From 1adfc1bb466cdba274563727ce9860e20d1c5cf4 Mon Sep 17 00:00:00 2001
From: ramonjd
Date: Fri, 3 Dec 2021 08:52:42 +1100
Subject: [PATCH 01/15] Initial commit. Testing a way to cater for port numbers in pdf $url argument. Renaming $value to $url to match PHP doc comment. Adding tests

---
 src/wp-includes/kses.php | 12 +++++++-----
 tests/phpunit/tests/kses.php | 12 ++++++++++++
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
index 025ef5d66bbde..f1af6ca0008f2 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -2591,21 +2591,23 @@ function _wp_add_global_attributes( $value ) {
  * @param string $url The URL to check.
  * @return bool True if the URL is safe, false otherwise.
  */
-function _wp_kses_allow_pdf_objects( $value ) {
+function _wp_kses_allow_pdf_objects( $url ) {
 	// We're not interested in URLs that contain query strings or fragments.
-	if ( strpos( $value, '?' ) !== false || strpos( $value, '#' ) !== false ) {
+	if ( strpos( $url, '?' ) !== false || strpos( $url, '#' ) !== false ) {
 		return false;
 	}
 
 	// If it doesn't have a PDF extension, it's not safe.
-	if ( 0 !== substr_compare( $value, '.pdf', -4, 4, true ) ) {
+	if ( 0 !== substr_compare( $url, '.pdf', -4, 4, true ) ) {
 		return false;
 	}
 
 	// If the URL host matches the current site's media URL, it's safe.
 	$upload_info = wp_upload_dir( null, false );
-	$upload_host = wp_parse_url( $upload_info['url'], PHP_URL_HOST );
-	if ( 0 === strpos( $value, "http://$upload_host/" ) || 0 === strpos( $value, "https://$upload_host/" ) ) {
+	$parsed_url = wp_parse_url( $upload_info['url'] );
+	$upload_host = $parsed_url['host'];
+	$upload_port = $parsed_url['port'] ? ':' . $parsed_url['port'] : '';
+	if ( 0 === strpos( $url, "http://$upload_host$upload_port/" ) || 0 === strpos( $url, "https://$upload_host$upload_port/" ) ) {
 		return true;
 	}
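Review bot: The allow-list test on the new `if` line is a plain string prefix of scheme, host, optional `:port` and a trailing `/`, and that trailing slash is the only thing that stops `https://example.org.attacker.example/x.pdf` or `https://example.org@attacker.example/x.pdf` from passing when the upload host is `example.org`; nothing in the hunk says so, and a later "simplification" to a host comparison would silently lose it. Add a why-comment above the `if`, e.g. `// Match scheme + host[:port] + '/' as one prefix: the trailing slash stops host.attacker.example and host@attacker.example from matching.` Note also that when the upload URL carries no port, a URL that spells the default port explicitly (`https://example.org:443/file.pdf`) is rejected; that fails closed, which is fine, but it belongs in the docblock as a known limitation. The start of the docblock and the rest of the function body lie outside this hunk.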
diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index 8c857fe7d849b..22d115cca09df 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1596,6 +1596,18 @@ function data_wp_kses_object_tag_allowed() {
 				'',
 				'',
 			),
+			'relative url' => array(
+				'',
+				'',
+			),
+			'url with port number' => array(
+				'',
+				'',
+			),
+			'url with port number-like path' => array(
+				'',
+				'',
+			),
 		);
 	}
 

From 58311157bac78c14769c02d1693ae0d00ff82f81 Mon Sep 17 00:00:00 2001
From: ramonjd
Date: Fri, 3 Dec 2021 09:00:41 +1100
Subject: [PATCH 02/15] Oh linter! How sweet thy plaintiff missives be to mine ears

---
 tests/phpunit/tests/kses.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index 22d115cca09df..7755ae5316606 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1600,11 +1600,11 @@ function data_wp_kses_object_tag_allowed() {
 				'',
 				'',
 			),
-			'url with port number' => array(
+			'url with port number' => array(
 				'',
 				'',
 			),
-			'url with port number-like path' => array(
+			'url with port number-like path' => array(
 				'',
 				'',
 			),

From c7de62604038847f01bb661abc1f53f83c819b70 Mon Sep 17 00:00:00 2001
From: ramonjd
Date: Fri, 3 Dec 2021 09:10:33 +1100
Subject: [PATCH 03/15] Checking for the existence of the index port

---
 src/wp-includes/kses.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
index f1af6ca0008f2..82a8d977bcf04 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -2606,7 +2606,7 @@ function _wp_kses_allow_pdf_objects( $url ) {
 	$upload_info = wp_upload_dir( null, false );
 	$parsed_url = wp_parse_url( $upload_info['url'] );
 	$upload_host = $parsed_url['host'];
-	$upload_port = $parsed_url['port'] ? ':' . $parsed_url['port'] : '';
+	$upload_port = isset( $parsed_url['port'] ) ? ':' . $parsed_url['port'] : '';
 	if ( 0 === strpos( $url, "http://$upload_host$upload_port/" ) || 0 === strpos( $url, "https://$upload_host$upload_port/" ) ) {
 		return true;
 	}

From eb8fa6950a07a1370fac671696da8ab482369300 Mon Sep 17 00:00:00 2001
From: ramonjd
Date: Fri, 3 Dec 2021 09:11:30 +1100
Subject: [PATCH 04/15] Checking for the existence of the index host

---
 src/wp-includes/kses.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
index 82a8d977bcf04..3d35eb2c20f63 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -2605,7 +2605,7 @@ function _wp_kses_allow_pdf_objects( $url ) {
 	// If the URL host matches the current site's media URL, it's safe.
 	$upload_info = wp_upload_dir( null, false );
 	$parsed_url = wp_parse_url( $upload_info['url'] );
-	$upload_host = $parsed_url['host'];
+	$upload_host = isset( $parsed_url['host'] ) ? $parsed_url['host'] : '';
 	$upload_port = isset( $parsed_url['port'] ) ? ':' . $parsed_url['port'] : '';
 	if ( 0 === strpos( $url, "http://$upload_host$upload_port/" ) || 0 === strpos( $url, "https://$upload_host$upload_port/" ) ) {
 		return true;

From 7ae4c781efa3c0631de86d7d690ef0a42be4f0a6 Mon Sep 17 00:00:00 2001
From: ramonjd
Date: Fri, 3 Dec 2021 10:42:53 +1100
Subject: [PATCH 05/15] Creating a new test + data provider and a filter to add a port number to the test host domain.

---
 tests/phpunit/tests/kses.php | 37 ++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index 7755ae5316606..adaf4c8bf1aa3 100644
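Review bot: Defaulting `$upload_host` to `''` on the changed line lets execution fall through to the prefix check with the prefixes `http:///` and `https:///`, so an object whose data URL is written as `https:///attacker.example/file.pdf` would be allowed whenever the upload URL has no parseable host (for instance a relative URL handed back through the `upload_dir` filter); browsers that follow the WHATWG URL parser ignore the extra slash and fetch `https://attacker.example/file.pdf`. The previous `PHP_URL_HOST` form produced the same empty-host prefix when parsing failed, but now that the fallback is spelled out it should fail closed rather than continue: directly after the new line add `if ( '' === $upload_host ) { return false; }`. The function's remaining lines are outside this hunk.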
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1600,17 +1600,50 @@ function data_wp_kses_object_tag_allowed() {
 				'',
 				'',
 			),
-			'url with port number' => array(
+		);
+	}
+
+	/**
+	 * Test that uploaded object tags with port numbers in the URL.
+	 *
+	 * @ticket 54261
+	 *
+	 * @dataProvider data_wp_kses_object_data_url_with_port_number_allowed
+	 *
+	 * @param string $html A string of HTML to test.
+	 * @param string $expected The expected result from KSES.
+	 */
+	function test_wp_kses_object_data_url_with_port_number_allowed( $html, $expected ) {
+		add_filter( 'upload_dir', array( $this, 'wp_kses_upload_dir_filter' ), 10, 2 );
+		$this->assertSame( $expected, wp_kses_post( $html ) );
+		remove_filter( 'upload_dir', array( $this, 'wp_kses_upload_dir_filter' ), 10, 2 );
+	}
+
+	/**
+	 * Data provider for test_wp_kses_object_data_url_with_port_number_allowed().
+	 */
+	function data_wp_kses_object_data_url_with_port_number_allowed() {
+		return array(
+			'url with port number' => array(
 				'',
 				'',
 			),
-			'url with port number-like path' => array(
+			'url with port number and http protocol' => array(
+				'',
+				'',
+			),
+			'url with port number-like path' => array(
 				'',
 				'',
 			),
 		);
 	}
 
+	public function wp_kses_upload_dir_filter( $param ) {
+		$param['port'] = 8888;
+		return $param;
+	}
+
 	/**
 	 * Test that object tags will continue to function if they've been added using the
 	 * 'wp_kses_allowed_html' filter.

From 9dcfa81fe94360f116c842af422220033ccfe615 Mon Sep 17 00:00:00 2001
From: ramonjd
Date: Fri, 3 Dec 2021 10:47:26 +1100
Subject: [PATCH 06/15] Removed dupe test

---
 tests/phpunit/tests/kses.php | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index adaf4c8bf1aa3..4eda133c8edeb 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1596,10 +1596,6 @@ function data_wp_kses_object_tag_allowed() {
 				'',
 				'',
 			),
-			'relative url' => array(
-				'',
-				'',
-			),
 		);
 	}
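Review bot: `add_filter( 'upload_dir', array( $this, 'wp_kses_upload_dir_filter' ), 10, 2 )` in the new test declares two accepted arguments, but the callback added at the bottom of the hunk takes only `$param` and the `upload_dir` filter passes a single array, so the `10, 2` is noise that implies a second argument which never arrives. `add_filter( 'upload_dir', array( $this, 'wp_kses_upload_dir_filter' ) );` is sufficient, and the matching `remove_filter` call can drop the extra arguments the same way. The new `wp_kses_upload_dir_filter()` method also has no docblock at this point, so a reader cannot tell from the test file what shape `$param` is expected to have; a one-line `@param array $param` note referencing `wp_upload_dir()` would do.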
From 306471d2e376d1faf4ad82d4967152060bc14eb9 Mon Sep 17 00:00:00 2001
From: ramonjd
Date: Fri, 3 Dec 2021 10:48:34 +1100
Subject: [PATCH 07/15] Made comment readable

---
 tests/phpunit/tests/kses.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index 4eda133c8edeb..c9c372c445dbc 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1600,7 +1600,7 @@ function data_wp_kses_object_tag_allowed() {
 	}
 
 	/**
-	 * Test that uploaded object tags with port numbers in the URL.
+	 * Test that object tags are allowed when there is a port number in the URL.
 	 *
 	 * @ticket 54261
 	 *

From bf474cf7f63b4a3e3e55f96b82276a96b86cd77d Mon Sep 17 00:00:00 2001
From: Ramon
Date: Fri, 3 Dec 2021 11:01:10 +1100
Subject: [PATCH 08/15] Update tests/phpunit/tests/kses.php

Co-authored-by: Peter Wilson <519727+peterwilsoncc@users.noreply.github.com>
---
 tests/phpunit/tests/kses.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index c9c372c445dbc..a55233d4ac13b 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1612,7 +1612,6 @@ function data_wp_kses_object_tag_allowed() {
 	function test_wp_kses_object_data_url_with_port_number_allowed( $html, $expected ) {
 		add_filter( 'upload_dir', array( $this, 'wp_kses_upload_dir_filter' ), 10, 2 );
 		$this->assertSame( $expected, wp_kses_post( $html ) );
-		remove_filter( 'upload_dir', array( $this, 'wp_kses_upload_dir_filter' ), 10, 2 );
 	}
 
 	/**

From 53d007fa3d0e98a059422461b45c6787ffe72782 Mon Sep 17 00:00:00 2001
From: Ramon
Date: Fri, 3 Dec 2021 11:01:36 +1100
Subject: [PATCH 09/15] Update tests/phpunit/tests/kses.php

Co-authored-by: Peter Wilson <519727+peterwilsoncc@users.noreply.github.com>
---
 tests/phpunit/tests/kses.php | 3 +++
 1 file changed, 3 insertions(+)
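Review bot: Removing the `remove_filter` line leaves the port-rewriting `upload_dir` filter registered after the assertion, so test isolation now depends on the base test case restoring the hook table between tests; if `WP_UnitTestCase` does that in its tearDown (not visible in this extract) the change is fine, otherwise the filter leaks into later KSES tests that expect the unported upload URL. Either way the reliance is invisible to the next reader, so state it on the `add_filter` line, e.g. `// No remove_filter needed: the base test case resets hooks after each test.` The enclosing class is outside this hunk.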
diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index a55233d4ac13b..4759f5a28409b 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1634,6 +1634,9 @@ function data_wp_kses_object_data_url_with_port_number_allowed() {
 		);
 	}
 
+	/**
+	 * Filter upload directory for tests using port number.
+	 */
 	public function wp_kses_upload_dir_filter( $param ) {
 		$param['port'] = 8888;
 		return $param;

From 872e96aafd40e18d4992517fc2829539aa4facbe Mon Sep 17 00:00:00 2001
From: ramonjd
Date: Fri, 3 Dec 2021 11:03:09 +1100
Subject: [PATCH 10/15] Relocated test where the url didn't contain a port

---
 tests/phpunit/tests/kses.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index 4759f5a28409b..f8c0e8073f13b 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1596,6 +1596,10 @@ function data_wp_kses_object_tag_allowed() {
 				'',
 				'',
 			),
+			'url with port number-like path' => array(
+				'',
+				'',
+			),
 		);
 	}
 
@@ -1627,10 +1631,6 @@ function data_wp_kses_object_data_url_with_port_number_allowed() {
 				'',
 				'',
 			),
-			'url with port number-like path' => array(
-				'',
-				'',
-			),
 		);
 	}
 

From af59eee174599dd7adcf452b0ed8d34a4c805d3b Mon Sep 17 00:00:00 2001
From: ramonjd
Date: Fri, 3 Dec 2021 11:32:41 +1100
Subject: [PATCH 11/15] 'port' does not exist as an index on the $param array. It would help if I read the docs for this filter.

---
 tests/phpunit/tests/kses.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index f8c0e8073f13b..10a3acb76b77b 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1636,9 +1636,13 @@ function data_wp_kses_object_data_url_with_port_number_allowed() {
 
 	/**
 	 * Filter upload directory for tests using port number.
+	 *
+	 * @param array $param See wp_upload_dir()
+	 * @return array $param with a modified `url`.
 	 */
 	public function wp_kses_upload_dir_filter( $param ) {
-		$param['port'] = 8888;
+		$url_with_port_number = is_string( $param['url'] ) ? str_replace( 'example.org', 'example.org:8888', $param['url'] ) : $param['url'];
+		$param['url'] = $url_with_port_number;
 		return $param;
 	}
 

From 4a2988a82506254b8ce203b4141c0d8d1eab98b8 Mon Sep 17 00:00:00 2001
From: ramonjd
Date: Fri, 3 Dec 2021 11:35:10 +1100
Subject: [PATCH 12/15] Linter! My friend, why do you forsake me? You run so slowly on my local machine.

---
 tests/phpunit/tests/kses.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index 10a3acb76b77b..c56fa705a98ab 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1642,7 +1642,7 @@ function data_wp_kses_object_data_url_with_port_number_allowed() {
 	 */
 	public function wp_kses_upload_dir_filter( $param ) {
 		$url_with_port_number = is_string( $param['url'] ) ? str_replace( 'example.org', 'example.org:8888', $param['url'] ) : $param['url'];
-		$param['url'] = $url_with_port_number;
+		$param['url'] = $url_with_port_number;
 		return $param;
 	}
 

From 7d44da3da7b25495401d4050040cc0384dd89326 Mon Sep 17 00:00:00 2001
From: ramonjd
Date: Fri, 3 Dec 2021 13:08:14 +1100
Subject: [PATCH 13/15] Unhappy paths

---
 tests/phpunit/tests/kses.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index c56fa705a98ab..fc4c1f4fc3cb9 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
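Review bot: The new `str_replace( 'example.org', 'example.org:8888', $param['url'] )` hard-codes the test site's host, so if the test install runs under any other domain the fixture silently adds no port and the port-number test passes without exercising the code it exists for; it also rewrites every occurrence of that string rather than just the authority. Deriving the host from the URL being filtered removes both problems: `$host = (string) wp_parse_url( $param['url'], PHP_URL_HOST );` followed by `$param['url'] = str_replace( '://' . $host . '/', '://' . $host . ':8888/', $param['url'] );`, keeping the existing `is_string` guard around it. If the suite already exposes the test domain as a constant, using that instead would be equally clear. The enclosing test class is outside this hunk.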
@@ -1631,6 +1631,14 @@ function data_wp_kses_object_data_url_with_port_number_allowed() {
 				'',
 				'',
 			),
+			'url with wrong protocol' => array(
+				'',
+				'',
+			),
+			'url with without protocol' => array(
+				'',
+				'',
+			),
 		);
 	}
 

From eaa4e5b037a85cd21effff1b31dc8fed52e6ea3f Mon Sep 17 00:00:00 2001
From: ramonjd
Date: Fri, 3 Dec 2021 13:14:19 +1100
Subject: [PATCH 14/15] My blod is typo

---
 tests/phpunit/tests/kses.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index fc4c1f4fc3cb9..413d04950b8a0 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1635,7 +1635,7 @@ function data_wp_kses_object_data_url_with_port_number_allowed() {
 				'',
 				'',
 			),
-			'url with without protocol' => array(
+			'url without protocol' => array(
 				'',
 				'',
 			),

From ef96bcce54150e967ce14772cd2bff26ef2f0d62 Mon Sep 17 00:00:00 2001
From: ramonjd
Date: Fri, 3 Dec 2021 13:14:56 +1100
Subject: [PATCH 15/15] My blod is typo

---
 tests/phpunit/tests/kses.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index 413d04950b8a0..cda6d3d7e44cc 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1631,11 +1631,11 @@ function data_wp_kses_object_data_url_with_port_number_allowed() {
 				'',
 				'',
 			),
-			'url with wrong protocol' => array(
+			'url with wrong port number' => array(
 				'',
 				'',
 			),
-			'url without protocol' => array(
+			'url without port number' => array(
 				'',
 				'',
 			),
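Review bot: The two negative datasets added here cover a port that differs from the filtered upload port and a URL with no port at all, but nothing pins the property the prefix check in `_wp_kses_allow_pdf_objects()` actually relies on, namely that the allowed authority must be followed by `/`: a data URL such as `http://example.org:88880/file.pdf` or `http://example.org:8888.attacker.example/file.pdf` starts with the allowed `example.org:8888` and must still be stripped. The object markup inside these arrays is not visible in this extract, so if such a case is already present disregard this; otherwise add one dataset alongside these two whose `data` URL is `http://example.org:88880/file.pdf` and whose expected output is the same empty string the other rejected cases use. The start of the data provider is outside this hunk.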