From 375d3d8775c43d8a3d3a7bf7664912bce84a6451 Mon Sep 17 00:00:00 2001
From: Jake Spurlock <whyisjake@git.wordpress.org>
Date: Mon, 14 Oct 2019 18:49:56 +0000
Subject: [PATCH] Backporting several bug fixes.

- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.7 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@46495 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/class-wp-query.php |  13 +++-
 src/wp-includes/class-wp.php       |   2 +-
 src/wp-includes/functions.php      |   5 ++
 src/wp-includes/http.php           |   5 +-
 src/wp-includes/pluggable.php      |   5 +-
 src/wp-includes/rest-api.php       |   4 +-
 tests/phpunit/tests/auth.php       |   9 +++
 tests/phpunit/tests/query/vars.php | 107 +++++++++++++++--------------
 8 files changed, 88 insertions(+), 62 deletions(-)

diff --git a/src/wp-includes/class-wp-query.php b/src/wp-includes/class-wp-query.php
index c0de352c2d..787240f9d1 100644
--- a/src/wp-includes/class-wp-query.php
+++ b/src/wp-includes/class-wp-query.php
@@ -582,7 +582,6 @@ class WP_Query {
 			, 'attachment'
 			, 'attachment_id'
 			, 'name'
-			, 'static'
 			, 'pagename'
 			, 'page_id'
 			, 'second'
@@ -811,7 +810,7 @@ class WP_Query {
 			// If year, month, day, hour, minute, and second are set, a single
 			// post is being queried.
 			$this->is_single = true;
-		} elseif ( '' != $qv['static'] || '' != $qv['pagename'] || !empty($qv['page_id']) ) {
+		} elseif ( '' != $qv['pagename'] || !empty($qv['page_id']) ) {
 			$this->is_page = true;
 			$this->is_single = false;
 		} else {
@@ -3048,7 +3047,15 @@ class WP_Query {
 			 */
 			$this->found_posts = $wpdb->get_var( apply_filters_ref_array( 'found_posts_query', array( 'SELECT FOUND_ROWS()', &$this ) ) );
 		} else {
-			$this->found_posts = count( $this->posts );
+			if ( is_array( $this->posts ) ) {
+				$this->found_posts = count( $this->posts );
+			} else {
+				if ( null === $this->posts ) {
+					$this->found_posts = 0;
+				} else {
+					$this->found_posts = 1;
+				}
+			}
 		}
 
 		/**
diff --git a/src/wp-includes/class-wp.php b/src/wp-includes/class-wp.php
index 63c7f0a2c6..fd3e08df50 100644
--- a/src/wp-includes/class-wp.php
+++ b/src/wp-includes/class-wp.php
@@ -15,7 +15,7 @@ class WP {
 	 * @access public
 	 * @var array
 	 */
-	public $public_query_vars = array('m', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'static', 'pagename', 'page_id', 'error', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );
+	public $public_query_vars = array( 'm', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'pagename', 'page_id', 'error', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );
 
 	/**
 	 * Private query variables.
diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
index c0bd2004b4..e95b7380fc 100644
--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -1608,6 +1608,11 @@ function wp_mkdir_p( $target ) {
 	if ( file_exists( $target ) )
 		return @is_dir( $target );
 
+	// Do not allow path traversals.
+	if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
+		return false;
+	}
+
 	// We need to find the permissions of the parent folder that exists and inherit that.
 	$target_parent = dirname( $target );
 	while ( '.' != $target_parent && ! is_dir( $target_parent ) ) {
diff --git a/src/wp-includes/http.php b/src/wp-includes/http.php
index 2c746a71db..c7e2d550dc 100644
--- a/src/wp-includes/http.php
+++ b/src/wp-includes/http.php
@@ -541,8 +541,9 @@ function wp_http_validate_url( $url ) {
 			$ip = $host;
 		} else {
 			$ip = gethostbyname( $host );
-			if ( $ip === $host ) // Error condition for gethostbyname()
-				$ip = false;
+			if ( $ip === $host ) { // Error condition for gethostbyname()
+				return false;
+			}
 		}
 		if ( $ip ) {
 			$parts = array_map( 'intval', explode( '.', $ip ) );
diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php
index b7076fda8f..6b5c75c23b 100644
--- a/src/wp-includes/pluggable.php
+++ b/src/wp-includes/pluggable.php
@@ -1055,7 +1055,7 @@ if ( !function_exists('check_admin_referer') ) :
  *                   0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
  */
 function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
-	if ( -1 == $action )
+	if ( -1 === $action )
 		_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
 
 	$adminurl = strtolower(admin_url());
@@ -1073,7 +1073,7 @@ function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
 	 */
 	do_action( 'check_admin_referer', $action, $result );
 
