
Changeset 49393


Timestamp:
10/29/2020 06:41:43 PM (4 years ago)
Author:
whyisjake
Message:

General: WordPress updates

  • XML-RPC: Improve error messages for unprivileged users.
  • External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
  • Embeds: Disable embeds on deactivated Multisite sites.
  • Coding standards: Modify escaping functions to avoid potential false positives.
  • XML-RPC: Return error message if attachment ID is incorrect.
  • Upgrade/install: Improve logic check when determining installation status.
  • Meta: Sanitize meta key before checking protection status.
  • Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 5.3 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Location:
branches/5.3
Files:
1 added
18 edited


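--- a/branches/5.3/src/js/_enqueues/admin/custom-background.js
+++ b/branches/5.3/src/js/_enqueues/admin/custom-background.js
@@ -127,4 +127,5 @@
                 // Grab the selected attachment.
                 var attachment = frame.state().get('selection').first();
+                var nonceValue = $( '#_wpnonce' ).val() || '';
 
                 // Run an AJAX request to set the background image.
@@ -132,4 +133,5 @@
                     action: 'set-background-image',
                     attachment_id: attachment.id,
+                    _ajax_nonce: nonceValue,
                     size: 'full'
                 }).done( function() {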
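--- a/branches/5.3/src/js/_enqueues/deprecated/media-gallery.js
+++ b/branches/5.3/src/js/_enqueues/deprecated/media-gallery.js
@@ -12,5 +12,5 @@
      */
     $( 'body' ).bind( 'click.wp-gallery', function(e) {
-        var target = $( e.target ), id, img_size;
+        var target = $( e.target ), id, img_size, nonceValue;
 
         if ( target.hasClass( 'wp-set-header' ) ) {
@@ -22,4 +22,5 @@
             id = target.data( 'attachment-id' );
             img_size = $( 'input[name="attachments[' + id + '][image-size]"]:checked').val();
+            nonceValue = $( '#_wpnonce' ).val() && '';
 
             /**
@@ -29,4 +30,5 @@
                 action: 'set-background-image',
                 attachment_id: id,
+                _ajax_nonce: nonceValue,
                 size: img_size
             }, function() {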
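Review bot: `nonceValue = $( '#_wpnonce' ).val() && '';` on new line 24 uses `&&`, so whenever the nonce field has a value the expression evaluates to the empty string and `_ajax_nonce` is always sent empty; the request will then be rejected by the server-side referer check that this changeset adds. The sibling change in custom-background.js uses `|| ''`, which is the intended fallback: `nonceValue = $( '#_wpnonce' ).val() || '';`. The enclosing click handler starts and ends outside the hunk.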
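--- a/branches/5.3/src/wp-admin/admin-header.php
+++ b/branches/5.3/src/wp-admin/admin-header.php
@@ -83,11 +83,11 @@
 ?>
 <script type="text/javascript">
-addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
-    pagenow = '<?php echo $current_screen->id; ?>',
-    typenow = '<?php echo $current_screen->post_type; ?>',
-    adminpage = '<?php echo $admin_body_class; ?>',
-    thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
-    decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
+addLoadEvent = function(func){if(typeof jQuery!=='undefined')jQuery(document).ready(func);else if(typeof wpOnload!=='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
+    pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
+    typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
+    adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
+    thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
+    decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
     isRtl = <?php echo (int) is_rtl(); ?>;
 </script>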
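Review bot: The six `esc_js()`-wrapped assignments on new lines 86–91 are repeated verbatim in template.php (new lines 1970–1975) and in part in media.php (new line 534); three hand-maintained copies of the same escaping are easy to let drift, so a single helper that emits this JavaScript bootstrap block would make the fix durable. The `!=` to `!==` tightening in `addLoadEvent` was applied only here, while media.php (line 533) and template.php (line 1968) keep `!=` on the identical line; harmless, but inconsistent within one changeset.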
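--- a/branches/5.3/src/wp-admin/includes/class-custom-background.php
+++ b/branches/5.3/src/wp-admin/includes/class-custom-background.php
@@ -582,4 +582,6 @@
      */
     public function wp_set_background_image() {
+        check_ajax_referer( 'custom-background' );
+
         if ( ! current_user_can( 'edit_theme_options' ) || ! isset( $_POST['attachment_id'] ) ) {
             exit;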
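Review bot: `check_ajax_referer( 'custom-background' )` on new line 584 only works if a nonce for that same action is rendered on the screen whose `#_wpnonce` field the JavaScript in this changeset reads; that field is not in this hunk, so confirm the custom background page emits a nonce with the `custom-background` action, otherwise every set-background request will be rejected. A short comment would make the coupling visible: `// Nonce is rendered by the custom background screen and sent by custom-background.js as _ajax_nonce.` The rest of wp_set_background_image() continues outside the hunk.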
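--- a/branches/5.3/src/wp-admin/includes/class-custom-image-header.php
+++ b/branches/5.3/src/wp-admin/includes/class-custom-image-header.php
@@ -344,5 +344,5 @@
 <script type="text/javascript">
 (function($){
-    var default_color = '<?php echo $default_color; ?>',
+    var default_color = '<?php echo esc_js( $default_color ); ?>',
         header_text_fields;
 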
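--- a/branches/5.3/src/wp-admin/includes/media.php
+++ b/branches/5.3/src/wp-admin/includes/media.php
@@ -532,5 +532,5 @@
     <script type="text/javascript">
     addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
-    var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
+    var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
     isRtl = <?php echo (int) is_rtl(); ?>;
     </script>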
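--- a/branches/5.3/src/wp-admin/includes/ms.php
+++ b/branches/5.3/src/wp-admin/includes/ms.php
@@ -841,5 +841,5 @@
     ?>
 <script type="text/javascript">
-var tb_pathToImage = "<?php echo includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ); ?>";
+var tb_pathToImage = "<?php echo esc_js( includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ) ); ?>";
 </script>
     <?php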
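--- a/branches/5.3/src/wp-admin/includes/template.php
+++ b/branches/5.3/src/wp-admin/includes/template.php
@@ -1968,10 +1968,10 @@
 addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
 function tb_close(){var win=window.dialogArguments||opener||parent||top;win.tb_remove();}
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
-    pagenow = '<?php echo $current_screen->id; ?>',
-    typenow = '<?php echo $current_screen->post_type; ?>',
-    adminpage = '<?php echo $admin_body_class; ?>',
-    thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
-    decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
+    pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
+    typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
+    adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
+    thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
+    decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
     isRtl = <?php echo (int) is_rtl(); ?>;
 </script>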
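--- a/branches/5.3/src/wp-admin/media-new.php
+++ b/branches/5.3/src/wp-admin/media-new.php
@@ -78,7 +78,7 @@
 
     <script type="text/javascript">
-    var post_id = <?php echo $post_id; ?>, shortform = 3;
+    var post_id = <?php echo absint( $post_id ); ?>, shortform = 3;
     </script>
-    <input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
+    <input type="hidden" name="post_id" id="post_id" value="<?php echo absint( $post_id ); ?>" />
     <?php wp_nonce_field( 'media-form' ); ?>
     <div id="media-items" class="hide-if-no-js"></div>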
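--- a/branches/5.3/src/wp-admin/network/site-users.php
+++ b/branches/5.3/src/wp-admin/network/site-users.php
@@ -218,5 +218,5 @@
 
 <script type="text/javascript">
-var current_site_id = <?php echo $id; ?>;
+var current_site_id = <?php echo absint( $id ); ?>;
 </script>
 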
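--- a/branches/5.3/src/wp-includes/Requests/Utility/FilteredIterator.php
+++ b/branches/5.3/src/wp-includes/Requests/Utility/FilteredIterator.php
@@ -43,3 +43,16 @@
         return $value;
     }
+
+    /**
+     * @inheritdoc
+     */
+    public function unserialize( $serialized ) {
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function __unserialize( $serialized ) { // phpcs:ignore PHPCompatibility.FunctionNameRestrictions.ReservedFunctionNames.MethodDoubleUnderscore,PHPCompatibility.FunctionNameRestrictions.NewMagicMethods.__unserializeFound
+        $this->unserialize( $serialized );
+    }
 }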
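Review bot: The `@inheritdoc` docblocks on new lines 46–48 and 52–54 point the reader at a contract these methods deliberately do not honour: `unserialize()` discards its input and `__unserialize()` delegates to it, so a reconstructed instance has neither data nor callback. Replace them with a comment that states the intent, e.g. `// Intentionally a no-op: this iterator must never be rebuilt from serialized input, because its callback property would otherwise be restored from untrusted data.` Since PHP 7.4 the engine calls `__unserialize()` with an array, so declaring the parameter as `array $data` would match that contract and document why the method exists alongside `unserialize()`.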
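--- a/branches/5.3/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/branches/5.3/src/wp-includes/class-wp-xmlrpc-server.php
@@ -3874,4 +3874,19 @@
         }
 
+        if (
+            'publish' === get_post_status( $post_id ) &&
+            ! current_user_can( 'edit_post', $post_id ) &&
+            post_password_required( $post_id )
+        ) {
+            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+        }
+
+        if (
+            'private' === get_post_status( $post_id ) &&
+            ! current_user_can( 'read_post', $post_id )
+        ) {
+            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+        }
+
         $comment = array(
             'comment_post_ID' => $post_id,
@@ -4287,5 +4302,5 @@
 
         $attachment = get_post( $attachment_id );
-        if ( ! $attachment ) {
+        if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
             return new IXR_Error( 404, __( 'Invalid attachment ID.' ) );
         }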
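Review bot: In the first hunk, `get_post_status( $post_id )` is evaluated separately on new lines 3877 and 3885 and both branches return the identical 403 message; fetching the status once (`$post_status = get_post_status( $post_id );`) and testing `$post_status` in both conditions avoids the repeated lookup and makes it clear these are two cases of one rule. The enclosing method starts and ends outside the hunk.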
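--- a/branches/5.3/src/wp-includes/embed.php
+++ b/branches/5.3/src/wp-includes/embed.php
@@ -605,5 +605,10 @@
         $site  = reset( $sites );
 
-        if ( $site && (int) $site->blog_id !== get_current_blog_id() ) {
+        // Do not allow embeds for deleted/archived/spam sites.
+        if ( ! empty( $site->deleted ) || ! empty( $site->spam ) || ! empty( $site->archived ) ) {
+            return false;
+        }
+
+        if ( $site && get_current_blog_id() !== (int) $site->blog_id ) {
             switch_to_blog( $site->blog_id );
             $switched_blog = true;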
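Review bot: The new condition on line 608 dereferences `$site` before the `$site &&` guard that survives on line 612, so it relies on `empty()` silently tolerating a non-object when `get_sites()` returned nothing; that is valid PHP, but it reads like a missing null check. Guarding explicitly states the intent and keeps the two `if`s consistent: `if ( $site && ( ! empty( $site->deleted ) || ! empty( $site->spam ) || ! empty( $site->archived ) ) ) {`. The enclosing function continues outside the hunk.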
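--- a/branches/5.3/src/wp-includes/functions.php
+++ b/branches/5.3/src/wp-includes/functions.php
@@ -1707,5 +1707,6 @@
         }
 
-        if ( ! $wpdb->get_results( "DESCRIBE $table;" ) ) {
+        $described_table = $wpdb->get_results( "DESCRIBE $table;" );
+        if ( is_array( $described_table ) && count( $described_table ) === 0 ) {
             continue;
         }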
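Review bot: The check on new lines 1709–1710 now skips a table only when `DESCRIBE` returned a definite empty array; a non-array result (a failed or unavailable query) no longer hits `continue` and falls through to whatever follows the `if`, which is the fail-closed behaviour the commit message describes but nothing in the code says so. A comment would stop the next reader from collapsing it back to a truthiness test: `// Only a definitive empty result means the table is absent; a failed query must not be read as a fresh install.` The enclosing function starts and ends outside the hunk.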
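--- a/branches/5.3/src/wp-includes/meta.php
+++ b/branches/5.3/src/wp-includes/meta.php
@@ -1037,6 +1037,7 @@
  * @return bool Whether the meta key is considered protected.
  */
-function is_protected_meta( $meta_key, $meta_type = null ) {
-    $protected = ( '_' == $meta_key[0] );
+function is_protected_meta( $meta_key, $meta_type = '' ) {
+    $sanitized_key = preg_replace( "/[^\x20-\x7E\p{L}]/", '', $meta_key );
+    $protected     = strlen( $sanitized_key ) > 0 && ( '_' === $sanitized_key[0] );
 
     /**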
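Review bot: `preg_replace()` on new line 1040 returns `null` on a PCRE error, and `strlen( null )` is 0, so in that case `$protected` becomes false and the key is treated as unprotected; for a guard whose job is to deny access, the failure mode should be protected: `$protected = null === $sanitized_key || ( strlen( $sanitized_key ) > 0 && '_' === $sanitized_key[0] );`. The pattern also uses `\p{L}` without the `u` modifier, so multibyte letters are matched byte-wise; that is harmless here because `$sanitized_key` only feeds the leading-character test, but a comment saying so would prevent it being reused for output. The rest of the function, including the `is_protected_meta` filter, is outside the hunk.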
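--- a/branches/5.3/tests/phpunit/tests/functions.php
+++ b/branches/5.3/tests/phpunit/tests/functions.php
@@ -255,4 +255,28 @@
             $this->assertFalse( is_serialized( $case ), "Test data: $case" );
         }
+    }
+
+    /**
+     * @dataProvider data_serialize_deserialize_objects
+     */
+    function test_deserialize_request_utility_filtered_iterator_objects( $value ) {
+        $serialized = maybe_serialize( $value );
+        if ( is_array( $value ) ) {
+            $deserialized = unserialize( $serialized );
+            $this->assertNotEquals( reset( $value )->count(), reset( $deserialized )->count() );
+        } elseif ( get_class( $value ) === 'Requests_Utility_FilteredIterator' ) {
+            $this->assertNotEquals( $value->count(), unserialize( $serialized )->count() );
+        } else {
+            $this->assertEquals( $value->count(), unserialize( $serialized )->count() );
+        }
+    }
+
+    function data_serialize_deserialize_objects() {
+        return array(
+            array( new Requests_Utility_FilteredIterator( array( 1 ), 'md5' ) ),
+            array( new Requests_Utility_FilteredIterator( array( 1, 2 ), 'sha1' ) ),
+            array( new ArrayIterator( array( 1, 2, 3 ) ) ),
+            array( array( new Requests_Utility_FilteredIterator( array( 1 ), 'md5' ) ) ),
+        );
     }
 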
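Review bot: `get_class( $value ) === 'Requests_Utility_FilteredIterator'` on new line 267 compares a class name as a string; `$value instanceof Requests_Utility_FilteredIterator` expresses the same branch without the literal and also covers subclasses. Naming the data sets in `data_serialize_deserialize_objects()` (string keys on the outer array) would make a failing case identifiable from the PHPUnit output instead of by index.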
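--- a/branches/5.3/tests/phpunit/tests/multisite/site.php
+++ b/branches/5.3/tests/phpunit/tests/multisite/site.php
@@ -489,4 +489,34 @@
         }
 
+        function test_content_from_spam_blog_is_not_available() {
+            $spam_blog_id = self::factory()->blog->create();
+            switch_to_blog( $spam_blog_id );
+            $post_data      = array(
+                'post_title'   => 'Hello World!',
+                'post_content' => 'Hello world content',
+            );
+            $post_id        = self::factory()->post->create( $post_data );
+            $post           = get_post( $post_id );
+            $spam_permalink = site_url() . '/?p=' . $post->ID;
+            $spam_embed_url = get_post_embed_url( $post_id );
+
+            restore_current_blog();
+            $this->assertNotEmpty( $spam_permalink );
+            $this->assertEquals( $post_data['post_title'], $post->post_title );
+
+            update_blog_status( $spam_blog_id, 'spam', 1 );
+
+            $post_id = self::factory()->post->create(
+                array(
+                    'post_content' => "\n $spam_permalink \n",
+                )
+            );
+            $post    = get_post( $post_id );
+            $content = apply_filters( 'the_content', $post->post_content );
+
+            $this->assertNotContains( $post_data['post_title'], $content );
+            $this->assertNotContains( "src=\"{$spam_embed_url}#?", $content );
+        }
+
         function test_update_blog_status_make_spam_blog_action() {
             global $test_action_counter;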
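Review bot: The new test on lines 491–519 exercises only the `spam` flag, while the embed.php change in this changeset also refuses `deleted` and `archived` sites; turning the status name into a data-provider argument (`update_blog_status( $spam_blog_id, $status, 1 )`) would pin all three behaviours with the same body. The assertion on line 518 also bakes in the `#?` suffix of the embed iframe URL, which appears incidental to the behaviour under test; asserting that `$spam_embed_url` itself is absent from `$content` is less brittle.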