General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41412] to the 4.7 branch

See #13377

Built from https://develop.svn.wordpress.org/branches/4.7@41413


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41246 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
John Blackbourn 2017-09-19 10:21:48 +00:00
parent 1e45c3e2fe
commit 7c8fbd2966
6 changed files with 35 additions and 33 deletions

View File

@ -601,16 +601,16 @@ class WP_Plugins_List_Table extends WP_List_Table {
if ( $is_active ) { if ( $is_active ) {
if ( current_user_can( 'manage_network_plugins' ) ) { if ( current_user_can( 'manage_network_plugins' ) ) {
/* translators: %s: plugin name */ /* translators: %s: plugin name */
$actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( _x( 'Network Deactivate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Deactivate' ) . '</a>'; $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( _x( 'Network Deactivate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Deactivate' ) . '</a>';
} }
} else { } else {
if ( current_user_can( 'manage_network_plugins' ) ) { if ( current_user_can( 'manage_network_plugins' ) ) {
/* translators: %s: plugin name */ /* translators: %s: plugin name */
$actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( _x( 'Network Activate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Activate' ) . '</a>'; $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( _x( 'Network Activate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Activate' ) . '</a>';
} }
if ( current_user_can( 'delete_plugins' ) && ! is_plugin_active( $plugin_file ) ) { if ( current_user_can( 'delete_plugins' ) && ! is_plugin_active( $plugin_file ) ) {
/* translators: %s: plugin name */ /* translators: %s: plugin name */
$actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&amp;checked[]=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( _x( 'Delete %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>'; $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&amp;checked[]=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( _x( 'Delete %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>';
} }
} }
} else { } else {
@ -624,14 +624,14 @@ class WP_Plugins_List_Table extends WP_List_Table {
); );
} elseif ( $is_active ) { } elseif ( $is_active ) {
/* translators: %s: plugin name */ /* translators: %s: plugin name */
$actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( _x( 'Deactivate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Deactivate' ) . '</a>'; $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( _x( 'Deactivate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Deactivate' ) . '</a>';
} else { } else {
/* translators: %s: plugin name */ /* translators: %s: plugin name */
$actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( _x( 'Activate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Activate' ) . '</a>'; $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( _x( 'Activate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Activate' ) . '</a>';
if ( ! is_multisite() && current_user_can( 'delete_plugins' ) ) { if ( ! is_multisite() && current_user_can( 'delete_plugins' ) ) {
/* translators: %s: plugin name */ /* translators: %s: plugin name */
$actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&amp;checked[]=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( _x( 'Delete %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>'; $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&amp;checked[]=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( _x( 'Delete %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>';
} }
} // end if $is_active } // end if $is_active
@ -639,7 +639,7 @@ class WP_Plugins_List_Table extends WP_List_Table {
if ( ( ! is_multisite() || $screen->in_admin( 'network' ) ) && current_user_can( 'edit_plugins' ) && is_writable( WP_PLUGIN_DIR . '/' . $plugin_file ) ) { if ( ( ! is_multisite() || $screen->in_admin( 'network' ) ) && current_user_can( 'edit_plugins' ) && is_writable( WP_PLUGIN_DIR . '/' . $plugin_file ) ) {
/* translators: %s: plugin name */ /* translators: %s: plugin name */
$actions['edit'] = '<a href="plugin-editor.php?file=' . $plugin_file . '" class="edit" aria-label="' . esc_attr( sprintf( __( 'Edit %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Edit' ) . '</a>'; $actions['edit'] = '<a href="plugin-editor.php?file=' . urlencode( $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( __( 'Edit %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Edit' ) . '</a>';
} }
} // end if $context } // end if $context

View File

@ -772,7 +772,7 @@ function page_template_dropdown( $default = '', $post_type = 'page' ) {
ksort( $templates ); ksort( $templates );
foreach ( array_keys( $templates ) as $template ) { foreach ( array_keys( $templates ) as $template ) {
$selected = selected( $default, $templates[ $template ], false ); $selected = selected( $default, $templates[ $template ], false );
echo "\n\t<option value='" . $templates[ $template ] . "' $selected>$template</option>"; echo "\n\t<option value='" . esc_attr( $templates[ $template ] ) . "' $selected>" . esc_html( $template ) . "</option>";
} }
} }

