Update to WordPress 6.3.2. For more information, see https://wordpres…

…s.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
pantheon-systems · Oct 12, 2023 · 7fa5420 · 7fa5420
1 parent 7178558
commit 7fa5420
Show file tree

Hide file tree

Showing 84 changed files with 3,886 additions and 937 deletions.
diff --git a/wp-admin/about.php b/wp-admin/about.php
@@ -45,7 +45,32 @@
 
 		<div class="about__section changelog has-subtle-background-color">
 			<div class="column">
-				<h2><?php _e( 'Maintenance Release' ); ?></h2>
+				<h2><?php _e( 'Maintenance and Security Releases' ); ?></h2>
+				<p>
+					<?php
+					printf(
+						/* translators: 1: WordPress version number, 2: Plural number of bugs. More than one security issue. */
+						_n(
+							'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+							'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.',
+							41
+						),
+						'6.3.2',
+						'41'
+					);
+					?>
+					<?php
+					printf(
+						/* translators: %s: HelpHub URL. */
+						__( 'For more information, see <a href="%s">the release notes</a>.' ),
+						sprintf(
+							/* translators: %s: WordPress version. */
+							esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+							sanitize_title( '6.3.2' )
+						)
+					);
+					?>
+				</p>
 				<p>
 					<?php
 					printf(

diff --git a/wp-admin/includes/ajax-actions.php b/wp-admin/includes/ajax-actions.php
@@ -3882,13 +3882,29 @@ function wp_ajax_parse_media_shortcode() {
 
 	$shortcode = wp_unslash( $_POST['shortcode'] );
 
+	// Only process previews for media related shortcodes:
+	$found_shortcodes = get_shortcode_tags_in_content( $shortcode );
+	$media_shortcodes = array(
+		'audio',
+		'embed',
+		'playlist',
+		'video',
+		'gallery',
+	);
+
+	$other_shortcodes = array_diff( $found_shortcodes, $media_shortcodes );
+
+	if ( ! empty( $other_shortcodes ) ) {
+		wp_send_json_error();
+	}
+
 	if ( ! empty( $_POST['post_ID'] ) ) {
 		$post = get_post( (int) $_POST['post_ID'] );
 	}
 
 	// The embed shortcode requires a post.
 	if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) {
-		if ( 'embed' === $shortcode ) {
+		if ( in_array( 'embed', $found_shortcodes, true ) ) {
 			wp_send_json_error();
 		}
 	} else {

diff --git a/wp-admin/includes/class-plugin-upgrader.php b/wp-admin/includes/class-plugin-upgrader.php
@@ -274,6 +274,8 @@ public function upgrade( $plugin, $args = array() ) {
 	 * @since 2.8.0
 	 * @since 3.7.0 The `$args` parameter was added, making clearing the plugin update cache optional.
 	 *
+	 * @global string $wp_version The WordPress version string.
+	 *
 	 * @param string[] $plugins Array of paths to plugin files relative to the plugins directory.
 	 * @param array    $args {
 	 *     Optional. Other arguments for upgrading several plugins at once.
@@ -283,6 +285,8 @@ public function upgrade( $plugin, $args = array() ) {
 	 * @return array|false An array of results indexed by plugin file, or false if unable to connect to the filesystem.
 	 */
 	public function bulk_upgrade( $plugins, $args = array() ) {
+		global $wp_version;
+
 		$defaults    = array(
 			'clear_update_cache' => true,
 		);
@@ -343,23 +347,55 @@ public function bulk_upgrade( $plugins, $args = array() ) {
 
 			$this->skin->plugin_active = is_plugin_active( $plugin );
 
-			$result = $this->run(
-				array(
-					'package'           => $r->package,
-					'destination'       => WP_PLUGIN_DIR,
-					'clear_destination' => true,
-					'clear_working'     => true,
-					'is_multi'          => true,
-					'hook_extra'        => array(
-						'plugin'      => $plugin,
-						'temp_backup' => array(
-							'slug' => dirname( $plugin ),
-							'src'  => WP_PLUGIN_DIR,
-							'dir'  => 'plugins',
+			if ( isset( $r->requires ) && ! is_wp_version_compatible( $r->requires ) ) {
+				$result = new WP_Error(
+					'incompatible_wp_required_version',
+					sprintf(
+						/* translators: 1: Current WordPress version, 2: WordPress version required by the new plugin version. */
+						__( 'Your WordPress version is %1$s, however the new plugin version requires %2$s.' ),
+						$wp_version,
+						$r->requires
+					)
+				);
+
+				$this->skin->before( $result );
+				$this->skin->error( $result );
+				$this->skin->after();
+			} elseif ( isset( $r->requires_php ) && ! is_php_version_compatible( $r->requires_php ) ) {
+				$result = new WP_Error(
+					'incompatible_php_required_version',
+					sprintf(
+						/* translators: 1: Current PHP version, 2: PHP version required by the new plugin version. */
+						__( 'The PHP version on your server is %1$s, however the new plugin version requires %2$s.' ),
+						PHP_VERSION,
+						$r->requires_php
+					)
+				);
+
+				$this->skin->before( $result );
+				$this->skin->error( $result );
+				$this->skin->after();
+			} else {
+				add_filter( 'upgrader_source_selection', array( $this, 'check_package' ) );
+				$result = $this->run(
+					array(
+						'package'           => $r->package,
+						'destination'       => WP_PLUGIN_DIR,
+						'clear_destination' => true,
+						'clear_working'     => true,
+						'is_multi'          => true,
+						'hook_extra'        => array(
+							'plugin'      => $plugin,
+							'temp_backup' => array(
+								'slug' => dirname( $plugin ),
+								'src'  => WP_PLUGIN_DIR,
+								'dir'  => 'plugins',
+							),
 						),
-					),
-				)
-			);
+					)
+				);
+				remove_filter( 'upgrader_source_selection', array( $this, 'check_package' ) );
+			}
 
