
Commit 69ad1bb

committed
General: WordPress updates
* XML-RPC: Improve error messages for unprivileged users. * External Libraries: Disable deserialization in Requests_Utility_FilteredIterator * Embeds: Disable embeds on deactivated Multisite sites. * Coding standards: Modify escaping functions to avoid potential false positives. * XML-RPC: Return error message if attachment ID is incorrect. * Upgrade/install: Improve logic check when determining installation status. * Meta: Sanitize meta key before checking protection status. * Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page. Brings the changes from [49380,49382-49388] to the 4.6 branch. Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32. git-svn-id: https://develop.svn.wordpress.org/branches/4.6@49400 602fd350-edb4-49c9-b593-d223f7449a82
1 parent c1c6d97 commit 69ad1bb

16 files changed

Lines changed: 110 additions & 30 deletions


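--- a/src/wp-admin/admin-header.php
+++ b/src/wp-admin/admin-header.php
@@ -70,13 +70,13 @@
 $admin_body_class = preg_replace('/[^a-z0-9_-]+/i', '-', $hook_suffix);
 ?>
 <script type="text/javascript">
-addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
-pagenow = '<?php echo $current_screen->id; ?>',
-typenow = '<?php echo $current_screen->post_type; ?>',
-adminpage = '<?php echo $admin_body_class; ?>',
-thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
-decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
+addLoadEvent = function(func){if(typeof jQuery!=='undefined')jQuery(document).ready(func);else if(typeof wpOnload!=='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
+pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
+typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
+adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
+thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
+decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
 isRtl = <?php echo (int) is_rtl(); ?>;
 </script>
 <meta name="viewport" content="width=device-width,initial-scale=1.0">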

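--- a/src/wp-admin/custom-background.php
+++ b/src/wp-admin/custom-background.php
@@ -464,6 +464,7 @@ public function filter_upload_tabs( $tabs ) {
 * @deprecated 3.5.0
 */
 public function wp_set_background_image() {
+check_ajax_referer( 'custom-background' );
 if ( ! current_user_can('edit_theme_options') || ! isset( $_POST['attachment_id'] ) ) exit;
 $attachment_id = absint($_POST['attachment_id']);
 /** This filter is documented in wp-admin/includes/media.php */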
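Review bot: The docblock above `wp_set_background_image()` still says only `@deprecated 3.5.0` and does not mention that the request must now carry a nonce; `check_ajax_referer( 'custom-background' )` with its default arguments terminates the request before the capability check when no valid nonce is present. Any remaining caller of this deprecated handler that does not send `_ajax_nonce` (or `_wpnonce`) is now rejected, and from the caller's side that failure is silent. Suggest adding to the docblock: ` * Requires a valid 'custom-background' nonce in the request (see check_ajax_referer()).` The function body continues outside the hunk.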

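--- a/src/wp-admin/custom-header.php
+++ b/src/wp-admin/custom-header.php
@@ -326,7 +326,7 @@ public function js_1() {
 ?>
 <script type="text/javascript">
 (function($){
-var default_color = '<?php echo $default_color; ?>',
+var default_color = '<?php echo esc_js( $default_color ); ?>',
 header_text_fields;
 
 function pickColor(color) {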

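--- a/src/wp-admin/includes/media.php
+++ b/src/wp-admin/includes/media.php
@@ -464,7 +464,7 @@ function wp_iframe($content_func /* ... */) {
 ?>
 <script type="text/javascript">
 addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
 isRtl = <?php echo (int) is_rtl(); ?>;
 </script>
 <?php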
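Review bot: The `addLoadEvent` one-liner on the context line directly above the changed `ajaxurl` line still uses loose `!=` for its two `typeof` comparisons, whereas this commit changed the identical snippet in src/wp-admin/admin-header.php to `!==`; the copy inside `iframe_header()` in src/wp-admin/includes/template.php is in the same state. The result is the same either way because `typeof` always yields a string, so this is consistency only, but three diverging copies of the same bootstrap line make the next escaping audit harder than it needs to be. Changing both remaining copies to `typeof jQuery!=='undefined'` and `typeof wpOnload!=='function'` keeps them byte-identical to admin-header.php. `wp_iframe()` starts and ends outside the hunk.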

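--- a/src/wp-admin/includes/ms.php
+++ b/src/wp-admin/includes/ms.php
@@ -893,7 +893,7 @@ function can_edit_network( $site_id ) {
 function _thickbox_path_admin_subfolder() {
 ?>
 <script type="text/javascript">
-var tb_pathToImage = "<?php echo includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ); ?>";
+var tb_pathToImage = "<?php echo esc_js( includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ) ); ?>";
 </script>
 <?php
 }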
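Review bot: `esc_js()` is documented for values placed inside single-quoted JavaScript strings, but the `tb_pathToImage` literal on the added line is double-quoted. Breakout is still prevented because `esc_js()` turns `"` into `&quot;`, yet a value containing a double quote would reach the script as an HTML entity rather than the character, and every other hunk in this commit uses single-quoted literals around `esc_js()`. For consistency, switch the quoting: `var tb_pathToImage = '<?php echo esc_js( includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ) ); ?>';`.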

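--- a/src/wp-admin/includes/template.php
+++ b/src/wp-admin/includes/template.php
@@ -1592,12 +1592,12 @@ function iframe_header( $title = '', $deprecated = false ) {
 <script type="text/javascript">
 addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
 function tb_close(){var win=window.dialogArguments||opener||parent||top;win.tb_remove();}
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
-pagenow = '<?php echo $current_screen->id; ?>',
-typenow = '<?php echo $current_screen->post_type; ?>',
-adminpage = '<?php echo $admin_body_class; ?>',
-thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
-decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
+pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
+typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
+adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
+thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
+decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
 isRtl = <?php echo (int) is_rtl(); ?>;
 </script>
 <?php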

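--- a/src/wp-admin/js/custom-background.js
+++ b/src/wp-admin/js/custom-background.js
@@ -56,11 +56,13 @@
 frame.on( 'select', function() {
 // Grab the selected attachment.
 var attachment = frame.state().get('selection').first();
+var nonceValue = $( '#_wpnonce' ).val() || '';
 
 // Run an AJAX request to set the background image.
 $.post( ajaxurl, {
 action: 'set-background-image',
 attachment_id: attachment.id,
+_ajax_nonce: nonceValue,
 size: 'full'
 }).done( function() {
 // When the request completes, reload the window.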
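Review bot: `nonceValue` is read from a `#_wpnonce` element that the added line assumes is present in the page; when it is not, the `|| ''` fallback sends an empty `_ajax_nonce`, the server-side `check_ajax_referer()` this commit adds in src/wp-admin/custom-background.php rejects the request, and with only a `.done()` handler visible the user gets no feedback that the background was not set. Worth a comment so the coupling is explicit: `// Nonce from the page's hidden _wpnonce field; the set-background-image handler now rejects requests without it.` A `.fail()` handler that surfaces the rejection would be a follow-up outside this hunk; the enclosing `select` callback continues past it.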

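--- a/src/wp-admin/js/media-gallery.js
+++ b/src/wp-admin/js/media-gallery.js
@@ -1,18 +1,20 @@
 /* global ajaxurl */
 jQuery(function($){
 $( 'body' ).bind( 'click.wp-gallery', function(e){
-var target = $( e.target ), id, img_size;
+var target = $( e.target ), id, img_size, nonceValue;
 
 if ( target.hasClass( 'wp-set-header' ) ) {
 ( window.dialogArguments || opener || parent || top ).location.href = target.data( 'location' );
 e.preventDefault();
 } else if ( target.hasClass( 'wp-set-background' ) ) {
 id = target.data( 'attachment-id' );
 img_size = $( 'input[name="attachments[' + id + '][image-size]"]:checked').val();
+nonceValue = $( '#_wpnonce' ).val() && '';
 
 jQuery.post(ajaxurl, {
 action: 'set-background-image',
 attachment_id: id,
+_ajax_nonce: nonceValue,
 size: img_size
 }, function(){
 var win = window.dialogArguments || opener || parent || top;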
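Review bot: The added `nonceValue = $( '#_wpnonce' ).val() && '';` never yields the nonce: `&&` evaluates to `''` whenever the field has a value and to the falsy value itself otherwise, so `_ajax_nonce` is always empty or undefined and the `set-background-image` request is rejected by the `check_ajax_referer()` this commit adds in src/wp-admin/custom-background.php. The sibling change in src/wp-admin/js/custom-background.js uses `||`, which is what was intended here. Change the line to `nonceValue = $( '#_wpnonce' ).val() || '';`. The click handler continues outside the hunk.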

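--- a/src/wp-admin/media-new.php
+++ b/src/wp-admin/media-new.php
@@ -72,9 +72,9 @@
 <?php media_upload_form(); ?>
 
 <script type="text/javascript">
-var post_id = <?php echo $post_id; ?>, shortform = 3;
+var post_id = <?php echo absint( $post_id ); ?>, shortform = 3;
 </script>
-<input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
+<input type="hidden" name="post_id" id="post_id" value="<?php echo absint( $post_id ); ?>" />
 <?php wp_nonce_field('media-form'); ?>
 <div id="media-items" class="hide-if-no-js"></div>
 </form>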

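--- a/src/wp-admin/network/site-users.php
+++ b/src/wp-admin/network/site-users.php
@@ -197,7 +197,7 @@
 require( ABSPATH . 'wp-admin/admin-header.php' ); ?>
 
 <script type="text/javascript">
-var current_site_id = <?php echo $id; ?>;
+var current_site_id = <?php echo absint( $id ); ?>;
 </script>
 
 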