Make WordPress Core


Ignore:
Timestamp:
10/12/2023 03:03:26 PM (8 months ago)
Author:
joemcgill
Message:

Grouped backports to the 5.9 branch.

  • REST API: Limit search_columns for users without list_users.
  • Comments: Prevent users who can not see a post from seeing comments on it.
  • Application Passwords: Prevent the use of some pseudo protocols in application passwords.
  • Restrict media shortcode ajax to certain type
  • REST API: Ensure no-cache headers are sent when methods are overriden.
  • Prevent unintended behavior when certain objects are unserialized.

Merges [56833], [56834], [56835], [56836], [56837], and [56838] to the 5.9 branch.
Props xknown, jorbin, Vortfu, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, martinkrcho, paulkevan, dd32, antpb, rmccue.

Location:
branches/5.9
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/5.9

  • branches/5.9/src/wp-admin/includes/user.php

    r52285 r56875  
    600600 *
    601601 * @since 5.6.0
     602 * @since 6.2.0 Allow insecure HTTP connections for the local environment.
     603 * @since 6.3.2 Validates the success and reject URLs to prevent javascript pseudo protocol being executed.
    602604 *
    603605 * @param array   $request {
     
    615617    $error = new WP_Error();
    616618
    617     if ( ! empty( $request['success_url'] ) ) {
    618         $scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
    619 
    620         if ( 'http' === $scheme ) {
     619    if ( isset( $request['success_url'] ) ) {
     620        $validated_success_url = wp_is_authorize_application_redirect_url_valid( $request['success_url'] );
     621        if ( is_wp_error( $validated_success_url ) ) {
    621622            $error->add(
    622                 'invalid_redirect_scheme',
    623                 __( 'The success URL must be served over a secure connection.' )
     623                $validated_success_url->get_error_code(),
     624                $validated_success_url->get_error_message()
    624625            );
    625626        }
    626627    }
    627628
    628     if ( ! empty( $request['reject_url'] ) ) {
    629         $scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );
    630 
    631         if ( 'http' === $scheme ) {
     629    if ( isset( $request['reject_url'] ) ) {
     630        $validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] );
     631        if ( is_wp_error( $validated_reject_url ) ) {
    632632            $error->add(
    633                 'invalid_redirect_scheme',
    634                 __( 'The rejection URL must be served over a secure connection.' )
     633                $validated_reject_url->get_error_code(),
     634                $validated_reject_url->get_error_message()
    635635            );
    636636        }
     
    661661    return true;
    662662}
     663
     664/**
     665 * Validates the redirect URL protocol scheme. The protocol can be anything except http and javascript.
     666 *
     667 * @since 6.3.2
     668 *
     669 * @param string $url - The redirect URL to be validated.
     670 *
     671 * @return true|WP_Error True if the redirect URL is valid, a WP_Error object otherwise.
     672 */
     673function wp_is_authorize_application_redirect_url_valid( $url ) {
     674    $bad_protocols = array( 'javascript', 'data' );
     675    if ( empty( $url ) ) {
     676        return true;
     677    }
     678
     679    // Based on https://www.rfc-editor.org/rfc/rfc2396#section-3.1
     680    $valid_scheme_regex = '/^[a-zA-Z][a-zA-Z0-9+.-]*:/';
     681    if ( ! preg_match( $valid_scheme_regex, $url ) ) {
     682        return new WP_Error(
     683            'invalid_redirect_url_format',
     684            __( 'Invalid URL format.' )
     685        );
     686    }
     687
     688    /**
     689     * Filters the list of invalid protocols used in applications redirect URLs.
     690     *
     691     * @since 6.3.2
     692     *
     693     * @param string[]  $bad_protocols Array of invalid protocols.
     694     * @param string    $url The redirect URL to be validated.
     695     */
     696    $invalid_protocols = array_map( 'strtolower', apply_filters( 'wp_authorize_application_redirect_url_invalid_protocols', $bad_protocols, $url ) );
     697
     698    $scheme   = wp_parse_url( $url, PHP_URL_SCHEME );
     699    $host     = wp_parse_url( $url, PHP_URL_HOST );
     700    $is_local = 'local' === wp_get_environment_type();
     701
     702    // validates if the proper URI format is applied to the $url
     703    if ( empty( $host ) || empty( $scheme ) || in_array( strtolower( $scheme ), $invalid_protocols, true ) ) {
     704        return new WP_Error(
     705            'invalid_redirect_url_format',
     706            __( 'Invalid URL format.' )
     707        );
     708    }
     709
     710    if ( 'http' === $scheme && ! $is_local ) {
     711        return new WP_Error(
     712            'invalid_redirect_scheme',
     713            __( 'The URL must be served over a secure connection.' )
     714        );
     715    }
     716
     717    return true;
     718}
Note: See TracChangeset for help on using the changeset viewer.