From 02221125feb732808cec9c089701881004848d03 Mon Sep 17 00:00:00 2001
From: Jake Spurlock
Date: Wed, 29 Apr 2020 16:52:21 +0000
Subject: [PATCH] User: Invalidate `user_activation_key` on password update.
Query: Ensure that only a single post can be returned on date/time based
queries. Cache API: Ensure proper escaping around the stats method in the
cache API. Formatting: Expand `sanitize_file_name` to have better support for
utf8 characters.
Brings the changes in [47634], [47635], [47637], and [47638] to the 4.1 branch.
Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, whyisjake, whyisjake, xknown.
git-svn-id: https://develop.svn.wordpress.org/branches/4.1@47658 602fd350-edb4-49c9-b593-d223f7449a82
---
src/wp-includes/cache.php | 2 +-
src/wp-includes/formatting.php | 19 ++++++++++++++-
src/wp-includes/query.php | 4 ----
src/wp-includes/user.php | 2 +-
.../tests/formatting/SanitizeFileName.php | 16 +++++++++++++
tests/phpunit/tests/user.php | 23 ++++++++++++++++++-
6 files changed, 58 insertions(+), 8 deletions(-)
diff --git a/src/wp-includes/cache.php b/src/wp-includes/cache.php
index 3cd344bb09ce..dae1bbeab660 100644
--- a/src/wp-includes/cache.php
+++ b/src/wp-includes/cache.php
@@ -639,7 +639,7 @@ public function stats() {
echo "
";
echo '';
foreach ($this->cache as $group => $cache) {
- echo "- Group: $group - ( " . number_format( strlen( serialize( $cache ) ) / 1024, 2 ) . 'k )
';
+ echo '- Group: ' . esc_html( $group ) . ' - ( ' . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )
';
}
echo '
';
}
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
index e311c0b258fb..1f86c96b5e02 100644
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@@ -1166,6 +1166,24 @@ function remove_accents($string) {
function sanitize_file_name( $filename ) {
$filename_raw = $filename;
$special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", chr(0));
+
+ // Check for support for utf8 in the installed PCRE library once and store the result in a static.
+ static $utf8_pcre = null;
+ if ( ! isset( $utf8_pcre ) ) {
+ // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
+ $utf8_pcre = @preg_match( '/^./u', 'a' );
+ }
+
+ if ( ! seems_utf8( $filename ) ) {
+ $_ext = pathinfo( $filename, PATHINFO_EXTENSION );
+ $_name = pathinfo( $filename, PATHINFO_FILENAME );
+ $filename = sanitize_title_with_dashes( $_name ) . '.' . $_ext;
+ }
+
+ if ( $utf8_pcre ) {
+ $filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );
+ }
+
/**
* Filter the list of characters to remove from a filename.
*
@@ -1175,7 +1193,6 @@ function sanitize_file_name( $filename ) {
* @param string $filename_raw Filename as it was passed into sanitize_file_name().
*/
$special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw );
- $filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );
$filename = str_replace( $special_chars, '', $filename );
$filename = str_replace( array( '%20', '+' ), '-', $filename );
$filename = preg_replace( '/[\r\n\t -]+/', '-', $filename );
diff --git a/src/wp-includes/query.php b/src/wp-includes/query.php
index d95c925ac381..338a43365110 100644
--- a/src/wp-includes/query.php
+++ b/src/wp-includes/query.php
@@ -1590,10 +1590,6 @@ public function parse_query( $query = '' ) {
$this->is_single = true;
} elseif ( $qv['p'] ) {
$this->is_single = true;
- } elseif ( ('' !== $qv['hour']) && ('' !== $qv['minute']) &&('' !== $qv['second']) && ('' != $qv['year']) && ('' != $qv['monthnum']) && ('' != $qv['day']) ) {
- // If year, month, day, hour, minute, and second are set, a single
- // post is being queried.
- $this->is_single = true;
} elseif ( '' != $qv['pagename'] || !empty($qv['page_id']) ) {
$this->is_page = true;
$this->is_single = false;
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index 3640980f5641..27735dc76712 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -1885,7 +1885,7 @@ function wp_insert_user( $userdata ) {
$data = wp_unslash( $compacted );
if ( $update ) {
- if ( $user_email !== $old_user_data->user_email ) {
+ if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) {
$data['user_activation_key'] = '';
}
$wpdb->update( $wpdb->users, $data, compact( 'ID' ) );
diff --git a/tests/phpunit/tests/formatting/SanitizeFileName.php b/tests/phpunit/tests/formatting/SanitizeFileName.php
index 0362ee71e190..6fed38b736b2 100644
--- a/tests/phpunit/tests/formatting/SanitizeFileName.php
+++ b/tests/phpunit/tests/formatting/SanitizeFileName.php
@@ -60,4 +60,20 @@ function test_replaces_unnammed_file_extensionless() {
// Test a filenames that becomes extensionless.
$this->assertEquals( 'no-extension', sanitize_file_name( '_.no-extension' ) );
}
+
+ /**
+ * @dataProvider data_wp_filenames
+ */
+ function test_replaces_invalid_utf8_characters( $input, $expected ) {
+ $this->assertEquals( $expected, sanitize_file_name( $input ) );
+ }
+
+ function data_wp_filenames() {
+ return array(
+ array( urldecode( '%B1myfile.png' ), 'myfile.png' ),
+ array( urldecode( '%B1myfile' ), 'myfile' ),
+ array( 'demo bar.png', 'demo-bar.png' ),
+ array( 'demo' . json_decode( '"\u00a0"' ) . 'bar.png', 'demo-bar.png' ),
+ );
+ }
}
diff --git a/tests/phpunit/tests/user.php b/tests/phpunit/tests/user.php
index 8ba4f970d9a6..207f0259aa2c 100644
--- a/tests/phpunit/tests/user.php
+++ b/tests/phpunit/tests/user.php
@@ -633,7 +633,7 @@ public function test_wp_insert_user_should_sanitize_user_nicename_parameter() {
$this->assertSame( $user->user_nicename, $updated_user->user_nicename );
}
- function test_changing_email_invalidates_password_reset_key() {
+ public function test_changing_email_invalidates_password_reset_key() {
global $wpdb;
$user = $this->factory->user->create_and_get();
@@ -664,4 +664,25 @@ function test_changing_email_invalidates_password_reset_key() {
$user = get_userdata( $user->ID );
$this->assertEmpty( $user->user_activation_key );
}
+
+ public function test_changing_password_invalidates_password_reset_key() {
+ global $wpdb;
+
+ $user = $this->factory->user->create_and_get();
+ $wpdb->update( $wpdb->users, array( 'user_activation_key' => 'key' ), array( 'ID' => $user->ID ) );
+ clean_user_cache( $user );
+
+ $user = get_userdata( $user->ID );
+ $this->assertEquals( 'key', $user->user_activation_key );
+
+ $userdata = array(
+ 'ID' => $user->ID,
+ 'user_pass' => 'password',
+ );
+ wp_update_user( $userdata );
+
+ $user = get_userdata( $user->ID );
+ $this->assertEmpty( $user->user_activation_key );
+ }
+
}