Changeset 56870 for branches/6.0/src/wp-admin/includes/user.php

Timestamp:

10/12/2023 02:59:09 PM (19 months ago)

Author:

joemcgill

Message:

Grouped backports to the 6.0 branch.

• REST API: Limit search_columns for users without list_users.
• Comments: Prevent users who can not see a post from seeing comments on it.
• Application Passwords: Prevent the use of some pseudo protocols in application passwords.
• Restrict media shortcode ajax to certain type
• REST API: Ensure no-cache headers are sent when methods are overriden.
• Prevent unintended behavior when certain objects are unserialized.

Merges [56833], [56834], [56835], [56836], [56837], and [56838] to the 6.0 branch.
Props xknown, jorbin, Vortfu, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, martinkrcho, paulkevan, dd32, antpb, rmccue.

Location:

branches/6.0

Files:

• . (modified) (1 prop)
• src/wp-admin/includes/user.php (modified) (3 diffs)

branches/6.0/src/wp-admin/includes/user.php

@@ -607 +607 @@
  *
  * @since 5.6.0
+ * @since 6.2.0 Allow insecure HTTP connections for the local environment.
+ * @since 6.3.2 Validates the success and reject URLs to prevent javascript pseudo protocol being executed.
  *
  * @param array   $request {
@@ -622 +624 @@
     $error = new WP_Error();
 
-    if ( ! empty( $request['success_url'] ) ) {
-        $scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
-
-        if ( 'http' === $scheme ) {
+    if ( isset( $request['success_url'] ) ) {
+        $validated_success_url = wp_is_authorize_application_redirect_url_valid( $request['success_url'] );
+        if ( is_wp_error( $validated_success_url ) ) {
             $error->add(
-                'invalid_redirect_scheme',
-                __( 'The success URL must be served over a secure connection.' )
+                $validated_success_url->get_error_code(),
+                $validated_success_url->get_error_message()
             );
         }
     }
 
-    if ( ! empty( $request['reject_url'] ) ) {
-        $scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );
-
-        if ( 'http' === $scheme ) {
+    if ( isset( $request['reject_url'] ) ) {
+        $validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] );
+        if ( is_wp_error( $validated_reject_url ) ) {
             $error->add(
-                'invalid_redirect_scheme',
-                __( 'The rejection URL must be served over a secure connection.' )
+                $validated_reject_url->get_error_code(),
+                $validated_reject_url->get_error_message()
             );
         }
@@ -668 +668 @@
     return true;
 }
+
+/**
+ * Validates the redirect URL protocol scheme. The protocol can be anything except http and javascript.
+ *
+ * @since 6.3.2
+ *
+ * @param string $url - The redirect URL to be validated.
+ *
+ * @return true|WP_Error True if the redirect URL is valid, a WP_Error object otherwise.
+ */
+function wp_is_authorize_application_redirect_url_valid( $url ) {
+    $bad_protocols = array( 'javascript', 'data' );
+    if ( empty( $url ) ) {
+        return true;
+    }
+
+    // Based on https://www.rfc-editor.org/rfc/rfc2396#section-3.1
+    $valid_scheme_regex = '/^[a-zA-Z][a-zA-Z0-9+.-]*:/';
+    if ( ! preg_match( $valid_scheme_regex, $url ) ) {
+        return new WP_Error(
+            'invalid_redirect_url_format',
+            __( 'Invalid URL format.' )
+        );
+    }
+
+    /**
+     * Filters the list of invalid protocols used in applications redirect URLs.
+     *
+     * @since 6.3.2
+     *
+     * @param string[]  $bad_protocols Array of invalid protocols.
+     * @param string    $url The redirect URL to be validated.
+     */
+    $invalid_protocols = array_map( 'strtolower', apply_filters( 'wp_authorize_application_redirect_url_invalid_protocols', $bad_protocols, $url ) );
+
+    $scheme   = wp_parse_url( $url, PHP_URL_SCHEME );
+    $host     = wp_parse_url( $url, PHP_URL_HOST );
+    $is_local = 'local' === wp_get_environment_type();
+
+    // validates if the proper URI format is applied to the $url
+    if ( empty( $host ) || empty( $scheme ) || in_array( strtolower( $scheme ), $invalid_protocols, true ) ) {
+        return new WP_Error(
+            'invalid_redirect_url_format',
+            __( 'Invalid URL format.' )
+        );
+    }
+
+    if ( 'http' === $scheme && ! $is_local ) {
+        return new WP_Error(
+            'invalid_redirect_scheme',
+            __( 'The URL must be served over a secure connection.' )
+        );
+    }
+
+    return true;
+}