
Changeset 52309


Ignore:
Timestamp:
12/03/2021 02:42:17 AM (3 years ago)
Author:
peterwilsoncc
Message:

KSES: Accept port number in PDF upload paths.

Improves the URL validation in _wp_kses_allow_pdf_objects() to account for sites using an upload path that contains a port, for example wp.org:8080.

Follow up to [51963], [52304].

Props ocean90, ramonopoly, talldanwp.
See #54261.

Location:
trunk
Files:
2 edited

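--- a/trunk/src/wp-includes/kses.php
+++ b/trunk/src/wp-includes/kses.php
@@ -2592,12 +2592,12 @@
  * @return bool True if the URL is safe, false otherwise.
  */
-function _wp_kses_allow_pdf_objects( $value ) {
+function _wp_kses_allow_pdf_objects( $url ) {
     // We're not interested in URLs that contain query strings or fragments.
-    if ( strpos( $value, '?' ) !== false || strpos( $value, '#' ) !== false ) {
+    if ( strpos( $url, '?' ) !== false || strpos( $url, '#' ) !== false ) {
         return false;
     }
 
     // If it doesn't have a PDF extension, it's not safe.
-    if ( 0 !== substr_compare( $value, '.pdf', -4, 4, true ) ) {
+    if ( 0 !== substr_compare( $url, '.pdf', -4, 4, true ) ) {
         return false;
     }
@@ -2605,6 +2605,8 @@
     // If the URL host matches the current site's media URL, it's safe.
     $upload_info = wp_upload_dir( null, false );
-    $upload_host = wp_parse_url( $upload_info['url'], PHP_URL_HOST );
-    if ( 0 === strpos( $value, "http://$upload_host/" ) || 0 === strpos( $value, "https://$upload_host/" ) ) {
+    $parsed_url  = wp_parse_url( $upload_info['url'] );
+    $upload_host = isset( $parsed_url['host'] ) ? $parsed_url['host'] : '';
+    $upload_port = isset( $parsed_url['port'] ) ? ':' . $parsed_url['port'] : '';
+    if ( 0 === strpos( $url, "http://$upload_host$upload_port/" ) || 0 === strpos( $url, "https://$upload_host$upload_port/" ) ) {
         return true;
     }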
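Review bot: The new prefix comparison at 2607–2610 still runs when the upload URL has no parseable host: `$upload_host` falls back to `''`, the allow-list prefix degenerates to `http:///` (or `https:///`), and any `data` value beginning that way is then accepted, although the intent of this branch is to accept only URLs on the site's own media host. Fail closed before the comparison by adding `if ( '' === $upload_host ) { return false; }` directly after line 2608. The port match is literal, so an upload URL that spells out a default port (`:443`) will not match a `data` URL that omits it — that is the safe direction, but it deserves a comment on line 2609 such as `// The port must match literally; a default port written in one URL and omitted in the other is a mismatch.` The parameter rename from `$value` to `$url` should be mirrored in the docblock's `@param` line, which sits just above this section and is not visible here; the function body also continues past the end of the section.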
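--- a/trunk/tests/phpunit/tests/kses.php
+++ b/trunk/tests/phpunit/tests/kses.php
@@ -1597,5 +1597,60 @@
                 '',
             ),
-        );
+            'url with port number-like path'          => array(
+                '<object type="application/pdf" data="https://example.org/cat:8888/foo.pdf" />',
+                '<object type="application/pdf" data="https://example.org/cat:8888/foo.pdf" />',
+            ),
+        );
+    }
+
+    /**
+     * Test that object tags are allowed when there is a port number in the URL.
+     *
+     * @ticket 54261
+     *
+     * @dataProvider data_wp_kses_object_data_url_with_port_number_allowed
+     *
+     * @param string $html     A string of HTML to test.
+     * @param string $expected The expected result from KSES.
+     */
+    function test_wp_kses_object_data_url_with_port_number_allowed( $html, $expected ) {
+        add_filter( 'upload_dir', array( $this, 'wp_kses_upload_dir_filter' ), 10, 2 );
+        $this->assertSame( $expected, wp_kses_post( $html ) );
+    }
+
+    /**
+     * Data provider for test_wp_kses_object_data_url_with_port_number_allowed().
+     */
+    function data_wp_kses_object_data_url_with_port_number_allowed() {
+        return array(
+            'url with port number'                   => array(
+                '<object type="application/pdf" data="https://example.org:8888/cat/foo.pdf" />',
+                '<object type="application/pdf" data="https://example.org:8888/cat/foo.pdf" />',
+            ),
+            'url with port number and http protocol' => array(
+                '<object type="application/pdf" data="http://example.org:8888/cat/foo.pdf" />',
+                '<object type="application/pdf" data="http://example.org:8888/cat/foo.pdf" />',
+            ),
+            'url with wrong port number'             => array(
+                '<object type="application/pdf" data="http://example.org:3333/cat/foo.pdf" />',
+                '',
+            ),
+            'url without port number'                => array(
+                '<object type="application/pdf" data="http://example.org/cat/foo.pdf" />',
+                '',
+            ),
+        );
+    }
+
+    /**
+     * Filter upload directory for tests using port number.
+     *
+     * @param  array $param See wp_upload_dir()
+     * @return array        $param with a modified `url`.
+     */
+    public function wp_kses_upload_dir_filter( $param ) {
+        $url_with_port_number = is_string( $param['url'] ) ? str_replace( 'example.org', 'example.org:8888', $param['url'] ) : $param['url'];
+        $param['url']         = $url_with_port_number;
+        return $param;
     }
 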
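Review bot: The two new test methods at 1616 and 1624 carry no visibility keyword while `wp_kses_upload_dir_filter` at 1651 in the same hunk is `public`; declare them `public function test_wp_kses_object_data_url_with_port_number_allowed( $html, $expected ) {` and `public function data_wp_kses_object_data_url_with_port_number_allowed() {` so the three additions read consistently. The `add_filter( 'upload_dir', array( $this, 'wp_kses_upload_dir_filter' ), 10, 2 )` call at 1617 announces two accepted arguments, but the callback takes a single `$param` and its docblock documents only that one, so `10, 1` (or omitting both defaults) matches the signature. The filter is added and never removed within the test; that is only safe if the test base class restores hooks between tests, which is not visible in this hunk and is worth confirming. The data provider at 1626–1641 covers port present, wrong port and absent port, but not an `https` upload URL paired with an `http` `data` value on the same port, which the production check accepts; a named dataset for that case would document the scheme-agnostic behaviour the tests currently rely on implicitly.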