WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Multisite: Validate activation links. 

Built from https://develop.svn.wordpress.org/trunk@44048


git-svn-id: http://core.svn.wordpress.org/trunk@43878 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Peter Wilson 2018-12-13 01:26:24 +00:00
parent 481e5f4b36
commit a2c890409b
6 changed files with 26 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
wp-activate.php
View File

@ -26,7 +26,9 @@ $activate_cookie = 'wp-activate-' . COOKIEHASH;
$key = ''; $key = '';
$result = null; $result = null;
if ( ! empty( $_GET['key'] ) ) { if ( isset( $_GET['key'] ) && isset( $_POST['key'] ) && $_GET['key'] !== $_POST['key'] ) {
wp_die( __( 'A key value mismatch has been detected. Please follow the link provided in your activation email.' ), __( 'An error occurred during the activation' ), 400 );
} elseif ( ! empty( $_GET['key'] ) ) {
$key = $_GET['key']; $key = $_GET['key'];
} elseif ( ! empty( $_POST['key'] ) ) { } elseif ( ! empty( $_POST['key'] ) ) {
$key = $_POST['key']; $key = $_POST['key'];

4
wp-admin/includes/class-wp-screen.php
View File

@ -272,7 +272,9 @@ final class WP_Screen {
switch ( $base ) { switch ( $base ) {
case 'post': case 'post':
if ( isset( $_GET['post'] ) ) { if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] ) {
wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
} elseif ( isset( $_GET['post'] ) ) {
$post_id = (int) $_GET['post']; $post_id = (int) $_GET['post'];
} elseif ( isset( $_POST['post_ID'] ) ) { } elseif ( isset( $_POST['post_ID'] ) ) {
$post_id = (int) $_POST['post_ID']; $post_id = (int) $_POST['post_ID'];

8
wp-admin/post.php
View File

@ -16,7 +16,9 @@ $submenu_file = 'edit.php';
wp_reset_vars( array( 'action' ) ); wp_reset_vars( array( 'action' ) );
if ( isset( $_GET['post'] ) ) { if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] ) {
wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
} elseif ( isset( $_GET['post'] ) ) {
$post_id = $post_ID = (int) $_GET['post']; $post_id = $post_ID = (int) $_GET['post'];
} elseif ( isset( $_POST['post_ID'] ) ) { } elseif ( isset( $_POST['post_ID'] ) ) {
$post_id = $post_ID = (int) $_POST['post_ID']; $post_id = $post_ID = (int) $_POST['post_ID'];
@ -40,6 +42,10 @@ if ( $post ) {
$post_type_object = get_post_type_object( $post_type ); $post_type_object = get_post_type_object( $post_type );
} }
if ( isset( $_POST['post_type'] ) && $post && $post_type !== $_POST['post_type'] ) {
wp_die( __( 'A post type mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
}
if ( isset( $_POST['deletepost'] ) ) { if ( isset( $_POST['deletepost'] ) ) {
$action = 'delete'; $action = 'delete';
} elseif ( isset( $_POST['wp-preview'] ) && 'dopreview' == $_POST['wp-preview'] ) { } elseif ( isset( $_POST['wp-preview'] ) && 'dopreview' == $_POST['wp-preview'] ) {

2
wp-includes/class-wp.php
View File

@ -295,6 +295,8 @@ class WP {
foreach ( $this->public_query_vars as $wpvar ) { foreach ( $this->public_query_vars as $wpvar ) {
if ( isset( $this->extra_query_vars[ $wpvar ] ) ) { if ( isset( $this->extra_query_vars[ $wpvar ] ) ) {
$this->query_vars[ $wpvar ] = $this->extra_query_vars[ $wpvar ]; $this->query_vars[ $wpvar ] = $this->extra_query_vars[ $wpvar ];
} elseif ( isset( $_GET[ $wpvar ] ) && isset( $_POST[ $wpvar ] ) && $_GET[ $wpvar ] !== $_POST[ $wpvar ] ) {
wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
} elseif ( isset( $_POST[ $wpvar ] ) ) { } elseif ( isset( $_POST[ $wpvar ] ) ) {
$this->query_vars[ $wpvar ] = $_POST[ $wpvar ]; $this->query_vars[ $wpvar ] = $_POST[ $wpvar ];
} elseif ( isset( $_GET[ $wpvar ] ) ) { } elseif ( isset( $_GET[ $wpvar ] ) ) {

15
wp-includes/ms-deprecated.php
View File

@ -271,10 +271,13 @@ function wpmu_admin_do_redirect( $url = '' ) {
_deprecated_function( __FUNCTION__, '3.3.0', 'wp_redirect()' ); _deprecated_function( __FUNCTION__, '3.3.0', 'wp_redirect()' );
$ref = ''; $ref = '';
if ( isset( $_GET['ref'] ) ) if ( isset( $_GET['ref'] ) && isset( $_POST['ref'] ) && $_GET['ref'] !== $_POST['ref'] ) {
$ref = $_GET['ref']; wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
if ( isset( $_POST['ref'] ) ) } elseif ( isset( $_POST['ref'] ) ) {
$ref = $_POST['ref']; $ref = $_POST[ 'ref' ];
} elseif ( isset( $_GET['ref'] ) ) {
$ref = $_GET[ 'ref' ];
}
if ( $ref ) { if ( $ref ) {
$ref = wpmu_admin_redirect_add_updated_param( $ref ); $ref = wpmu_admin_redirect_add_updated_param( $ref );
@ -287,7 +290,9 @@ function wpmu_admin_do_redirect( $url = '' ) {
} }
$url = wpmu_admin_redirect_add_updated_param( $url ); $url = wpmu_admin_redirect_add_updated_param( $url );
if ( isset( $_GET['redirect'] ) ) { if ( isset( $_GET['redirect'] ) && isset( $_POST['redirect'] ) && $_GET['redirect'] !== $_POST['redirect'] ) {
wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
} elseif ( isset( $_GET['redirect'] ) ) {
if ( substr( $_GET['redirect'], 0, 2 ) == 's_' ) if ( substr( $_GET['redirect'], 0, 2 ) == 's_' )
$url .= '&action=blogs&s='. esc_html( substr( $_GET['redirect'], 2 ) ); $url .= '&action=blogs&s='. esc_html( substr( $_GET['redirect'], 2 ) );
} elseif ( isset( $_POST['redirect'] ) ) { } elseif ( isset( $_POST['redirect'] ) ) {

2
wp-includes/version.php
View File

@ -13,7 +13,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '5.1-alpha-44021'; $wp_version = '5.1-alpha-44048';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.