
Changes from tags/3.9.1 at r59367 to tags/3.9.2 at r59367


Files:
10 edited

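--- a/tags/3.9.2/package.json
+++ b/tags/3.9.2/package.json
@@ -1,5 +1,5 @@
 {
   "name": "WordPress",
-  "version": "3.9.1",
+  "version": "3.9.2",
   "description": "WordPress is web software you can use to create a beautiful website or blog.",
   "repository": {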
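--- a/tags/3.9.2/src/readme.html
+++ b/tags/3.9.2/src/readme.html
@@ -10,5 +10,5 @@
 <h1 id="logo">
     <a href="https://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
-    <br /> Version 3.9.1
+    <br /> Version 3.9.2
 </h1>
 <p style="text-align: center">Semantic Personal Publishing Platform</p>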
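--- a/tags/3.9.2/src/wp-admin/about.php
+++ b/tags/3.9.2/src/wp-admin/about.php
@@ -40,5 +40,9 @@
 
 <div class="changelog point-releases">
-    <h3><?php echo _n( 'Maintenance Release', 'Maintenance Releases', 1 ); ?></h3>
+    <h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 2 ); ?></h3>
+    <p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 6 ), '3.9.2', number_format_i18n( 6 ) ); ?>
+        <?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'http://codex.wordpress.org/Version_3.9.2' ); ?>
+    </p>
     <p><?php printf( _n( '<strong>Version %1$s</strong> addressed %2$s bug.',
          '<strong>Version %1$s</strong> addressed %2$s bugs.', 34 ), '3.9.1', number_format_i18n( 34 ) ); ?>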
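--- a/tags/3.9.2/src/wp-includes/ID3/getid3.lib.php
+++ b/tags/3.9.2/src/wp-includes/ID3/getid3.lib.php
@@ -520,9 +520,10 @@
 
     public static function XML2array($XMLstring) {
-        if (function_exists('simplexml_load_string')) {
-            if (function_exists('get_object_vars')) {
-                $XMLobject = simplexml_load_string($XMLstring);
-                return self::SimpleXMLelement2array($XMLobject);
-            }
+        if ( function_exists( 'simplexml_load_string' ) && function_exists( 'libxml_disable_entity_loader' ) ) {
+            $loader = libxml_disable_entity_loader( true );
+            $XMLobject = simplexml_load_string( $XMLstring, 'SimpleXMLElement', LIBXML_NOENT );
+            $return = self::SimpleXMLelement2array( $XMLobject );
+            libxml_disable_entity_loader( $loader );
+            return $return;
         }
         return false;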
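Review bot: The new call at line 524 passes LIBXML_NOENT, which asks libxml to substitute entities; with the loader disabled external entities are not fetched, but entity substitution itself stays on, so the protection rests entirely on libxml_disable_entity_loader() and internal entity expansion is still performed (subject to libxml's own expansion limits). Unless SimpleXMLelement2array() depends on substituted entity text, dropping the flag, `$XMLobject = simplexml_load_string( $XMLstring, 'SimpleXMLElement' );`, or adding LIBXML_NONET would narrow what the parser is allowed to do. A comment is also warranted on line 522 because, when libxml_disable_entity_loader() is unavailable, the method now silently returns false where it previously parsed the input. The closing brace of XML2array() lies outside the hunk.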
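--- a/tags/3.9.2/src/wp-includes/class-IXR.php
+++ b/tags/3.9.2/src/wp-includes/class-IXR.php
@@ -204,9 +204,35 @@
         // first remove the XML declaration
         // merged from WP #10698 - this method avoids the RAM usage of preg_replace on very large messages
-        $header = preg_replace( '/<\?xml.*?\?'.'>/', '', substr($this->message, 0, 100), 1);
-        $this->message = substr_replace($this->message, $header, 0, 100);
-        if (trim($this->message) == '') {
+        $header = preg_replace( '/<\?xml.*?\?'.'>/s', '', substr( $this->message, 0, 100 ), 1 );
+        $this->message = trim( substr_replace( $this->message, $header, 0, 100 ) );
+        if ( '' == $this->message ) {
             return false;
         }
+
+        // Then remove the DOCTYPE
+        $header = preg_replace( '/^<!DOCTYPE[^>]*+>/i', '', substr( $this->message, 0, 200 ), 1 );
+        $this->message = trim( substr_replace( $this->message, $header, 0, 200 ) );
+        if ( '' == $this->message ) {
+            return false;
+        }
+
+        // Check that the root tag is valid
+        $root_tag = substr( $this->message, 0, strcspn( substr( $this->message, 0, 20 ), "> \t\r\n" ) );
+        if ( '<!DOCTYPE' === strtoupper( $root_tag ) ) {
+            return false;
+        }
+        if ( ! in_array( $root_tag, array( '<methodCall', '<methodResponse', '<fault' ) ) ) {
+            return false;
+        }
+
+        // Bail if there are too many elements to parse
+        $element_limit = 30000;
+        if ( function_exists( 'apply_filters' ) ) {
+            $element_limit = apply_filters( 'xmlrpc_element_limit', $element_limit );
+        }
+        if ( $element_limit && 2 * $element_limit < substr_count( $this->message, '<' ) ) {
+            return false;
+        }
+
         $this->_parser = xml_parser_create();
         // Set XML parser to take the case of tags in to account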
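Review bot: The root-tag check at line 224 calls in_array() without the strict flag; the operands are non-numeric strings so loose comparison happens to be safe here, but `if ( ! in_array( $root_tag, array( '<methodCall', '<methodResponse', '<fault' ), true ) ) {` makes that intent explicit and matches the `===` used on line 221. The element-limit heuristic at line 233 counts every '<' in the raw message, including those inside string values and CDATA sections, so the `2 *` margin is what keeps markup-heavy but legitimate payloads from being rejected; a short comment stating that trade-off next to the xmlrpc_element_limit filter would help whoever tunes it. The enclosing method begins and ends outside the hunk.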
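--- a/tags/3.9.2/src/wp-includes/class-wp-customize-widgets.php
+++ b/tags/3.9.2/src/wp-includes/class-wp-customize-widgets.php
@@ -1120,20 +1120,17 @@
 
     /**
-     * Get a widget instance's hash key.
-     *
-     * Serialize an instance and hash it with the AUTH_KEY; when a JS value is
-     * posted back to save, this instance hash key is used to ensure that the
-     * serialized_instance was not tampered with, but that it had originated
-     * from WordPress and so is sanitized.
+     * Get MAC for a serialized widget instance string.
+     *
+     * Allows values posted back from JS to be rejected if any tampering of the
+     * data has occurred.
      *
      * @since 3.9.0
      * @access protected
      *
-     * @param array $instance Widget instance.
-     * @return string Widget instance's hash key.
-     */
-    protected function get_instance_hash_key( $instance ) {
-        $hash = md5( AUTH_KEY . serialize( $instance ) );
-        return $hash;
+     * @param string $serialized_instance Widget instance.
+     * @return string MAC for serialized widget instance.
+     */
+    protected function get_instance_hash_key( $serialized_instance ) {
+        return wp_hash( $serialized_instance );
     }
 
@@ -1163,16 +1160,17 @@
 
         $decoded = base64_decode( $value['encoded_serialized_instance'], true );
-
         if ( false === $decoded ) {
             return null;
         }
+
+        if ( $this->get_instance_hash_key( $decoded ) !== $value['instance_hash_key'] ) {
+            return null;
+        }
+
         $instance = unserialize( $decoded );
-
         if ( false === $instance ) {
             return null;
         }
-        if ( $this->get_instance_hash_key( $instance ) !== $value['instance_hash_key'] ) {
-            return null;
-        }
+
         return $instance;
     }
@@ -1195,5 +1193,5 @@
                 'title'                         => empty( $value['title'] ) ? '' : $value['title'],
                 'is_widget_customizer_js_value' => true,
-                'instance_hash_key'             => $this->get_instance_hash_key( $value ),
+                'instance_hash_key'             => $this->get_instance_hash_key( $serialized ),
             );
         }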
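Review bot: The MAC check added at line 1166 compares with `!==`, while this same changeset introduces hash_equals() in compat.php and uses it in pluggable.php for the auth cookie and nonces; for consistency and a constant-time comparison this line should read `if ( ! is_string( $value['instance_hash_key'] ) || ! hash_equals( $this->get_instance_hash_key( $decoded ), $value['instance_hash_key'] ) ) {`. The is_string() guard matters because $value arrives from the client and hash_equals() expects two strings. Moving the check ahead of unserialize() is the right ordering; a one-line comment such as `// Verify the MAC before unserializing: unverified serialized data must never reach unserialize().` would record why the order must not be changed back. The enclosing method starts before the hunk.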
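--- a/tags/3.9.2/src/wp-includes/compat.php
+++ b/tags/3.9.2/src/wp-includes/compat.php
@@ -95,2 +95,31 @@
     }
 }
+
+if ( ! function_exists( 'hash_equals' ) ) :
+/**
+ * Compare two strings in constant time.
+ *
+ * This function was added in PHP 5.6.
+ * It can leak the length of a string.
+ *
+ * @since 3.9.2
+ *
+ * @param string $a Expected string.
+ * @param string $b Actual string.
+ * @return bool Whether strings are equal.
+ */
+function hash_equals( $a, $b ) {
+    $a_length = strlen( $a );
+    if ( $a_length !== strlen( $b ) ) {
+        return false;
+    }
+    $result = 0;
+
+    // Do not attempt to "optimize" this.
+    for ( $i = 0; $i < $a_length; $i++ ) {
+        $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
+    }
+
+    return $result === 0;
+}
+endif;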
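Review bot: The polyfill at line 111 assumes both arguments are strings; the native hash_equals() in PHP 5.6 raises a warning and returns false for anything else, whereas this version hands the value to strlen() and, for some non-string inputs, the length comparison no longer behaves as intended before the `$a[ $i ]` indexing is reached. Since callers pass request-derived values (the nonce in pluggable.php), a guard `if ( ! is_string( $a ) || ! is_string( $b ) ) { return false; }` ahead of the length check brings the fallback in line with the native function. The identical copy at pluggable.php lines 2227–2240 needs the same guard.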
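--- a/tags/3.9.2/src/wp-includes/pluggable.php
+++ b/tags/3.9.2/src/wp-includes/pluggable.php
@@ -648,5 +648,5 @@
     $hash = hash_hmac('md5', $username . '|' . $expiration, $key);
 
-    if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) {
+    if ( ! hash_equals( $hash, $hmac ) ) {
         /**
          * Fires if a bad authentication cookie hash is encountered.
@@ -1659,9 +1659,15 @@
 
     // Nonce generated 0-12 hours ago
-    if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) === $nonce )
+    $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid, 'nonce'), -12, 10 );
+    if ( hash_equals( $expected, $nonce ) ) {
         return 1;
+    }
+
     // Nonce generated 12-24 hours ago
-    if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) === $nonce )
+    $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid, 'nonce' ), -12, 10 );
+    if ( hash_equals( $expected, $nonce ) ) {
         return 2;
+    }
+
     // Invalid nonce
     return false;
@@ -1688,5 +1694,5 @@
     $i = wp_nonce_tick();
 
-    return substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10);
+    return substr(wp_hash($i . '|' . $action . '|' . $uid, 'nonce'), -12, 10);
 }
 endif;
@@ -2108,5 +2114,6 @@
         $avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo' height='{$size}' width='{$size}' />";
     } else {
-        $avatar = "<img alt='{$safe_alt}' src='{$default}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
+        $out = esc_url( $default );
+        $avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
     }
 
@@ -2201,2 +2208,34 @@
 endif;
 
+if ( ! function_exists( 'hash_equals' ) ) :
+/**
+ * Compare two strings in constant time.
+ *
+ * This function is NOT pluggable. It is in this file (in addition to
+ * compat.php) to prevent errors if, during an update, pluggable.php
+ * copies over but compat.php does not.
+ *
+ * This function was added in PHP 5.6.
+ * It can leak the length of a string.
+ *
+ * @since 3.9.2
+ *
+ * @param string $a Expected string.
+ * @param string $b Actual string.
+ * @return bool Whether strings are equal.
+ */
+function hash_equals( $a, $b ) {
+    $a_length = strlen( $a );
+    if ( $a_length !== strlen( $b ) ) {
+        return false;
+    }
+    $result = 0;
+
+    // Do not attempt to "optimize" this.
+    for ( $i = 0; $i < $a_length; $i++ ) {
+        $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
+    }
+
+    return $result === 0;
+}
+endif;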
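Review bot: In the nonce hunk at lines 1661–1668, $nonce is handed straight to hash_equals() although it comes from the request and need not be a string (a query parameter can arrive as an array); the native function then warns and returns false, and the fallback defined at lines 2227–2240 calls strlen() on it instead. A cast near the top of the function, `$nonce = (string) $nonce;`, or an `is_string( $nonce )` early return keeps both implementations on their documented path. The function's beginning and end lie outside the hunk. The hash_equals() copy at lines 2227–2240 likewise performs no is_string() check on its arguments, which is the same gap.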
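--- a/tags/3.9.2/src/wp-includes/version.php
+++ b/tags/3.9.2/src/wp-includes/version.php
@@ -5,5 +5,5 @@
  * @global string $wp_version
  */
-$wp_version = '3.9.1-src';
+$wp_version = '3.9.2-src';
 
 /**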
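--- a/tags/3.9.2/src/wp-login.php
+++ b/tags/3.9.2/src/wp-login.php
@@ -563,8 +563,23 @@
 case 'resetpass' :
 case 'rp' :
-    $user = check_password_reset_key($_GET['key'], $_GET['login']);
-
-    if ( is_wp_error($user) ) {
-        if ( $user->get_error_code() === 'expired_key' )
+    list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
+    $rp_cookie = 'wp-resetpass-' . COOKIEHASH;
+    if ( isset( $_GET['key'] ) ) {
+        $value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) );
+        setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
+        wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) );
+        exit;
+    }
+
+    if ( isset( $_COOKIE[ $rp_cookie ] ) && 0 < strpos( $_COOKIE[ $rp_cookie ], ':' ) ) {
+        list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );
+        $user = check_password_reset_key( $rp_key, $rp_login );
+    } else {
+        $user = false;
+    }
+
+    if ( ! $user || is_wp_error( $user ) ) {
+        setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
+        if ( $user && $user->get_error_code() === 'expired_key' )
             wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) );
         else
@@ -590,4 +605,5 @@
     if ( ( ! $errors->get_error_code() ) && isset( $_POST['pass1'] ) && !empty( $_POST['pass1'] ) ) {
         reset_password($user, $_POST['pass1']);
+        setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
         login_header( __( 'Password Reset' ), '<p class="message reset-pass">' . __( 'Your password has been reset.' ) . ' <a href="' . esc_url( wp_login_url() ) . '">' . __( 'Log in' ) . '</a></p>' );
         login_footer();
@@ -601,6 +617,6 @@
 
 ?>
-<form name="resetpassform" id="resetpassform" action="<?php echo esc_url( site_url( 'wp-login.php?action=resetpass&key=' . urlencode( $_GET['key'] ) . '&login=' . urlencode( $_GET['login'] ), 'login_post' ) ); ?>" method="post" autocomplete="off">
-    <input type="hidden" id="user_login" value="<?php echo esc_attr( $_GET['login'] ); ?>" autocomplete="off" />
+<form name="resetpassform" id="resetpassform" action="<?php echo esc_url( site_url( 'wp-login.php?action=resetpass', 'login_post' ) ); ?>" method="post" autocomplete="off">
+    <input type="hidden" id="user_login" value="<?php echo esc_attr( $rp_login ); ?>" autocomplete="off" />
 
     <p>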
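Review bot: Inside `if ( isset( $_GET['key'] ) )` at line 567 the new code reads $_GET['login'] unconditionally, so a request carrying only key produces an undefined-index notice and sets a cookie of the form ':key'; testing both parameters, `if ( isset( $_GET['key'], $_GET['login'] ) ) {`, avoids writing a cookie that the `0 < strpos()` check at line 574 will reject anyway. The cookie path is derived from REQUEST_URI and the cookie is cleared in two places, so a comment such as `// Move key/login out of the URL into a cookie scoped to this login path; it is cleared once the key is consumed or rejected.` above line 565 would explain the three setcookie() calls to a later reader. The surrounding switch case continues past the hunk.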