Grouped backports to the 4.9 branch.
- Media: Prevent CSRF setting attachment thumbnails. - Embeds: Add protocol validation for WordPress Embed code. Merges [55763] and [55764] to the 4.9 branch. Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad. Built from https://develop.svn.wordpress.org/branches/4.9@55787 git-svn-id: http://core.svn.wordpress.org/branches/4.9@55299 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
65e9d7950e
commit
0d6d8d811d
@ -33,6 +33,26 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
|
|||||||
|
|
||||||
<div class="changelog point-releases">
|
<div class="changelog point-releases">
|
||||||
<h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
|
<h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
|
||||||
|
<p>
|
||||||
|
<?php
|
||||||
|
printf(
|
||||||
|
/* translators: %s: WordPress version number */
|
||||||
|
__( '<strong>Version %s</strong> addressed some security issues.' ),
|
||||||
|
'4.9.23'
|
||||||
|
);
|
||||||
|
?>
|
||||||
|
<?php
|
||||||
|
printf(
|
||||||
|
/* translators: %s: HelpHub URL */
|
||||||
|
__( 'For more information, see <a href="%s">the release notes</a>.' ),
|
||||||
|
sprintf(
|
||||||
|
/* translators: %s: WordPress version */
|
||||||
|
esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
|
||||||
|
sanitize_title( '4.9.23' )
|
||||||
|
)
|
||||||
|
);
|
||||||
|
?>
|
||||||
|
</p>
|
||||||
<p>
|
<p>
|
||||||
<?php
|
<?php
|
||||||
printf(
|
printf(
|
||||||
|
@ -2259,6 +2259,10 @@ function wp_ajax_set_attachment_thumbnail() {
|
|||||||
wp_send_json_error();
|
wp_send_json_error();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
|
||||||
|
wp_send_json_error();
|
||||||
|
}
|
||||||
|
|
||||||
$post_ids = array();
|
$post_ids = array();
|
||||||
// For each URL, try to find its corresponding post ID.
|
// For each URL, try to find its corresponding post ID.
|
||||||
foreach ( $_POST['urls'] as $url ) {
|
foreach ( $_POST['urls'] as $url ) {
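Review bot: The new `check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false )` guard is placed after an earlier early-return whose condition lies above the hunk, so some request processing may still run for a forged request before the nonce is verified; the nonce check is conventionally the first statement of an AJAX handler so that nothing at all is evaluated for an unauthenticated caller. A nonce only defends against CSRF, not against an authenticated but unauthorized user, so the handler still needs a capability check on the affected attachment before `$_POST['urls']` is processed; whether one exists above the hunk cannot be seen here. The `foreach ( $_POST['urls'] as $url )` that follows iterates the request value without a visible type check, which is pre-existing but would be cheap to harden if the guard above the hunk does not already do so, e.g. `if ( empty( $_POST['urls'] ) || ! is_array( $_POST['urls'] ) ) { wp_send_json_error(); }`. wp_ajax_set_attachment_thumbnail begins and ends outside the hunk.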
|
||||||
|
@ -450,7 +450,7 @@ function get_post_embed_html( $width, $height, $post = null ) {
|
|||||||
* and edit wp-embed.js directly.
|
* and edit wp-embed.js directly.
|
||||||
*/
|
*/
|
||||||
$output .=<<<JS
|
$output .=<<<JS
|
||||||
!function(c,d){"use strict";var e=!1,n=!1;if(d.querySelector)if(c.addEventListener)e=!0;if(c.wp=c.wp||{},!c.wp.receiveEmbedMessage)if(c.wp.receiveEmbedMessage=function(e){var t=e.data;if(t)if(t.secret||t.message||t.value)if(!/[^a-zA-Z0-9]/.test(t.secret)){for(var r,a,i,s=d.querySelectorAll('iframe[data-secret="'+t.secret+'"]'),n=d.querySelectorAll('blockquote[data-secret="'+t.secret+'"]'),o=0;o<n.length;o++)n[o].style.display="none";for(o=0;o<s.length;o++)if(r=s[o],e.source===r.contentWindow){if(r.removeAttribute("style"),"height"===t.message){if(1e3<(i=parseInt(t.value,10)))i=1e3;else if(~~i<200)i=200;r.height=i}if("link"===t.message)if(a=d.createElement("a"),i=d.createElement("a"),a.href=r.getAttribute("src"),i.href=t.value,i.host===a.host)if(d.activeElement===r)c.top.location.href=t.value}}},e)c.addEventListener("message",c.wp.receiveEmbedMessage,!1),d.addEventListener("DOMContentLoaded",t,!1),c.addEventListener("load",t,!1);function t(){if(!n){n=!0;for(var e,t,r=-1!==navigator.appVersion.indexOf("MSIE 10"),a=!!navigator.userAgent.match(/Trident.*rv:11\./),i=d.querySelectorAll("iframe.wp-embedded-content"),s=0;s<i.length;s++){if(!(e=i[s]).getAttribute("data-secret"))t=Math.random().toString(36).substr(2,10),e.src+="#?secret="+t,e.setAttribute("data-secret",t);if(r||a)(t=e.cloneNode(!0)).removeAttribute("security"),e.parentNode.replaceChild(t,e)}}}}(window,document);
|
!function(d,l){"use strict";var e=!1,n=!1;if(l.querySelector)if(d.addEventListener)e=!0;if(d.wp=d.wp||{},!d.wp.receiveEmbedMessage)if(d.wp.receiveEmbedMessage=function(e){var t=e.data;if(t)if(t.secret||t.message||t.value)if(!/[^a-zA-Z0-9]/.test(t.secret)){for(var r,i,a,s=l.querySelectorAll('iframe[data-secret="'+t.secret+'"]'),n=l.querySelectorAll('blockquote[data-secret="'+t.secret+'"]'),o=new RegExp("^https?:$","i"),c=0;c<n.length;c++)n[c].style.display="none";for(c=0;c<s.length;c++)if(r=s[c],e.source===r.contentWindow){if(r.removeAttribute("style"),"height"===t.message){if(1e3<(a=parseInt(t.value,10)))a=1e3;else if(~~a<200)a=200;r.height=a}if("link"===t.message)if(i=l.createElement("a"),a=l.createElement("a"),i.href=r.getAttribute("src"),a.href=t.value,o.test(a.protocol))if(a.host===i.host)if(l.activeElement===r)d.top.location.href=t.value}}},e)d.addEventListener("message",d.wp.receiveEmbedMessage,!1),l.addEventListener("DOMContentLoaded",t,!1),d.addEventListener("load",t,!1);function t(){if(!n){n=!0;for(var e,t,r=-1!==navigator.appVersion.indexOf("MSIE 10"),i=!!navigator.userAgent.match(/Trident.*rv:11\./),a=l.querySelectorAll("iframe.wp-embedded-content"),s=0;s<a.length;s++){if(!(e=a[s]).getAttribute("data-secret"))t=Math.random().toString(36).substr(2,10),e.src+="#?secret="+t,e.setAttribute("data-secret",t);if(r||i)(t=e.cloneNode(!0)).removeAttribute("security"),e.parentNode.replaceChild(t,e)}}}}(window,document);
|
||||||
JS;
|
JS;
|
||||||
}
|
}
|
||||||
$output .= "\n//--><!]]>";
|
$output .= "\n//--><!]]>";
|
||||||
|
@ -43,6 +43,7 @@
|
|||||||
|
|
||||||
var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
|
var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
|
||||||
blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
|
blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
|
||||||
|
allowedProtocols = new RegExp( '^https?:$', 'i' ),
|
||||||
i, source, height, sourceURL, targetURL;
|
i, source, height, sourceURL, targetURL;
|
||||||
|
|
||||||
for ( i = 0; i < blockquotes.length; i++ ) {
|
for ( i = 0; i < blockquotes.length; i++ ) {
|
||||||
@ -78,6 +79,11 @@
|
|||||||
sourceURL.href = source.getAttribute( 'src' );
|
sourceURL.href = source.getAttribute( 'src' );
|
||||||
targetURL.href = data.value;
|
targetURL.href = data.value;
|
||||||
|
|
||||||
|
/* Only follow link if the protocol is in the allow list. */
|
||||||
|
if ( ! allowedProtocols.test( targetURL.protocol ) ) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
/* Only continue if link hostname matches iframe's hostname. */
|
/* Only continue if link hostname matches iframe's hostname. */
|
||||||
if ( targetURL.host === sourceURL.host ) {
|
if ( targetURL.host === sourceURL.host ) {
|
||||||
if ( document.activeElement === source ) {
|
if ( document.activeElement === source ) {
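Review bot: `allowedProtocols = new RegExp( '^https?:$', 'i' )` is declared in the `var` list of the message handler, so the regex is rebuilt on every received message, and it is written as a constructor call while the secret check in the same file uses a regex literal; a literal `/^https?:$/i` hoisted next to the file's other module-level state would be cheaper and consistent. The check itself is sound: `targetURL.protocol` is read after `targetURL.href = data.value` is resolved by the anchor element, so a non-absolute value inherits the page's own scheme and is then still subject to the existing host-equality test, which is worth stating in the comment, e.g. `/* Only follow link if the resolved protocol is http(s); the host check below still applies. */`. The `continue` relies on the enclosing iframe loop, which starts outside the hunk, and the same regex appears in the minified copies in wp-embed.min.js and the heredoc in embed.php, which must be regenerated together with this file.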
|
||||||
|
2
wp-includes/js/wp-embed.min.js
vendored
2
wp-includes/js/wp-embed.min.js
vendored
@ -1 +1 @@
|
|||||||
!function(c,d){"use strict";var e=!1,n=!1;if(d.querySelector)if(c.addEventListener)e=!0;if(c.wp=c.wp||{},!c.wp.receiveEmbedMessage)if(c.wp.receiveEmbedMessage=function(e){var t=e.data;if(t)if(t.secret||t.message||t.value)if(!/[^a-zA-Z0-9]/.test(t.secret)){for(var r,a,i,s=d.querySelectorAll('iframe[data-secret="'+t.secret+'"]'),n=d.querySelectorAll('blockquote[data-secret="'+t.secret+'"]'),o=0;o<n.length;o++)n[o].style.display="none";for(o=0;o<s.length;o++)if(r=s[o],e.source===r.contentWindow){if(r.removeAttribute("style"),"height"===t.message){if(1e3<(i=parseInt(t.value,10)))i=1e3;else if(~~i<200)i=200;r.height=i}if("link"===t.message)if(a=d.createElement("a"),i=d.createElement("a"),a.href=r.getAttribute("src"),i.href=t.value,i.host===a.host)if(d.activeElement===r)c.top.location.href=t.value}}},e)c.addEventListener("message",c.wp.receiveEmbedMessage,!1),d.addEventListener("DOMContentLoaded",t,!1),c.addEventListener("load",t,!1);function t(){if(!n){n=!0;for(var e,t,r=-1!==navigator.appVersion.indexOf("MSIE 10"),a=!!navigator.userAgent.match(/Trident.*rv:11\./),i=d.querySelectorAll("iframe.wp-embedded-content"),s=0;s<i.length;s++){if(!(e=i[s]).getAttribute("data-secret"))t=Math.random().toString(36).substr(2,10),e.src+="#?secret="+t,e.setAttribute("data-secret",t);if(r||a)(t=e.cloneNode(!0)).removeAttribute("security"),e.parentNode.replaceChild(t,e)}}}}(window,document);
|
!function(d,l){"use strict";var e=!1,n=!1;if(l.querySelector)if(d.addEventListener)e=!0;if(d.wp=d.wp||{},!d.wp.receiveEmbedMessage)if(d.wp.receiveEmbedMessage=function(e){var t=e.data;if(t)if(t.secret||t.message||t.value)if(!/[^a-zA-Z0-9]/.test(t.secret)){for(var r,i,a,s=l.querySelectorAll('iframe[data-secret="'+t.secret+'"]'),n=l.querySelectorAll('blockquote[data-secret="'+t.secret+'"]'),o=new RegExp("^https?:$","i"),c=0;c<n.length;c++)n[c].style.display="none";for(c=0;c<s.length;c++)if(r=s[c],e.source===r.contentWindow){if(r.removeAttribute("style"),"height"===t.message){if(1e3<(a=parseInt(t.value,10)))a=1e3;else if(~~a<200)a=200;r.height=a}if("link"===t.message)if(i=l.createElement("a"),a=l.createElement("a"),i.href=r.getAttribute("src"),a.href=t.value,o.test(a.protocol))if(a.host===i.host)if(l.activeElement===r)d.top.location.href=t.value}}},e)d.addEventListener("message",d.wp.receiveEmbedMessage,!1),l.addEventListener("DOMContentLoaded",t,!1),d.addEventListener("load",t,!1);function t(){if(!n){n=!0;for(var e,t,r=-1!==navigator.appVersion.indexOf("MSIE 10"),i=!!navigator.userAgent.match(/Trident.*rv:11\./),a=l.querySelectorAll("iframe.wp-embedded-content"),s=0;s<a.length;s++){if(!(e=a[s]).getAttribute("data-secret"))t=Math.random().toString(36).substr(2,10),e.src+="#?secret="+t,e.setAttribute("data-secret",t);if(r||i)(t=e.cloneNode(!0)).removeAttribute("security"),e.parentNode.replaceChild(t,e)}}}}(window,document);
|
@ -3442,7 +3442,8 @@ function wp_enqueue_media( $args = array() ) {
|
|||||||
/** This filter is documented in wp-admin/includes/media.php */
|
/** This filter is documented in wp-admin/includes/media.php */
|
||||||
'captions' => ! apply_filters( 'disable_captions', '' ),
|
'captions' => ! apply_filters( 'disable_captions', '' ),
|
||||||
'nonce' => array(
|
'nonce' => array(
|
||||||
'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
|
'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
|
||||||
|
'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ),
|
||||||
),
|
),
|
||||||
'post' => array(
|
'post' => array(
|
||||||
'id' => 0,
|
'id' => 0,
|
||||||
|
@ -4,7 +4,7 @@
|
|||||||
*
|
*
|
||||||
* @global string $wp_version
|
* @global string $wp_version
|
||||||
*/
|
*/
|
||||||
$wp_version = '4.9.22';
|
$wp_version = '4.9.23';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||||
|