Skip to content
This repository has been archived by the owner on Mar 11, 2018. It is now read-only.

Commit

Permalink
Browse files Browse the repository at this point in the history
WP 3.9.2
  • Loading branch information
ibroadfo committed Aug 24, 2014
1 parent 2303f77 commit 4c07771
Show file tree
Hide file tree
Showing 9 changed files with 149 additions and 36 deletions.
2 changes: 1 addition & 1 deletion readme.html
Expand Up @@ -9,7 +9,7 @@
<body>
<h1 id="logo">
<a href="https://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
<br /> Version 3.9.1
<br /> Version 3.9.2
</h1>
<p style="text-align: center">Semantic Personal Publishing Platform</p>

Expand Down
6 changes: 5 additions & 1 deletion wp-admin/about.php
Expand Up @@ -39,7 +39,11 @@
</h2>

<div class="changelog point-releases">
<h3><?php echo _n( 'Maintenance Release', 'Maintenance Releases', 1 ); ?></h3>
<h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 2 ); ?></h3>
<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
'<strong>Version %1$s</strong> addressed some security issues.', 6 ), '3.9.2', number_format_i18n( 6 ) ); ?>
<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'http://codex.wordpress.org/Version_3.9.2' ); ?>
</p>
<p><?php printf( _n( '<strong>Version %1$s</strong> addressed %2$s bug.',
'<strong>Version %1$s</strong> addressed %2$s bugs.', 34 ), '3.9.1', number_format_i18n( 34 ) ); ?>
<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'http://codex.wordpress.org/Version_3.9.1' ); ?>
Expand Down
11 changes: 6 additions & 5 deletions wp-includes/ID3/getid3.lib.php
Expand Up @@ -519,11 +519,12 @@ public static function array_min($arraydata, $returnkey=false) {
}

public static function XML2array($XMLstring) {
if (function_exists('simplexml_load_string')) {
if (function_exists('get_object_vars')) {
$XMLobject = simplexml_load_string($XMLstring);
return self::SimpleXMLelement2array($XMLobject);
}
if ( function_exists( 'simplexml_load_string' ) && function_exists( 'libxml_disable_entity_loader' ) ) {
$loader = libxml_disable_entity_loader( true );
$XMLobject = simplexml_load_string( $XMLstring, 'SimpleXMLElement', LIBXML_NOENT );
$return = self::SimpleXMLelement2array( $XMLobject );
libxml_disable_entity_loader( $loader );
return $return;
}
return false;
}
Expand Down
32 changes: 29 additions & 3 deletions wp-includes/class-IXR.php
Expand Up @@ -203,11 +203,37 @@ function parse()
{
// first remove the XML declaration
// merged from WP #10698 - this method avoids the RAM usage of preg_replace on very large messages
$header = preg_replace( '/<\?xml.*?\?'.'>/', '', substr($this->message, 0, 100), 1);
$this->message = substr_replace($this->message, $header, 0, 100);
if (trim($this->message) == '') {
$header = preg_replace( '/<\?xml.*?\?'.'>/s', '', substr( $this->message, 0, 100 ), 1 );
$this->message = trim( substr_replace( $this->message, $header, 0, 100 ) );
if ( '' == $this->message ) {
return false;
}

// Then remove the DOCTYPE
$header = preg_replace( '/^<!DOCTYPE[^>]*+>/i', '', substr( $this->message, 0, 200 ), 1 );
$this->message = trim( substr_replace( $this->message, $header, 0, 200 ) );
if ( '' == $this->message ) {
return false;
}

// Check that the root tag is valid
$root_tag = substr( $this->message, 0, strcspn( substr( $this->message, 0, 20 ), "> \t\r\n" ) );
if ( '<!DOCTYPE' === strtoupper( $root_tag ) ) {
return false;
}
if ( ! in_array( $root_tag, array( '<methodCall', '<methodResponse', '<fault' ) ) ) {
return false;
}

// Bail if there are too many elements to parse
$element_limit = 30000;
if ( function_exists( 'apply_filters' ) ) {
$element_limit = apply_filters( 'xmlrpc_element_limit', $element_limit );
}
if ( $element_limit && 2 * $element_limit < substr_count( $this->message, '<' ) ) {
return false;
}

