From d54cd10bb42ee48f694afa148c8154020507863a Mon Sep 17 00:00:00 2001
From: roykho
Date: Thu, 23 Sep 2021 18:51:10 -0700
Subject: [PATCH 1/3] Revert "Enable redirect method to also handle absolute filepaths."

This reverts commit 36022c29eb95e9fa7cb9ea1a172c20882997951c.
---
 includes/class-wc-download-handler.php | 5 -----
 includes/class-wc-product-download.php | 3 +++
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/includes/class-wc-download-handler.php b/includes/class-wc-download-handler.php
index 37692fb296c..e0cd94e5c36 100644
--- a/includes/class-wc-download-handler.php
+++ b/includes/class-wc-download-handler.php
@@ -241,11 +241,6 @@ class WC_Download_Handler {
 * @param string $filename File name.
 */
 public static function download_file_redirect( $file_path, $filename = '' ) {
- $parsed_file_path = self::parse_file_path( $file_path );
- $file_path = $parsed_file_path['file_path'];
- if ( ! $parsed_file_path['remote_file'] ) {
- $file_path = trim( preg_replace( '`^' . str_replace( '\\', '/', getcwd() ) . '`', '', $file_path ), '/' );
- }
 header( 'Location: ' . $file_path );
 exit;
 }
diff --git a/includes/class-wc-product-download.php b/includes/class-wc-product-download.php
index d78b2e8a434..03fbba9134b 100644
--- a/includes/class-wc-product-download.php
+++ b/includes/class-wc-product-download.php
@@ -172,6 +172,9 @@ class WC_Product_Download implements ArrayAccess {
 $value = $matches[1];
 }
+ $parsed_file_path = WC_Download_Handler::parse_file_path( $value );
+ $value = $parsed_file_path['file_path'];
+
 switch ( $this->get_type_of_file_path( $value ) ) {
 case 'absolute':
 $this->data['file'] = esc_url_raw( $value );
From bce05c811a880e126895169e7d98daab05f5b036 Mon Sep 17 00:00:00 2001
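Review bot: After this hunk `download_file_redirect()` emits the caller-supplied `$file_path` unchanged in the Location header, yet the docblock it sits under (its `@param string $file_path` line is above the hunk) does not say the value must already be a browser-followable URL; add that, e.g. `@param string $file_path File path; must already be a URL the browser can follow, as no local-path rewriting is applied here.`. The `$filename` parameter documented on the visible `@param` line is not referenced anywhere in the body, which is now fully inside the hunk, so its description should say it is accepted for signature compatibility only, or the method should make use of it. The second hunk in this patch (`set_file()` in class-wc-product-download.php) is undone again by patch 2/3 of this series, so it gets no separate note.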
From: roykho
Date: Thu, 23 Sep 2021 18:51:41 -0700
Subject: [PATCH 2/3] Revert "Tweak download filepaths"

This reverts commit 90e187b899cdeb62e3db1de97dbce4447f98e7bf.
---
 includes/class-wc-download-handler.php | 7 ++-
 includes/class-wc-product-download.php | 18 ++++---
 .../legacy/unit-tests/customer/functions.php | 4 +-
 .../class-wc-product-download-test.php | 50 -------------------
 4 files changed, 15 insertions(+), 64 deletions(-)
 delete mode 100644 tests/php/includes/class-wc-product-download-test.php

diff --git a/includes/class-wc-download-handler.php b/includes/class-wc-download-handler.php
index e0cd94e5c36..e3422560511 100644
--- a/includes/class-wc-download-handler.php
+++ b/includes/class-wc-download-handler.php
@@ -269,10 +269,9 @@ class WC_Download_Handler {
 str_replace( 'https:', 'http:', site_url( '/', 'http' ) ) => ABSPATH,
 );
- $count = 0;
- $file_path = str_replace( array_keys( $replacements ), array_values( $replacements ), $file_path, $count );
+ $file_path = str_replace( array_keys( $replacements ), array_values( $replacements ), $file_path );
 $parsed_file_path = wp_parse_url( $file_path );
- $remote_file = null === $count || 0 === $count; // Remote file only if there were no replacements.
+ $remote_file = true;
 // Paths that begin with '//' are always remote URLs.
 if ( '//' === substr( $file_path, 0, 2 ) ) {
@@ -292,7 +291,7 @@ class WC_Download_Handler {
 $file_path = realpath( WP_CONTENT_DIR . substr( $file_path, 11 ) );
 // Check if we have an absolute path.
- } elseif ( ( ! isset( $parsed_file_path['scheme'] ) || ! in_array( $parsed_file_path['scheme'], array( 'http', 'https', 'ftp' ), true ) ) && isset( $parsed_file_path['path'] ) ) {
+ } elseif ( ( ! isset( $parsed_file_path['scheme'] ) || ! in_array( $parsed_file_path['scheme'], array( 'http', 'https', 'ftp' ), true ) ) && isset( $parsed_file_path['path'] ) && file_exists( $parsed_file_path['path'] ) ) {
 $remote_file = false;
 $file_path = $parsed_file_path['path'];
 }
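Review bot: With `$remote_file = true;` as the default in the first hunk and `file_exists( $parsed_file_path['path'] )` added to the `elseif` in the second, a string that the `$replacements` table has already rewritten from a `site_url()` form to `ABSPATH` but that does not resolve on disk (for instance because `wp_parse_url()` separated a query string from the path) is reported as remote, so the local/remote decision now depends on filesystem state rather than on where the string came from. The deleted `tests/php/includes/class-wc-product-download-test.php` exercised inputs of exactly that shape through `is_allowed_filetype()`; if the revert is needed to unbreak downloads, keep those tests with the expectations this revert intends instead of dropping them, so the behaviour stays pinned and visible. The new `$remote_file = true;` line also loses the explanatory comment the old line carried; suggest `$remote_file = true; // Assume remote until a branch below resolves the path to a local file.`. `parse_file_path()` starts before the first hunk and ends after the second.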
diff --git a/includes/class-wc-product-download.php b/includes/class-wc-product-download.php
index 03fbba9134b..3b4344bd9be 100644
--- a/includes/class-wc-product-download.php
+++ b/includes/class-wc-product-download.php
@@ -95,16 +95,22 @@ class WC_Product_Download implements ArrayAccess {
 * @return boolean
 */
 public function is_allowed_filetype() {
- $file_path = $this->get_file();
- $parsed_file_path = WC_Download_Handler::parse_file_path( $file_path );
+ $file_path = $this->get_file();
 // File types for URL-based files located on the server should get validated.
- $is_file_on_server = ! $parsed_file_path['remote_file'];
+ $is_file_on_server = false;
+ if ( false !== stripos( $file_path, network_site_url( '/', 'https' ) ) ||
+ false !== stripos( $file_path, network_site_url( '/', 'http' ) ) ||
+ false !== stripos( $file_path, site_url( '/', 'https' ) ) ||
+ false !== stripos( $file_path, site_url( '/', 'http' ) )
+ ) {
+ $is_file_on_server = true;
+ }
 if ( ! $is_file_on_server && 'relative' !== $this->get_type_of_file_path() ) {
 return true;
 }
- return ( ! $is_file_on_server && ! $this->get_file_extension() ) || in_array( $this->get_file_type(), $this->get_allowed_mime_types(), true );
+ return ! $this->get_file_extension() || in_array( $this->get_file_type(), $this->get_allowed_mime_types(), true );
 }
 /**
@@ -171,10 +177,6 @@ class WC_Product_Download implements ArrayAccess {
 if ( preg_match( '#^//+(/[^/].+)$#i', $value, $matches ) ) {
 $value = $matches[1];
 }
-
- $parsed_file_path = WC_Download_Handler::parse_file_path( $value );
- $value = $parsed_file_path['file_path'];
-
 switch ( $this->get_type_of_file_path( $value ) ) {
 case 'absolute':
 $this->data['file'] = esc_url_raw( $value );
diff --git a/tests/legacy/unit-tests/customer/functions.php b/tests/legacy/unit-tests/customer/functions.php
index 0438c646211..41746df84e0 100644
--- a/tests/legacy/unit-tests/customer/functions.php
+++ b/tests/legacy/unit-tests/customer/functions.php
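Review bot: The four `false !== stripos( $file_path, ... )` checks restored in `is_allowed_filetype()` test whether a site URL appears anywhere in `$file_path`, not whether it starts the string, so a remote URL that merely carries the site URL inside its path or query is classified as on-server and sent through the MIME check, while the comment above them talks about files "located on the server". If "hosted here" is the intent, compare the prefix instead, `0 === stripos( $file_path, site_url( '/', 'https' ) )` and likewise for the other three, or loop over the four candidates with one comparison. Separately, the restored `return` lets any on-server file with no extension through, because `! $this->get_file_extension()` short-circuits before the allow-list lookup regardless of `$is_file_on_server`; that is the pre-change behaviour coming back, but a comment on that line such as `// Extension-less files pass; anything else must have an allowed MIME type.` would make the rule explicit for the next reader. The second hunk in this file only removes the `parse_file_path()` call from `set_file()` and needs nothing further.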
@@ -152,7 +152,7 @@ class WC_Tests_Customer_Functions extends WC_Unit_Test_Case {
 // Test download permissions.
 $prod_download = new WC_Product_Download();
- $prod_download->set_file( WC_ABSPATH . 'assets/images/help.png' );
+ $prod_download->set_file( plugin_dir_url( __FILE__ ) . '/assets/images/help.png' );
 $prod_download->set_id( 'download' );
 $product = new WC_Product_Simple();
@@ -382,7 +382,7 @@ class WC_Tests_Customer_Functions extends WC_Unit_Test_Case {
 $customer_id = wc_create_new_customer( 'test@example.com', 'testuser', 'testpassword' );
 $prod_download = new WC_Product_Download();
- $prod_download->set_file( WC_ABSPATH . 'assets/images/help.png' );
+ $prod_download->set_file( plugin_dir_url( __FILE__ ) . '/assets/images/help.png' );
 $prod_download->set_id( 1 );
 $product = new WC_Product_Simple();
diff --git a/tests/php/includes/class-wc-product-download-test.php b/tests/php/includes/class-wc-product-download-test.php
deleted file mode 100644
index a1c17f39e1c..00000000000
--- a/tests/php/includes/class-wc-product-download-test.php
+++ /dev/null
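Review bot: `plugin_dir_url()` already returns its URL with a trailing slash, so `plugin_dir_url( __FILE__ ) . '/assets/images/help.png'` yields a double slash in the path in both hunks here (@@ -152 and @@ -382); drop the leading slash: `$prod_download->set_file( plugin_dir_url( __FILE__ ) . 'assets/images/help.png' );`. Because `__FILE__` is the test file itself, the resulting URL points below tests/legacy/unit-tests/customer/ rather than at the plugin's assets directory, which is presumably fine if the test only needs a same-site URL, but a one-line comment saying so would stop a later reader from "fixing" it to the real asset path. Both enclosing test methods start and end outside these hunks.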
@@ -1,50 +0,0 @@
-getMockBuilder( WC_Product_Download::class )
- ->setMethods( array( 'get_file' ) )
- ->getMock();
- }
-
- /**
- * Test when file appears remote but is local.
- */
- public function test_is_allowed_filetype_when_file_with_false_query_params() {
- $download = $this->get_sut_with_get_file();
- $payload = trailingslashit( site_url( '/' ) ) . 'non_exists/?/../../wp-config.php';
- $download->method( 'get_file' )->willReturn( $payload );
- $this->assertFalse( $download->is_allowed_filetype() );
- }
-
- /**
- * Test when file appears remote, but is local and tries to appear remote by having characters to be stripped by esc_url_raw.
- */
- public function test_is_allowed_filetype_when_file_with_quote_and_false_query_params() {
- $download = $this->get_sut_with_get_file();
- $payload = trailingslashit( site_url( '/' ) ) . '"non_exists/?/../../foo.php';
- $download->method( 'get_file' )->willReturn( $payload );
- $this->assertFalse( $download->is_allowed_filetype() );
- }
-
- /**
- * Test when file has invalid scheme.
- */
- public function test_is_allowed_filetype_when_file_with_url_escapable_scheme() {
- $download = $this->get_sut_with_get_file();
- $payload = trailingslashit( site_url( '/' ) );
- $payload = str_replace( 'http', 'http;', $payload );
- $payload = trailingslashit( $payload ) . 'wp-config.php?/../../foo'; // http;//example.com/wp-config.php?/../../foo.
- $download->method( 'get_file' )->willReturn( $payload );
- $this->assertFalse( $download->is_allowed_filetype() );
- }
-}
From 2779c7b7655d6af2356d7f02a7649f6833efc747 Mon Sep 17 00:00:00 2001
From: roykho
Date: Thu, 23 Sep 2021 18:54:40 -0700
Subject: [PATCH 3/3] Revert downloads path change and changelog

---
 changelog.txt | 15 +++++++++++++++
 readme.txt | 2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/changelog.txt b/changelog.txt
index 653bf063739..03c8a71a4a1 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -1,5 +1,20 @@
 == Changelog ==
+= 5.7.1 2021-09-23 =
+
+**WooCommerce**
+
+* Dev - Revert Download filepaths changes.
+
+**WooCommerce Admin - 2.6.5**
+
+- Fix: Add filters to get new hidden options #7698
+
+**WooCommerce Blocks - 5.7.2**
+
+- Fix - Infinite recursion when removing an attribute filter from the Active filters block. #4816
+- Fix - Fix Product Search block displaying incorrectly. #4740
+
 = 5.7.0 2021-09-21 =
 **WooCommerce**
diff --git a/readme.txt b/readme.txt
index 2444a7645b7..e9f1c486249 100644
--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: e-commerce, store, sales, sell, woo, shop, cart, checkout, downloadable, d
 Requires at least: 5.6
 Tested up to: 5.8
 Requires PHP: 7.0
-Stable tag: 5.7.0
+Stable tag: 5.7.1
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html