Merge pull request #1691 from ultimatemember/security/CVE-2025-47691

Updates dynamic function blacklist for security enhancement
This commit is contained in:
Mykyta Synelnikov
2025-05-15 01:09:52 +03:00
committed by GitHub
7 changed files with 3953 additions and 5 deletions
+7 -1
View File
@@ -55,6 +55,12 @@ if ( ! class_exists( 'um\admin\core\Admin_Builder' ) ) {
return $errors;
}
$functions_blacklist_error = UM()->builtin()->functions_blacklist_field_err( $submission_data['post'] );
if ( ! empty( $functions_blacklist_error ) ) {
$errors['_custom_dropdown_options_source'] = $functions_blacklist_error;
return $errors;
}
$field_attr = UM()->builtin()->get_core_field_attrs( $submission_data['field_type'] );
if ( ! array_key_exists( 'validate', $field_attr ) ) {
return $errors;
@@ -1151,7 +1157,7 @@ if ( ! class_exists( 'um\admin\core\Admin_Builder' ) ) {
* @return boolean
*/
public function skip_field_validation( $skip, $post_input, $array ) {
if ( $post_input === '_options' && isset( $array['post']['_custom_dropdown_options_source'] ) ) {
if ( '_options' === $post_input && isset( $array['post']['_custom_dropdown_options_source'] ) ) {
$skip = function_exists( wp_unslash( $array['post']['_custom_dropdown_options_source'] ) );
}
+21
View File
@@ -193,6 +193,27 @@ if ( ! class_exists( 'um\core\Builtin' ) ) {
return 0;
}
/**
* Checks for a blacklist function in the custom callback field error.
*
* @since 2.10.4
*
* @param array $args Custom field submission data.
*
* @return int|string Empty or error string.
*/
public function functions_blacklist_field_err( $args ) {
if ( empty( $args['_custom_dropdown_options_source'] ) ) {
return 0;
}
if ( UM()->fields()->is_source_blacklisted( $args['_custom_dropdown_options_source'] ) ) {
return __( 'This is not possible for security reasons.', 'ultimate-member' );
}
return 0;
}
/**
* Check date range errors (start date)
*
+34 -2
View File
@@ -1379,8 +1379,40 @@ if ( ! class_exists( 'um\core\Fields' ) ) {
public function dropdown_options_source_blacklist() {
$list = get_defined_functions();
$blacklist = ! empty( $list['internal'] ) ? $list['internal'] : array();
$blacklist = apply_filters( 'um_dropdown_options_source_blacklist', $blacklist );
return $blacklist;
// Get the saved version from the database
$wp_functions_version = get_option( 'um_wp_functions_version' );
if ( empty( $wp_functions_version ) || version_compare( UM_WP_FUNCTIONS_VERSION, $wp_functions_version, '>' ) ) {
// Load the JSON file's content
$jsonContent = file_get_contents( UM_PATH . 'includes/lib/php-scoper-wordpress-excludes/exclude-wordpress-functions.json' );
// Parse the JSON string into a PHP array
$um_wp_native_functions_list = json_decode( $jsonContent, true );
// Save the decoded JSON into wp_option
update_option( 'um_wp_functions_list', $um_wp_native_functions_list );
// Update the saved version in the database
update_option( 'um_wp_functions_version', UM_WP_FUNCTIONS_VERSION );
} else {
$um_wp_native_functions_list = get_option( 'um_wp_functions_list', array() );
}
if ( ! empty( $um_wp_native_functions_list ) ) {
$blacklist = array_merge( $blacklist, $um_wp_native_functions_list );
}
/**
* Filters the blacklist of the functions that cannot be used as custom callback for dropdown field to populate the options.
*
* @since 2.5.1
* @hook um_dropdown_options_source_blacklist
*
* @param {array} $blacklist Functions blacklist.
*
* @return {array} Functions blacklist.
*/
return apply_filters( 'um_dropdown_options_source_blacklist', $blacklist );
}
/**
File diff suppressed because it is too large Load Diff