From 4de2e30bb4527ff29d4b55e39eaa2ba5dd4f64e5 Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Sun, 30 Oct 2016 20:20:54 +0000
Subject: [PATCH] Customize: Prevent auto-draft post/page stubs from being saved with empty slugs or published with non-unique slugs.

* Allow `WP_Customize_Nav_Menus::insert_auto_draft_post()` to take full post array to pass to `wp_insert_post()`, except for `post_status`. Require `post_title`.
* Ensure empty `post_name` gets explicitly set to slugified `post_title`.
* Explicitly allow only `post_type` and `post_title` params in `WP_Customize_Nav_Menus::ajax_insert_auto_draft_post()`.
* Use `wp_update_post()` instead of `wp_publish_post()` to ensure unique slugs are assigned to published auto-draft posts.
* Re-use `WP_Customize_Nav_Menus::insert_auto_draft_post()` when inserting stubs from starter content.

See #38114, #38013, #34923.
Fixes #38539.

git-svn-id: https://develop.svn.wordpress.org/trunk@39038 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../class-wp-customize-manager.php          |  8 +--
 .../class-wp-customize-nav-menus.php        | 52 +++++++++++--------
 tests/phpunit/tests/ajax/CustomizeMenus.php | 20 +++++++
 tests/phpunit/tests/customize/nav-menus.php | 19 ++++++-
 4 files changed, 73 insertions(+), 26 deletions(-)

diff --git a/src/wp-includes/class-wp-customize-manager.php b/src/wp-includes/class-wp-customize-manager.php
index 4862de4525..f96a220349 100644
--- a/src/wp-includes/class-wp-customize-manager.php
+++ b/src/wp-includes/class-wp-customize-manager.php
@@ -959,10 +959,10 @@ final class WP_Customize_Manager {
 		// Posts & pages.
 		if ( ! empty( $posts ) ) {
 			foreach ( array_keys( $posts ) as $post_symbol ) {
-				$posts[ $post_symbol ]['ID'] = wp_insert_post( wp_slash( array_merge(
-					$posts[ $post_symbol ],
-					array( 'post_status' => 'auto-draft' )
-				) ) );
+				$r = $this->nav_menus->insert_auto_draft_post( $posts[ $post_symbol ] );
+				if ( $r instanceof WP_Post ) {
+					$posts[ $post_symbol ]['ID'] = $r->ID;
+				}
 			}
 			$this->set_post_value( 'nav_menus_created_posts', wp_list_pluck( $posts, 'ID' ) ); // This is why nav_menus component is dependency for adding posts.
 		}
diff --git a/src/wp-includes/class-wp-customize-nav-menus.php b/src/wp-includes/class-wp-customize-nav-menus.php
index ec60c2f344..66dd4660a5 100644
--- a/src/wp-includes/class-wp-customize-nav-menus.php
+++ b/src/wp-includes/class-wp-customize-nav-menus.php
@@ -734,10 +734,12 @@ final class WP_Customize_Nav_Menus {
 	 * @since 4.7.0
 	 *
 	 * @param array $postarr {
-	 *     Abbreviated post array.
+	 *     Post array. Note that post_status is overridden to be `auto-draft`.
 	 *
-	 *     @var string $post_title Post title.
-	 *     @var string $post_type  Post type.
+	 *     @var string $post_title   Post title. Required.
+	 *     @var string $post_type    Post type. Required.
+	 *     @var string $post_name    Post name.
+	 *     @var string $post_content Post content.
 	 * }
 	 * @return WP_Post|WP_Error Inserted auto-draft post object or error.
 	 */
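Review bot: When `insert_auto_draft_post()` returns a `WP_Error` (which it now does for a missing `post_title` or a supplied `post_status`), the `instanceof WP_Post` guard skips the symbol but leaves it in `$posts`, so the `wp_list_pluck( $posts, 'ID' )` on the next line reads an `ID` key that was never set — as far as I can tell from `wp_list_pluck()` that yields an undefined-index notice and a null entry in `nav_menus_created_posts`, and the error itself is lost. I would drop the failed symbol before plucking, `} else { unset( $posts[ $post_symbol ] ); }` (safe inside this loop because it iterates over `array_keys( $posts )`), and surface the error with `_doing_it_wrong()` or a debug log so a theme author learns why a starter-content stub did not appear. Whether later code in this method still expects every symbol to be present in `$posts` is outside the hunk, so that should be checked before unsetting; the enclosing method starts before the hunk.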
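Review bot: The updated `$postarr` docblock lists only `post_name` and `post_content` as extras, but the body of this method (visible in the next hunk) now forwards the whole array to `wp_insert_post()`, so `post_author`, `post_parent`, `post_date`, `meta_input`, `tax_input`, `ID` and every other key it understands are accepted too; the doc reads like a four-key whitelist when there is none. Since this is a public method, I would say so explicitly and push the filtering duty to callers, e.g. `Post array. Any key accepted by wp_insert_post() is forwarded unchanged except post_status, which is overridden to be `auto-draft`; callers passing untrusted input must whitelist keys themselves (see ajax_insert_auto_draft_post()).` The start of this docblock and the method signature are outside the hunk.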
@@ -745,18 +747,22 @@ final class WP_Customize_Nav_Menus {
 		if ( ! isset( $postarr['post_type'] ) || ! post_type_exists( $postarr['post_type'] ) ) {
 			return new WP_Error( 'unknown_post_type', __( 'Unknown post type' ) );
 		}
-		if ( ! isset( $postarr['post_title'] ) ) {
-			$postarr['post_title'] = '';
+		if ( empty( $postarr['post_title'] ) ) {
+			return new WP_Error( 'empty_title', __( 'Empty title' ) );
+		}
+		if ( ! empty( $postarr['post_status'] ) ) {
+			return new WP_Error( 'status_forbidden', __( 'Status is forbidden' ) );
+		}
+
+		$postarr['post_status'] = 'auto-draft';
+
+		// Auto-drafts are allowed to have empty post_names, so it has to be explicitly set.
+		if ( empty( $postarr['post_name'] ) ) {
+			$postarr['post_name'] = sanitize_title( $postarr['post_title'] );
 		}
 
 		add_filter( 'wp_insert_post_empty_content', '__return_false', 1000 );
-		$args = array(
-			'post_status' => 'auto-draft',
-			'post_type'   => $postarr['post_type'],
-			'post_title'  => $postarr['post_title'],
-			'post_name'   => sanitize_title( $postarr['post_title'] ), // Auto-drafts are allowed to have empty post_names, so we need to explicitly set it.
-		);
-		$r = wp_insert_post( wp_slash( $args ), true );
+		$r = wp_insert_post( wp_slash( $postarr ), true );
 		remove_filter( 'wp_insert_post_empty_content', '__return_false', 1000 );
 
 		if ( is_wp_error( $r ) ) {
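Review bot: The new guards reject a caller-supplied `post_status` but not a caller-supplied `ID`, and `wp_insert_post()` treats a non-zero `ID` as an update of that existing post — so `insert_auto_draft_post( array( 'ID' => 123, 'post_type' => 'post', 'post_title' => 'x' ) )` would flip post 123 to `auto-draft` and overwrite its title and slug, the opposite of the "Inserted auto-draft post" contract in the return doc. Neither caller on this page passes `ID` (the AJAX handler whitelists keys, and starter content is theme-supplied as far as I can see), so this is defence in depth rather than a live exploit, but a public method should not rely on that; next to the status check add `if ( ! empty( $postarr['ID'] ) ) { return new WP_Error( 'id_forbidden', __( 'ID is forbidden' ) ); }`. Separately, `empty( $postarr['post_title'] )` also rejects the legitimate title `'0'`; `! isset( $postarr['post_title'] ) || '' === $postarr['post_title']` is the precise check. The method's return statements continue outside the hunk.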
@@ -785,15 +791,18 @@ final class WP_Customize_Nav_Menus {
 			wp_send_json_error( 'missing_params', 400 );
 		}
 
-		$params = wp_array_slice_assoc(
-			array_merge(
-				array(
-					'post_type' => '',
-					'post_title' => '',
-				),
-				wp_unslash( $_POST['params'] )
+		$params = wp_unslash( $_POST['params'] );
+		$illegal_params = array_diff( array_keys( $params ), array( 'post_type', 'post_title' ) );
+		if ( ! empty( $illegal_params ) ) {
+			wp_send_json_error( 'illegal_params', 400 );
+		}
+
+		$params = array_merge(
+			array(
+				'post_type' => '',
+				'post_title' => '',
 			),
-			array( 'post_type', 'post_title' )
+			$params
 		);
 
 		if ( empty( $params['post_type'] ) || ! post_type_exists( $params['post_type'] ) ) {
@@ -1139,7 +1148,8 @@ final class WP_Customize_Nav_Menus {
 		$post_ids = $setting->post_value();
 		if ( ! empty( $post_ids ) ) {
 			foreach ( $post_ids as $post_id ) {
-				wp_publish_post( $post_id );
+				// Note that wp_publish_post() cannot be used because unique slugs need to be assigned.
+				wp_update_post( array( 'ID' => $post_id, 'post_status' => 'publish' ) );
 			}
 		}
 	}
diff --git a/tests/phpunit/tests/ajax/CustomizeMenus.php b/tests/phpunit/tests/ajax/CustomizeMenus.php
index 28871b749b..8614350b2b 100644
--- a/tests/phpunit/tests/ajax/CustomizeMenus.php
+++ b/tests/phpunit/tests/ajax/CustomizeMenus.php
@@ -547,6 +547,10 @@ class Tests_Ajax_CustomizeMenus extends WP_Ajax_UnitTestCase {
 		$this->assertTrue( $response['success'] );
 		$this->assertArrayHasKey( 'post_id', $response['data'] );
 		$this->assertArrayHasKey( 'url', $response['data'] );
+		$post = get_post( $response['data']['post_id'] );
+		$this->assertEquals( 'Hello World', $post->post_title );
+		$this->assertEquals( 'post', $post->post_type );
+		$this->assertEquals( 'hello-world', $post->post_name );
 	}
 
 	/**
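Review bot: `array_keys( $params )` on the line after the `wp_unslash()` call assumes `$_POST['params']` is an array, but the only guard above it reports `missing_params` (its condition is outside the hunk; an `empty()`-style check would let a scalar through), so a request sending `params=foo` makes `array_keys()` warn and return null on PHP 5/7 (a `TypeError` on PHP 8) and `array_diff( null, ... )` then misbehaves instead of producing a clean 400. Because this is untrusted request input, add an explicit shape check before the whitelist: `if ( ! is_array( $params ) ) { wp_send_json_error( 'illegal_params', 400 ); }`. The nonce and capability checks for this handler are before the hunk, so I am taking them as given.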
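Review bot: The replacement loop publishes every ID in `$setting->post_value()` without confirming the post is still an `auto-draft` (or exists at all), and the result of `wp_update_post()` — `0` on failure, since the second argument is not `true` — is discarded, so a failed publish goes unnoticed. Presumably the setting's sanitize callback is what limits this list to the current user's own stubs; if so it is the single barrier, and a cheap in-loop check, `if ( 'auto-draft' !== get_post_status( $post_id ) ) { continue; }`, would keep a stale or tampered ID from re-publishing an unrelated post even if that callback changes. The enclosing method starts before the hunk, so I cannot see whether the status is re-validated there.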
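Review bot: The new assertions check the inserted stub's title, type and slug but not that its `post_status` is `auto-draft`, which is the property this commit forces and protects with the new `status_forbidden` error. One more line after the slug check, `$this->assertEquals( 'auto-draft', $post->post_status );`, pins it. The test method starts before the hunk.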
@@ -635,5 +639,21 @@ class Tests_Ajax_CustomizeMenus extends WP_Ajax_UnitTestCase {
 		$response = json_decode( $this->_last_response, true );
 		$this->assertFalse( $response['success'] );
 		$this->assertEquals( 'missing_post_title', $response['data'] );
+
+		// illegal_params.
+		$_POST = wp_slash( array(
+			'customize-menus-nonce' => wp_create_nonce( 'customize-menus' ),
+			'params' => array(
+				'post_type' => 'post',
+				'post_title' => 'OK',
+				'post_name' => 'bad',
+				'post_content' => 'bad',
+			),
+		) );
+		$this->_last_response = '';
+		$this->make_ajax_call( 'customize-nav-menus-insert-auto-draft' );
+		$response = json_decode( $this->_last_response, true );
+		$this->assertFalse( $response['success'] );
+		$this->assertEquals( 'illegal_params', $response['data'] );
 	}
 }
diff --git a/tests/phpunit/tests/customize/nav-menus.php b/tests/phpunit/tests/customize/nav-menus.php
index 06e2333be3..f8b38a181f 100644
--- a/tests/phpunit/tests/customize/nav-menus.php
+++ b/tests/phpunit/tests/customize/nav-menus.php
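Review bot: The `illegal_params` case only exercises extra keys inside an array; a scalar `params` value, `'params' => 'not-an-array'`, is the other malformed shape a client can send to this endpoint and is not covered, and from the handler hunk on this page its behaviour looks PHP-version dependent. A request with that payload and an assertion that `$response['success']` is false and the status is 400 would pin what the handler is meant to do with it. The test method starts before the hunk.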
@@ -542,11 +542,22 @@ class Test_WP_Customize_Nav_Menus extends WP_UnitTestCase {
 		$this->assertInstanceOf( 'WP_Error', $r );
 		$this->assertEquals( 'unknown_post_type', $r->get_error_code() );
 
+		$r = $menus->insert_auto_draft_post( array( 'post_status' => 'publish', 'post_title' => 'Bad', 'post_type' => 'post' ) );
+		$this->assertInstanceOf( 'WP_Error', $r );
+		$this->assertEquals( 'status_forbidden', $r->get_error_code() );
+
 		$r = $menus->insert_auto_draft_post( array( 'post_title' => 'Hello World', 'post_type' => 'post' ) );
 		$this->assertInstanceOf( 'WP_Post', $r );
 		$this->assertEquals( 'Hello World', $r->post_title );
+		$this->assertEquals( 'hello-world', $r->post_name );
 		$this->assertEquals( 'post', $r->post_type );
-		$this->assertEquals( sanitize_title( $r->post_title ), $r->post_name );
+
+		$r = $menus->insert_auto_draft_post( array( 'post_title' => 'Hello World', 'post_type' => 'post', 'post_name' => 'greetings-world', 'post_content' => 'Hi World' ) );
+		$this->assertInstanceOf( 'WP_Post', $r );
+		$this->assertEquals( 'Hello World', $r->post_title );
+		$this->assertEquals( 'post', $r->post_type );
+		$this->assertEquals( 'greetings-world', $r->post_name );
+		$this->assertEquals( 'Hi World', $r->post_content );
 	}
 
 	/**
@@ -731,6 +742,7 @@ class Test_WP_Customize_Nav_Menus extends WP_UnitTestCase {
 		$post_ids = $this->factory()->post->create_many( 3, array(
 			'post_status' => 'auto-draft',
 			'post_type' => 'post',
+			'post_name' => 'auto-draft',
 		) );
 		$pre_published_post_id = $this->factory()->post->create( array( 'post_status' => 'publish' ) );
 
@@ -750,6 +762,11 @@ class Test_WP_Customize_Nav_Menus extends WP_UnitTestCase {
 		foreach ( $post_ids as $post_id ) {
 			$this->assertEquals( 'publish', get_post_status( $post_id ) );
 		}
+
+		// Ensure that unique slugs were assigned.
+		$posts = array_map( 'get_post', $post_ids );
+		$post_names = wp_list_pluck( $posts, 'post_name' );
+		$this->assertEqualSets( $post_names, array_unique( $post_names ) );
 	}
 
 	/**
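Review bot: Both success cases assert title, type, slug and content of the returned post but never that `post_status` is `auto-draft`, which is the guarantee the new `status_forbidden` branch exists to provide; add `$this->assertEquals( 'auto-draft', $r->post_status );` after each `assertInstanceOf( 'WP_Post', $r )`. A further negative case passing `'ID' => $existing_post_id` would also document whether the method is meant to be insert-only, since nothing in the method body shown on this page rejects that key and `wp_insert_post()` treats it as an update. The test method starts before the hunk.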