HTML API: Prevent WP_HTML_Tag_Processor instances being unserialized and add some extra logic for validating pattern and template file paths.

Props dmsnell, xknown, jonsurrell, peterwilsoncc, johnbillion. Built from https://develop.svn.wordpress.org/trunk@61880 git-svn-id: http://core.svn.wordpress.org/trunk@61162 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2026-03-10 12:20:43 +00:00
parent ccc5ded2b6
commit f6a2aea6c4
5 changed files with 28 additions and 4 deletions
--- a/wp-includes/class-wp-block-patterns-registry.php
+++ b/wp-includes/class-wp-block-patterns-registry.php
@@ -173,12 +173,21 @@ final class WP_Block_Patterns_Registry {
 		} else {
 			$patterns = &$this->registered_patterns;
 		}
-		if ( ! isset( $patterns[ $pattern_name ]['content'] ) && isset( $patterns[ $pattern_name ]['filePath'] ) ) {
+
+		$pattern_path = realpath( $patterns[ $pattern_name ]['filePath'] ?? '' );
+		if (
+			! isset( $patterns[ $pattern_name ]['content'] ) &&
+			is_string( $pattern_path ) &&
+			( str_ends_with( $pattern_path, '.php' ) || str_ends_with( $pattern_path, '.html' ) ) &&
+			is_file( $pattern_path ) &&
+			is_readable( $pattern_path )
+		) {
 			ob_start();
 			include $patterns[ $pattern_name ]['filePath'];
 			$patterns[ $pattern_name ]['content'] = ob_get_clean();
 			unset( $patterns[ $pattern_name ]['filePath'] );
 		}
+
 		return $patterns[ $pattern_name ]['content'];
 	}

--- a/wp-includes/class-wp-http-ixr-client.php
+++ b/wp-includes/class-wp-http-ixr-client.php
@@ -89,7 +89,7 @@ class WP_HTTP_IXR_Client extends IXR_Client {
 			echo '<pre class="ixr_request">' . htmlspecialchars( $xml ) . "\n</pre>\n\n";
 		}

-		$response = wp_safe_remote_post( $url, $args );
+		$response = wp_remote_post( $url, $args );

 		if ( is_wp_error( $response ) ) {
 			$errno       = $response->get_error_code();
--- a/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -5061,4 +5061,13 @@ class WP_HTML_Tag_Processor {
 	 * @since 6.7.0
 	 */
 	const TEXT_IS_WHITESPACE = 'TEXT_IS_WHITESPACE';
+
+	/**
+	 * Wakeup magic method.
+	 *
+	 * @since 6.9.2
+	 */
+	public function __wakeup() {
+		throw new \LogicException( __CLASS__ . ' should never be unserialized' );
+	}
 }
--- a/wp-includes/template-loader.php
+++ b/wp-includes/template-loader.php
@@ -112,7 +112,13 @@ if ( wp_using_themes() ) {
 	 * @param string $template The path of the template to include.
 	 */
 	$template = apply_filters( 'template_include', $template );
-	if ( $template ) {
+	$template = is_string( $template ) ? realpath( $template ) : null;
+	if (
+		is_string( $template ) &&
+		( str_ends_with( $template, '.php' ) || str_ends_with( $template, '.html' ) ) &&
+		is_file( $template ) &&
+		is_readable( $template )
+	) {
 		/**
 		 * Fires immediately before including the template.
 		 *
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '7.0-beta3-61879';
+$wp_version = '7.0-beta3-61880';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.