From ec0d03d1b6f24b5fda88e3f851606091ee87d01f Mon Sep 17 00:00:00 2001
From: Aaron Jorbin <aaron@jorb.in>
Date: Tue, 30 Jan 2024 15:12:23 +0000
Subject: [PATCH] Grouped Backports to the 4.4 branch.

- Install: When populating options, maybe_serialize instead of always serialize.
- Uploads: Check for and verify ZIP archives.

Merges [57388] and [57389] to the 4.4 branch.

Props costdev, peterwilsoncc, azaozz, tykoted, johnbillion, desrosj, afragen, jorbin, xknown.

Built from https://develop.svn.wordpress.org/branches/4.4@57411


git-svn-id: http://core.svn.wordpress.org/branches/4.4@56917 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/class-wp-upgrader.php | 24 ++++++++++++++++++++++++
 wp-admin/includes/schema.php            |  5 +++--
 wp-admin/update.php                     |  8 ++++++++
 3 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/wp-admin/includes/class-wp-upgrader.php b/wp-admin/includes/class-wp-upgrader.php
index 0dcaa6e033..eb6d4da051 100644
--- a/wp-admin/includes/class-wp-upgrader.php
+++ b/wp-admin/includes/class-wp-upgrader.php
@@ -2547,6 +2547,30 @@ class File_Upload_Upgrader {
 			if ( isset( $file['error'] ) )
 				wp_die( $file['error'] );
 
+			if ( 'pluginzip' === $form || 'themezip' === $form ) {
+				$archive_is_valid = false;
+
+				/** This filter is documented in wp-admin/includes/file.php */
+				if ( class_exists( 'ZipArchive', false ) && apply_filters( 'unzip_file_use_ziparchive', true ) ) {
+					$archive          = new ZipArchive();
+					$archive_is_valid = $archive->open( $file['file'], ZIPARCHIVE::CHECKCONS );
+
+					if ( true === $archive_is_valid ) {
+						$archive->close();
+					}
+				} else {
+					require_once ABSPATH . 'wp-admin/includes/class-pclzip.php';
+
+					$archive          = new PclZip( $file['file'] );
+					$archive_is_valid = is_array( $archive->properties() );
+				}
+
+				if ( true !== $archive_is_valid ) {
+					wp_delete_file( $file['file'] );
+					wp_die( __( 'Incompatible Archive.' ) );
+				}
+			}
+
 			$this->filename = $_FILES[$form]['name'];
 			$this->package = $file['file'];
 
diff --git a/wp-admin/includes/schema.php b/wp-admin/includes/schema.php
index 4f49dc21e1..6b60719fb8 100644
--- a/wp-admin/includes/schema.php
+++ b/wp-admin/includes/schema.php
@@ -548,10 +548,11 @@ function populate_options() {
 		else
 			$autoload = 'yes';
 
-		if ( is_array($value) )
-			$value = serialize($value);
 		if ( !empty($insert) )
 			$insert .= ', ';
+
+		$value = maybe_serialize( sanitize_option( $option, $value ) );
+
 		$insert .= $wpdb->prepare( "(%s, %s, %s)", $option, $value, $autoload );
 	}
 
diff --git a/wp-admin/update.php b/wp-admin/update.php
index fba26f885a..1a52d5d5cd 100644
--- a/wp-admin/update.php
+++ b/wp-admin/update.php
@@ -146,6 +146,10 @@ if ( isset($_GET['action']) ) {
 
 		check_admin_referer('plugin-upload');
 
+		if ( isset( $_FILES['pluginzip']['name'] ) && ! str_ends_with( strtolower( $_FILES['pluginzip']['name'] ), '.zip' ) ) {
+			wp_die( __( 'Only .zip archives may be uploaded.' ) );
+		}
+
 		$file_upload = new File_Upload_Upgrader('pluginzip', 'package');
 
 		$title = __('Upload Plugin');
@@ -251,6 +255,10 @@ if ( isset($_GET['action']) ) {
 
 		check_admin_referer('theme-upload');
 
+		if ( isset( $_FILES['themezip']['name'] ) && ! str_ends_with( strtolower( $_FILES['themezip']['name'] ), '.zip' ) ) {
+			wp_die( __( 'Only .zip archives may be uploaded.' ) );
+		}
+
 		$file_upload = new File_Upload_Upgrader('themezip', 'package');
 
 		wp_enqueue_script( 'customize-loader' );