$this->_parser = xml_parser_create();
// Set XML parser to take the case of tags in to account
xml_parser_set_option($this->_parser, XML_OPTION_CASE_FOLDING, false);
Expand Down
28 changes: 13 additions & 15 deletions wp-includes/class-wp-customize-widgets.php
Expand Up @@ -1119,22 +1119,19 @@ public function tally_sidebars_via_dynamic_sidebar_calls( $has_widgets, $sidebar
}

/**
* Get a widget instance's hash key.
* Get MAC for a serialized widget instance string.
*
* Serialize an instance and hash it with the AUTH_KEY; when a JS value is
* posted back to save, this instance hash key is used to ensure that the
* serialized_instance was not tampered with, but that it had originated
* from WordPress and so is sanitized.
* Allows values posted back from JS to be rejected if any tampering of the
* data has occurred.
*
* @since 3.9.0
* @access protected
*
* @param array $instance Widget instance.
* @return string Widget instance's hash key.
* @param string $serialized_instance Widget instance.
* @return string MAC for serialized widget instance.
*/
protected function get_instance_hash_key( $instance ) {
$hash = md5( AUTH_KEY . serialize( $instance ) );
return $hash;
protected function get_instance_hash_key( $serialized_instance ) {
return wp_hash( $serialized_instance );
}

/**
Expand Down Expand Up @@ -1162,18 +1159,19 @@ public function sanitize_widget_instance( $value ) {
}

$decoded = base64_decode( $value['encoded_serialized_instance'], true );

if ( false === $decoded ) {
return null;
}
$instance = unserialize( $decoded );

if ( false === $instance ) {
if ( $this->get_instance_hash_key( $decoded ) !== $value['instance_hash_key'] ) {
return null;
}
if ( $this->get_instance_hash_key( $instance ) !== $value['instance_hash_key'] ) {

$instance = unserialize( $decoded );
if ( false === $instance ) {
return null;
}

return $instance;
}

Expand All @@ -1194,7 +1192,7 @@ public function sanitize_widget_js_instance( $value ) {
'encoded_serialized_instance' => base64_encode( $serialized ),
'title' => empty( $value['title'] ) ? '' : $value['title'],
'is_widget_customizer_js_value' => true,
'instance_hash_key' => $this->get_instance_hash_key( $value ),
'instance_hash_key' => $this->get_instance_hash_key( $serialized ),
);
}
return $value;
Expand Down
29 changes: 29 additions & 0 deletions wp-includes/compat.php
Expand Up @@ -94,3 +94,32 @@ function _json_decode_object_helper($data) {
return is_array($data) ? array_map(__FUNCTION__, $data) : $data;
}
}

if ( ! function_exists( 'hash_equals' ) ) :
/**
* Compare two strings in constant time.
*
* This function was added in PHP 5.6.
* It can leak the length of a string.
*
* @since 3.9.2
*
* @param string $a Expected string.
* @param string $b Actual string.
* @return bool Whether strings are equal.
*/
function hash_equals( $a, $b ) {
$a_length = strlen( $a );
if ( $a_length !== strlen( $b ) ) {
return false;
}
$result = 0;

// Do not attempt to "optimize" this.
for ( $i = 0; $i < $a_length; $i++ ) {
$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
}

return $result === 0;
}
endif;
49 changes: 44 additions & 5 deletions wp-includes/pluggable.php
Expand Up @@ -647,7 +647,7 @@ function wp_validate_auth_cookie($cookie = '', $scheme = '') {
$key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);
$hash = hash_hmac('md5', $username . '|' . $expiration, $key);

if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) {
if ( ! hash_equals( $hash, $hmac ) ) {
/**
* Fires if a bad authentication cookie hash is encountered.
*
Expand Down Expand Up @@ -1658,11 +1658,17 @@ function wp_verify_nonce($nonce, $action = -1) {
$i = wp_nonce_tick();

// Nonce generated 0-12 hours ago
if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) === $nonce )
$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid, 'nonce'), -12, 10 );
if ( hash_equals( $expected, $nonce ) ) {
return 1;
}

// Nonce generated 12-24 hours ago
if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) === $nonce )
$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid, 'nonce' ), -12, 10 );
if ( hash_equals( $expected, $nonce ) ) {
return 2;
}

// Invalid nonce
return false;
}
Expand All @@ -1687,7 +1693,7 @@ function wp_create_nonce($action = -1) {

