;
  • branches/3.7/src/wp-includes/user.php

    r30434 r47662  
    14161416
    14171417    if ( $update ) {
    1418         if ( $user_email !== $old_user_data->user_email ) {
     1418        if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) {
    14191419            $data['user_activation_key'] = '';
    14201420        }
  • branches/3.7/tests/phpunit/tests/formatting/SanitizeFileName.php

    r37825 r47662  
    4343        $this->assertEquals( 'no-extension', sanitize_file_name( '_.no-extension' ) );
    4444    }
     45
     46    /**
     47     * @dataProvider data_wp_filenames
     48     */
     49    function test_replaces_invalid_utf8_characters( $input, $expected ) {
     50        $this->assertEquals( $expected, sanitize_file_name( $input ) );
     51    }
     52
     53    function data_wp_filenames() {
     54        return array(
     55            array( urldecode( '%B1myfile.png' ), 'myfile.png' ),
     56            array( urldecode( '%B1myfile' ), 'myfile' ),
     57            array( 'demo bar.png', 'demo-bar.png' ),
     58            array( 'demo' . json_decode( '"\u00a0"' ) . 'bar.png', 'demo-bar.png' ),
     59        );
     60    }
    4561}
  • branches/3.7/tests/phpunit/tests/user.php

    r47343 r47662  
    589589    }
    590590
    591     function test_changing_email_invalidates_password_reset_key() {
     591    public function test_changing_email_invalidates_password_reset_key() {
    592592        global $wpdb;
    593593
     
    620620        $this->assertEmpty( $user->user_activation_key );
    621621    }
     622
     623    public function test_changing_password_invalidates_password_reset_key() {
     624        global $wpdb;
     625
     626        $user = $this->factory->user->create_and_get();
     627        $wpdb->update( $wpdb->users, array( 'user_activation_key' => 'key' ), array( 'ID' => $user->ID ) );
     628        clean_user_cache( $user );
     629
     630        $user = get_userdata( $user->ID );
     631        $this->assertEquals( 'key', $user->user_activation_key );
     632
     633        $userdata = array(
     634            'ID'        => $user->ID,
     635            'user_pass' => 'password',
     636        );
     637        wp_update_user( $userdata );
     638
     639        $user = get_userdata( $user->ID );
     640        $this->assertEmpty( $user->user_activation_key );
     641    }
     642
    622643}
Note: See TracChangeset for help on using the changeset viewer.