View File

@ -37,11 +37,11 @@ if ( empty( $plugins ) ) {
$file = ''; $file = '';
$plugin = ''; $plugin = '';
if ( isset( $_REQUEST['file'] ) ) { if ( isset( $_REQUEST['file'] ) ) {
$file = sanitize_text_field( $_REQUEST['file'] ); $file = wp_unslash( $_REQUEST['file'] );
} }
if ( isset( $_REQUEST['plugin'] ) ) { if ( isset( $_REQUEST['plugin'] ) ) {
$plugin = sanitize_text_field( $_REQUEST['plugin'] ); $plugin = wp_unslash( $_REQUEST['plugin'] );
} }
if ( empty( $plugin ) ) { if ( empty( $plugin ) ) {
@ -107,10 +107,10 @@ if ( isset( $_REQUEST['action'] ) && 'update' === $_REQUEST['action'] ) {
} }
if ( ( ! empty( $_GET['networkwide'] ) && ! is_plugin_active_for_network( $file ) ) || ! is_plugin_active( $file ) ) { if ( ( ! empty( $_GET['networkwide'] ) && ! is_plugin_active_for_network( $file ) ) || ! is_plugin_active( $file ) ) {
activate_plugin( $plugin, "plugin-editor.php?file=$file&phperror=1", ! empty( $_GET['networkwide'] ) ); activate_plugin( $plugin, "plugin-editor.php?file=" . urlencode( $file ) . "&phperror=1", ! empty( $_GET['networkwide'] ) );
} // we'll override this later if the plugin can be included without fatal error } // we'll override this later if the plugin can be included without fatal error
wp_redirect( self_admin_url("plugin-editor.php?file=$file&plugin=$plugin&a=te&scrollto=$scrollto") ); wp_redirect( self_admin_url( 'plugin-editor.php?file=' . urlencode( $file ) . '&plugin=' . urlencode( $plugin ) . "&a=te&scrollto=$scrollto" ) );
exit; exit;
} }
@ -203,18 +203,18 @@ if ( isset( $_REQUEST['action'] ) && 'update' === $_REQUEST['action'] ) {
if ( is_plugin_active( $plugin ) ) { if ( is_plugin_active( $plugin ) ) {
if ( is_writeable( $real_file ) ) { if ( is_writeable( $real_file ) ) {
/* translators: %s: plugin file name */ /* translators: %s: plugin file name */
echo sprintf( __( 'Editing %s (active)' ), '<strong>' . $file . '</strong>' ); echo sprintf( __( 'Editing %s (active)' ), '<strong>' . esc_html( $file ) . '</strong>' );
} else { } else {
/* translators: %s: plugin file name */ /* translators: %s: plugin file name */
echo sprintf( __( 'Browsing %s (active)' ), '<strong>' . $file . '</strong>' ); echo sprintf( __( 'Browsing %s (active)' ), '<strong>' . esc_html( $file ) . '</strong>' );
} }
} else { } else {
if ( is_writeable( $real_file ) ) { if ( is_writeable( $real_file ) ) {
/* translators: %s: plugin file name */ /* translators: %s: plugin file name */
echo sprintf( __( 'Editing %s (inactive)' ), '<strong>' . $file . '</strong>' ); echo sprintf( __( 'Editing %s (inactive)' ), '<strong>' . esc_html( $file ) . '</strong>' );
} else { } else {
/* translators: %s: plugin file name */ /* translators: %s: plugin file name */
echo sprintf( __( 'Browsing %s (inactive)' ), '<strong>' . $file . '</strong>' ); echo sprintf( __( 'Browsing %s (inactive)' ), '<strong>' . esc_html( $file ) . '</strong>' );
} }
} }
?></big> ?></big>
@ -259,7 +259,7 @@ foreach ( $plugin_files as $plugin_file ) :
continue; continue;
} }
?> ?>
<li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo $plugin_file ?></a></li> <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo esc_html( $plugin_file ); ?></a></li>
<?php endforeach; ?> <?php endforeach; ?>
</ul> </ul>
</div> </div>

