Grouped backports to the 4.4 branch.

- Media: Prevent CSRF setting attachment thumbnails. - Embeds: Add protocol validation for WordPress Embed code. Merges [55763] and [55764] to the 4.4 branch. Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad. git-svn-id: https://develop.svn.wordpress.org/branches/4.4@55779 602fd350-edb4-49c9-b593-d223f7449a82
2025-03-15 09:29:48 +01:00 · 2023-05-16 15:36:46 +00:00 · 2023-05-16 15:36:46 +00:00 · 9ede4924ce
commit 9ede4924ce
parent b9b63a9c16
9 changed files with 139 additions and 4 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -1,6 +1,6 @@
 {
 	"name": "WordPress",
-	"version": "4.4.29",
+	"version": "4.4.30",
 	"lockfileVersion": 1,
 	"requires": true,
 	"dependencies": {
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
 	"name": "WordPress",
-	"version": "4.4.29",
+	"version": "4.4.30",
 	"description": "WordPress is web software you can use to create a beautiful website or blog.",
 	"repository": {
 		"type": "svn",
--- a/src/wp-admin/about.php
+++ b/src/wp-admin/about.php
@ -50,6 +50,26 @@ include( ABSPATH . 'wp-admin/admin-header.php' );

 		<div class="changelog point-releases">
 			<h3><?php _e( 'Maintenance and Security Releases' ); ?> </h3>
+			<p>
+				<?php
+				printf(
+					/* translators: %s: WordPress version number */
+					__( '<strong>Version %s</strong> addressed some security issues.' ),
+					'4.4.30'
+				);
+				?>
+				<?php
+				printf(
+					/* translators: %s: HelpHub URL */
+					__( 'For more information, see <a href="%s">the release notes</a>.' ),
+					sprintf(
+						/* translators: %s: WordPress version */
+						esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+						sanitize_title( '4.4.30' )
+					)
+				);
+				?>
+			</p>
 			<p>
 				<?php
 				printf(
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@ -2160,6 +2160,10 @@ function wp_ajax_set_attachment_thumbnail() {
 		wp_send_json_error();
 	}

+	if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
+		wp_send_json_error();
+	}
+
 	$post_ids = array();
 	// For each URL, try to find its corresponding post ID.
 	foreach ( $_POST['urls'] as $url ) {
--- a/src/wp-includes/js/media/views/frame/video-details.js
+++ b/src/wp-includes/js/media/views/frame/video-details.js
@ -104,6 +104,7 @@ VideoDetails = MediaDetails.extend({

 			wp.ajax.send( 'set-attachment-thumbnail', {
 				data : {
+					_ajax_nonce: wp.media.view.settings.nonce.setAttachmentThumbnail,
 					urls: urls,
 					thumbnail_id: attachment.get( 'id' )
 				}
--- a/src/wp-includes/js/wp-embed.js
+++ b/src/wp-includes/js/wp-embed.js
@ -37,6 +37,7 @@

 		var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
 			blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
+			allowedProtocols = new RegExp( '^https?:$', 'i' ),
 			i, source, height, sourceURL, targetURL;

 		for ( i = 0; i < blockquotes.length; i++ ) {
@ -72,6 +73,11 @@
 				sourceURL.href = source.getAttribute( 'src' );
 				targetURL.href = data.value;

