Changeset 49397

Timestamp:

10/29/2020 06:52:29 PM (4 years ago)

Author:

whyisjake

Message:

General: WordPress updates

• XML-RPC: Improve error messages for unprivileged users.
• External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
• Embeds: Disable embeds on deactivated Multisite sites.
• Coding standards: Modify escaping functions to avoid potential false positives.
• XML-RPC: Return error message if attachment ID is incorrect.
• Upgrade/install: Improve logic check when determining installation status.
• Meta: Sanitize meta key before checking protection status.
• Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 4.9 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Location:

branches/4.9

Files:

• . (modified) (1 prop)
• src/wp-admin/admin-header.php (modified) (1 diff)
• src/wp-admin/custom-background.php (modified) (1 diff)
• src/wp-admin/custom-header.php (modified) (1 diff)
• src/wp-admin/includes/media.php (modified) (1 diff)
• src/wp-admin/includes/ms.php (modified) (1 diff)
• src/wp-admin/includes/template.php (modified) (1 diff)
• src/wp-admin/js/custom-background.js (modified) (2 diffs)
• src/wp-admin/js/media-gallery.js (modified) (3 diffs)
• src/wp-admin/media-new.php (modified) (1 diff)
• src/wp-admin/network/site-users.php (modified) (1 diff)
• src/wp-includes/Requests/Utility/FilteredIterator.php (modified) (1 diff)
• src/wp-includes/class-wp-xmlrpc-server.php (modified) (2 diffs)
• src/wp-includes/embed.php (modified) (1 diff)
• src/wp-includes/formatting.php (modified) (3 diffs)
• src/wp-includes/meta.php (modified) (1 diff)
• tests/phpunit/tests/formatting/Utf8UriEncode.php (modified) (1 diff)
• tests/phpunit/tests/meta/isProtectedMeta.php (added)
• tests/phpunit/tests/multisite/site.php (modified) (1 diff)

branches/4.9/src/wp-admin/admin-header.php

@@ -76 +76 @@
 ?>
 <script type="text/javascript">
-addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
-    pagenow = '<?php echo $current_screen->id; ?>',
-    typenow = '<?php echo $current_screen->post_type; ?>',
-    adminpage = '<?php echo $admin_body_class; ?>',
-    thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
-    decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
+addLoadEvent = function(func){if(typeof jQuery!=='undefined')jQuery(document).ready(func);else if(typeof wpOnload!=='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
+    pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
+    typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
+    adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
+    thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
+    decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
     isRtl = <?php echo (int) is_rtl(); ?>;
 </script>

branches/4.9/src/wp-admin/custom-background.php

@@ -542 +542 @@
      */
     public function wp_set_background_image() {
+        check_ajax_referer( 'custom-background' );
         if ( ! current_user_can('edit_theme_options') || ! isset( $_POST['attachment_id'] ) ) exit;
         $attachment_id = absint($_POST['attachment_id']);

branches/4.9/src/wp-admin/custom-header.php

@@ -323 +323 @@
 <script type="text/javascript">
 (function($){
-    var default_color = '<?php echo $default_color; ?>',
+    var default_color = '<?php echo esc_js( $default_color ); ?>',
         header_text_fields;
 

branches/4.9/src/wp-admin/includes/media.php

@@ -474 +474 @@
 <script type="text/javascript">
 addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
 isRtl = <?php echo (int) is_rtl(); ?>;
 </script>

branches/4.9/src/wp-admin/includes/ms.php

@@ -746 +746 @@
 ?>
 <script type="text/javascript">
-var tb_pathToImage = "<?php echo includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ); ?>";
+var tb_pathToImage = "<?php echo esc_js( includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ) ); ?>";
 </script>
 <?php

branches/4.9/src/wp-admin/includes/template.php

@@ -1642 +1642 @@
 addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
 function tb_close(){var win=window.dialogArguments||opener||parent||top;win.tb_remove();}
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
-    pagenow = '<?php echo $current_screen->id; ?>',
-    typenow = '<?php echo $current_screen->post_type; ?>',
-    adminpage = '<?php echo $admin_body_class; ?>',
-    thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
-    decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
+    pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
+    typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
+    adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
+    thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
+    decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
     isRtl = <?php echo (int) is_rtl(); ?>;
 </script>

branches/4.9/src/wp-admin/js/custom-background.js

@@ -123 +123 @@
                 // Grab the selected attachment.
                 var attachment = frame.state().get('selection').first();
+                var nonceValue = $( '#_wpnonce' ).val() || '';
 
                 // Run an AJAX request to set the background image.
@@ -128 +129 @@
                     action: 'set-background-image',
                     attachment_id: attachment.id,
+                    _ajax_nonce: nonceValue,
                     size: 'full'
                 }).done( function() {

branches/4.9/src/wp-admin/js/media-gallery.js

@@ -10 +10 @@
      */
     $( 'body' ).bind( 'click.wp-gallery', function(e) {
-        var target = $( e.target ), id, img_size;
+        var target = $( e.target ), id, img_size, nonceValue;
 
         if ( target.hasClass( 'wp-set-header' ) ) {
@@ -20 +20 @@
             id = target.data( 'attachment-id' );
             img_size = $( 'input[name="attachments[' + id + '][image-size]"]:checked').val();
+            nonceValue = $( '#_wpnonce' ).val() && '';
 
