From 1bc66eba086c03946ae31c645ce41c43311de8cf Mon Sep 17 00:00:00 2001 From: Jake Spurlock Date: Thu, 29 Oct 2020 18:56:04 +0000 Subject: [PATCH] General: WordPress updates * XML-RPC: Improve error messages for unprivileged users. * External Libraries: Disable deserialization in Requests_Utility_FilteredIterator * Embeds: Disable embeds on deactivated Multisite sites. * Coding standards: Modify escaping functions to avoid potential false positives. * XML-RPC: Return error message if attachment ID is incorrect. * Upgrade/install: Improve logic check when determining installation status. * Meta: Sanitize meta key before checking protection status. * Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page. Brings the changes from [49380,49382-49388] to the 4.7 branch. Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32. git-svn-id: https://develop.svn.wordpress.org/branches/4.7@49399 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-admin/admin-header.php | 14 ++--- src/wp-admin/custom-background.php | 1 + src/wp-admin/custom-header.php | 2 +- src/wp-admin/includes/media.php | 2 +- src/wp-admin/includes/ms.php | 2 +- src/wp-admin/includes/template.php | 12 ++-- src/wp-admin/js/custom-background.js | 2 + src/wp-admin/js/media-gallery.js | 4 +- src/wp-admin/media-new.php | 4 +- src/wp-admin/network/site-users.php | 2 +- .../Requests/Utility/FilteredIterator.php | 1 + src/wp-includes/class-wp-xmlrpc-server.php | 19 ++++++- src/wp-includes/formatting.php | 13 +++-- src/wp-includes/meta.php | 5 +- .../tests/formatting/Utf8UriEncode.php | 2 +- tests/phpunit/tests/meta/isProtectedMeta.php | 55 +++++++++++++++++++ 16 files changed, 110 insertions(+), 30 deletions(-) create mode 100644 tests/phpunit/tests/meta/isProtectedMeta.php diff --git a/src/wp-admin/admin-header.php b/src/wp-admin/admin-header.php index d5ceeccd61..b91dad9610 100644 --- a/src/wp-admin/admin-header.php +++ b/src/wp-admin/admin-header.php @@ -75,13 +75,13 @@ wp_enqueue_script( 'svg-painter' ); $admin_body_class = preg_replace('/[^a-z0-9_-]+/i', '-', $hook_suffix); ?> diff --git a/src/wp-admin/custom-background.php b/src/wp-admin/custom-background.php index bea4084c30..58ffcddfc3 100644 --- a/src/wp-admin/custom-background.php +++ b/src/wp-admin/custom-background.php @@ -544,6 +544,7 @@ if ( current_theme_supports( 'custom-background', 'default-color' ) ) * @deprecated 3.5.0 */ public function wp_set_background_image() { + check_ajax_referer( 'custom-background' ); if ( ! current_user_can('edit_theme_options') || ! isset( $_POST['attachment_id'] ) ) exit; $attachment_id = absint($_POST['attachment_id']); /** This filter is documented in wp-admin/includes/media.php */ diff --git a/src/wp-admin/custom-header.php b/src/wp-admin/custom-header.php index 5cc64ef7bf..2ecf81ba53 100644 --- a/src/wp-admin/custom-header.php +++ b/src/wp-admin/custom-header.php @@ -326,7 +326,7 @@ class Custom_Image_Header { ?> addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}}; function tb_close(){var win=window.dialogArguments||opener||parent||top;win.tb_remove();} -var ajaxurl = '', - pagenow = 'id; ?>', - typenow = 'post_type; ?>', - adminpage = '', - thousandsSeparator = 'number_format['thousands_sep'] ); ?>', - decimalPoint = 'number_format['decimal_point'] ); ?>', +var ajaxurl = '', + pagenow = 'id ); ?>', + typenow = 'post_type ); ?>', + adminpage = '', + thousandsSeparator = 'number_format['thousands_sep'] ); ?>', + decimalPoint = 'number_format['decimal_point'] ); ?>', isRtl = ; - +
diff --git a/src/wp-admin/network/site-users.php b/src/wp-admin/network/site-users.php index fcd1a863d0..fc85185672 100644 --- a/src/wp-admin/network/site-users.php +++ b/src/wp-admin/network/site-users.php @@ -208,7 +208,7 @@ if ( ! wp_is_large_network( 'users' ) && apply_filters( 'show_network_site_users require( ABSPATH . 'wp-admin/admin-header.php' ); ?> diff --git a/src/wp-includes/Requests/Utility/FilteredIterator.php b/src/wp-includes/Requests/Utility/FilteredIterator.php index 76a29e7228..b90cbcd76a 100644 --- a/src/wp-includes/Requests/Utility/FilteredIterator.php +++ b/src/wp-includes/Requests/Utility/FilteredIterator.php @@ -42,4 +42,5 @@ class Requests_Utility_FilteredIterator extends ArrayIterator { $value = call_user_func($this->callback, $value); return $value; } + } diff --git a/src/wp-includes/class-wp-xmlrpc-server.php b/src/wp-includes/class-wp-xmlrpc-server.php index 9b80f0dfe1..b057429cfc 100644 --- a/src/wp-includes/class-wp-xmlrpc-server.php +++ b/src/wp-includes/class-wp-xmlrpc-server.php @@ -3580,6 +3580,21 @@ class wp_xmlrpc_server extends IXR_Server { return new IXR_Error( 403, __( 'Comment is required.' ) ); } + if ( + 