From 96c3a010199bd86214d040e63f4bd314d90007ff Mon Sep 17 00:00:00 2001 From: "Aaron D. Campbell" Date: Tue, 16 May 2017 14:47:08 +0000 Subject: [PATCH] Add nonce for updating file system credentials. git-svn-id: https://develop.svn.wordpress.org/trunk@40723 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-admin/includes/file.php | 33 ++++++++++++++++++++++++--------- src/wp-admin/js/updates.js | 4 ++++ 2 files changed, 28 insertions(+), 9 deletions(-) diff --git a/src/wp-admin/includes/file.php b/src/wp-admin/includes/file.php index 1f32c9728d..b1f447ea62 100644 --- a/src/wp-admin/includes/file.php +++ b/src/wp-admin/includes/file.php @@ -1091,14 +1091,28 @@ function request_filesystem_credentials( $form_post, $type = '', $error = false, $credentials = get_option('ftp_credentials', array( 'hostname' => '', 'username' => '')); + $submitted_form = wp_unslash( $_POST ); + + // Verify nonce, or unset submitted form field values on failure + if ( ! isset( $_POST['_fs_nonce'] ) || ! wp_verify_nonce( $_POST['_fs_nonce'], 'filesystem-credentials' ) ) { + unset( + $submitted_form['hostname'], + $submitted_form['username'], + $submitted_form['password'], + $submitted_form['public_key'], + $submitted_form['private_key'], + $submitted_form['connection_type'] + ); + } + // If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option) - $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? wp_unslash( $_POST['hostname'] ) : $credentials['hostname']); - $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? wp_unslash( $_POST['username'] ) : $credentials['username']); - $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? wp_unslash( $_POST['password'] ) : ''); + $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($submitted_form['hostname']) ? $submitted_form['hostname'] : $credentials['hostname']); + $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($submitted_form['username']) ? $submitted_form['username'] : $credentials['username']); + $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($submitted_form['password']) ? $submitted_form['password'] : ''); // Check to see if we are setting the public/private keys for ssh - $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? wp_unslash( $_POST['public_key'] ) : ''); - $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? wp_unslash( $_POST['private_key'] ) : ''); + $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($submitted_form['public_key']) ? $submitted_form['public_key'] : ''); + $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($submitted_form['private_key']) ? $submitted_form['private_key'] : ''); // Sanitize the hostname, Some people might pass in odd-data: $credentials['hostname'] = preg_replace('|\w+://|', '', $credentials['hostname']); //Strip any schemes off @@ -1115,8 +1129,8 @@ function request_filesystem_credentials( $form_post, $type = '', $error = false, $credentials['connection_type'] = 'ssh'; } elseif ( ( defined( 'FTP_SSL' ) && FTP_SSL ) && 'ftpext' == $type ) { //Only the FTP Extension understands SSL $credentials['connection_type'] = 'ftps'; - } elseif ( ! empty( $_POST['connection_type'] ) ) { - $credentials['connection_type'] = wp_unslash( $_POST['connection_type'] ); + } elseif ( ! empty( $submitted_form['connection_type'] ) ) { + $credentials['connection_type'] = $submitted_form['connection_type']; } elseif ( ! isset( $credentials['connection_type'] ) ) { //All else fails (And it's not defaulted to something else saved), Default to FTP $credentials['connection_type'] = 'ftp'; } @@ -1255,11 +1269,12 @@ if ( isset( $types['ssh'] ) ) { } foreach ( (array) $extra_fields as $field ) { - if ( isset( $_POST[ $field ] ) ) - echo ''; + if ( isset( $submitted_form[ $field ] ) ) + echo ''; } ?>

+

diff --git a/src/wp-admin/js/updates.js b/src/wp-admin/js/updates.js index 5bedfa2c30..233714f589 100644 --- a/src/wp-admin/js/updates.js +++ b/src/wp-admin/js/updates.js @@ -94,6 +94,7 @@ * @type {object} filesystemCredentials.ssh Holds SSH credentials. * @type {string} filesystemCredentials.ssh.publicKey The public key. Default empty string. * @type {string} filesystemCredentials.ssh.privateKey The private key. Default empty string. + * @type {string} filesystemCredentials.fsNonce Filesystem credentials form nonce. * @type {bool} filesystemCredentials.available Whether filesystem credentials have been provided. * Default 'false'. */ @@ -108,6 +109,7 @@ publicKey: '', privateKey: '' }, + fsNonce: '', available: false }; @@ -225,6 +227,7 @@ options.data = _.extend( data, { action: action, _ajax_nonce: wp.updates.ajaxNonce, + _fs_nonce: wp.updates.filesystemCredentials.fsNonce, username: wp.updates.filesystemCredentials.ftp.username, password: wp.updates.filesystemCredentials.ftp.password, hostname: wp.updates.filesystemCredentials.ftp.hostname, @@ -1706,6 +1709,7 @@ wp.updates.filesystemCredentials.ftp.connectionType = $( 'input[name="connection_type"]:checked' ).val(); wp.updates.filesystemCredentials.ssh.publicKey = $( '#public_key' ).val(); wp.updates.filesystemCredentials.ssh.privateKey = $( '#private_key' ).val(); + wp.updates.filesystemCredentials.fsNonce = $( '#_fs_nonce' ).val(); wp.updates.filesystemCredentials.available = true; // Unlock and invoke the queue.