             /**
@@ -27 +28 @@
                 action: 'set-background-image',
                 attachment_id: id,
+                _ajax_nonce: nonceValue,
                 size: img_size
             }, function() {

branches/4.9/src/wp-admin/media-new.php

@@ -73 +73 @@
 
     <script type="text/javascript">
-    var post_id = <?php echo $post_id; ?>, shortform = 3;
+    var post_id = <?php echo absint( $post_id ); ?>, shortform = 3;
     </script>
-    <input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
+    <input type="hidden" name="post_id" id="post_id" value="<?php echo absint( $post_id ); ?>" />
     <?php wp_nonce_field('media-form'); ?>
     <div id="media-items" class="hide-if-no-js"></div>

branches/4.9/src/wp-admin/network/site-users.php

@@ -212 +212 @@
 
 <script type="text/javascript">
-var current_site_id = <?php echo $id; ?>;
+var current_site_id = <?php echo absint( $id ); ?>;
 </script>
 

branches/4.9/src/wp-includes/Requests/Utility/FilteredIterator.php

@@ -43 +43 @@
         return $value;
     }
+
 }

branches/4.9/src/wp-includes/class-wp-xmlrpc-server.php

@@ -3639 +3639 @@
         }
 
+        if (
+            'publish' === get_post_status( $post_id ) &&
+            ! current_user_can( 'edit_post', $post_id ) &&
+            post_password_required( $post_id )
+        ) {
+            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+        }
+
+        if (
+            'private' === get_post_status( $post_id ) &&
+            ! current_user_can( 'read_post', $post_id )
+        ) {
+            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+        }
+
         $comment = array(
             'comment_post_ID' => $post_id,
@@ -4024 +4039 @@
         do_action( 'xmlrpc_call', 'wp.getMediaItem' );
 
-        if ( ! $attachment = get_post($attachment_id) )
+        $attachment = get_post( $attachment_id );
+        if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
             return new IXR_Error( 404, __( 'Invalid attachment ID.' ) );
+        }
 
         return $this->_prepare_media_item( $attachment );

branches/4.9/src/wp-includes/embed.php

@@ -1095 +1095 @@
         $site  = reset( $sites );
 
-        if ( $site && (int) $site->blog_id !== get_current_blog_id() ) {
+        // Do not allow embeds for deleted/archived/spam sites.
+        if ( ! empty( $site->deleted ) || ! empty( $site->spam ) || ! empty( $site->archived ) ) {
+            return false;
+        }
+
+        if ( $site && get_current_blog_id() !== (int) $site->blog_id ) {
             switch_to_blog( $site->blog_id );
             $switched_blog = true;

branches/4.9/src/wp-includes/formatting.php

@@ -1091 +1091 @@
  */
 function utf8_uri_encode( $utf8_string, $length = 0 ) {
-    $unicode = '';
-    $values = array();
-    $num_octets = 1;
+    $unicode        = '';
+    $values         = array();
+    $num_octets     = 1;
     $unicode_length = 0;
 
@@ -1105 +1105 @@
 
         if ( $value < 128 ) {
-            if ( $length && ( $unicode_length >= $length ) )
+            if ( $length && ( $unicode_length >= $length ) ) {
                 break;
-            $unicode .= chr($value);
+            }
+            $unicode .= chr( $value );
             $unicode_length++;
         } else {
@@ -2008 +2009 @@
             $title = mb_strtolower($title, 'UTF-8');
         }
-        $title = utf8_uri_encode($title, 200);
+        $title = utf8_uri_encode( $title, 200 );
     }
 

branches/4.9/src/wp-includes/meta.php

@@ -924 +924 @@
  * @return bool True if the key is protected, false otherwise.
  */
-function is_protected_meta( $meta_key, $meta_type = null ) {
-    $protected = ( '_' == $meta_key[0] );
+function is_protected_meta( $meta_key, $meta_type = '' ) {
+    $sanitized_key = preg_replace( "/[^\x20-\x7E\p{L}]/", '', $meta_key );
+    $protected     = strlen( $sanitized_key ) > 0 && ( '_' === $sanitized_key[0] );
 
     /**

branches/4.9/tests/phpunit/tests/formatting/Utf8UriEncode.php

@@ -13 +13 @@
      */
     function test_percent_encodes_non_reserved_characters( $utf8, $urlencoded ) {
-        $this->assertEquals($urlencoded, utf8_uri_encode( $utf8 ) );
+        $this->assertEquals( $urlencoded, utf8_uri_encode( $utf8 ) );
     }
 

branches/4.9/tests/phpunit/tests/multisite/site.php

@@ -444 +444 @@
 
         remove_action( 'make_ham_blog', array( $this, '_action_counter_cb' ), 10 );
+    }
+
+    function test_content_from_spam_blog_is_not_available() {
+        $spam_blog_id = self::factory()->blog->create();
+        switch_to_blog( $spam_blog_id );
+        $post_data      = array(
+            'post_title'   => 'Hello World!',
+            'post_content' => 'Hello world content',
+        );
+        $post_id        = self::factory()->post->create( $post_data );
+        $post           = get_post( $post_id );
+        $spam_permalink = site_url() . '/?p=' . $post->ID;
+        $spam_embed_url = get_post_embed_url( $post_id );
+
+        restore_current_blog();
+        $this->assertNotEmpty( $spam_permalink );
+        $this->assertEquals( $post_data['post_title'], $post->post_title );
+
+        update_blog_status( $spam_blog_id, 'spam', 1 );
+
+        $post_id = self::factory()->post->create(
+            array(
+                'post_content' => "\n $spam_permalink \n",
+            )
+        );
+        $post    = get_post( $post_id );
+        $content = apply_filters( 'the_content', $post->post_content );
+
+        $this->assertNotContains( $post_data['post_title'], $content );
+        $this->assertNotContains( "src=\"{$spam_embed_url}#?", $content );
     }