Changeset 47649

Timestamp:

04/29/2020 04:18:07 PM (4 years ago)

Author:

whyisjake

Message:

Customize: Add additional filters to Customizer to prevent JSON corruption.
User: Invalidate user_activation_key on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand sanitize_file_name to have better support for utf8 characters.

Brings the changes in [47633], [47634], [47635], [47637], and [47638] to the 4.8 branch.

Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, westonruter, whyisjake, whyisjake, xknown.

Location:

branches/4.8

Files:

• . (modified) (1 prop)
• src/wp-includes/cache.php (modified) (1 diff)
• src/wp-includes/class-wp-customize-manager.php (modified) (3 diffs)
• src/wp-includes/class-wp-query.php (modified) (1 diff)
• src/wp-includes/formatting.php (modified) (2 diffs)
• src/wp-includes/post.php (modified) (3 diffs)
• src/wp-includes/user.php (modified) (1 diff)
• tests/phpunit/tests/customize/manager.php (modified) (1 diff)
• tests/phpunit/tests/formatting/SanitizeFileName.php (modified) (1 diff)
• tests/phpunit/tests/user.php (modified) (2 diffs)

branches/4.8/src/wp-includes/cache.php

@@ -692 +692 @@
         echo '<ul>';
         foreach ($this->cache as $group => $cache) {
-            echo "<li><strong>Group:</strong> $group - ( " . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>';
+            echo  . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>';
         }
         echo '</ul>';

branches/4.8/src/wp-includes/class-wp-customize-manager.php

@@ -2528 +2528 @@
         add_filter( 'wp_save_post_revision_post_has_changed', array( $this, '_filter_revision_post_has_changed' ), 5, 3 );
 
-        // Update the changeset post. The publish_customize_changeset action will cause the settings in the changeset to be saved via WP_Customize_Setting::save().
-        $has_kses = ( false !== has_filter( 'content_save_pre', 'wp_filter_post_kses' ) );
-        if ( $has_kses ) {
-            kses_remove_filters(); // Prevent KSES from corrupting JSON in post_content.
-        }
-
-        // Note that updating a post with publish status will trigger WP_Customize_Manager::publish_changeset_values().
+        /*
+         * Update the changeset post. The publish_customize_changeset action will cause the settings in the
+         * changeset to be saved via WP_Customize_Setting::save(). Updating a post with publish status will
+         * trigger WP_Customize_Manager::publish_changeset_values().
+         */
+        add_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5, 3 );
         if ( $changeset_post_id ) {
             $post_array['edit_date'] = true; // Prevent date clearing.
@@ -2544 +2543 @@
             }
         }
-        if ( $has_kses ) {
-            kses_init_filters();
-        }
+
+        );
+
         $this->_changeset_data = null; // Reset so WP_Customize_Manager::changeset_data() will re-populate with updated contents.
 
@@ -2561 +2560 @@
 
         return $response;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
     }
 

branches/4.8/src/wp-includes/class-wp-query.php

@@ -809 +809 @@
         } elseif ( $qv['p'] ) {
             $this->is_single = true;
-        } elseif ( ('' !== $qv['hour']) && ('' !== $qv['minute']) &&('' !== $qv['second']) && ('' != $qv['year']) && ('' != $qv['monthnum']) && ('' != $qv['day']) ) {
-            // If year, month, day, hour, minute, and second are set, a single
-            // post is being queried.
-            $this->is_single = true;
         } elseif ( '' != $qv['pagename'] || !empty($qv['page_id']) ) {
             $this->is_page = true;

branches/4.8/src/wp-includes/formatting.php

@@ -1763 +1763 @@
     $filename_raw = $filename;
     $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", "%", "+", chr(0));
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
     /**
      * Filters the list of characters to remove from a filename.
@@ -1772 +1790 @@
      */
     $special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw );
-    $filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );
     $filename = str_replace( $special_chars, '', $filename );
     $filename = str_replace( array( '%20', '+' ), '-', $filename );

branches/4.8/src/wp-includes/post.php

@@ -2974 +2974 @@
     global $wpdb;
 
+
+
+
     $user_id = get_current_user_id();
 
@@ -3270 +3273 @@
          *
          * @since 3.9.0
+
          *
-         * @param array $data    An array of sanitized attachment post data.
-         * @param array $postarr An array of unsanitized attachment post data.
+         * @param array $data                An array of slashed, sanitized, and processed attachment post data.
+         * @param array $postarr             An array of slashed and sanitized attachment post data, but not processed.
+         * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed attachment post data
+         *                                   as originally passed to wp_insert_post().
          */
-        $data = apply_filters( 'wp_insert_attachment_data', $data, $postarr );
+        $data = apply_filters( 'wp_insert_attachment_data', $data, $postarr );
     } else {
         /**
@@ -3280 +3286 @@
          *
          * @since 2.7.0
+
          *
-         * @param array $data    An array of slashed post data.
-         * @param array $postarr An array of sanitized, but otherwise unmodified post data.
+         * @param array $data                An array of slashed, sanitized, and processed post data.
+         * @param array $postarr             An array of sanitized (and slashed) but otherwise unmodified post data.
+         * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed post data as
+         *                                   originally passed to wp_insert_post().
          */
-        $data = apply_filters( 'wp_insert_post_data', $data, $postarr );
+        $data = apply_filters( 'wp_insert_post_data', $data, $postarr );
     }
     $data = wp_unslash( $data );

branches/4.8/src/wp-includes/user.php

@@ -1639 +1639 @@
 
     if ( $update ) {
-        if ( $user_email !== $old_user_data->user_email ) {
+        if ( $user_email !== $old_user_data->user_email ) {
             $data['user_activation_key'] = '';
         }

branches/4.8/tests/phpunit/tests/customize/manager.php

@@ -893 +893 @@
 
     /**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
      * Call count for customize_changeset_save_data filter.
      *

branches/4.8/tests/phpunit/tests/formatting/SanitizeFileName.php

@@ -68 +68 @@
         $this->assertEquals( 'no-extension', sanitize_file_name( '_.no-extension' ) );
     }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 }

branches/4.8/tests/phpunit/tests/user.php

@@ -916 +916 @@
     }
 
-    function test_changing_email_invalidates_password_reset_key() {
+    function test_changing_email_invalidates_password_reset_key() {
         global $wpdb;
 
@@ -941 +941 @@
             'user_nicename' => 'cat',
             'user_email'    => 'foo@bar.dev',
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
         );
         wp_update_user( $userdata );