
Changeset 49400 for branches/4.6


Timestamp:
10/29/2020 06:59:47 PM (4 years ago)
Author:
whyisjake
Message:

General: WordPress updates

  • XML-RPC: Improve error messages for unprivileged users.
  • External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
  • Embeds: Disable embeds on deactivated Multisite sites.
  • Coding standards: Modify escaping functions to avoid potential false positives.
  • XML-RPC: Return error message if attachment ID is incorrect.
  • Upgrade/install: Improve logic check when determining installation status.
  • Meta: Sanitize meta key before checking protection status.
  • Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 4.6 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Location:
branches/4.6
Files:
1 added
16 edited


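--- a/branches/4.6/src/wp-admin/admin-header.php
+++ b/branches/4.6/src/wp-admin/admin-header.php
@@ -71,11 +71,11 @@
 ?>
 <script type="text/javascript">
-addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
-    pagenow = '<?php echo $current_screen->id; ?>',
-    typenow = '<?php echo $current_screen->post_type; ?>',
-    adminpage = '<?php echo $admin_body_class; ?>',
-    thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
-    decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
+addLoadEvent = function(func){if(typeof jQuery!=='undefined')jQuery(document).ready(func);else if(typeof wpOnload!=='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
+    pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
+    typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
+    adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
+    thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
+    decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
     isRtl = <?php echo (int) is_rtl(); ?>;
 </script>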
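--- a/branches/4.6/src/wp-admin/custom-background.php
+++ b/branches/4.6/src/wp-admin/custom-background.php
@@ -465,4 +465,5 @@
      */
     public function wp_set_background_image() {
+        check_ajax_referer( 'custom-background' );
         if ( ! current_user_can('edit_theme_options') || ! isset( $_POST['attachment_id'] ) ) exit;
         $attachment_id = absint($_POST['attachment_id']);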
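--- a/branches/4.6/src/wp-admin/custom-header.php
+++ b/branches/4.6/src/wp-admin/custom-header.php
@@ -327,5 +327,5 @@
 <script type="text/javascript">
 (function($){
-    var default_color = '<?php echo $default_color; ?>',
+    var default_color = '<?php echo esc_js( $default_color ); ?>',
         header_text_fields;
 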
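--- a/branches/4.6/src/wp-admin/includes/media.php
+++ b/branches/4.6/src/wp-admin/includes/media.php
@@ -465,5 +465,5 @@
 <script type="text/javascript">
 addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
 isRtl = <?php echo (int) is_rtl(); ?>;
 </script>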
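--- a/branches/4.6/src/wp-admin/includes/ms.php
+++ b/branches/4.6/src/wp-admin/includes/ms.php
@@ -894,5 +894,5 @@
 ?>
 <script type="text/javascript">
-var tb_pathToImage = "<?php echo includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ); ?>";
+var tb_pathToImage = "<?php echo esc_js( includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ) ); ?>";
 </script>
 <?php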
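Review bot: `esc_js()` is documented for values placed inside single-quoted JavaScript strings, but new line 896 places its output inside a double-quoted literal. Assuming the 4.6 `esc_js()` still HTML-encodes double quotes and backslash-escapes single ones, this cannot break out of the string, but it relies on a property the escaper does not promise, and every other hunk in this changeset uses single quotes. For consistency with the escaper's contract: `var tb_pathToImage = '<?php echo esc_js( includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ) ); ?>';`.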
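--- a/branches/4.6/src/wp-admin/includes/template.php
+++ b/branches/4.6/src/wp-admin/includes/template.php
@@ -1593,10 +1593,10 @@
 addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
 function tb_close(){var win=window.dialogArguments||opener||parent||top;win.tb_remove();}
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
-    pagenow = '<?php echo $current_screen->id; ?>',
-    typenow = '<?php echo $current_screen->post_type; ?>',
-    adminpage = '<?php echo $admin_body_class; ?>',
-    thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
-    decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
+    pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
+    typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
+    adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
+    thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
+    decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
     isRtl = <?php echo (int) is_rtl(); ?>;
 </script>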
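--- a/branches/4.6/src/wp-admin/js/custom-background.js
+++ b/branches/4.6/src/wp-admin/js/custom-background.js
@@ -57,4 +57,5 @@
                 // Grab the selected attachment.
                 var attachment = frame.state().get('selection').first();
+                var nonceValue = $( '#_wpnonce' ).val() || '';
 
                 // Run an AJAX request to set the background image.
@@ -62,4 +63,5 @@
                     action: 'set-background-image',
                     attachment_id: attachment.id,
+                    _ajax_nonce: nonceValue,
                     size: 'full'
                 }).done( function() {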
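Review bot: The nonce lookup on new line 59 silently depends on the page rendering a nonce field with id `_wpnonce` for the `custom-background` action — the same action the new `check_ajax_referer( 'custom-background' )` in custom-background.php verifies — and nothing in the script records that coupling; if another `_wpnonce` field were ever rendered earlier on the page, jQuery's id selector would pick it first and every request would be rejected. I would add above the line: `// Nonce for the 'custom-background' action (presumably from the page's wp_nonce_field); verified server-side by check_ajax_referer() in wp_set_background_image().` The enclosing select handler starts and ends outside the hunk.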
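--- a/branches/4.6/src/wp-admin/js/media-gallery.js
+++ b/branches/4.6/src/wp-admin/js/media-gallery.js
@@ -2,5 +2,5 @@
 jQuery(function($){
     $( 'body' ).bind( 'click.wp-gallery', function(e){
-        var target = $( e.target ), id, img_size;
+        var target = $( e.target ), id, img_size, nonceValue;
 
         if ( target.hasClass( 'wp-set-header' ) ) {
@@ -10,8 +10,10 @@
             id = target.data( 'attachment-id' );
             img_size = $( 'input[name="attachments[' + id + '][image-size]"]:checked').val();
+            nonceValue = $( '#_wpnonce' ).val() && '';
 
             jQuery.post(ajaxurl, {
                 action: 'set-background-image',
                 attachment_id: id,
+                _ajax_nonce: nonceValue,
                 size: img_size
             }, function(){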
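Review bot: New line 12 reads the nonce with `$( '#_wpnonce' ).val() && ''`, which evaluates to `''` whenever the field has a value and to `undefined` when it does not, so the `set-background-image` request sent from the gallery never carries the real nonce and the `check_ajax_referer( 'custom-background' )` added to custom-background.php in this same changeset will reject every call. The sibling change in custom-background.js uses the intended fallback form; this line should read `nonceValue = $( '#_wpnonce' ).val() || '';`. The click handler and the enclosing jQuery ready callback continue outside the hunk.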
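--- a/branches/4.6/src/wp-admin/media-new.php
+++ b/branches/4.6/src/wp-admin/media-new.php
@@ -73,7 +73,7 @@
 
     <script type="text/javascript">
-    var post_id = <?php echo $post_id; ?>, shortform = 3;
+    var post_id = <?php echo absint( $post_id ); ?>, shortform = 3;
     </script>
-    <input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
+    <input type="hidden" name="post_id" id="post_id" value="<?php echo absint( $post_id ); ?>" />
     <?php wp_nonce_field('media-form'); ?>
     <div id="media-items" class="hide-if-no-js"></div>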
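--- a/branches/4.6/src/wp-admin/network/site-users.php
+++ b/branches/4.6/src/wp-admin/network/site-users.php
@@ -198,5 +198,5 @@
 
 <script type="text/javascript">
-var current_site_id = <?php echo $id; ?>;
+var current_site_id = <?php echo absint( $id ); ?>;
 </script>
 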
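--- a/branches/4.6/src/wp-includes/Requests/Utility/FilteredIterator.php
+++ b/branches/4.6/src/wp-includes/Requests/Utility/FilteredIterator.php
@@ -43,3 +43,4 @@
         return $value;
     }
+
 }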
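--- a/branches/4.6/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/branches/4.6/src/wp-includes/class-wp-xmlrpc-server.php
@@ -3574,4 +3574,19 @@
         }
 
+        if (
+            'publish' === get_post_status( $post_id ) &&
+            ! current_user_can( 'edit_post', $post_id ) &&
+            post_password_required( $post_id )
+        ) {
+            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+        }
+
+        if (
+            'private' === get_post_status( $post_id ) &&
+            ! current_user_can( 'read_post', $post_id )
+        ) {
+            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+        }
+
         $comment = array();
         $comment['comment_post_ID'] = $post_id;
@@ -3952,6 +3967,8 @@
         do_action( 'xmlrpc_call', 'wp.getMediaItem' );
 
-        if ( ! $attachment = get_post($attachment_id) )
+        $attachment = get_post( $attachment_id );
+        if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
             return new IXR_Error( 404, __( 'Invalid attachment ID.' ) );
+        }
 
         return $this->_prepare_media_item( $attachment );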
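Review bot: The two guards added at new lines 3576–3589 of wp.newComment only handle a password-protected `publish` post and a `private` post; a post in `draft`, `pending` or `future` status falls through both branches, so unless the code above the hunk already rejects unpublished posts, an unprivileged XML-RPC caller can still attach a comment to a post it cannot read. `get_post_status()` is also evaluated twice for the same ID. I would compute the status once, keep the password rule for published posts, and gate every non-publish status on `read_post`, as below. The method starts before the hunk and continues after it, so the earlier checks should be confirmed before relying on this.
```php
        $post_status = get_post_status( $post_id );

        // Password-protected public posts: only users who can edit the post bypass the password.
        if ( 'publish' === $post_status && ! current_user_can( 'edit_post', $post_id ) && post_password_required( $post_id ) ) {
            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
        }

        // Any non-public status (private, draft, pending, future, ...): require read access to the post.
        if ( 'publish' !== $post_status && ! current_user_can( 'read_post', $post_id ) ) {
            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
        }
        // ... unchanged: $comment array assembly ...
```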
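--- a/branches/4.6/src/wp-includes/formatting.php
+++ b/branches/4.6/src/wp-includes/formatting.php
@@ -1071,7 +1071,7 @@
  */
 function utf8_uri_encode( $utf8_string, $length = 0 ) {
-    $unicode = '';
-    $values = array();
-    $num_octets = 1;
+    $unicode        = '';
+    $values         = array();
+    $num_octets     = 1;
     $unicode_length = 0;
 
@@ -1085,7 +1085,8 @@
 
         if ( $value < 128 ) {
-            if ( $length && ( $unicode_length >= $length ) )
+            if ( $length && ( $unicode_length >= $length ) ) {
                 break;
-            $unicode .= chr($value);
+            }
+            $unicode .= chr( $value );
             $unicode_length++;
         } else {
@@ -1976,5 +1977,5 @@
             $title = mb_strtolower($title, 'UTF-8');
         }
-        $title = utf8_uri_encode($title, 200);
+        $title = utf8_uri_encode( $title, 200 );
     }
 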
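--- a/branches/4.6/src/wp-includes/meta.php
+++ b/branches/4.6/src/wp-includes/meta.php
@@ -917,6 +917,7 @@
  * @return bool True if the key is protected, false otherwise.
  */
-function is_protected_meta( $meta_key, $meta_type = null ) {
-    $protected = ( '_' == $meta_key[0] );
+function is_protected_meta( $meta_key, $meta_type = '' ) {
+    $sanitized_key = preg_replace( "/[^\x20-\x7E\p{L}]/", '', $meta_key );
+    $protected     = strlen( $sanitized_key ) > 0 && ( '_' === $sanitized_key[0] );
 
     /**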
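Review bot: `preg_replace()` on new line 920 returns `null` when PCRE fails (backtrack or JIT limit, for instance), and `strlen( null ) > 0` is then false, so a key the regex could not process is reported as *not* protected — the check fails open on exactly the unusual input it was added to handle. Guard it before line 921: `if ( null === $sanitized_key ) { $sanitized_key = $meta_key; }`, or treat a failed sanitization as protected. Note also that the pattern has no `u` modifier, so `\x20-\x7E` and `\p{L}` are applied per byte, which is adequate for a leading-underscore test but deserves a line such as `// Strip control and invisible bytes so a hidden prefix cannot mask a leading underscore.` The function body continues past the hunk.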
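--- a/branches/4.6/tests/phpunit/tests/formatting/Utf8UriEncode.php
+++ b/branches/4.6/tests/phpunit/tests/formatting/Utf8UriEncode.php
@@ -13,5 +13,5 @@
      */
     function test_percent_encodes_non_reserved_characters( $utf8, $urlencoded ) {
-        $this->assertEquals($urlencoded, utf8_uri_encode( $utf8 ) );
+        $this->assertEquals( $urlencoded, utf8_uri_encode( $utf8 ) );
     }
 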