Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
N
noblogs-wp
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
39
Issues
39
List
Boards
Labels
Service Desk
Milestones
Merge Requests
1
Merge Requests
1
Operations
Operations
Incidents
Analytics
Analytics
Repository
Value Stream
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
ai
noblogs-wp
Commits
2626e7c3
Commit
2626e7c3
authored
Nov 02, 2017
by
lucha
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Wordpress 4.8.3
parent
ad5a59a1
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
158 additions
and
37 deletions
+158
-37
wp-admin/about.php
wp-admin/about.php
+3
-0
wp-includes/formatting.php
wp-includes/formatting.php
+5
-0
wp-includes/post.php
wp-includes/post.php
+2
-2
wp-includes/version.php
wp-includes/version.php
+1
-1
wp-includes/wp-db.php
wp-includes/wp-db.php
+147
-34
No files found.
wp-admin/about.php
View file @
2626e7c3
...
...
@@ -45,6 +45,9 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
<div
class=
"changelog point-releases"
>
<h3>
<?php
_e
(
'Maintenance and Security Releases'
);
?>
</h3>
<p>
<?php
printf
(
__
(
'<strong>Version %s</strong> addressed one security issue.'
),
'4.8.3'
);
?>
<?php
printf
(
__
(
'For more information, see <a href="%s">the release notes</a>.'
),
'https://codex.wordpress.org/Version_4.8.3'
);
?>
</p>
<p>
<?php
printf
(
_n
(
'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.'
,
'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.'
,
5
),
'4.8.2'
,
number_format_i18n
(
5
)
);
?>
<?php
printf
(
__
(
'For more information, see <a href="%s">the release notes</a>.'
),
'https://codex.wordpress.org/Version_4.8.2'
);
?>
...
...
wp-includes/formatting.php
View file @
2626e7c3
...
...
@@ -3738,6 +3738,11 @@ function _deep_replace( $search, $subject ) {
* Sometimes, spot-escaping is required or useful. One example
* is preparing an array for use in an IN clause.
*
* NOTE: Since 4.8.3, '%' characters will be replaced with a placeholder string,
* this prevents certain SQLi attacks from taking place. This change in behaviour
* may cause issues for code that expects the return value of esc_sql() to be useable
* for other purposes.
*
* @since 2.8.0
*
* @global wpdb $wpdb WordPress database abstraction object.
...
...
wp-includes/post.php
View file @
2626e7c3
...
...
@@ -4246,10 +4246,10 @@ function get_page_by_path( $page_path, $output = OBJECT, $post_type = 'page' ) {
$page_path
=
str_replace
(
'%2F'
,
'/'
,
$page_path
);
$page_path
=
str_replace
(
'%20'
,
' '
,
$page_path
);
$parts
=
explode
(
'/'
,
trim
(
$page_path
,
'/'
)
);
$parts
=
esc_sql
(
$parts
);
$parts
=
array_map
(
'sanitize_title_for_query'
,
$parts
);
$escaped_parts
=
esc_sql
(
$parts
);
$in_string
=
"'"
.
implode
(
"','"
,
$parts
)
.
"'"
;
$in_string
=
"'"
.
implode
(
"','"
,
$
escaped_
parts
)
.
"'"
;
if
(
is_array
(
$post_type
)
)
{
$post_types
=
$post_type
;
...
...
wp-includes/version.php
View file @
2626e7c3
...
...
@@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version
=
'4.8.
2
'
;
$wp_version
=
'4.8.
3
'
;
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
...
...
wp-includes/wp-db.php
View file @
2626e7c3
...
...
@@ -1168,20 +1168,22 @@ class wpdb {
function
_real_escape
(
$string
)
{
if
(
$this
->
dbh
)
{
if
(
$this
->
use_mysqli
)
{
return
mysqli_real_escape_string
(
$this
->
dbh
,
$string
);
$escaped
=
mysqli_real_escape_string
(
$this
->
dbh
,
$string
);
}
else
{
return
mysql_real_escape_string
(
$string
,
$this
->
dbh
);
$escaped
=
mysql_real_escape_string
(
$string
,
$this
->
dbh
);
}
}
$class
=
get_class
(
$this
);
if
(
function_exists
(
'__'
)
)
{
/* translators: %s: database access abstraction class, usually wpdb or a class extending wpdb */
_doing_it_wrong
(
$class
,
sprintf
(
__
(
'%s must set a database connection for use with escaping.'
),
$class
),
'3.6.0'
);
}
else
{
_doing_it_wrong
(
$class
,
sprintf
(
'%s must set a database connection for use with escaping.'
,
$class
),
'3.6.0'
);
$class
=
get_class
(
$this
);
if
(
function_exists
(
'__'
)
)
{
/* translators: %s: database access abstraction class, usually wpdb or a class extending wpdb */
_doing_it_wrong
(
$class
,
sprintf
(
__
(
'%s must set a database connection for use with escaping.'
),
$class
),
'3.6.0'
);
}
else
{
_doing_it_wrong
(
$class
,
sprintf
(
'%s must set a database connection for use with escaping.'
