From 6a3acea8b516f727a6248a4410a10dd93a56a1e3 Mon Sep 17 00:00:00 2001
From: Dominik Schilling
Date: Wed, 30 Mar 2016 14:44:26 +0000
Subject: [PATCH] Multisite: Validate new email address confirmations.

Built from https://develop.svn.wordpress.org/trunk@37103
git-svn-id: http://core.svn.wordpress.org/trunk@37070 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/user-edit.php | 9 +++++----
 wp-includes/version.php | 2 +-
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php
index 3ecfe0a455..04c19fb440 100644
--- a/wp-admin/user-edit.php
+++ b/wp-admin/user-edit.php
@@ -83,7 +83,7 @@ if ( is_multisite()
 // Execute confirmed email change. See send_confirmation_on_profile_email().
 if ( is_multisite() && IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $current_user->ID ) {
 $new_email = get_user_meta( $current_user->ID, '_new_email', true );
- if ( $new_email && $new_email[ 'hash' ] == $_GET[ 'newuseremail' ] ) {
+ if ( $new_email && hash_equals( $new_email[ 'hash' ], $_GET[ 'newuseremail' ] ) ) {
 $user = new stdClass;
 $user->ID = $current_user->ID;
 $user->user_email = esc_html( trim( $new_email[ 'newemail' ] ) );
@@ -97,7 +97,8 @@ if ( is_multisite() && IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $c
 } else {
 wp_redirect( add_query_arg( array( 'error' => 'new-email' ), self_admin_url( 'profile.php' ) ) );
 }
-} elseif ( is_multisite() && IS_PROFILE_PAGE && !empty( $_GET['dismiss'] ) && $current_user->ID . '_new_email' == $_GET['dismiss'] ) {
+} elseif ( is_multisite() && IS_PROFILE_PAGE && !empty( $_GET['dismiss'] ) && $current_user->ID . '_new_email' === $_GET['dismiss'] ) {
+ check_admin_referer( 'dismiss-' . $current_user->ID . '_new_email' );
 delete_user_meta( $current_user->ID, '_new_email' );
 wp_redirect( add_query_arg( array('updated' => 'true'), self_admin_url( 'profile.php' ) ) );
 die();
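Review bot: The constant-time comparison in the first hunk still hands `$_GET[ 'newuseremail' ]` to `hash_equals()` without checking that it is a string; `isset()` does not rule out an array-valued query parameter, and for that input `hash_equals()` emits a PHP warning (a TypeError from PHP 8 on) instead of quietly evaluating false. A type guard keeps the branch false and the log clean: `if ( $new_email && is_string( $_GET[ 'newuseremail' ] ) && hash_equals( $new_email[ 'hash' ], $_GET[ 'newuseremail' ] ) ) {`. The same assumption applies to `$new_email[ 'hash' ]`; if the stored `_new_email` meta can ever be malformed it deserves the same check before the call. The enclosing `if` block continues past the end of the hunk.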
@@ -400,11 +401,11 @@ if ( is_multisite() && is_network_admin() && ! IS_PROFILE_PAGE && current_user_c
 printf(
 /* translators: %s: new email */
 __( 'There is a pending change of your email to %s.' ),
- '' . $new_email['newemail'] . ''
+ '' . esc_html( $new_email['newemail'] ) . ''
 );
 printf(
 ' %2$s',
- esc_url( self_admin_url( 'profile.php?dismiss=' . $current_user->ID . '_new_email' ) ),
+ esc_url( wp_nonce_url( self_admin_url( 'profile.php?dismiss=' . $current_user->ID . '_new_email' ), 'dismiss-' . $current_user->ID . '_new_email' ) ),
 __( 'Cancel' )
 );
 ?>
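Review bot: The nonce action `'dismiss-' . $current_user->ID . '_new_email'` is now spelled out twice in this file, here in the `wp_nonce_url()` call and in the `check_admin_referer()` call added in the earlier hunk, so the two strings can drift apart and a mismatch would only surface at runtime as a nonce failure on the Cancel link. Building it once where the request is dispatched, e.g. `$dismiss_action = 'dismiss-' . $current_user->ID . '_new_email';`, and passing that variable to both calls keeps the two sides in step. A short comment on the `wp_nonce_url()` line, `// Action must match the check_admin_referer() call on the dismiss path.`, would help the next reader if the duplication is kept. The block that emits this notice starts before the hunk.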

diff --git a/wp-includes/version.php b/wp-includes/version.php index 2432ac804a..e124cdd04e 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.5-RC1-37094'; +$wp_version = '4.5-RC1-37103'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.