vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2026-06-28 14:20:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Media: Prevent CSRF setting attachment thumbnails.

Browse Source 
Props martinkrcho, paulkevan, peterwilsoncc, xknown, peterwilsoncc.



git-svn-id: https://develop.svn.wordpress.org/trunk@55764 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Jb Audras
2023-05-16 14:26:01 +00:00
parent a6f0f3ea29
commit 35c0ab3c74
4 changed files with 98 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

91
tests/phpunit/tests/ajax/wpAjaxSendAttachmentToEditor.php
View File

@@ -101,4 +101,95 @@ class Tests_Ajax_wpAjaxSendAttachmentToEditor extends WP_Ajax_UnitTestCase {
$this->assertTrue( $response['success'] );
$this->assertSame( $expected, $response['data'] );
}
public function test_wp_ajax_set_attachment_thumbnail_success() {
// Become an administrator.
$post = $_POST;
$user_id = self::factory()->user->create(
array(
'role' => 'administrator',
'user_login' => 'user_36578_administrator',
'user_email' => 'user_36578_administrator@example.com',
)
);
wp_set_current_user( $user_id );
$_POST = array_merge( $_POST, $post );
// Upload the attachment itself.
$filename = DIR_TESTDATA . '/uploads/small-audio.mp3';
$contents = file_get_contents( $filename );
$upload = wp_upload_bits( wp_basename( $filename ), null, $contents );
$attachment = $this->_make_attachment( $upload );
// Upload the thumbnail.
$filename = DIR_TESTDATA . '/images/waffles.jpg';
$contents = file_get_contents( $filename );
$upload = wp_upload_bits( wp_basename( $filename ), null, $contents );
$thumbnail = $this->_make_attachment( $upload );
// Set up a default request.
$_POST['_ajax_nonce'] = wp_create_nonce( 'set-attachment-thumbnail' );
$_POST['thumbnail_id'] = $thumbnail;
$_POST['urls'] = array( wp_get_attachment_url( $attachment ) );
// Make the request.
try {
$this->_handleAjax( 'set-attachment-thumbnail' );
} catch ( WPAjaxDieContinueException $e ) {
unset( $e );
}
// Get the response.
$response = json_decode( $this->_last_response, true );
// Ensure everything is correct.
$this->assertTrue( $response['success'] );
}
public function test_wp_ajax_set_attachment_thumbnail_missing_nonce() {
// Become an administrator.
$post = $_POST;
$user_id = self::factory()->user->create(
array(
'role' => 'administrator',
'user_login' => 'user_36578_administrator',
'user_email' => 'user_36578_administrator@example.com',
)
);
wp_set_current_user( $user_id );
$_POST = array_merge( $_POST, $post );
// Upload the attachment itself.
$filename = DIR_TESTDATA . '/uploads/small-audio.mp3';
$contents = file_get_contents( $filename );
$upload = wp_upload_bits( wp_basename( $filename ), null, $contents );
$attachment = $this->_make_attachment( $upload );
// Upload the thumbnail.
$filename = DIR_TESTDATA . '/images/waffles.jpg';
$contents = file_get_contents( $filename );
$upload = wp_upload_bits( wp_basename( $filename ), null, $contents );
$thumbnail = $this->_make_attachment( $upload );
// Set up a default request.
$_POST['thumbnail_id'] = $thumbnail;
$_POST['urls'] = array( wp_get_attachment_url( $attachment ) );
// Make the request.
try {
$this->_handleAjax( 'set-attachment-thumbnail' );
} catch ( WPAjaxDieContinueException $e ) {
unset( $e );
}
// Get the response.
$response = json_decode( $this->_last_response, true );
// Check that success is false without sending nonce.
$this->assertFalse( $response['success'] );
}
}