$i = wp_nonce_tick();

return substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10);
return substr(wp_hash($i . '|' . $action . '|' . $uid, 'nonce'), -12, 10);
}
endif;

Expand Down Expand Up @@ -2107,7 +2113,8 @@ function get_avatar( $id_or_email, $size = '96', $default = '', $alt = false ) {
$out = str_replace( '&#038;', '&amp;', esc_url( $out ) );
$avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo' height='{$size}' width='{$size}' />";
} else {
$avatar = "<img alt='{$safe_alt}' src='{$default}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
$out = esc_url( $default );
$avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
}

/**
Expand Down Expand Up @@ -2200,3 +2207,35 @@ function wp_text_diff( $left_string, $right_string, $args = null ) {
}
endif;

if ( ! function_exists( 'hash_equals' ) ) :
/**
* Compare two strings in constant time.
*
* This function is NOT pluggable. It is in this file (in addition to
* compat.php) to prevent errors if, during an update, pluggable.php
* copies over but compat.php does not.
*
* This function was added in PHP 5.6.
* It can leak the length of a string.
*
* @since 3.9.2
*
* @param string $a Expected string.
* @param string $b Actual string.
* @return bool Whether strings are equal.
*/
function hash_equals( $a, $b ) {
$a_length = strlen( $a );
if ( $a_length !== strlen( $b ) ) {
return false;
}
$result = 0;

// Do not attempt to "optimize" this.
for ( $i = 0; $i < $a_length; $i++ ) {
$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
}

return $result === 0;
}
endif;
2 changes: 1 addition & 1 deletion wp-includes/version.php
Expand Up @@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '3.9.1';
$wp_version = '3.9.2';

/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
Expand Down
26 changes: 21 additions & 5 deletions wp-login.php
Expand Up @@ -562,10 +562,25 @@ function retrieve_password() {

case 'resetpass' :
case 'rp' :
$user = check_password_reset_key($_GET['key'], $_GET['login']);
list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
$rp_cookie = 'wp-resetpass-' . COOKIEHASH;
if ( isset( $_GET['key'] ) ) {
$value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) );
setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) );
exit;
}

if ( isset( $_COOKIE[ $rp_cookie ] ) && 0 < strpos( $_COOKIE[ $rp_cookie ], ':' ) ) {
list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );
$user = check_password_reset_key( $rp_key, $rp_login );
} else {
$user = false;
}

if ( is_wp_error($user) ) {
if ( $user->get_error_code() === 'expired_key' )
if ( ! $user || is_wp_error( $user ) ) {
setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
if ( $user && $user->get_error_code() === 'expired_key' )
wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) );
else
wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=invalidkey' ) );
Expand All @@ -589,6 +604,7 @@ function retrieve_password() {

if ( ( ! $errors->get_error_code() ) && isset( $_POST['pass1'] ) && !empty( $_POST['pass1'] ) ) {
reset_password($user, $_POST['pass1']);
setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
login_header( __( 'Password Reset' ), '<p class="message reset-pass">' . __( 'Your password has been reset.' ) . ' <a href="' . esc_url( wp_login_url() ) . '">' . __( 'Log in' ) . '</a></p>' );
login_footer();
exit;
Expand All @@ -600,8 +616,8 @@ function retrieve_password() {
login_header(__('Reset Password'), '<p class="message reset-pass">' . __('Enter your new password below.') . '</p>', $errors );

?>
<form name="resetpassform" id="resetpassform" action="<?php echo esc_url( site_url( 'wp-login.php?action=resetpass&key=' . urlencode( $_GET['key'] ) . '&login=' . urlencode( $_GET['login'] ), 'login_post' ) ); ?>" method="post" autocomplete="off">
<input type="hidden" id="user_login" value="<?php echo esc_attr( $_GET['login'] ); ?>" autocomplete="off" />
<form name="resetpassform" id="resetpassform" action="<?php echo esc_url( site_url( 'wp-login.php?action=resetpass', 'login_post' ) ); ?>" method="post" autocomplete="off">
<input type="hidden" id="user_login" value="<?php echo esc_attr( $rp_login ); ?>" autocomplete="off" />

<p>
<label for="pass1"><?php _e('New password') ?><br />
Expand Down

0 comments on commit 4c07771

Please sign in to comment.