Make WordPress Core


Ignore:
Timestamp:
10/12/2023 02:59:09 PM (8 months ago)
Author:
joemcgill
Message:

Grouped backports to the 6.0 branch.

  • REST API: Limit search_columns for users without list_users.
  • Comments: Prevent users who can not see a post from seeing comments on it.
  • Application Passwords: Prevent the use of some pseudo protocols in application passwords.
  • Restrict media shortcode ajax to certain type
  • REST API: Ensure no-cache headers are sent when methods are overriden.
  • Prevent unintended behavior when certain objects are unserialized.

Merges [56833], [56834], [56835], [56836], [56837], and [56838] to the 6.0 branch.
Props xknown, jorbin, Vortfu, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, martinkrcho, paulkevan, dd32, antpb, rmccue.

Location:
branches/6.0
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/6.0

  • branches/6.0/src/wp-admin/includes/user.php

    r53063 r56870  
    607607 *
    608608 * @since 5.6.0
     609 * @since 6.2.0 Allow insecure HTTP connections for the local environment.
     610 * @since 6.3.2 Validates the success and reject URLs to prevent javascript pseudo protocol being executed.
    609611 *
    610612 * @param array   $request {
     
    622624    $error = new WP_Error();
    623625
    624     if ( ! empty( $request['success_url'] ) ) {
    625         $scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
    626 
    627         if ( 'http' === $scheme ) {
     626    if ( isset( $request['success_url'] ) ) {
     627        $validated_success_url = wp_is_authorize_application_redirect_url_valid( $request['success_url'] );
     628        if ( is_wp_error( $validated_success_url ) ) {
    628629            $error->add(
    629                 'invalid_redirect_scheme',
    630                 __( 'The success URL must be served over a secure connection.' )
     630                $validated_success_url->get_error_code(),
     631                $validated_success_url->get_error_message()
    631632            );
    632633        }
    633634    }
    634635
    635     if ( ! empty( $request['reject_url'] ) ) {
    636         $scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );
    637 
    638         if ( 'http' === $scheme ) {
     636    if ( isset( $request['reject_url'] ) ) {
     637        $validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] );
     638        if ( is_wp_error( $validated_reject_url ) ) {
    639639            $error->add(
    640                 'invalid_redirect_scheme',
    641                 __( 'The rejection URL must be served over a secure connection.' )
     640                $validated_reject_url->get_error_code(),
     641                $validated_reject_url->get_error_message()
    642642            );
    643643        }
     
    668668    return true;
    669669}
     670
     671/**
     672 * Validates the redirect URL protocol scheme. The protocol can be anything except http and javascript.
     673 *
     674 * @since 6.3.2
     675 *
     676 * @param string $url - The redirect URL to be validated.
     677 *
     678 * @return true|WP_Error True if the redirect URL is valid, a WP_Error object otherwise.
     679 */
     680function wp_is_authorize_application_redirect_url_valid( $url ) {
     681    $bad_protocols = array( 'javascript', 'data' );
     682    if ( empty( $url ) ) {
     683        return true;
     684    }
     685
     686    // Based on https://www.rfc-editor.org/rfc/rfc2396#section-3.1
     687    $valid_scheme_regex = '/^[a-zA-Z][a-zA-Z0-9+.-]*:/';
     688    if ( ! preg_match( $valid_scheme_regex, $url ) ) {
     689        return new WP_Error(
     690            'invalid_redirect_url_format',
     691            __( 'Invalid URL format.' )
     692        );
     693    }
     694
     695    /**
     696     * Filters the list of invalid protocols used in applications redirect URLs.
     697     *
     698     * @since 6.3.2
     699     *
     700     * @param string[]  $bad_protocols Array of invalid protocols.
     701     * @param string    $url The redirect URL to be validated.
     702     */
     703    $invalid_protocols = array_map( 'strtolower', apply_filters( 'wp_authorize_application_redirect_url_invalid_protocols', $bad_protocols, $url ) );
     704
     705    $scheme   = wp_parse_url( $url, PHP_URL_SCHEME );
     706    $host     = wp_parse_url( $url, PHP_URL_HOST );
     707    $is_local = 'local' === wp_get_environment_type();
     708
     709    // validates if the proper URI format is applied to the $url
     710    if ( empty( $host ) || empty( $scheme ) || in_array( strtolower( $scheme ), $invalid_protocols, true ) ) {
     711        return new WP_Error(
     712            'invalid_redirect_url_format',
     713            __( 'Invalid URL format.' )
     714        );
     715    }
     716
     717    if ( 'http' === $scheme && ! $is_local ) {
     718        return new WP_Error(
     719            'invalid_redirect_scheme',
     720            __( 'The URL must be served over a secure connection.' )
     721        );
     722    }
     723
     724    return true;
     725}
Note: See TracChangeset for help on using the changeset viewer.