
Changeset 55774


Timestamp:
05/16/2023 03:21:39 PM (18 months ago)
Author:
audrasjb
Message:

Grouped backports to the 5.9 branch.

  • Media: Prevent CSRF setting attachment thumbnails.
  • Embeds: Add protocol validation for WordPress Embed code.
  • I18N: Introduce sanitization function for locale.
  • Editor: Ensure block comments are of a valid form.
  • Editor: Remove shortcode support from block templates.

Merges [55760-55764] to the 5.9 branch.
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.

Location:
branches/5.9
Files:
1 added
13 edited

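--- a/branches/5.9/package-lock.json
+++ b/branches/5.9/package-lock.json
@@ -1,5 +1,5 @@
 {
     "name": "WordPress",
-    "version": "5.9.5",
+    "version": "5.9.6",
     "lockfileVersion": 1,
     "requires": true,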
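--- a/branches/5.9/package.json
+++ b/branches/5.9/package.json
@@ -1,5 +1,5 @@
 {
     "name": "WordPress",
-    "version": "5.9.5",
+    "version": "5.9.6",
     "description": "WordPress is open source software you can use to create a beautiful website, blog, or app.",
     "repository": {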
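--- a/branches/5.9/src/js/_enqueues/wp/embed.js
+++ b/branches/5.9/src/js/_enqueues/wp/embed.js
@@ -50,4 +50,5 @@
         var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
             blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
+            allowedProtocols = new RegExp( '^https?:$', 'i' ),
             i, source, height, sourceURL, targetURL;
 
@@ -84,4 +85,9 @@
                 sourceURL.href = source.getAttribute( 'src' );
                 targetURL.href = data.value;
+
+                /* Only follow link if the protocol is in the allow list. */
+                if ( ! allowedProtocols.test( targetURL.protocol ) ) {
+                    continue;
+                }
 
                 /* Only continue if link hostname matches iframe's hostname. */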
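Review bot: `allowedProtocols` is built with `new RegExp( '^https?:$', 'i' )` from a string literal on every message the handler processes; a regex literal `/^https?:$/i` is the idiomatic form, is read once at parse time, and avoids the string-escaping a future edit to the pattern would need. The check itself is correct: `targetURL.protocol` carries the trailing colon the pattern expects, and a non-matching value skips the iframe via `continue` before the hostname comparison. A one-line comment stating that `data.value` is resolved through an anchor element (so a relative value inherits the page's protocol and passes) would make that accepted case explicit. The enclosing handler begins before and ends after this hunk.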
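--- a/branches/5.9/src/js/media/views/frame/video-details.js
+++ b/branches/5.9/src/js/media/views/frame/video-details.js
@@ -107,4 +107,5 @@
             wp.ajax.send( 'set-attachment-thumbnail', {
                 data : {
+                    _ajax_nonce: wp.media.view.settings.nonce.setAttachmentThumbnail,
                     urls: urls,
                     thumbnail_id: attachment.get( 'id' )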
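--- a/branches/5.9/src/wp-admin/about.php
+++ b/branches/5.9/src/wp-admin/about.php
@@ -43,4 +43,24 @@
             <div class="column">
                 <h2><?php _e( 'Maintenance and Security Releases' ); ?></h2>
+                <p>
+                    <?php
+                    printf(
+                        /* translators: %s: WordPress version number. */
+                        __( '<strong>Version %s</strong> addressed some security issues.' ),
+                        '5.9.6'
+                    );
+                    ?>
+                    <?php
+                    printf(
+                        /* translators: %s: HelpHub URL. */
+                        __( 'For more information, see <a href="%s">the release notes</a>.' ),
+                        sprintf(
+                            /* translators: %s: WordPress version. */
+                            esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+                            sanitize_title( '5.9.6' )
+                        )
+                    );
+                    ?>
+                </p>
                 <p>
                     <?php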
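--- a/branches/5.9/src/wp-admin/includes/ajax-actions.php
+++ b/branches/5.9/src/wp-admin/includes/ajax-actions.php
@@ -2733,4 +2733,8 @@
     }
 
+    if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
+        wp_send_json_error();
+    }
+
     $post_ids = array();
     // For each URL, try to find its corresponding post ID.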
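Review bot: The new guard at line 2735 is a CSRF check only: a valid nonce proves the request came from the admin UI, not that the current user may change the thumbnail of the posts resolved below. If the handler does not already perform `current_user_can( 'edit_post', ... )` checks for the thumbnail and for each resolved post ID elsewhere in the function (its start lies before this hunk and is not visible here), those are still required. A short comment above the guard would keep the next reader from treating it as authorisation: `// CSRF guard only; capability checks are separate.` Using `wp_send_json_error()` with no payload is consistent with the other failure exits of this handler, so no change is needed there.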
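--- a/branches/5.9/src/wp-includes/block-template.php
+++ b/branches/5.9/src/wp-includes/block-template.php
@@ -241,7 +241,5 @@
     $content = wptexturize( $content );
     $content = convert_smilies( $content );
-    $content = shortcode_unautop( $content );
     $content = wp_filter_content_tags( $content );
-    $content = do_shortcode( $content );
     $content = str_replace( ']]>', ']]&gt;', $content );
 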
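--- a/branches/5.9/src/wp-includes/blocks.php
+++ b/branches/5.9/src/wp-includes/blocks.php
@@ -629,4 +629,8 @@
     $result = '';
 
+    if ( false !== strpos( $text, '<!--' ) && false !== strpos( $text, '--->' ) ) {
+        $text = preg_replace_callback( '%<!--(.*?)--->%', '_filter_block_content_callback', $text );
+    }
+
     $blocks = parse_blocks( $text );
     foreach ( $blocks as $block ) {
@@ -636,4 +640,17 @@
 
     return $result;
+}
+
+/**
+ * Callback used for regular expression replacement in filter_block_content().
+ *
+ * @private
+ * @since 6.2.1
+ *
+ * @param array $matches Array of preg_replace_callback matches.
+ * @return string Replacement string.
+ */
+function _filter_block_content_callback( $matches ) {
+    return '<!--' . rtrim( $matches[1], '-' ) . '-->';
 }
 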
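Review bot: The pattern `%<!--(.*?)--->%` at line 632 has no `s` modifier, so `.*?` stops at a newline and a comment whose `--->` sits on a later line than its `<!--` is left untouched; if the normalisation is meant to apply only to single-line block delimiters, a comment saying so (`// Block delimiter comments are single-line; no DOTALL needed.`) would prevent someone "fixing" it later, otherwise add `s`. In `_filter_block_content_callback`, `rtrim( $matches[1], '-' )` strips every trailing dash, so `<!-- wp:x ---->` and longer runs are also collapsed to `-->`; a one-line comment noting that all trailing dashes are dropped on purpose would document that. The docblock's `@private` is not a standard PHPDoc tag; the convention in this codebase is `@access private`, which static analysis and the docs tooling recognise.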
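--- a/branches/5.9/src/wp-includes/formatting.php
+++ b/branches/5.9/src/wp-includes/formatting.php
@@ -2410,4 +2410,27 @@
 
 /**
+ * Strips out all characters not allowed in a locale name.
+ *
+ * @since 6.2.1
+ *
+ * @param string $locale_name The locale name to be sanitized.
+ * @return string The sanitized value.
+ */
+function sanitize_locale_name( $locale_name ) {
+    // Limit to A-Z, a-z, 0-9, '_', '-'.
+    $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $locale_name );
+
+    /**
+     * Filters a sanitized locale name string.
+     *
+     * @since 6.2.1
+     *
+     * @param string $sanitized   The sanitized locale name.
+     * @param string $locale_name The locale name before sanitization.
+     */
+    return apply_filters( 'sanitize_locale_name', $sanitized, $locale_name );
+}
+
+/**
  * Converts lone & characters into `&#038;` (a.k.a. `&amp;`)
  *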
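Review bot: `sanitize_locale_name()` does not check its argument type, and `preg_replace()` accepts an array subject, so an array input (for example a `wp_lang[]=x` query value reaching it through the l10n.php callers in this changeset) comes back as an array, `apply_filters()` passes it through in that shape, and the documented `@return string` no longer holds. Returning early for non-strings keeps the contract: `if ( ! is_string( $locale_name ) ) {` / `    return '';` / `}` placed before the `preg_replace()` call. The docblock should also state that the result may be an empty string when every character of the input is disallowed, since callers that tested `! empty()` on the raw value will not have checked that.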
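--- a/branches/5.9/src/wp-includes/l10n.php
+++ b/branches/5.9/src/wp-includes/l10n.php
@@ -148,7 +148,7 @@
 
     if ( ! empty( $_GET['wp_lang'] ) ) {
-        $wp_lang = sanitize_text_field( $_GET['wp_lang'] );
+        $wp_lang = sanitize_locale_name( wp_unslash( $_GET['wp_lang'] ) );
     } elseif ( ! empty( $_COOKIE['wp_lang'] ) ) {
-        $wp_lang = sanitize_text_field( $_COOKIE['wp_lang'] );
+        $wp_lang = sanitize_locale_name( wp_unslash( $_COOKIE['wp_lang'] ) );
     }
 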
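Review bot: Both `! empty()` tests at lines 149 and 151 run on the raw request value, but `sanitize_locale_name()` strips everything outside `[A-Za-z0-9_-]`, so a value made only of disallowed characters sets `$wp_lang` to `''` and the `elseif` never considers the cookie. Whether an empty `$wp_lang` is harmless depends on the code after the hunk, which is not visible here; if it is not, re-check `'' === $wp_lang` after sanitisation and fall back to the cookie or to the unset state. The `$_GET` branch also now shadows a usable cookie whenever the query value sanitises to nothing, which is a behaviour change from the pre-patch code worth a comment if intended.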
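--- a/branches/5.9/src/wp-includes/media.php
+++ b/branches/5.9/src/wp-includes/media.php
@@ -4389,5 +4389,6 @@
         'captions'          => ! apply_filters( 'disable_captions', '' ),
         'nonce'             => array(
-            'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
+            'sendToEditor'           => wp_create_nonce( 'media-send-to-editor' ),
+            'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ),
         ),
         'post'              => array(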
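--- a/branches/5.9/src/wp-includes/version.php
+++ b/branches/5.9/src/wp-includes/version.php
@@ -17,5 +17,5 @@
  * @global string $wp_version
  */
-$wp_version = '5.9.5-src';
+$wp_version = '5.9.6-src';
 
 /**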
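--- a/branches/5.9/tests/phpunit/tests/ajax/Attachments.php
+++ b/branches/5.9/tests/phpunit/tests/ajax/Attachments.php
@@ -115,3 +115,94 @@
         $this->assertSame( $expected, $response['data'] );
     }
+
+    public function test_wp_ajax_set_attachment_thumbnail_success() {
+        // Become an administrator.
+        $post    = $_POST;
+        $user_id = self::factory()->user->create(
+            array(
+                'role'       => 'administrator',
+                'user_login' => 'user_36578_administrator',
+                'user_email' => 'user_36578_administrator@example.com',
+            )
+        );
+        wp_set_current_user( $user_id );
+        $_POST = array_merge( $_POST, $post );
+
+        // Upload the attachment itself.
+        $filename = DIR_TESTDATA . '/uploads/small-audio.mp3';
+        $contents = file_get_contents( $filename );
+
+        $upload     = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $attachment = $this->_make_attachment( $upload );
+
+        // Upload the thumbnail.
+        $filename = DIR_TESTDATA . '/images/waffles.jpg';
+        $contents = file_get_contents( $filename );
+
+        $upload    = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $thumbnail = $this->_make_attachment( $upload );
+
+        // Set up a default request.
+        $_POST['_ajax_nonce']  = wp_create_nonce( 'set-attachment-thumbnail' );
+        $_POST['thumbnail_id'] = $thumbnail;
+        $_POST['urls']         = array( wp_get_attachment_url( $attachment ) );
+
+        // Make the request.
+        try {
+            $this->_handleAjax( 'set-attachment-thumbnail' );
+        } catch ( WPAjaxDieContinueException $e ) {
+            unset( $e );
+        }
+
+        // Get the response.
+        $response = json_decode( $this->_last_response, true );
+
+        // Ensure everything is correct.
+        $this->assertTrue( $response['success'] );
+    }
+
+    public function test_wp_ajax_set_attachment_thumbnail_missing_nonce() {
+        // Become an administrator.
+        $post    = $_POST;
+        $user_id = self::factory()->user->create(
+            array(
+                'role'       => 'administrator',
+                'user_login' => 'user_36578_administrator',
+                'user_email' => 'user_36578_administrator@example.com',
+            )
+        );
+        wp_set_current_user( $user_id );
+        $_POST = array_merge( $_POST, $post );
+
+        // Upload the attachment itself.
+        $filename = DIR_TESTDATA . '/uploads/small-audio.mp3';
+        $contents = file_get_contents( $filename );
+
+        $upload     = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $attachment = $this->_make_attachment( $upload );
+
+        // Upload the thumbnail.
+        $filename = DIR_TESTDATA . '/images/waffles.jpg';
+        $contents = file_get_contents( $filename );
+
+        $upload    = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $thumbnail = $this->_make_attachment( $upload );
+
+        // Set up a default request.
+        $_POST['thumbnail_id'] = $thumbnail;
+        $_POST['urls']         = array( wp_get_attachment_url( $attachment ) );
+
+        // Make the request.
+        try {
+            $this->_handleAjax( 'set-attachment-thumbnail' );
+        } catch ( WPAjaxDieContinueException $e ) {
+            unset( $e );
+        }
+
+        // Get the response.
+        $response = json_decode( $this->_last_response, true );
+
+        // Check that success is false without sending nonce.
+        $this->assertFalse( $response['success'] );
+    }
 }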
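Review bot: `test_wp_ajax_set_attachment_thumbnail_missing_nonce` never removes `$_POST['_ajax_nonce']`, so unless the base test case clears `$_POST` between tests, the nonce written by the preceding success test can leak in and the failure assertion would then be checking something other than a missing nonce; adding `unset( $_POST['_ajax_nonce'] );` beside the other request setup at line 192 makes the test self-contained and order-independent. Both tests assert only on `$response['success']`; if the handler stores the result as post meta, also asserting on `get_post_thumbnail_id( $attachment )` (set in the success case, still empty in the failure case) would verify the effect rather than the reply. The `$post = $_POST;` / `$_POST = array_merge( $_POST, $post );` pair in each new test is a no-op since nothing touches `$_POST` in between; it appears copied from the sibling tests and can be dropped.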