

Changeset 61880


Timestamp:
03/10/2026 12:19:38 PM (3 days ago)
Author:
johnbillion
Message:

HTML API: Prevent WP_HTML_Tag_Processor instances from being unserialized and add some extra logic for validating pattern and template file paths.

Props dmsnell, xknown, jonsurrell, peterwilsoncc, johnbillion.

Location:
trunk/src/wp-includes
Files:
4 edited

  • trunk/src/wp-includes/class-wp-block-patterns-registry.php

    r61348 r61880  
    174174            $patterns = &$this->registered_patterns;
    175175        }
    176         if ( ! isset( $patterns[ $pattern_name ]['content'] ) && isset( $patterns[ $pattern_name ]['filePath'] ) ) {
     176
     177        $pattern_path = realpath( $patterns[ $pattern_name ]['filePath'] ?? '' );
     178        if (
     179            ! isset( $patterns[ $pattern_name ]['content'] ) &&
     180            is_string( $pattern_path ) &&
     181            ( str_ends_with( $pattern_path, '.php' ) || str_ends_with( $pattern_path, '.html' ) ) &&
     182            is_file( $pattern_path ) &&
     183            is_readable( $pattern_path )
     184        ) {
    177185            ob_start();
    178186            include $patterns[ $pattern_name ]['filePath'];
     
    180188            unset( $patterns[ $pattern_name ]['filePath'] );
    181189        }
     190
    182191        return $patterns[ $pattern_name ]['content'];
    183192    }
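Review bot: The validation on new lines 177–183 is performed on `$pattern_path`, the `realpath()` result, but line 186 still includes the unresolved `$patterns[ $pattern_name ]['filePath']`, so the file that was checked and the file that gets included are not guaranteed to be the same: for a relative `filePath`, `realpath()` resolves against the current working directory while `include` consults `include_path` first. Including the already-resolved value, `include $pattern_path;`, closes that gap and matches what template-loader.php does in this same changeset by overwriting `$template` with its `realpath()`. The new-side line between 186 and 188 is not shown on this page, and the enclosing method starts before the hunk.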
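--- a/trunk/src/wp-includes/class-wp-http-ixr-client.php
+++ b/trunk/src/wp-includes/class-wp-http-ixr-client.php
@@ -90,5 +90,5 @@
         }
 
-        $response = wp_safe_remote_post( $url, $args );
+        $response = wp_remote_post( $url, $args );
 
         if ( is_wp_error( $response ) ) {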
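Review bot: The switch from `wp_safe_remote_post()` to `wp_remote_post()` on line 92 is not covered by the commit message, which only describes the HTML API and path-validation changes, so the reason cannot be recovered from this changeset. The safe variant is the one that sets `reject_unsafe_urls`, so after this change a `$url` pointing at an internal or loopback host is no longer refused by the HTTP layer unless the caller passes `'reject_unsafe_urls' => true` in `$args`. A short comment above the call stating why this client must use the plain variant, or that callers own that option, would keep the next reader from flipping it back, e.g. `// Deliberately wp_remote_post(), not the _safe_ variant; see r61880.`. The enclosing method starts and ends outside the hunk.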
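--- a/trunk/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/trunk/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -5062,3 +5062,12 @@
      */
     const TEXT_IS_WHITESPACE = 'TEXT_IS_WHITESPACE';
+
+    /**
+     * Wakeup magic method.
+     *
+     * @since 6.9.2
+     */
+    public function __wakeup() {
+        throw new \LogicException( __CLASS__ . ' should never be unserialized' );
+    }
 }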
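Review bot: The docblock on the new `__wakeup()` (lines 5065–5069) says only "Wakeup magic method", which tells a reader nothing about why unserialization is refused; it should state the intent the commit message gives, e.g. `Prevents instances of this class from being unserialized.` with `@throws \LogicException Always.`. It is also worth a sentence there that PHP gives `__unserialize()` precedence over `__wakeup()`, so a subclass that defines `__unserialize()` would bypass this guard. Serialization itself is not blocked by this hunk, so an instance can still be serialized unless the class defines `__sleep()`/`__serialize()` elsewhere; if that is intentional, saying so in the docblock avoids a follow-up question.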
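--- a/trunk/src/wp-includes/template-loader.php
+++ b/trunk/src/wp-includes/template-loader.php
@@ -113,5 +113,11 @@
      */
     $template = apply_filters( 'template_include', $template );
-    if ( $template ) {
+    $template = is_string( $template ) ? realpath( $template ) : null;
+    if (
+        is_string( $template ) &&
+        ( str_ends_with( $template, '.php' ) || str_ends_with( $template, '.html' ) ) &&
+        is_file( $template ) &&
+        is_readable( $template )
+    ) {
         /**
          * Fires immediately before including the template.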
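Review bot: A `template_include` result that is not an existing, readable `.php`/`.html` file is now silently skipped by the condition on lines 116–121, whereas the old `if ( $template )` at least surfaced a bad path through the include failure; unless an else branch below reports it, a misconfigured filter presumably yields no output and nothing in the logs. A `_doing_it_wrong()` call, or at minimum a comment on the new `if` — `// Only an existing, readable .php/.html file is included; any other filter result is ignored.` — would make the contract visible to filter authors. Line 115 also replaces the filtered value with its `realpath()`, so if the include below uses `$template`, templates under symlinked theme directories now see the resolved path in `__FILE__`/`__DIR__`, a behaviour change worth a line in the docblock above. The surrounding code continues beyond the hunk.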