Changeset 56895 for branches/6.2/src/wp-admin/includes/user.php
- Timestamp:
- 10/12/2023 04:07:43 PM (15 months ago)
- Location:
- branches/6.2
- Files:
-
- 2 edited
branches/6.2
- Property svn:mergeinfo changed
/trunk merged: 56833-56838
- Property svn:mergeinfo changed
-
branches/6.2/src/wp-admin/includes/user.php
r55283 r56895 614 614 * @since 5.6.0 615 615 * @since 6.2.0 Allow insecure HTTP connections for the local environment. 616 * @since 6.3.2 Validates the success and reject URLs to prevent javascript pseudo protocol being executed. 616 617 * 617 618 * @param array $request { … … 627 628 */ 628 629 function wp_is_authorize_application_password_request_valid( $request, $user ) { 629 $error = new WP_Error(); 630 $is_local = 'local' === wp_get_environment_type(); 631 632 if ( ! empty( $request['success_url'] ) ) { 633 $scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME ); 634 635 if ( 'http' === $scheme && ! $is_local ) { 630 $error = new WP_Error(); 631 632 if ( isset( $request['success_url'] ) ) { 633 $validated_success_url = wp_is_authorize_application_redirect_url_valid( $request['success_url'] ); 634 if ( is_wp_error( $validated_success_url ) ) { 636 635 $error->add( 637 'invalid_redirect_scheme',638 __( 'The success URL must be served over a secure connection.')636 $validated_success_url->get_error_code(), 637 $validated_success_url->get_error_message() 639 638 ); 640 639 } 641 640 } 642 641 643 if ( ! empty( $request['reject_url'] ) ) { 644 $scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME ); 645 646 if ( 'http' === $scheme && ! $is_local ) { 642 if ( isset( $request['reject_url'] ) ) { 643 $validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] ); 644 if ( is_wp_error( $validated_reject_url ) ) { 647 645 $error->add( 648 'invalid_redirect_scheme',649 __( 'The rejection URL must be served over a secure connection.')646 $validated_reject_url->get_error_code(), 647 $validated_reject_url->get_error_message() 650 648 ); 651 649 } … … 676 674 return true; 677 675 } 676 677 /** 678 * Validates the redirect URL protocol scheme. The protocol can be anything except http and javascript. 679 * 680 * @since 6.3.2 681 * 682 * @param string $url - The redirect URL to be validated. 
683 * 684 * @return true|WP_Error True if the redirect URL is valid, a WP_Error object otherwise. 685 */ 686 function wp_is_authorize_application_redirect_url_valid( $url ) { 687 $bad_protocols = array( 'javascript', 'data' ); 688 if ( empty( $url ) ) { 689 return true; 690 } 691 692 // Based on https://www.rfc-editor.org/rfc/rfc2396#section-3.1 693 $valid_scheme_regex = '/^[a-zA-Z][a-zA-Z0-9+.-]*:/'; 694 if ( ! preg_match( $valid_scheme_regex, $url ) ) { 695 return new WP_Error( 696 'invalid_redirect_url_format', 697 __( 'Invalid URL format.' ) 698 ); 699 } 700 701 /** 702 * Filters the list of invalid protocols used in applications redirect URLs. 703 * 704 * @since 6.3.2 705 * 706 * @param string[] $bad_protocols Array of invalid protocols. 707 * @param string $url The redirect URL to be validated. 708 */ 709 $invalid_protocols = array_map( 'strtolower', apply_filters( 'wp_authorize_application_redirect_url_invalid_protocols', $bad_protocols, $url ) ); 710 711 $scheme = wp_parse_url( $url, PHP_URL_SCHEME ); 712 $host = wp_parse_url( $url, PHP_URL_HOST ); 713 $is_local = 'local' === wp_get_environment_type(); 714 715 // validates if the proper URI format is applied to the $url 716 if ( empty( $host ) || empty( $scheme ) || in_array( strtolower( $scheme ), $invalid_protocols, true ) ) { 717 return new WP_Error( 718 'invalid_redirect_url_format', 719 __( 'Invalid URL format.' ) 720 ); 721 } 722 723 if ( 'http' === $scheme && ! $is_local ) { 724 return new WP_Error( 725 'invalid_redirect_scheme', 726 __( 'The URL must be served over a secure connection.' ) 727 ); 728 } 729 730 return true; 731 }
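Review bot: The secure-connection check in the new wp_is_authorize_application_redirect_url_valid() compares the scheme case-sensitively (`'http' === $scheme` at line 723) while the blocklist check a few lines earlier normalises with strtolower(), so on a non-local environment a URL written as `HTTP://host/...` would pass the secure-scheme test even though its lowercase form is rejected; wp_parse_url() appears to be a wrapper around parse_url(), which as far as I can tell preserves the scheme's case, so the two checks disagree. Normalising once at the point the scheme is read closes the gap: `$scheme = strtolower( (string) wp_parse_url( $url, PHP_URL_SCHEME ) );` and then `in_array( $scheme, $invalid_protocols, true )` in the format check, leaving the later `'http' === $scheme` comparison as is. The docblock at line 678 also understates what the function does: it says the protocol "can be anything except http and javascript", but the default blocklist includes `data` as well, http is only rejected outside the local environment, and the filter lets plugins extend the list; a one-line rewording such as "Rejects blocklisted schemes (javascript and data by default, filterable) and, outside the local environment, plain http" would match the code.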