-	if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
+	if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
 		wp_nonce_ays( $action );
 		die();
 	}
@@ -2518,4 +2518,3 @@ function wp_text_diff( $left_string, $right_string, $args = null ) {
 	return $r;
 }
 endif;
-
diff --git a/src/wp-includes/rest-api.php b/src/wp-includes/rest-api.php
index c83f9125b1..606a978797 100644
--- a/src/wp-includes/rest-api.php
+++ b/src/wp-includes/rest-api.php
@@ -528,7 +528,9 @@ function rest_send_cors_headers( $value ) {
 		header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
 		header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
 		header( 'Access-Control-Allow-Credentials: true' );
-		header( 'Vary: Origin' );
+		header( 'Vary: Origin', false );
+	} elseif ( ! headers_sent() && 'GET' === $_SERVER['REQUEST_METHOD'] && ! is_user_logged_in() ) {
+		header( 'Vary: Origin', false );
 	}
 
 	return $value;
diff --git a/tests/phpunit/tests/auth.php b/tests/phpunit/tests/auth.php
index 581e856f64..dbba15eabb 100644
--- a/tests/phpunit/tests/auth.php
+++ b/tests/phpunit/tests/auth.php
@@ -163,6 +163,15 @@ class Tests_Auth extends WP_UnitTestCase {
 		unset( $_REQUEST['_wpnonce'] );
 	}
 
+	public function test_check_admin_referer_with_default_action_as_string_not_doing_it_wrong() {
+		// A valid nonce needs to be set so the check doesn't die()
+		$_REQUEST['_wpnonce'] = wp_create_nonce( '-1' );
+		$result               = check_admin_referer( '-1' );
+		$this->assertSame( 1, $result );
+
+		unset( $_REQUEST['_wpnonce'] );
+	}
+
 	/**
 	 * @ticket 36361
 	 */
diff --git a/tests/phpunit/tests/query/vars.php b/tests/phpunit/tests/query/vars.php
index 758fb86580..705d3852b9 100644
--- a/tests/phpunit/tests/query/vars.php
+++ b/tests/phpunit/tests/query/vars.php
@@ -16,61 +16,64 @@ class Tests_Query_Vars extends WP_UnitTestCase {
 		// Re-initialise any dynamically-added public query vars:
 		do_action( 'init' );
 
-		$this->assertEquals( array(
+		$this->assertEquals(
+			array(
 
-			// Static public query vars:
-			'm',
-			'p',
-			'posts',
-			'w',
-			'cat',
-			'withcomments',
-			'withoutcomments',
-			's',
-			'search',
-			'exact',
-			'sentence',
-			'calendar',
-			'page',
-			'paged',
-			'more',
-			'tb',
-			'pb',
-			'author',
-			'order',
-			'orderby',
-			'year',
-			'monthnum',
-			'day',
-			'hour',
-			'minute',
-			'second',
-			'name',
-			'category_name',
-			'tag',
-			'feed',
-			'author_name',
-			'static',
-			'pagename',
-			'page_id',
-			'error',
-			'attachment',
-			'attachment_id',
-			'subpost',
-			'subpost_id',
-			'preview',
-			'robots',
-			'taxonomy',
-			'term',
-			'cpage',
-			'post_type',
-			'embed',
+				// Static public query vars:
+				'm',
+				'p',
+				'posts',
+				'w',
+				'cat',
+				'withcomments',
+				'withoutcomments',
+				's',
+				'search',
+				'exact',
+				'sentence',
+				'calendar',
+				'page',
+				'paged',
+				'more',
+				'tb',
+				'pb',
+				'author',
+				'order',
+				'orderby',
+				'year',
+				'monthnum',
+				'day',
+				'hour',
+				'minute',
+				'second',
+				'name',
+				'category_name',
+				'tag',
+				'feed',
+				'author_name',
+				'pagename',
+				'page_id',
+				'error',
+				'attachment',
+				'attachment_id',
+				'subpost',
+				'subpost_id',
+				'preview',
+				'robots',
+				'taxonomy',
+				'term',
+				'cpage',
+				'post_type',
+				'embed',
 
-			// Dynamically added public query vars:
-			'post_format',
-			'rest_route',
+				// Dynamically added public query vars:
+				'post_format',
+				'rest_route',
 
-		), $wp->public_query_vars, 'Care should be taken when introducing new public query vars. See https://core.trac.wordpress.org/ticket/35115' );
+			),
+			$wp->public_query_vars,
+			'Care should be taken when introducing new public query vars. See https://core.trac.wordpress.org/ticket/35115'
+		);
 	}
 
 }