 			$results[ $plugin ] = $result;
 

diff --git a/wp-admin/includes/class-wp-comments-list-table.php b/wp-admin/includes/class-wp-comments-list-table.php
@@ -651,6 +651,19 @@ public function single_row( $item ) {
 
 		$this->user_can = current_user_can( 'edit_comment', $comment->comment_ID );
 
+		$edit_post_cap = $post ? 'edit_post' : 'edit_posts';
+		if (
+			current_user_can( $edit_post_cap, $comment->comment_post_ID ) ||
+			(
+				empty( $post->post_password ) &&
+				current_user_can( 'read_post', $comment->comment_post_ID )
+			)
+		) {
+			// The user has access to the post
+		} else {
+			return false;
+		}
+
 		echo "<tr id='comment-$comment->comment_ID' class='$the_comment_class'>";
 		$this->single_row_columns( $comment );
 		echo "</tr>\n";

diff --git a/wp-admin/includes/class-wp-list-table.php b/wp-admin/includes/class-wp-list-table.php
@@ -818,6 +818,20 @@ protected function comments_bubble( $post_id, $pending_comments ) {
 			$pending_comments_number
 		);
 
+		$post_object   = get_post( $post_id );
+		$edit_post_cap = $post_object ? 'edit_post' : 'edit_posts';
+		if (
+			current_user_can( $edit_post_cap, $post_id ) ||
+			(
+				empty( $post_object->post_password ) &&
+				current_user_can( 'read_post', $post_id )
+			)
+		) {
+			// The user has access to the post and thus can see comments
+		} else {
+			return false;
+		}
+
 		if ( ! $approved_comments && ! $pending_comments ) {
 			// No comments at all.
 			printf(

diff --git a/wp-admin/includes/class-wp-upgrader.php b/wp-admin/includes/class-wp-upgrader.php
@@ -1206,8 +1206,7 @@ public function delete_temp_backup() {
 			if ( ! $wp_filesystem->delete( $temp_backup_dir, true ) ) {
 				$errors->add(
 					'temp_backup_delete_failed',
-					sprintf( $this->strings['temp_backup_delete_failed'] ),
-					$args['slug']
+					sprintf( $this->strings['temp_backup_delete_failed'], $args['slug'] )
 				);
 				continue;
 			}

diff --git a/wp-admin/includes/dashboard.php b/wp-admin/includes/dashboard.php
@@ -1103,7 +1103,16 @@ function wp_dashboard_recent_comments( $total_items = 5 ) {
 
 		echo '<ul id="the-comment-list" data-wp-lists="list:comment">';
 		foreach ( $comments as $comment ) {
-			_wp_dashboard_recent_comments_row( $comment );
+			$comment_post = get_post( $comment->comment_post_ID );
+			if (
+				current_user_can( 'edit_post', $comment->comment_post_ID ) ||
+				(
+					empty( $comment_post->post_password ) &&
+					current_user_can( 'read_post', $comment->comment_post_ID )
+				)
+			) {
+				_wp_dashboard_recent_comments_row( $comment );
+			}
 		}
 		echo '</ul>';
 

diff --git a/wp-admin/includes/user.php b/wp-admin/includes/user.php
@@ -636,6 +636,7 @@ function admin_created_user_email( $text ) {
  *
  * @since 5.6.0
  * @since 6.2.0 Allow insecure HTTP connections for the local environment.
+ * @since 6.3.2 Validates the success and reject URLs to prevent javascript pseudo protocol being executed.
  *
  * @param array   $request {
  *     The array of request data. All arguments are optional and may be empty.
@@ -649,27 +650,24 @@ function admin_created_user_email( $text ) {
  * @return true|WP_Error True if the request is valid, a WP_Error object contains errors if not.
  */
 function wp_is_authorize_application_password_request_valid( $request, $user ) {
-	$error    = new WP_Error();
-	$is_local = 'local' === wp_get_environment_type();
-
-	if ( ! empty( $request['success_url'] ) ) {
-		$scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
+	$error = new WP_Error();
 