'publish' === get_post_status( $post_id ) && + ! current_user_can( 'edit_post', $post_id ) && + post_password_required( $post_id ) + ) { + return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) ); + } + + if ( + 'private' === get_post_status( $post_id ) && + ! current_user_can( 'read_post', $post_id ) + ) { + return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) ); + } + $comment = array( 'comment_post_ID' => $post_id, 'comment_content' => $content_struct['content'], @@ -3965,8 +3980,10 @@ class wp_xmlrpc_server extends IXR_Server { /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ do_action( 'xmlrpc_call', 'wp.getMediaItem' ); - if ( ! $attachment = get_post($attachment_id) ) + $attachment = get_post( $attachment_id ); + if ( ! $attachment || 'attachment' !== $attachment->post_type ) { return new IXR_Error( 404, __( 'Invalid attachment ID.' ) ); + } return $this->_prepare_media_item( $attachment ); } diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php index bf723e2597..3c0e41e27f 100644 --- a/src/wp-includes/formatting.php +++ b/src/wp-includes/formatting.php @@ -1076,9 +1076,9 @@ function wp_check_invalid_utf8( $string, $strip = false ) { * @return string String with Unicode encoded for URI. */ function utf8_uri_encode( $utf8_string, $length = 0 ) { - $unicode = ''; - $values = array(); - $num_octets = 1; + $unicode = ''; + $values = array(); + $num_octets = 1; $unicode_length = 0; mbstring_binary_safe_encoding(); @@ -1090,9 +1090,10 @@ function utf8_uri_encode( $utf8_string, $length = 0 ) { $value = ord( $utf8_string[ $i ] ); if ( $value < 128 ) { - if ( $length && ( $unicode_length >= $length ) ) + if ( $length && ( $unicode_length >= $length ) ) { break; - $unicode .= chr($value); + } + $unicode .= chr( $value ); $unicode_length++; } else { if ( count( $values ) == 0 ) { @@ -1992,7 +1993,7 @@ function sanitize_title_with_dashes( $title, $raw_title = '', $context = 'displa if (function_exists('mb_strtolower')) { $title = mb_strtolower($title, 'UTF-8'); } - $title = utf8_uri_encode($title, 200); + $title = utf8_uri_encode( $title, 200 ); } $title = strtolower($title); diff --git a/src/wp-includes/meta.php b/src/wp-includes/meta.php index cd3cc74606..eaac2fff34 100644 --- a/src/wp-includes/meta.php +++ b/src/wp-includes/meta.php @@ -916,8 +916,9 @@ function _get_meta_table($type) { * @param string|null $meta_type * @return bool True if the key is protected, false otherwise. */ -function is_protected_meta( $meta_key, $meta_type = null ) { - $protected = ( '_' == $meta_key[0] ); +function is_protected_meta( $meta_key, $meta_type = '' ) { + $sanitized_key = preg_replace( "/[^\x20-\x7E\p{L}]/", '', $meta_key ); + $protected = strlen( $sanitized_key ) > 0 && ( '_' === $sanitized_key[0] ); /** * Filters whether a meta key is protected. diff --git a/tests/phpunit/tests/formatting/Utf8UriEncode.php b/tests/phpunit/tests/formatting/Utf8UriEncode.php index 2389c9a345..e5724441f8 100644 --- a/tests/phpunit/tests/formatting/Utf8UriEncode.php +++ b/tests/phpunit/tests/formatting/Utf8UriEncode.php @@ -12,7 +12,7 @@ class Tests_Formatting_Utf8UriEncode extends WP_UnitTestCase { * @dataProvider data */ function test_percent_encodes_non_reserved_characters( $utf8, $urlencoded ) { - $this->assertEquals($urlencoded, utf8_uri_encode( $utf8 ) ); + $this->assertEquals( $urlencoded, utf8_uri_encode( $utf8 ) ); } /** diff --git a/tests/phpunit/tests/meta/isProtectedMeta.php b/tests/phpunit/tests/meta/isProtectedMeta.php new file mode 100644 index 0000000000..c204d381f5 --- /dev/null +++ b/tests/phpunit/tests/meta/isProtectedMeta.php @@ -0,0 +1,55 @@ +assertTrue( is_protected_meta( $key ) ); + } + + public function protected_data() { + $protected_keys = array( + array( '_wp_attachment' ), + ); + for ( $i = 0, $max = 31; $i < $max; $i ++ ) { + $protected_keys[] = array( chr( $i ) . '_wp_attachment' ); + } + for ( $i = 127, $max = 159; $i <= $max; $i ++ ) { + $protected_keys[] = array( chr( $i ) . '_wp_attachment' ); + } + $protected_keys[] = array( chr( 95 ) . '_wp_attachment' ); + + return $protected_keys; + } + + /** + * @dataProvider unprotected_data + */ + public function test_unprotected( $key ) { + $this->assertFalse( is_protected_meta( $key ) ); + } + + public function unprotected_data() { + $unprotected_keys = array( + array( 'singleword' ), + array( 'two_words' ), + array( 'ąŌ_not_so_protected_meta' ), + ); + + for ( $i = 32, $max = 94; $i <= $max; $i ++ ) { + $unprotected_keys[] = array( chr( $i ) . '_wp_attachment' ); + } + for ( $i = 96, $max = 126; $i <= $max; $i ++ ) { + $unprotected_keys[] = array( chr( $i ) . '_wp_attachment' ); + } + + return $unprotected_keys; + } + +}