,
$class
),
'3.6.0'
);
}
$escaped
=
addslashes
(
$string
);
}
return
addslashes
(
$string
);
return
$this
->
add_placeholder_escape
(
$escaped
);
}
/**
...
...
@@ -1257,67 +1259,120 @@ class wpdb {
/**
* Prepares a SQL query for safe execution. Uses sprintf()-like syntax.
*
* The following
directives can be used in the query format
string:
* The following
placeholders can be used in the query
string:
* %d (integer)
* %f (float)
* %s (string)
* %% (literal percentage sign - no argument needed)
*
* All of %d, %f, and %s are to be left unquoted in the query string and they need an argument passed for them.
* Literals (%) as parts of the query must be properly written as %%.
* All placeholders MUST be left unquoted in the query string. A corresponding argument MUST be passed for each placeholder.
*
* This function only supports a small subset of the sprintf syntax; it only supports %d (integer), %f (float), and %s (string).
* Does not support sign, padding, alignment, width or precision specifiers.
* Does not support argument numbering/swapping.
* For compatibility with old behavior, numbered or formatted string placeholders (eg, %1$s, %5s) will not have quotes
* added by this function, so should be passed with appropriate quotes around them for your usage.
*
* May be called like {@link https://secure.php.net/sprintf sprintf()} or like {@link https://secure.php.net/vsprintf vsprintf()}.
* Literal percentage signs (%) in the query string must be written as %%. Percentage wildcards (for example,
* to use in LIKE syntax) must be passed via a substitution argument containing the complete LIKE string, these
* cannot be inserted directly in the query string. Also see {@see esc_like()}.
*
* Both %d and %s should be left unquoted in the query string.
* Arguments may be passed as individual arguments to the method, or as a single array containing all arguments. A combination
* of the two is not supported.
*
* $wpdb->prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", 'foo', 1337 );
* Examples:
* $wpdb->prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d OR `other_field` LIKE %s", array( 'foo', 1337, '%bar' ) );
* $wpdb->prepare( "SELECT DATE_FORMAT(`field`, '%%c') FROM `table` WHERE `column` = %s", 'foo' );
*
* @link https://secure.php.net/sprintf Description of syntax.
* @since 2.3.0
*
* @param string $query Query statement with sprintf()-like placeholders
* @param array|mixed $args The array of variables to substitute into the query's placeholders if being called like
* {@link https://secure.php.net/vsprintf vsprintf()}, or the first variable to substitute into the query's placeholders if
* being called like {@link https://secure.php.net/sprintf sprintf()}.
* @param mixed $args,... further variables to substitute into the query's placeholders if being called like
* {@link https://secure.php.net/sprintf sprintf()}.
* @param array|mixed $args The array of variables to substitute into the query's placeholders if being called with an array of arguments,
* or the first variable to substitute into the query's placeholders if being called with individual arguments.
* @param mixed $args,... further variables to substitute into the query's placeholders if being called wih individual arguments.
* @return string|void Sanitized query string, if there is a query to prepare.
*/
public
function
prepare
(
$query
,
$args
)
{
if
(
is_null
(
$query
)
)
if
(
is_null
(
$query
)
)
{
return
;
}
// This is not meant to be foolproof -- but it will catch obviously incorrect usage.
if
(
strpos
(
$query
,
'%'
)
===
false
)
{
wp_load_translations_early
();
_doing_it_wrong
(
'wpdb::prepare'
,
sprintf
(
__
(
'The query argument of %s must have a placeholder.'
),
'wpdb::prepare()'
),
'3.9.0'
);
}
$args
=
func_get_args
();
array_shift
(
$args
);
// If args were passed as an array (as in vsprintf), move them up
// If args were passed as an array (as in vsprintf), move them up.
$passed_as_array
=
false
;
if
(
is_array
(
$args
[
0
]
)
&&
count
(
$args
)
==
1
)
{
$passed_as_array
=
true
;
$args
=
$args
[
0
];
}
foreach
(
$args
as
$arg
)
{
if
(
!
is_scalar
(
$arg
)
&&
!
is_null
(
$arg
)
)
{
_doing_it_wrong
(
'wpdb::prepare'
,
sprintf
(
'Unsupported value type (%s).'
,
gettype
(
$arg
)
),
'4.8.2'
);
wp_load_translations_early
();
_doing_it_wrong
(
'wpdb::prepare'
,
sprintf
(
__
(
'Unsupported value type (%s).'
),
gettype
(
$arg
)
),
'4.8.2'
);
}
}
/*
* Specify the formatting allowed in a placeholder. The following are allowed:
*
* - Sign specifier. eg, $+d
* - Numbered placeholders. eg, %1$s
* - Padding specifier, including custom padding characters. eg, %05s, %'#5s
* - Alignment specifier. eg, %05-s
* - Precision specifier. eg, %.2f
*/
$allowed_format
=
'(?:[1-9][0-9]*[$])?[-+0-9]*(?: |0|\'.)?[-+0-9]*(?:\.[0-9]+)?'
;
/*
* If a %s placeholder already has quotes around it, removing the existing quotes and re-inserting them
* ensures the quotes are consistent.