+				/* Only follow link if the protocol is in the allow list. */
+				if ( ! allowedProtocols.test( targetURL.protocol ) ) {
+					continue;
+				}
+
 				/* Only continue if link hostname matches iframe's hostname. */
 				if ( targetURL.host === sourceURL.host ) {
 					if ( document.activeElement === source ) {
--- a/src/wp-includes/media.php
+++ b/src/wp-includes/media.php
@ -3278,7 +3278,8 @@ function wp_enqueue_media( $args = array() ) {
 		/** This filter is documented in wp-admin/includes/media.php */
 		'captions'  => ! apply_filters( 'disable_captions', '' ),
 		'nonce'     => array(
-			'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
+			'sendToEditor'           => wp_create_nonce( 'media-send-to-editor' ),
+			'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ),
 		),
 		'post'    => array(
 			'id' => 0,
--- a/src/wp-includes/version.php
+++ b/src/wp-includes/version.php
@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.4.29-src';
+$wp_version = '4.4.30-src';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
--- a/tests/phpunit/tests/ajax/Attachments.php
+++ b/tests/phpunit/tests/ajax/Attachments.php
@ -0,0 +1,103 @@
+<?php
+/**
+ * Admin ajax functions to be tested
+ */
+require_once( ABSPATH . 'wp-admin/includes/ajax-actions.php' );
+
+/**
+ * Testing ajax attachment handling.
+ *
+ * @group ajax
+ */
+class Tests_Ajax_Attachments extends WP_Ajax_UnitTestCase {
+	public function test_wp_ajax_set_attachment_thumbnail_success() {
+		// Become an administrator.
+		$post    = $_POST;
+		$user_id = self::factory()->user->create(
+			array(
+				'role'       => 'administrator',
+				'user_login' => 'user_36578_administrator',
+				'user_email' => 'user_36578_administrator@example.com',
+			)
+		);
+		wp_set_current_user( $user_id );
+		$_POST = array_merge( $_POST, $post );
+
+		// Upload the attachment itself.
+		$filename = DIR_TESTDATA . '/uploads/small-audio.mp3';
+		$contents = file_get_contents( $filename );
+
+		$upload     = wp_upload_bits( wp_basename( $filename ), null, $contents );
+		$attachment = $this->_make_attachment( $upload );
+
+		// Upload the thumbnail.
+		$filename = DIR_TESTDATA . '/images/waffles.jpg';
+		$contents = file_get_contents( $filename );
+
+		$upload    = wp_upload_bits( wp_basename( $filename ), null, $contents );
+		$thumbnail = $this->_make_attachment( $upload );
+
+		// Set up a default request.
+		$_POST['_ajax_nonce']  = wp_create_nonce( 'set-attachment-thumbnail' );
+		$_POST['thumbnail_id'] = $thumbnail;
+		$_POST['urls']         = array( wp_get_attachment_url( $attachment ) );
+
+		// Make the request.
+		try {
+			$this->_handleAjax( 'set-attachment-thumbnail' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		// Get the response.
+		$response = json_decode( $this->_last_response, true );
+
+		// Ensure everything is correct.
+		$this->assertTrue( $response['success'] );
+	}
+
+	public function test_wp_ajax_set_attachment_thumbnail_missing_nonce() {
+		// Become an administrator.
+		$post    = $_POST;
+		$user_id = self::factory()->user->create(
+			array(
+				'role'       => 'administrator',
+				'user_login' => 'user_36578_administrator',
+				'user_email' => 'user_36578_administrator@example.com',
+			)
+		);
+		wp_set_current_user( $user_id );
+		$_POST = array_merge( $_POST, $post );
+
+		// Upload the attachment itself.
+		$filename = DIR_TESTDATA . '/uploads/small-audio.mp3';
+		$contents = file_get_contents( $filename );
+
+		$upload     = wp_upload_bits( wp_basename( $filename ), null, $contents );
+		$attachment = $this->_make_attachment( $upload );
+
+		// Upload the thumbnail.
+		$filename = DIR_TESTDATA . '/images/waffles.jpg';
+		$contents = file_get_contents( $filename );
+
+		$upload    = wp_upload_bits( wp_basename( $filename ), null, $contents );
+		$thumbnail = $this->_make_attachment( $upload );
+
+		// Set up a default request.
+		$_POST['thumbnail_id'] = $thumbnail;
+		$_POST['urls']         = array( wp_get_attachment_url( $attachment ) );
+
+		// Make the request.
+		try {
+			$this->_handleAjax( 'set-attachment-thumbnail' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		// Get the response.
+		$response = json_decode( $this->_last_response, true );
+
+		// Check that success is false without sending nonce.
+		$this->assertFalse( $response['success'] );
+	}
+}