From 0d6d8d811dc01ca94679f3b3ff594ee0a4bb3053 Mon Sep 17 00:00:00 2001 From: Sergey Biryukov Date: Tue, 16 May 2023 15:54:27 +0000 Subject: [PATCH] Grouped backports to the 4.9 branch. - Media: Prevent CSRF setting attachment thumbnails. - Embeds: Add protocol validation for WordPress Embed code. Merges [55763] and [55764] to the 4.9 branch. Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad. Built from https://develop.svn.wordpress.org/branches/4.9@55787 git-svn-id: http://core.svn.wordpress.org/branches/4.9@55299 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/about.php | 20 ++++++++++++++++++++ wp-admin/includes/ajax-actions.php | 4 ++++ wp-includes/embed.php | 2 +- wp-includes/js/wp-embed.js | 6 ++++++ wp-includes/js/wp-embed.min.js | 2 +- wp-includes/media.php | 3 ++- wp-includes/version.php | 2 +- 7 files changed, 35 insertions(+), 4 deletions(-) diff --git a/wp-admin/about.php b/wp-admin/about.php index 46760ffe90..5754ea0095 100644 --- a/wp-admin/about.php +++ b/wp-admin/about.php @@ -33,6 +33,26 @@ include( ABSPATH . 'wp-admin/admin-header.php' );

+

+ Version %s addressed some security issues.' ), + '4.9.23' + ); + ?> + the release notes.' ), + sprintf( + /* translators: %s: WordPress version */ + esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ), + sanitize_title( '4.9.23' ) + ) + ); + ?> +

"; diff --git a/wp-includes/js/wp-embed.js b/wp-includes/js/wp-embed.js index 17270b05d8..85f53f263e 100644 --- a/wp-includes/js/wp-embed.js +++ b/wp-includes/js/wp-embed.js @@ -43,6 +43,7 @@ var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ), blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ), + allowedProtocols = new RegExp( '^https?:$', 'i' ), i, source, height, sourceURL, targetURL; for ( i = 0; i < blockquotes.length; i++ ) { @@ -78,6 +79,11 @@ sourceURL.href = source.getAttribute( 'src' ); targetURL.href = data.value; + /* Only follow link if the protocol is in the allow list. */ + if ( ! allowedProtocols.test( targetURL.protocol ) ) { + continue; + } + /* Only continue if link hostname matches iframe's hostname. */ if ( targetURL.host === sourceURL.host ) { if ( document.activeElement === source ) { diff --git a/wp-includes/js/wp-embed.min.js b/wp-includes/js/wp-embed.min.js index 4860629324..f4a49c5493 100644 --- a/wp-includes/js/wp-embed.min.js +++ b/wp-includes/js/wp-embed.min.js @@ -1 +1 @@ -!function(c,d){"use strict";var e=!1,n=!1;if(d.querySelector)if(c.addEventListener)e=!0;if(c.wp=c.wp||{},!c.wp.receiveEmbedMessage)if(c.wp.receiveEmbedMessage=function(e){var t=e.data;if(t)if(t.secret||t.message||t.value)if(!/[^a-zA-Z0-9]/.test(t.secret)){for(var r,a,i,s=d.querySelectorAll('iframe[data-secret="'+t.secret+'"]'),n=d.querySelectorAll('blockquote[data-secret="'+t.secret+'"]'),o=0;o ! apply_filters( 'disable_captions', '' ), 'nonce' => array( - 'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ), + 'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ), + 'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ), ), 'post' => array( 'id' => 0, diff --git a/wp-includes/version.php b/wp-includes/version.php index 3f666afab5..ea160e96e4 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.9.22'; +$wp_version = '4.9.23'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.