-		if ( 'http' === $scheme && ! $is_local ) {
+	if ( isset( $request['success_url'] ) ) {
+		$validated_success_url = wp_is_authorize_application_redirect_url_valid( $request['success_url'] );
+		if ( is_wp_error( $validated_success_url ) ) {
 			$error->add(
-				'invalid_redirect_scheme',
-				__( 'The success URL must be served over a secure connection.' )
+				$validated_success_url->get_error_code(),
+				$validated_success_url->get_error_message()
 			);
 		}
 	}
 
-	if ( ! empty( $request['reject_url'] ) ) {
-		$scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );
-
-		if ( 'http' === $scheme && ! $is_local ) {
+	if ( isset( $request['reject_url'] ) ) {
+		$validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] );
+		if ( is_wp_error( $validated_reject_url ) ) {
 			$error->add(
-				'invalid_redirect_scheme',
-				__( 'The rejection URL must be served over a secure connection.' )
+				$validated_reject_url->get_error_code(),
+				$validated_reject_url->get_error_message()
 			);
 		}
 	}
@@ -698,3 +696,59 @@ function wp_is_authorize_application_password_request_valid( $request, $user ) {
 
 	return true;
 }
+
+/**
+ * Validates the redirect URL protocol scheme. The protocol can be anything except http and javascript.
+ *
+ * @since 6.3.2
+ *
+ * @param string $url - The redirect URL to be validated.
+ *
+ * @return true|WP_Error True if the redirect URL is valid, a WP_Error object otherwise.
+ */
+function wp_is_authorize_application_redirect_url_valid( $url ) {
+	$bad_protocols = array( 'javascript', 'data' );
+	if ( empty( $url ) ) {
+		return true;
+	}
+
+	// Based on https://www.rfc-editor.org/rfc/rfc2396#section-3.1
+	$valid_scheme_regex = '/^[a-zA-Z][a-zA-Z0-9+.-]*:/';
+	if ( ! preg_match( $valid_scheme_regex, $url ) ) {
+		return new WP_Error(
+			'invalid_redirect_url_format',
+			__( 'Invalid URL format.' )
+		);
+	}
+
+	/**
+	 * Filters the list of invalid protocols used in applications redirect URLs.
+	 *
+	 * @since 6.3.2
+	 *
+	 * @param string[]  $bad_protocols Array of invalid protocols.
+	 * @param string    $url The redirect URL to be validated.
+	 */
+	$invalid_protocols = array_map( 'strtolower', apply_filters( 'wp_authorize_application_redirect_url_invalid_protocols', $bad_protocols, $url ) );
+
+	$scheme   = wp_parse_url( $url, PHP_URL_SCHEME );
+	$host     = wp_parse_url( $url, PHP_URL_HOST );
+	$is_local = 'local' === wp_get_environment_type();
+
+	// validates if the proper URI format is applied to the $url
+	if ( empty( $host ) || empty( $scheme ) || in_array( strtolower( $scheme ), $invalid_protocols, true ) ) {
+		return new WP_Error(
+			'invalid_redirect_url_format',
+			__( 'Invalid URL format.' )
+		);
+	}
+
+	if ( 'http' === $scheme && ! $is_local ) {
+		return new WP_Error(
+			'invalid_redirect_scheme',
+			__( 'The URL must be served over a secure connection.' )
+		);
+	}
+
+	return true;
+}
diff --git a/wp-content/mu-plugins/pantheon-mu-plugin/inc/cli.php b/wp-content/mu-plugins/pantheon-mu-plugin/inc/cli.php
@@ -48,8 +48,9 @@
  */
 function __deprecated_maintenance_mode_output( $args ) {
 	$allowed_args = [ 'disabled', 'anonymous', 'everyone' ];
-	$replacement_command = ( ! empty( $args  && count( $args ) === 1 ) && in_array( $args[0], $allowed_args, true ) ) ? 'set-maintenance-mode ' . $args[0] : false;
+	$replacement_command = ( ! empty( $args && count( $args ) === 1 ) && in_array( $args[0], $allowed_args, true ) ) ? 'set-maintenance-mode ' . $args[0] : false;
 
+	// translators: %s is the replacement command.
 	WP_CLI::warning( WP_CLI::colorize( '%y' . sprintf( __( 'This command is deprecated and will be removed in a future release. Use `wp pantheon %s` instead.', 'pantheon-systems' ), $replacement_command ) . '%n' ) );
 	WP_CLI::line( __( 'Run `wp pantheon set-maintenance-mode --help` for more information.', 'pantheon-systems' ) );