Backporting several bug fixes.

- Query: Remove the static query property. - HTTP API: Protect against hex interpretation. - Filesystem API: Prevent directory travelersals when creating new folders. - Administration: Ensure that admin referer nonce is valid. - REST API: Send a Vary: Origin header on GET requests. - Customizer: Properly sanitize background images. Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.0 branch. Built from https://develop.svn.wordpress.org/branches/4.0@46502 git-svn-id: http://core.svn.wordpress.org/branches/4.0@46299 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 19:20:15 +00:00 · 2019-10-14 19:20:15 +00:00 · 8a02054f7e
parent d6d162d67c
commit 8a02054f7e
5 changed files with 22 additions and 9 deletions
--- a/wp-includes/class-wp.php
+++ b/wp-includes/class-wp.php
@ -15,7 +15,7 @@ class WP {
 	 * @access public
 	 * @var array
 	 */
-	public $public_query_vars = array('m', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'static', 'pagename', 'page_id', 'error', 'comments_popup', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type');
+	public $public_query_vars = array( 'm', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'pagename', 'page_id', 'error', 'comments_popup', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );

 	/**
 	 * Private query variables.
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@ -1492,6 +1492,11 @@ function wp_mkdir_p( $target ) {
 	if ( file_exists( $target ) )
 		return @is_dir( $target );

+	// Do not allow path traversals.
+	if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
+		return false;
+	}
+
 	// We need to find the permissions of the parent folder that exists and inherit that.
 	$target_parent = dirname( $target );
 	while ( '.' != $target_parent && ! is_dir( $target_parent ) ) {
--- a/wp-includes/http.php
+++ b/wp-includes/http.php
@ -469,8 +469,9 @@ function wp_http_validate_url( $url ) {
 			$ip = $host;
 		} else {
 			$ip = gethostbyname( $host );
-			if ( $ip === $host ) // Error condition for gethostbyname()
-				$ip = false;
+			if ( $ip === $host ) { // Error condition for gethostbyname()
+				return false;
+			}
 		}
 		if ( $ip ) {
 			$parts = array_map( 'intval', explode( '.', $ip ) );
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@ -1064,9 +1064,9 @@ if ( !function_exists('check_admin_referer') ) :
 * @param string $action Action nonce
 * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
 */
-function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
-	if ( -1 == $action )
-		_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2' );
+function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
+	if ( -1 === $action )
+		_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );

 	$adminurl = strtolower(admin_url());
 	$referer = strtolower(wp_get_referer());
@ -1085,6 +1085,12 @@ function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
 	 * @param bool   $result Whether the admin request nonce was validated.
 	 */
 	do_action( 'check_admin_referer', $action, $result );
+
+	if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
+		wp_nonce_ays( $action );
+		die();
+	}
+
 	return $result;
 }
 endif;
@ -1099,6 +1105,9 @@ if ( !function_exists('check_ajax_referer') ) :
 * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
 */
 function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
+	if ( -1 === $action )
+		_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
+
 	$nonce = '';

 	if ( $query_arg && isset( $_REQUEST[ $query_arg ] ) )
@ -2293,4 +2302,3 @@ function wp_text_diff( $left_string, $right_string, $args = null ) {
 	return $r;
 }
 endif;
-
--- a/wp-includes/query.php
+++ b/wp-includes/query.php
@ -1398,7 +1398,6 @@ class WP_Query {
 			, 'attachment'
 			, 'attachment_id'
 			, 'name'
-			, 'static'
 			, 'pagename'
 			, 'page_id'
 			, 'second'
@ -1596,7 +1595,7 @@ class WP_Query {
 			// If year, month, day, hour, minute, and second are set, a single
 			// post is being queried.
 			$this->is_single = true;
-		} elseif ( '' != $qv['static'] || '' != $qv['pagename'] || !empty($qv['page_id']) ) {
+		} elseif ( '' != $qv['pagename'] || !empty($qv['page_id']) ) {
 			$this->is_page = true;
 			$this->is_single = false;
 		} else {