From 41a7a8e58138d8d1387d237bbb2dd4bacf52a95d Mon Sep 17 00:00:00 2001
From: Peter Wilson <wilson@peterwilson.cc>
Date: Thu, 13 Dec 2018 01:42:20 +0000
Subject: [PATCH] Multisite: Validate activation links.

Merges [44048] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@44057


git-svn-id: http://core.svn.wordpress.org/branches/4.6@43887 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-activate.php                       |  4 +++-
 wp-admin/includes/class-wp-screen.php |  4 +++-
 wp-admin/post.php                     |  8 +++++++-
 wp-includes/class-wp.php              |  2 ++
 wp-includes/ms-deprecated.php         | 15 ++++++++++-----
 5 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/wp-activate.php b/wp-activate.php
index 770e7a1ecf..5669497c9f 100644
--- a/wp-activate.php
+++ b/wp-activate.php
@@ -26,7 +26,9 @@ $activate_cookie = 'wp-activate-' . COOKIEHASH;
 $key    = '';
 $result = null;
 
-if ( ! empty( $_GET['key'] ) ) {
+if ( isset( $_GET['key'] ) && isset( $_POST['key'] ) && $_GET['key'] !== $_POST['key'] ) {
+	wp_die( __( 'A key value mismatch has been detected. Please follow the link provided in your activation email.' ), __( 'An error occurred during the activation' ), 400 );
+} elseif ( ! empty( $_GET['key'] ) ) {
 	$key = $_GET['key'];
 } elseif ( ! empty( $_POST['key'] ) ) {
 	$key = $_POST['key'];
diff --git a/wp-admin/includes/class-wp-screen.php b/wp-admin/includes/class-wp-screen.php
index 967875917c..6243a5d175 100644
--- a/wp-admin/includes/class-wp-screen.php
+++ b/wp-admin/includes/class-wp-screen.php
@@ -290,7 +290,9 @@ final class WP_Screen {
 
 			switch ( $base ) {
 				case 'post' :
-					if ( isset( $_GET['post'] ) )
+					if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] )
+						wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
+					elseif ( isset( $_GET['post'] ) )
 						$post_id = (int) $_GET['post'];
 					elseif ( isset( $_POST['post_ID'] ) )
 						$post_id = (int) $_POST['post_ID'];
diff --git a/wp-admin/post.php b/wp-admin/post.php
index 437d1bd997..bcd39aeb3f 100644
--- a/wp-admin/post.php
+++ b/wp-admin/post.php
@@ -16,7 +16,9 @@ $submenu_file = 'edit.php';
 
 wp_reset_vars( array( 'action' ) );
 
-if ( isset( $_GET['post'] ) )
+if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] )
+	wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
+elseif ( isset( $_GET['post'] ) )
  	$post_id = $post_ID = (int) $_GET['post'];
 elseif ( isset( $_POST['post_ID'] ) )
  	$post_id = $post_ID = (int) $_POST['post_ID'];
@@ -38,6 +40,10 @@ if ( $post ) {
 	$post_type_object = get_post_type_object( $post_type );
 }
 
+if ( isset( $_POST['post_type'] ) && $post && $post_type !== $_POST['post_type'] ) {
+	wp_die( __( 'A post type mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
+}
+
 if ( isset( $_POST['deletepost'] ) )
 	$action = 'delete';
 elseif ( isset($_POST['wp-preview']) && 'dopreview' == $_POST['wp-preview'] )
diff --git a/wp-includes/class-wp.php b/wp-includes/class-wp.php
index 4a9718364e..b363e2d444 100644
--- a/wp-includes/class-wp.php
+++ b/wp-includes/class-wp.php
@@ -302,6 +302,8 @@ class WP {
 		foreach ( $this->public_query_vars as $wpvar ) {
 			if ( isset( $this->extra_query_vars[$wpvar] ) )
 				$this->query_vars[$wpvar] = $this->extra_query_vars[$wpvar];
+			elseif ( isset( $_GET[ $wpvar ] ) && isset( $_POST[ $wpvar ] ) && $_GET[ $wpvar ] !== $_POST[ $wpvar ] )
+				wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
 			elseif ( isset( $_POST[$wpvar] ) )
 				$this->query_vars[$wpvar] = $_POST[$wpvar];
 			elseif ( isset( $_GET[$wpvar] ) )
diff --git a/wp-includes/ms-deprecated.php b/wp-includes/ms-deprecated.php
index 7e43fccd83..a944575416 100644
--- a/wp-includes/ms-deprecated.php
+++ b/wp-includes/ms-deprecated.php
@@ -270,10 +270,13 @@ function wpmu_admin_do_redirect( $url = '' ) {
 	_deprecated_function( __FUNCTION__, '3.3.0' );
 
 	$ref = '';
-	if ( isset( $_GET['ref'] ) )
-		$ref = $_GET['ref'];
-	if ( isset( $_POST['ref'] ) )
-		$ref = $_POST['ref'];
+	if ( isset( $_GET['ref'] ) && isset( $_POST['ref'] ) && $_GET['ref'] !== $_POST['ref'] ) {
+		wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
+	} elseif ( isset( $_POST['ref'] ) ) {
+		$ref = $_POST[ 'ref' ];
+	} elseif ( isset( $_GET['ref'] ) ) {
+		$ref = $_GET[ 'ref' ];
+	}
 
 	if ( $ref ) {
 		$ref = wpmu_admin_redirect_add_updated_param( $ref );
@@ -286,7 +289,9 @@ function wpmu_admin_do_redirect( $url = '' ) {
 	}
 
 	$url = wpmu_admin_redirect_add_updated_param( $url );
-	if ( isset( $_GET['redirect'] ) ) {
+	if ( isset( $_GET['redirect'] ) && isset( $_POST['redirect'] ) && $_GET['redirect'] !== $_POST['redirect'] ) {
+		wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
+	} elseif ( isset( $_GET['redirect'] ) ) {
 		if ( substr( $_GET['redirect'], 0, 2 ) == 's_' )
 			$url .= '&action=blogs&s='. esc_html( substr( $_GET['redirect'], 2 ) );
 	} elseif ( isset( $_POST['redirect'] ) ) {