*
* For backwards compatibility, this is only applied to %s, and not to placeholders like %1$s, which are frequently
* used in the middle of longer strings, or as table name placeholders.
*/
$query
=
str_replace
(
"'%s'"
,
'%s'
,
$query
);
// Strip any existing single quotes.
$query
=
str_replace
(
'"%s"'
,
'%s'
,
$query
);
// Strip any existing double quotes.
$query
=
preg_replace
(
'/(?<!%)%s/'
,
"'%s'"
,
$query
);
// Quote the strings, avoiding escaped strings like %%s.
$query
=
preg_replace
(
"/(?<!%)(%(
$allowed_format
)?f)/"
,
'%\\2F'
,
$query
);
// Force floats to be locale unaware.
$query
=
preg_replace
(
"/%(?:%|$|(?!(
$allowed_format
)?[sdF]))/"
,
'%%\\1'
,
$query
);
// Escape any unescaped percents.
// Count the number of valid placeholders in the query.
$placeholders
=
preg_match_all
(
"/(^|[^%]|(%%)+)%(
$allowed_format
)?[sdF]/"
,
$query
,
$matches
);
if
(
count
(
$args
)
!==
$placeholders
)
{
if
(
1
===
$placeholders
&&
$passed_as_array
)
{
// If the passed query only expected one argument, but the wrong number of arguments were sent as an array, bail.
wp_load_translations_early
();
_doing_it_wrong
(
'wpdb::prepare'
,
__
(
'The query only expected one placeholder, but an array of multiple placeholders was sent.'
),
'4.9.0'
);
return
;
}
else
{
/*
* If we don't have the right number of placeholders, but they were passed as individual arguments,
* or we were expecting multiple arguments in an array, throw a warning.
*/
wp_load_translations_early
();
_doing_it_wrong
(
'wpdb::prepare'
,
/* translators: 1: number of placeholders, 2: number of arguments passed */
sprintf
(
__
(
'The query does not contain the correct number of placeholders (%1$d) for the number of arguments passed (%2$d).'
),
$placeholders
,
count
(
$args
)
),
'4.8.3'
);
}
}
$query
=
str_replace
(
"'%s'"
,
'%s'
,
$query
);
// in case someone mistakenly already singlequoted it
$query
=
str_replace
(
'"%s"'
,
'%s'
,
$query
);
// doublequote unquoting
$query
=
preg_replace
(
'|(?<!%)%f|'
,
'%F'
,
$query
);
// Force floats to be locale unaware
$query
=
preg_replace
(
'|(?<!%)%s|'
,
"'%s'"
,
$query
);
// quote the strings, avoiding escaped strings like %%s
$query
=
preg_replace
(
'/%(?:%|$|([^dsF]))/'
,
'%%\\1'
,
$query
);
// escape any unescaped percents
array_walk
(
$args
,
array
(
$this
,
'escape_by_ref'
)
);
return
@
vsprintf
(
$query
,
$args
);
$query
=
@
vsprintf
(
$query
,
$args
);
return
$this
->
add_placeholder_escape
(
$query
);
}
/**
...
...
@@ -1895,6 +1950,64 @@ class wpdb {
}
}
/**
* Generates and returns a placeholder escape string for use in queries returned by ::prepare().
*
* @since 4.8.3
*
* @return string String to escape placeholders.
*/
public
function
placeholder_escape
()
{
static
$placeholder
;
if
(
!
$placeholder
)
{
// If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
$algo
=
function_exists
(
'hash'
)
?
'sha256'
:
'sha1'
;
// Old WP installs may not have AUTH_SALT defined.
$salt
=
defined
(
'AUTH_SALT'
)
?
AUTH_SALT
:
rand
();
$placeholder
=
'{'
.
hash_hmac
(
$algo
,
uniqid
(
$salt
,
true
),
$salt
)
.
'}'
;
}
/*
* Add the filter to remove the placeholder escaper. Uses priority 0, so that anything
* else attached to this filter will recieve the query with the placeholder string removed.
*/
if
(
!
has_filter
(
'query'
,
array
(
$this
,
'remove_placeholder_escape'
)
)
)
{
add_filter
(
'query'
,
array
(
$this
,
'remove_placeholder_escape'
),
0
);
}
return
$placeholder
;
}
/**
* Adds a placeholder escape string, to escape anything that resembles a printf() placeholder.
*
* @since 4.8.3
*
* @param string $query The query to escape.
* @return string The query with the placeholder escape string inserted where necessary.
*/
public
function
add_placeholder_escape
(
$query
)
{
/*
* To prevent returning anything that even vaguely resembles a placeholder,
* we clobber every % we can find.
*/
return
str_replace
(
'%'
,
$this
->
placeholder_escape
(),
$query
);
}
/**
* Removes the placeholder escape strings from a query.
*
* @since 4.8.3
*
* @param string $query The query from which the placeholder will be removed.
* @return string The query with the placeholder removed.
*/
public
function
remove_placeholder_escape
(
$query
)
{
return
str_replace
(
$this
->
placeholder_escape
(),
'%'
,
$query
);
}
/**
* Insert a row into a table.
*
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment