From 2bc3c9a6d9418528029213e138a2c630dfa9705a Mon Sep 17 00:00:00 2001 From: Sergey Biryukov Date: Tue, 16 May 2023 15:47:23 +0000 Subject: [PATCH] Grouped backports to the 4.7 branch. - Media: Prevent CSRF setting attachment thumbnails. - Embeds: Add protocol validation for WordPress Embed code. Merges [55763] and [55764] to the 4.7 branch. Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad. Built from https://develop.svn.wordpress.org/branches/4.7@55784 git-svn-id: http://core.svn.wordpress.org/branches/4.7@55296 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/about.php | 20 ++++++++++++++++++++ wp-admin/includes/ajax-actions.php | 4 ++++ wp-includes/embed.php | 2 +- wp-includes/js/wp-embed.js | 6 ++++++ wp-includes/js/wp-embed.min.js | 2 +- wp-includes/media.php | 3 ++- wp-includes/version.php | 2 +- 7 files changed, 35 insertions(+), 4 deletions(-) diff --git a/wp-admin/about.php b/wp-admin/about.php index dd7d22be0a..334997daee 100644 --- a/wp-admin/about.php +++ b/wp-admin/about.php @@ -45,6 +45,26 @@ include( ABSPATH . 'wp-admin/admin-header.php' );

+

+ Version %s addressed some security issues.' ), + '4.7.26' + ); + ?> + the release notes.' ), + sprintf( + /* translators: %s: WordPress version */ + esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ), + sanitize_title( '4.7.26' ) + ) + ); + ?> +

"; diff --git a/wp-includes/js/wp-embed.js b/wp-includes/js/wp-embed.js index 3be0dc7245..d0a372662c 100644 --- a/wp-includes/js/wp-embed.js +++ b/wp-includes/js/wp-embed.js @@ -37,6 +37,7 @@ var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ), blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ), + allowedProtocols = new RegExp( '^https?:$', 'i' ), i, source, height, sourceURL, targetURL; for ( i = 0; i < blockquotes.length; i++ ) { @@ -72,6 +73,11 @@ sourceURL.href = source.getAttribute( 'src' ); targetURL.href = data.value; + /* Only follow link if the protocol is in the allow list. */ + if ( ! allowedProtocols.test( targetURL.protocol ) ) { + continue; + } + /* Only continue if link hostname matches iframe's hostname. */ if ( targetURL.host === sourceURL.host ) { if ( document.activeElement === source ) { diff --git a/wp-includes/js/wp-embed.min.js b/wp-includes/js/wp-embed.min.js index 4d37bce0b5..57e22365c5 100644 --- a/wp-includes/js/wp-embed.min.js +++ b/wp-includes/js/wp-embed.min.js @@ -1 +1 @@ -!function(c,d){"use strict";var e=!1,n=!1;if(d.querySelector)if(c.addEventListener)e=!0;if(c.wp=c.wp||{},!c.wp.receiveEmbedMessage)if(c.wp.receiveEmbedMessage=function(e){var t=e.data;if(t.secret||t.message||t.value)if(!/[^a-zA-Z0-9]/.test(t.secret)){for(var r,a,i,s=d.querySelectorAll('iframe[data-secret="'+t.secret+'"]'),n=d.querySelectorAll('blockquote[data-secret="'+t.secret+'"]'),o=0;o ! apply_filters( 'disable_captions', '' ), 'nonce' => array( - 'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ), + 'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ), + 'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ), ), 'post' => array( 'id' => 0, diff --git a/wp-includes/version.php b/wp-includes/version.php index bcf1fd38f8..2fba9c274b 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.7.25'; +$wp_version = '4.7.26'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.