Merged in feature/81-dev-dev01 (pull request #5)

auto-patch 81-dev-dev01-2023-12-05T22_45_26 * auto-patch 81-dev-dev01-2023-12-05T22_45_26
2023-12-05 23:05:59 +00:00
parent ba16964e7a
commit 725d3043d5
1463 changed files with 142461 additions and 89421 deletions
--- a/wp/wp-admin/includes/user.php
+++ b/wp/wp-admin/includes/user.php
@@ -535,28 +535,30 @@ function default_password_nag() {
 	if ( 'profile.php' === $pagenow || ! get_user_option( 'default_password_nag' ) ) {
 		return;
 	}
-	?>
-	<div class="error default-password-nag">
-		<p>
-			<strong><?php _e( 'Notice:' ); ?></strong>
-			<?php _e( 'You are using the auto-generated password for your account. Would you like to change it?' ); ?>
-		</p>
-		<p>
-		<?php
-		printf(
-			'<a href="%1$s">%2$s</a> | ',
-			esc_url( get_edit_profile_url() . '#password' ),
-			__( 'Yes, take me to my profile page' )
-		);
-		printf(
-			'<a href="%1$s" id="default-password-nag-no">%2$s</a>',
-			'?default_password_nag=0',
-			__( 'No thanks, do not remind me again' )
-		);
-		?>
-		</p>
-	</div>
-	<?php
+
+	$default_password_nag_message  = sprintf(
+		'<p><strong>%1$s</strong> %2$s</p>',
+		__( 'Notice:' ),
+		__( 'You are using the auto-generated password for your account. Would you like to change it?' )
+	);
+	$default_password_nag_message .= sprintf(
+		'<p><a href="%1$s">%2$s</a> | ',
+		esc_url( get_edit_profile_url() . '#password' ),
+		__( 'Yes, take me to my profile page' )
+	);
+	$default_password_nag_message .= sprintf(
+		'<a href="%1$s" id="default-password-nag-no">%2$s</a></p>',
+		'?default_password_nag=0',
+		__( 'No thanks, do not remind me again' )
+	);
+
+	wp_admin_notice(
+		$default_password_nag_message,
+		array(
+			'additional_classes' => array( 'error', 'default-password-nag' ),
+			'paragraph_wrap'     => false,
+		)
+	);
 }

 /**
@@ -636,6 +638,7 @@ Please click the following link to activate your user account:
 *
 * @since 5.6.0
 * @since 6.2.0 Allow insecure HTTP connections for the local environment.
+ * @since 6.3.2 Validates the success and reject URLs to prevent javascript pseudo protocol being executed.
 *
 * @param array   $request {
 *     The array of request data. All arguments are optional and may be empty.
@@ -649,27 +652,24 @@ Please click the following link to activate your user account:
 * @return true|WP_Error True if the request is valid, a WP_Error object contains errors if not.
 */
 function wp_is_authorize_application_password_request_valid( $request, $user ) {
-	$error    = new WP_Error();
-	$is_local = 'local' === wp_get_environment_type();
+	$error = new WP_Error();

-	if ( ! empty( $request['success_url'] ) ) {
-		$scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
-
-		if ( 'http' === $scheme && ! $is_local ) {
+	if ( isset( $request['success_url'] ) ) {
+		$validated_success_url = wp_is_authorize_application_redirect_url_valid( $request['success_url'] );
+		if ( is_wp_error( $validated_success_url ) ) {
 			$error->add(
-				'invalid_redirect_scheme',
-				__( 'The success URL must be served over a secure connection.' )
+				$validated_success_url->get_error_code(),
+				$validated_success_url->get_error_message()
 			);
 		}
 	}

-	if ( ! empty( $request['reject_url'] ) ) {
-		$scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );
-
-		if ( 'http' === $scheme && ! $is_local ) {
+	if ( isset( $request['reject_url'] ) ) {
+		$validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] );
+		if ( is_wp_error( $validated_reject_url ) ) {
 			$error->add(
-				'invalid_redirect_scheme',
-				__( 'The rejection URL must be served over a secure connection.' )
+				$validated_reject_url->get_error_code(),
+				$validated_reject_url->get_error_message()
 			);
 		}
 	}
@@ -698,3 +698,59 @@ function wp_is_authorize_application_password_request_valid( $request, $user ) {

 	return true;
 }
+
+/**
+ * Validates the redirect URL protocol scheme. The protocol can be anything except http and javascript.
+ *
+ * @since 6.3.2
+ *
+ * @param string $url - The redirect URL to be validated.
+ *
+ * @return true|WP_Error True if the redirect URL is valid, a WP_Error object otherwise.
+ */
+function wp_is_authorize_application_redirect_url_valid( $url ) {
+	$bad_protocols = array( 'javascript', 'data' );
+	if ( empty( $url ) ) {
+		return true;
+	}
+
+	// Based on https://www.rfc-editor.org/rfc/rfc2396#section-3.1
+	$valid_scheme_regex = '/^[a-zA-Z][a-zA-Z0-9+.-]*:/';
+	if ( ! preg_match( $valid_scheme_regex, $url ) ) {
+		return new WP_Error(
+			'invalid_redirect_url_format',
+			__( 'Invalid URL format.' )
+		);
+	}
+
+	/**
+	 * Filters the list of invalid protocols used in applications redirect URLs.
+	 *
+	 * @since 6.3.2
+	 *
+	 * @param string[]  $bad_protocols Array of invalid protocols.
+	 * @param string    $url The redirect URL to be validated.
+	 */
+	$invalid_protocols = array_map( 'strtolower', apply_filters( 'wp_authorize_application_redirect_url_invalid_protocols', $bad_protocols, $url ) );
+
+	$scheme   = wp_parse_url( $url, PHP_URL_SCHEME );
+	$host     = wp_parse_url( $url, PHP_URL_HOST );
+	$is_local = 'local' === wp_get_environment_type();
+
+	// validates if the proper URI format is applied to the $url
+	if ( empty( $host ) || empty( $scheme ) || in_array( strtolower( $scheme ), $invalid_protocols, true ) ) {
+		return new WP_Error(
+			'invalid_redirect_url_format',
+			__( 'Invalid URL format.' )
+		);
+	}
+
+	if ( 'http' === $scheme && ! $is_local ) {
+		return new WP_Error(
+			'invalid_redirect_scheme',
+			__( 'The URL must be served over a secure connection.' )
+		);
+	}
+
+	return true;
+}