Skip to content

Commit 38347d7

Browse files
committed
Add nonce for updating file system credentials.
Built from https://develop.svn.wordpress.org/trunk@40723 git-svn-id: http://core.svn.wordpress.org/trunk@40581 1a063a9b-81f0-0310-95a4-ce76da25c4cd
1 parent 4eb107c commit 38347d7

File tree

4 files changed

+31
-12
lines changed

4 files changed

+31
-12
lines changed

Diff for: wp-admin/includes/file.php

+24-9
Original file line numberDiff line numberDiff line change
@@ -1091,14 +1091,28 @@ function request_filesystem_credentials( $form_post, $type = '', $error = false,
10911091

10921092
$credentials = get_option('ftp_credentials', array( 'hostname' => '', 'username' => ''));
10931093

1094+
$submitted_form = wp_unslash( $_POST );
1095+
1096+
// Verify nonce, or unset submitted form field values on failure
1097+
if ( ! isset( $_POST['_fs_nonce'] ) || ! wp_verify_nonce( $_POST['_fs_nonce'], 'filesystem-credentials' ) ) {
1098+
unset(
1099+
$submitted_form['hostname'],
1100+
$submitted_form['username'],
1101+
$submitted_form['password'],
1102+
$submitted_form['public_key'],
1103+
$submitted_form['private_key'],
1104+
$submitted_form['connection_type']
1105+
);
1106+
}
1107+
10941108
// If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option)
1095-
$credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? wp_unslash( $_POST['hostname'] ) : $credentials['hostname']);
1096-
$credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? wp_unslash( $_POST['username'] ) : $credentials['username']);
1097-
$credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? wp_unslash( $_POST['password'] ) : '');
1109+
$credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($submitted_form['hostname']) ? $submitted_form['hostname'] : $credentials['hostname']);
1110+
$credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($submitted_form['username']) ? $submitted_form['username'] : $credentials['username']);
1111+
$credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($submitted_form['password']) ? $submitted_form['password'] : '');
10981112

10991113
// Check to see if we are setting the public/private keys for ssh
1100-
$credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? wp_unslash( $_POST['public_key'] ) : '');
1101-
$credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? wp_unslash( $_POST['private_key'] ) : '');
1114+
$credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($submitted_form['public_key']) ? $submitted_form['public_key'] : '');
1115+
$credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($submitted_form['private_key']) ? $submitted_form['private_key'] : '');
11021116

11031117
// Sanitize the hostname, Some people might pass in odd-data:
11041118
$credentials['hostname'] = preg_replace('|\w+://|', '', $credentials['hostname']); //Strip any schemes off
@@ -1115,8 +1129,8 @@ function request_filesystem_credentials( $form_post, $type = '', $error = false,
11151129
$credentials['connection_type'] = 'ssh';
11161130
} elseif ( ( defined( 'FTP_SSL' ) && FTP_SSL ) && 'ftpext' == $type ) { //Only the FTP Extension understands SSL
11171131
$credentials['connection_type'] = 'ftps';
1118-
} elseif ( ! empty( $_POST['connection_type'] ) ) {
1119-
$credentials['connection_type'] = wp_unslash( $_POST['connection_type'] );
1132+
} elseif ( ! empty( $submitted_form['connection_type'] ) ) {
1133+
$credentials['connection_type'] = $submitted_form['connection_type'];
11201134
} elseif ( ! isset( $credentials['connection_type'] ) ) { //All else fails (And it's not defaulted to something else saved), Default to FTP
11211135
$credentials['connection_type'] = 'ftp';
11221136
}
@@ -1255,11 +1269,12 @@ function request_filesystem_credentials( $form_post, $type = '', $error = false,
12551269
}
12561270

12571271
foreach ( (array) $extra_fields as $field ) {
1258-
if ( isset( $_POST[ $field ] ) )
1259-
echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( wp_unslash( $_POST[ $field ] ) ) . '" />';
1272+
if ( isset( $submitted_form[ $field ] ) )
1273+
echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( $submitted_form[ $field ] ) . '" />';
12601274
}
12611275
?>
12621276
<p class="request-filesystem-credentials-action-buttons">
1277+
<?php wp_nonce_field( 'filesystem-credentials', '_fs_nonce', false, true ); ?>
12631278
<button class="button cancel-button" data-js-action="close" type="button"><?php _e( 'Cancel' ); ?></button>
12641279
<?php submit_button( __( 'Proceed' ), '', 'upgrade', false ); ?>
12651280
</p>

Diff for: wp-admin/js/updates.js

+4
Original file line numberDiff line numberDiff line change
@@ -94,6 +94,7 @@
9494
* @type {object} filesystemCredentials.ssh Holds SSH credentials.
9595
* @type {string} filesystemCredentials.ssh.publicKey The public key. Default empty string.
9696
* @type {string} filesystemCredentials.ssh.privateKey The private key. Default empty string.
97+
* @type {string} filesystemCredentials.fsNonce Filesystem credentials form nonce.
9798
* @type {bool} filesystemCredentials.available Whether filesystem credentials have been provided.
9899
* Default 'false'.
99100
*/
@@ -108,6 +109,7 @@
108109
publicKey: '',
109110
privateKey: ''
110111
},
112+
fsNonce: '',
111113
available: false
112114
};
113115

@@ -225,6 +227,7 @@
225227
options.data = _.extend( data, {
226228
action: action,
227229
_ajax_nonce: wp.updates.ajaxNonce,
230+
_fs_nonce: wp.updates.filesystemCredentials.fsNonce,
228231
username: wp.updates.filesystemCredentials.ftp.username,
229232
password: wp.updates.filesystemCredentials.ftp.password,
230233
hostname: wp.updates.filesystemCredentials.ftp.hostname,
@@ -1706,6 +1709,7 @@
17061709
wp.updates.filesystemCredentials.ftp.connectionType = $( 'input[name="connection_type"]:checked' ).val();
17071710
wp.updates.filesystemCredentials.ssh.publicKey = $( '#public_key' ).val();
17081711
wp.updates.filesystemCredentials.ssh.privateKey = $( '#private_key' ).val();
1712+
wp.updates.filesystemCredentials.fsNonce = $( '#_fs_nonce' ).val();
17091713
wp.updates.filesystemCredentials.available = true;
17101714

17111715
// Unlock and invoke the queue.

Diff for: wp-admin/js/updates.min.js

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Diff for: wp-includes/version.php

+1-1
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44
*
55
* @global string $wp_version
66
*/
7-
$wp_version = '4.8-beta1-40716';
7+
$wp_version = '4.8-beta1-40723';
88

99
/**
1010
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.

0 commit comments

Comments
 (0)