

Changeset 61892


Timestamp:
03/10/2026 01:55:45 PM (3 days ago)
Author:
audrasjb
Message:

HTML API: Prevent WP_HTML_Tag_Processor instances being unserialized and add some extra logic for validating pattern and template file paths.

Merges [61880,61881] to the 6.9 branch.
Props dmsnell, xknown, jonsurrell, peterwilsoncc, johnbillion.

Location:
branches/6.9
Files:
4 edited

  • branches/6.9

  • branches/6.9/src/wp-includes/class-wp-block-patterns-registry.php

    r60904 r61892  
    174174            $patterns = &$this->registered_patterns;
    175175        }
    176         if ( ! isset( $patterns[ $pattern_name ]['content'] ) && isset( $patterns[ $pattern_name ]['filePath'] ) ) {
     176
     177        $pattern_path = realpath( $patterns[ $pattern_name ]['filePath'] ?? '' );
     178        if (
     179            ! isset( $patterns[ $pattern_name ]['content'] ) &&
     180            is_string( $pattern_path ) &&
     181            ( str_ends_with( $pattern_path, '.php' ) || str_ends_with( $pattern_path, '.html' ) ) &&
     182            is_file( $pattern_path ) &&
     183            is_readable( $pattern_path )
     184        ) {
    177185            ob_start();
    178186            include $patterns[ $pattern_name ]['filePath'];
     
    180188            unset( $patterns[ $pattern_name ]['filePath'] );
    181189        }
     190
    182191        return $patterns[ $pattern_name ]['content'];
    183192    }
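Review bot: The guard on lines 177–184 validates `$pattern_path`, the `realpath()`-resolved target, but the `include` on the next line still loads the unresolved `$patterns[ $pattern_name ]['filePath']`, so the file that was checked and the file that is executed can differ: a relative value is resolved against the working directory by `realpath()` yet looked up through `include_path` by `include`, and the entry can be repointed between the check and the load. Including the validated value, `include $pattern_path;`, closes that gap and costs nothing, since the following `unset()` still uses the original key. The rendered hunk is also missing the line between `include` and `unset()` (presumably the `ob_get_clean()` assignment), so I cannot confirm what happens when the new guard rejects a path and `['content']` was never set; the method still falls through to `return $patterns[ $pattern_name ]['content'];`, which would read an undefined index. The enclosing method begins before this hunk.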
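--- a/branches/6.9/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/branches/6.9/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -4681,3 +4681,12 @@
      */
     const TEXT_IS_WHITESPACE = 'TEXT_IS_WHITESPACE';
+
+    /**
+     * Wakeup magic method.
+     *
+     * @since 6.9.2
+     */
+    public function __wakeup() {
+        throw new \LogicException( __CLASS__ . ' should never be unserialized' );
+    }
 }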
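Review bot: The new `__wakeup()` docblock does not declare the exception it raises; add `@throws \LogicException Always, since instances must never be unserialized.` after the `@since` line so code that calls `unserialize()` on stored data knows what to catch. The guard also depends on `__wakeup()` actually being invoked: PHP skips it whenever the class or a subclass defines `__unserialize()`, and a subclass can simply override `__wakeup()`, so declaring it `final public function __wakeup()` or pairing it with an equally throwing `__unserialize( array $data )` would make the intent hold across the hierarchy. Whether any such methods exist elsewhere in this class is not visible from the hunk.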
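--- a/branches/6.9/src/wp-includes/template-loader.php
+++ b/branches/6.9/src/wp-includes/template-loader.php
@@ -113,5 +113,11 @@
      */
     $template = apply_filters( 'template_include', $template );
-    if ( $template ) {
+    $template = is_string( $template ) ? realpath( $template ) : null;
+    if (
+        is_string( $template ) &&
+        ( str_ends_with( $template, '.php' ) || str_ends_with( $template, '.html' ) ) &&
+        is_file( $template ) &&
+        is_readable( $template )
+    ) {
         /**
          * Fires immediately before including the template.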
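Review bot: When the filtered `$template` fails the new guard on lines 116–121 (a non-string, an unresolvable path, or an extension other than `.php`/`.html`), nothing reports the rejection, so a `template_include` callback that returned a path which previously loaded will now silently render nothing; an `else` branch calling `_doing_it_wrong( 'template_include', ... )` or `wp_trigger_error()` would keep the hardening debuggable. Two `realpath()` behaviours are worth a comment above line 115: it returns `false` for non-filesystem stream wrappers such as `phar://`, so those templates are now rejected (presumably intended), and `realpath( '' )` returns the current working directory, which only the `is_file()` check filters out. The `if` body, including the eventual `include`, continues past the end of this hunk.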