From 20821b59c0d3c4b63179d133b112b5228352d57b Mon Sep 17 00:00:00 2001 From: whyisjake Date: Mon, 14 Oct 2019 18:45:23 +0000 Subject: [PATCH] Backporting several bug fixes. - Query: Remove the static query property. - HTTP API: Protect against hex interpretation. - Filesystem API: Prevent directory travelersals when creating new folders. - Administration: Ensure that admin referer nonce is valid. - REST API: Send a Vary: Origin header on GET requests. Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.8 branch. Built from https://develop.svn.wordpress.org/branches/4.8@46494 git-svn-id: http://core.svn.wordpress.org/branches/4.8@46291 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/class-wp-query.php | 13 ++++++++++--- wp-includes/class-wp.php | 2 +- wp-includes/functions.php | 5 +++++ wp-includes/http.php | 5 +++-- wp-includes/pluggable.php | 5 ++--- wp-includes/rest-api.php | 4 +++- 6 files changed, 24 insertions(+), 10 deletions(-) diff --git a/wp-includes/class-wp-query.php b/wp-includes/class-wp-query.php index baefec75b4..f21a58b7b7 100644 --- a/wp-includes/class-wp-query.php +++ b/wp-includes/class-wp-query.php @@ -582,7 +582,6 @@ class WP_Query { , 'attachment' , 'attachment_id' , 'name' - , 'static' , 'pagename' , 'page_id' , 'second' @@ -813,7 +812,7 @@ class WP_Query { // If year, month, day, hour, minute, and second are set, a single // post is being queried. $this->is_single = true; - } elseif ( '' != $qv['static'] || '' != $qv['pagename'] || !empty($qv['page_id']) ) { + } elseif ( '' != $qv['pagename'] || !empty($qv['page_id']) ) { $this->is_page = true; $this->is_single = false; } else { @@ -3058,7 +3057,15 @@ class WP_Query { */ $this->found_posts = $wpdb->get_var( apply_filters_ref_array( 'found_posts_query', array( 'SELECT FOUND_ROWS()', &$this ) ) ); } else { - $this->found_posts = count( $this->posts ); + if ( is_array( $this->posts ) ) { + $this->found_posts = count( $this->posts ); + } else { + if ( null === $this->posts ) { + $this->found_posts = 0; + } else { + $this->found_posts = 1; + } + } } /** diff --git a/wp-includes/class-wp.php b/wp-includes/class-wp.php index 63c7f0a2c6..fd3e08df50 100644 --- a/wp-includes/class-wp.php +++ b/wp-includes/class-wp.php @@ -15,7 +15,7 @@ class WP { * @access public * @var array */ - public $public_query_vars = array('m', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'static', 'pagename', 'page_id', 'error', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' ); + public $public_query_vars = array( 'm', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'pagename', 'page_id', 'error', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' ); /** * Private query variables. diff --git a/wp-includes/functions.php b/wp-includes/functions.php index 95f2058aba..2dda110f01 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php @@ -1608,6 +1608,11 @@ function wp_mkdir_p( $target ) { if ( file_exists( $target ) ) return @is_dir( $target ); + // Do not allow path traversals. + if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) { + return false; + } + // We need to find the permissions of the parent folder that exists and inherit that. $target_parent = dirname( $target ); while ( '.' != $target_parent && ! is_dir( $target_parent ) ) { diff --git a/wp-includes/http.php b/wp-includes/http.php index 2af3292caf..e9d9b2f74f 100644 --- a/wp-includes/http.php +++ b/wp-includes/http.php @@ -541,8 +541,9 @@ function wp_http_validate_url( $url ) { $ip = $host; } else { $ip = gethostbyname( $host ); - if ( $ip === $host ) // Error condition for gethostbyname() - $ip = false; + if ( $ip === $host ) { // Error condition for gethostbyname() + return false; + } } if ( $ip ) { $parts = array_map( 'intval', explode( '.', $ip ) ); diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php index 00131862ec..131dbdaaee 100644 --- a/wp-includes/pluggable.php +++ b/wp-includes/pluggable.php @@ -1070,7 +1070,7 @@ if ( !function_exists('check_admin_referer') ) : * 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago. */ function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) { - if ( -1 == $action ) + if ( -1 === $action ) _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' ); $adminurl = strtolower(admin_url()); @@ -1088,7 +1088,7 @@ function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) { */ do_action( 'check_admin_referer', $action, $result ); - if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) { + if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) { wp_nonce_ays( $action ); die(); } @@ -2538,4 +2538,3 @@ function wp_text_diff( $left_string, $right_string, $args = null ) { return $r; } endif; - diff --git a/wp-includes/rest-api.php b/wp-includes/rest-api.php index 3b158ea07f..0f93307631 100644 --- a/wp-includes/rest-api.php +++ b/wp-includes/rest-api.php @@ -551,7 +551,9 @@ function rest_send_cors_headers( $value ) { header( 'Access-Control-Allow-Origin: ' . $origin ); header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' ); header( 'Access-Control-Allow-Credentials: true' ); - header( 'Vary: Origin' ); + header( 'Vary: Origin', false ); + } elseif ( ! headers_sent() && 'GET' === $_SERVER['REQUEST_METHOD'] && ! is_user_logged_in() ) { + header( 'Vary: Origin', false ); } return $value;