Timestamp:
10/12/2023 04:07:43 PM (15 months ago)
Author:
joemcgill
Message:

Grouped backports to the 6.2 branch.

  • REST API: Limit search_columns for users without list_users.
  • Comments: Prevent users who can not see a post from seeing comments on it.
  • Application Passwords: Prevent the use of some pseudo protocols in application passwords.
  • Restrict media shortcode ajax to certain type
  • REST API: Ensure no-cache headers are sent when methods are overridden.
  • Prevent unintended behavior when certain objects are unserialized.

Merges [56833], [56834], [56835], [56836], [56837], and [56838] to the 6.2 branch.
Props xknown, jorbin, Vortfu, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, martinkrcho, paulkevan, dd32, antpb, rmccue.

Location:
branches/6.2
Files:
2 edited

  • branches/6.2

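--- a/branches/6.2/src/wp-admin/includes/user.php
+++ b/branches/6.2/src/wp-admin/includes/user.php
@@ -614,4 +614,5 @@
  * @since 5.6.0
  * @since 6.2.0 Allow insecure HTTP connections for the local environment.
+ * @since 6.3.2 Validates the success and reject URLs to prevent javascript pseudo protocol being executed.
  *
  * @param array   $request {
@@ -627,25 +628,22 @@
  */
 function wp_is_authorize_application_password_request_valid( $request, $user ) {
-    $error    = new WP_Error();
-    $is_local = 'local' === wp_get_environment_type();
-
-    if ( ! empty( $request['success_url'] ) ) {
-        $scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
-
-        if ( 'http' === $scheme && ! $is_local ) {
+    $error = new WP_Error();
+
+    if ( isset( $request['success_url'] ) ) {
+        $validated_success_url = wp_is_authorize_application_redirect_url_valid( $request['success_url'] );
+        if ( is_wp_error( $validated_success_url ) ) {
             $error->add(
-                'invalid_redirect_scheme',
-                __( 'The success URL must be served over a secure connection.' )
+                $validated_success_url->get_error_code(),
+                $validated_success_url->get_error_message()
             );
         }
     }
 
-    if ( ! empty( $request['reject_url'] ) ) {
-        $scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );
-
-        if ( 'http' === $scheme && ! $is_local ) {
+    if ( isset( $request['reject_url'] ) ) {
+        $validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] );
+        if ( is_wp_error( $validated_reject_url ) ) {
             $error->add(
-                'invalid_redirect_scheme',
-                __( 'The rejection URL must be served over a secure connection.' )
+                $validated_reject_url->get_error_code(),
+                $validated_reject_url->get_error_message()
             );
         }
@@ -676,2 +674,58 @@
     return true;
 }
+
+/**
+ * Validates the redirect URL protocol scheme. The protocol can be anything except http and javascript.
+ *
+ * @since 6.3.2
+ *
+ * @param string $url - The redirect URL to be validated.
+ *
+ * @return true|WP_Error True if the redirect URL is valid, a WP_Error object otherwise.
+ */
+function wp_is_authorize_application_redirect_url_valid( $url ) {
+    $bad_protocols = array( 'javascript', 'data' );
+    if ( empty( $url ) ) {
+        return true;
+    }
+
+    // Based on https://www.rfc-editor.org/rfc/rfc2396#section-3.1
+    $valid_scheme_regex = '/^[a-zA-Z][a-zA-Z0-9+.-]*:/';
+    if ( ! preg_match( $valid_scheme_regex, $url ) ) {
+        return new WP_Error(
+            'invalid_redirect_url_format',
+            __( 'Invalid URL format.' )
+        );
+    }
+
+    /**
+     * Filters the list of invalid protocols used in applications redirect URLs.
+     *
+     * @since 6.3.2
+     *
+     * @param string[]  $bad_protocols Array of invalid protocols.
+     * @param string    $url The redirect URL to be validated.
+     */
+    $invalid_protocols = array_map( 'strtolower', apply_filters( 'wp_authorize_application_redirect_url_invalid_protocols', $bad_protocols, $url ) );
+
+    $scheme   = wp_parse_url( $url, PHP_URL_SCHEME );
+    $host     = wp_parse_url( $url, PHP_URL_HOST );
+    $is_local = 'local' === wp_get_environment_type();
+
+    // validates if the proper URI format is applied to the $url
+    if ( empty( $host ) || empty( $scheme ) || in_array( strtolower( $scheme ), $invalid_protocols, true ) ) {
+        return new WP_Error(
+            'invalid_redirect_url_format',
+            __( 'Invalid URL format.' )
+        );
+    }
+
+    if ( 'http' === $scheme && ! $is_local ) {
+        return new WP_Error(
+            'invalid_redirect_scheme',
+            __( 'The URL must be served over a secure connection.' )
+        );
+    }
+
+    return true;
+}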
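Review bot: The secure-connection check in the new wp_is_authorize_application_redirect_url_valid(), `if ( 'http' === $scheme && ! $is_local )`, compares the scheme case-sensitively while the blocked-protocol check a few lines above lowercases it, so a scheme spelled `HTTP` (PHP's parse_url() keeps the scheme's case, and wp_parse_url() appears to pass it through) is not rejected outside the local environment even though browsers treat it as plain http. Comparing the lowercased value makes the two checks consistent: `if ( 'http' === strtolower( $scheme ) && ! $is_local ) {`. The function's docblock also says the protocol can be anything except http and javascript, whereas the code rejects the filterable list (`javascript` and `data` by default) unconditionally and rejects `http` only outside the local environment; I would reword it to `Validates the redirect URL scheme: rejects the filterable list of unsafe protocols (javascript and data by default) and, outside the local environment, plain http.` so the documented contract matches the checks.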