From 02221125feb732808cec9c089701881004848d03 Mon Sep 17 00:00:00 2001
From: Jake Spurlock <whyisjake@git.wordpress.org>
Date: Wed, 29 Apr 2020 16:52:21 +0000
Subject: [PATCH] User: Invalidate `user_activation_key` on password update.
 Query: Ensure that only a single post can be returned on date/time based
 queries. Cache API: Ensure proper escaping around the stats method in the
 cache API. Formatting: Expand `sanitize_file_name` to have better support for
 utf8 characters.

Brings the changes in [47634], [47635], [47637], and [47638] to the 4.1 branch.

Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, whyisjake, whyisjake, xknown.


git-svn-id: https://develop.svn.wordpress.org/branches/4.1@47658 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/cache.php                     |  2 +-
 src/wp-includes/formatting.php                | 19 ++++++++++++++-
 src/wp-includes/query.php                     |  4 ----
 src/wp-includes/user.php                      |  2 +-
 .../tests/formatting/SanitizeFileName.php     | 16 +++++++++++++
 tests/phpunit/tests/user.php                  | 23 ++++++++++++++++++-
 6 files changed, 58 insertions(+), 8 deletions(-)

diff --git a/src/wp-includes/cache.php b/src/wp-includes/cache.php
index 3cd344bb09ce..dae1bbeab660 100644
--- a/src/wp-includes/cache.php
+++ b/src/wp-includes/cache.php
@@ -639,7 +639,7 @@ public function stats() {
 		echo "</p>";
 		echo '<ul>';
 		foreach ($this->cache as $group => $cache) {
-			echo "<li><strong>Group:</strong> $group - ( " . number_format( strlen( serialize( $cache ) ) / 1024, 2 ) . 'k )</li>';
+			echo '<li><strong>Group:</strong> ' . esc_html( $group ) . ' - ( ' . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>';
 		}
 		echo '</ul>';
 	}
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
index e311c0b258fb..1f86c96b5e02 100644
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@@ -1166,6 +1166,24 @@ function remove_accents($string) {
 function sanitize_file_name( $filename ) {
 	$filename_raw = $filename;
 	$special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", chr(0));
+
+	// Check for support for utf8 in the installed PCRE library once and store the result in a static.
+	static $utf8_pcre = null;
+	if ( ! isset( $utf8_pcre ) ) {
+		// phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
+		$utf8_pcre = @preg_match( '/^./u', 'a' );
+	}
+
+	if ( ! seems_utf8( $filename ) ) {
+		$_ext     = pathinfo( $filename, PATHINFO_EXTENSION );
+		$_name    = pathinfo( $filename, PATHINFO_FILENAME );
+		$filename = sanitize_title_with_dashes( $_name ) . '.' . $_ext;
+	}
+
+	if ( $utf8_pcre ) {
+		$filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );
+	}
+
 	/**
 	 * Filter the list of characters to remove from a filename.
 	 *
@@ -1175,7 +1193,6 @@ function sanitize_file_name( $filename ) {
 	 * @param string $filename_raw  Filename as it was passed into sanitize_file_name().
 	 */
 	$special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw );
-	$filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );
 	$filename = str_replace( $special_chars, '', $filename );
 	$filename = str_replace( array( '%20', '+' ), '-', $filename );
 	$filename = preg_replace( '/[\r\n\t -]+/', '-', $filename );
diff --git a/src/wp-includes/query.php b/src/wp-includes/query.php
index d95c925ac381..338a43365110 100644
--- a/src/wp-includes/query.php
+++ b/src/wp-includes/query.php
@@ -1590,10 +1590,6 @@ public function parse_query( $query =  '' ) {
 			$this->is_single = true;
 		} elseif ( $qv['p'] ) {
 			$this->is_single = true;
-		} elseif ( ('' !== $qv['hour']) && ('' !== $qv['minute']) &&('' !== $qv['second']) && ('' != $qv['year']) && ('' != $qv['monthnum']) && ('' != $qv['day']) ) {
-			// If year, month, day, hour, minute, and second are set, a single
-			// post is being queried.
-			$this->is_single = true;
 		} elseif ( '' != $qv['pagename'] || !empty($qv['page_id']) ) {
 			$this->is_page = true;
 			$this->is_single = false;
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index 3640980f5641..27735dc76712 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -1885,7 +1885,7 @@ function wp_insert_user( $userdata ) {
 	$data = wp_unslash( $compacted );
 
 	if ( $update ) {
-		if ( $user_email !== $old_user_data->user_email ) {
+		if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) {
 			$data['user_activation_key'] = '';
 		}
 		$wpdb->update( $wpdb->users, $data, compact( 'ID' ) );
diff --git a/tests/phpunit/tests/formatting/SanitizeFileName.php b/tests/phpunit/tests/formatting/SanitizeFileName.php
index 0362ee71e190..6fed38b736b2 100644
--- a/tests/phpunit/tests/formatting/SanitizeFileName.php
+++ b/tests/phpunit/tests/formatting/SanitizeFileName.php
@@ -60,4 +60,20 @@ function test_replaces_unnammed_file_extensionless() {
 		// Test a filenames that becomes extensionless.
 		$this->assertEquals( 'no-extension', sanitize_file_name( '_.no-extension' ) );
 	}
+
+	/**
+	 * @dataProvider data_wp_filenames
+	 */
+	function test_replaces_invalid_utf8_characters( $input, $expected ) {
+		$this->assertEquals( $expected, sanitize_file_name( $input ) );
+	}
+
+	function data_wp_filenames() {
+		return array(
+			array( urldecode( '%B1myfile.png' ), 'myfile.png' ),
+			array( urldecode( '%B1myfile' ), 'myfile' ),
+			array( 'demo bar.png', 'demo-bar.png' ),
+			array( 'demo' . json_decode( '"\u00a0"' ) . 'bar.png', 'demo-bar.png' ),
+		);
+	}
 }
diff --git a/tests/phpunit/tests/user.php b/tests/phpunit/tests/user.php
index 8ba4f970d9a6..207f0259aa2c 100644
--- a/tests/phpunit/tests/user.php
+++ b/tests/phpunit/tests/user.php
@@ -633,7 +633,7 @@ public function test_wp_insert_user_should_sanitize_user_nicename_parameter() {
 		$this->assertSame( $user->user_nicename, $updated_user->user_nicename );
 	}
 
-	function test_changing_email_invalidates_password_reset_key() {
+	public function test_changing_email_invalidates_password_reset_key() {
 		global $wpdb;
 
 		$user = $this->factory->user->create_and_get();
@@ -664,4 +664,25 @@ function test_changing_email_invalidates_password_reset_key() {
 		$user = get_userdata( $user->ID );
 		$this->assertEmpty( $user->user_activation_key );
 	}
+
+	public function test_changing_password_invalidates_password_reset_key() {
+		global $wpdb;
+
+		$user = $this->factory->user->create_and_get();
+		$wpdb->update( $wpdb->users, array( 'user_activation_key' => 'key' ), array( 'ID' => $user->ID ) );
+		clean_user_cache( $user );
+
+		$user = get_userdata( $user->ID );
+		$this->assertEquals( 'key', $user->user_activation_key );
+
+		$userdata = array(
+			'ID'        => $user->ID,
+			'user_pass' => 'password',
+		);
+		wp_update_user( $userdata );
+
+		$user = get_userdata( $user->ID );
+		$this->assertEmpty( $user->user_activation_key );
+	}
+
 }