View File

@ -17,7 +17,7 @@ $pagenum = $wp_list_table->get_pagenum();
$action = $wp_list_table->current_action(); $action = $wp_list_table->current_action();
$plugin = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : ''; $plugin = isset($_REQUEST['plugin']) ? wp_unslash( $_REQUEST['plugin'] ) : '';
$s = isset($_REQUEST['s']) ? urlencode( wp_unslash( $_REQUEST['s'] ) ) : ''; $s = isset($_REQUEST['s']) ? urlencode( wp_unslash( $_REQUEST['s'] ) ) : '';
// Clean up request URI from temporary args for screen options/paging uri's to work as expected. // Clean up request URI from temporary args for screen options/paging uri's to work as expected.
@ -39,10 +39,10 @@ if ( $action ) {
check_admin_referer('activate-plugin_' . $plugin); check_admin_referer('activate-plugin_' . $plugin);
$result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . $plugin), is_network_admin() ); $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . urlencode( $plugin ) ), is_network_admin() );
if ( is_wp_error( $result ) ) { if ( is_wp_error( $result ) ) {
if ( 'unexpected_output' == $result->get_error_code() ) { if ( 'unexpected_output' == $result->get_error_code() ) {
$redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . $plugin . "&plugin_status=$status&paged=$page&s=$s"); $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . urlencode( $plugin ) . "&plugin_status=$status&paged=$page&s=$s");
wp_redirect(add_query_arg('_error_nonce', wp_create_nonce('plugin-activation-error_' . $plugin), $redirect)); wp_redirect(add_query_arg('_error_nonce', wp_create_nonce('plugin-activation-error_' . $plugin), $redirect));
exit; exit;
} else { } else {
@ -73,7 +73,7 @@ if ( $action ) {
check_admin_referer('bulk-plugins'); check_admin_referer('bulk-plugins');
$plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array(); $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
if ( is_network_admin() ) { if ( is_network_admin() ) {
foreach ( $plugins as $i => $plugin ) { foreach ( $plugins as $i => $plugin ) {
@ -122,9 +122,9 @@ if ( $action ) {
check_admin_referer( 'bulk-plugins' ); check_admin_referer( 'bulk-plugins' );
if ( isset( $_GET['plugins'] ) ) if ( isset( $_GET['plugins'] ) )
$plugins = explode( ',', $_GET['plugins'] ); $plugins = explode( ',', wp_unslash( $_GET['plugins'] ) );
elseif ( isset( $_POST['checked'] ) ) elseif ( isset( $_POST['checked'] ) )
$plugins = (array) $_POST['checked']; $plugins = (array) wp_unslash( $_POST['checked'] );
else else
$plugins = array(); $plugins = array();
@ -197,7 +197,7 @@ if ( $action ) {
check_admin_referer('bulk-plugins'); check_admin_referer('bulk-plugins');
$plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array(); $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
// Do not deactivate plugins which are already deactivated. // Do not deactivate plugins which are already deactivated.
if ( is_network_admin() ) { if ( is_network_admin() ) {
$plugins = array_filter( $plugins, 'is_plugin_active_for_network' ); $plugins = array_filter( $plugins, 'is_plugin_active_for_network' );
@ -234,7 +234,7 @@ if ( $action ) {
check_admin_referer('bulk-plugins'); check_admin_referer('bulk-plugins');
//$_POST = from the plugin form; $_GET = from the FTP details screen. //$_POST = from the plugin form; $_GET = from the FTP details screen.
$plugins = isset( $_REQUEST['checked'] ) ? (array) $_REQUEST['checked'] : array(); $plugins = isset( $_REQUEST['checked'] ) ? (array) wp_unslash( $_REQUEST['checked'] ) : array();
if ( empty( $plugins ) ) { if ( empty( $plugins ) ) {
wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") ); wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") );
exit; exit;
@ -368,7 +368,7 @@ if ( $action ) {
default: default:
if ( isset( $_POST['checked'] ) ) { if ( isset( $_POST['checked'] ) ) {
check_admin_referer('bulk-plugins'); check_admin_referer('bulk-plugins');
$plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array(); $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
$sendback = wp_get_referer(); $sendback = wp_get_referer();
/** This action is documented in wp-admin/edit-comments.php */ /** This action is documented in wp-admin/edit-comments.php */

View File

@ -99,7 +99,7 @@ if ( empty( $file ) ) {
$relative_file = 'style.css'; $relative_file = 'style.css';
$file = $allowed_files['style.css']; $file = $allowed_files['style.css'];
} else { } else {
$relative_file = $file; $relative_file = wp_unslash( $file );
$file = $theme->get_stylesheet_directory() . '/' . $relative_file; $file = $theme->get_stylesheet_directory() . '/' . $relative_file;
} }
@ -156,10 +156,12 @@ default:
<div id="message" class="updated notice is-dismissible"><p><?php _e( 'File edited successfully.' ) ?></p></div> <div id="message" class="updated notice is-dismissible"><p><?php _e( 'File edited successfully.' ) ?></p></div>
<?php endif; <?php endif;
$description = get_file_description( $relative_file ); $file_description = get_file_description( $relative_file );
$file_show = array_search( $file, array_filter( $allowed_files ) ); $file_show = array_search( $file, array_filter( $allowed_files ) );
if ( $description != $file_show ) $description = esc_html( $file_description );
$description .= ' <span>(' . $file_show . ')</span>'; if ( $file_description != $file_show ) {
$description .= ' <span>(' . esc_html( $file_show ) . ')</span>';
}
?> ?>
<div class="wrap"> <div class="wrap">
<h1><?php echo esc_html( $title ); ?></h1> <h1><?php echo esc_html( $title ); ?></h1>
@ -230,9 +232,9 @@ if ( $allowed_files ) :
echo "\t<ul>\n"; echo "\t<ul>\n";
} }
$file_description = get_file_description( $filename ); $file_description = esc_html( get_file_description( $filename ) );
if ( $filename !== basename( $absolute_filename ) || $file_description !== $filename ) { if ( $filename !== basename( $absolute_filename ) || $file_description !== $filename ) {
$file_description .= '<br /><span class="nonessential">(' . $filename . ')</span>'; $file_description .= '<br /><span class="nonessential">(' . esc_html( $filename ) . ')</span>';
} }
if ( $absolute_filename === $file ) { if ( $absolute_filename === $file ) {

View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.7.6-alpha-41401'; $wp_version = '4.7.6-alpha-41413';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.