From a2c890409bf1fa9b7237caf6bcfb07eac1e41a31 Mon Sep 17 00:00:00 2001 From: Peter Wilson Date: Thu, 13 Dec 2018 01:26:24 +0000 Subject: [PATCH] Multisite: Validate activation links. Built from https://develop.svn.wordpress.org/trunk@44048 git-svn-id: http://core.svn.wordpress.org/trunk@43878 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-activate.php | 4 +++- wp-admin/includes/class-wp-screen.php | 4 +++- wp-admin/post.php | 8 +++++++- wp-includes/class-wp.php | 2 ++ wp-includes/ms-deprecated.php | 15 ++++++++++----- wp-includes/version.php | 2 +- 6 files changed, 26 insertions(+), 9 deletions(-) diff --git a/wp-activate.php b/wp-activate.php index be8a35a41c..5954140960 100644 --- a/wp-activate.php +++ b/wp-activate.php @@ -26,7 +26,9 @@ $activate_cookie = 'wp-activate-' . COOKIEHASH; $key = ''; $result = null; -if ( ! empty( $_GET['key'] ) ) { +if ( isset( $_GET['key'] ) && isset( $_POST['key'] ) && $_GET['key'] !== $_POST['key'] ) { + wp_die( __( 'A key value mismatch has been detected. Please follow the link provided in your activation email.' ), __( 'An error occurred during the activation' ), 400 ); +} elseif ( ! empty( $_GET['key'] ) ) { $key = $_GET['key']; } elseif ( ! empty( $_POST['key'] ) ) { $key = $_POST['key']; diff --git a/wp-admin/includes/class-wp-screen.php b/wp-admin/includes/class-wp-screen.php index 3f63539f63..f8e63554ca 100644 --- a/wp-admin/includes/class-wp-screen.php +++ b/wp-admin/includes/class-wp-screen.php @@ -272,7 +272,9 @@ final class WP_Screen { switch ( $base ) { case 'post': - if ( isset( $_GET['post'] ) ) { + if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] ) { + wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 ); + } elseif ( isset( $_GET['post'] ) ) { $post_id = (int) $_GET['post']; } elseif ( isset( $_POST['post_ID'] ) ) { $post_id = (int) $_POST['post_ID']; diff --git a/wp-admin/post.php b/wp-admin/post.php index 87743bec95..052ce8e448 100644 --- a/wp-admin/post.php +++ b/wp-admin/post.php @@ -16,7 +16,9 @@ $submenu_file = 'edit.php'; wp_reset_vars( array( 'action' ) ); -if ( isset( $_GET['post'] ) ) { +if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] ) { + wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 ); +} elseif ( isset( $_GET['post'] ) ) { $post_id = $post_ID = (int) $_GET['post']; } elseif ( isset( $_POST['post_ID'] ) ) { $post_id = $post_ID = (int) $_POST['post_ID']; @@ -40,6 +42,10 @@ if ( $post ) { $post_type_object = get_post_type_object( $post_type ); } +if ( isset( $_POST['post_type'] ) && $post && $post_type !== $_POST['post_type'] ) { + wp_die( __( 'A post type mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 ); +} + if ( isset( $_POST['deletepost'] ) ) { $action = 'delete'; } elseif ( isset( $_POST['wp-preview'] ) && 'dopreview' == $_POST['wp-preview'] ) { diff --git a/wp-includes/class-wp.php b/wp-includes/class-wp.php index dfc2f9717b..b3bc907f9a 100644 --- a/wp-includes/class-wp.php +++ b/wp-includes/class-wp.php @@ -295,6 +295,8 @@ class WP { foreach ( $this->public_query_vars as $wpvar ) { if ( isset( $this->extra_query_vars[ $wpvar ] ) ) { $this->query_vars[ $wpvar ] = $this->extra_query_vars[ $wpvar ]; + } elseif ( isset( $_GET[ $wpvar ] ) && isset( $_POST[ $wpvar ] ) && $_GET[ $wpvar ] !== $_POST[ $wpvar ] ) { + wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 ); } elseif ( isset( $_POST[ $wpvar ] ) ) { $this->query_vars[ $wpvar ] = $_POST[ $wpvar ]; } elseif ( isset( $_GET[ $wpvar ] ) ) { diff --git a/wp-includes/ms-deprecated.php b/wp-includes/ms-deprecated.php index e25384ea01..26544a57f9 100644 --- a/wp-includes/ms-deprecated.php +++ b/wp-includes/ms-deprecated.php @@ -271,10 +271,13 @@ function wpmu_admin_do_redirect( $url = '' ) { _deprecated_function( __FUNCTION__, '3.3.0', 'wp_redirect()' ); $ref = ''; - if ( isset( $_GET['ref'] ) ) - $ref = $_GET['ref']; - if ( isset( $_POST['ref'] ) ) - $ref = $_POST['ref']; + if ( isset( $_GET['ref'] ) && isset( $_POST['ref'] ) && $_GET['ref'] !== $_POST['ref'] ) { + wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 ); + } elseif ( isset( $_POST['ref'] ) ) { + $ref = $_POST[ 'ref' ]; + } elseif ( isset( $_GET['ref'] ) ) { + $ref = $_GET[ 'ref' ]; + } if ( $ref ) { $ref = wpmu_admin_redirect_add_updated_param( $ref ); @@ -287,7 +290,9 @@ function wpmu_admin_do_redirect( $url = '' ) { } $url = wpmu_admin_redirect_add_updated_param( $url ); - if ( isset( $_GET['redirect'] ) ) { + if ( isset( $_GET['redirect'] ) && isset( $_POST['redirect'] ) && $_GET['redirect'] !== $_POST['redirect'] ) { + wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 ); + } elseif ( isset( $_GET['redirect'] ) ) { if ( substr( $_GET['redirect'], 0, 2 ) == 's_' ) $url .= '&action=blogs&s='. esc_html( substr( $_GET['redirect'], 2 ) ); } elseif ( isset( $_POST['redirect'] ) ) { diff --git a/wp-includes/version.php b/wp-includes/version.php index 95bfb00d18..97a687454b 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -13,7 +13,7 @@ * * @global string $wp_version */ -$wp_version = '5.1-alpha-44021'; +$wp_version = '5.1-alpha-44048'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.