[arch-commits] Commit in wordpress/trunk (PKGBUILD password_reset_exploit.patch)

Alexander Rødseth arodseth at archlinux.org
Sun May 7 13:45:34 UTC 2017


    Date: Sunday, May 7, 2017 @ 13:45:33
  Author: arodseth
Revision: 227255

upgpkg: wordpress 4.7.4-2

Added:
  wordpress/trunk/password_reset_exploit.patch
Modified:
  wordpress/trunk/PKGBUILD

------------------------------+
 PKGBUILD                     |   14 ++++++++++----
 password_reset_exploit.patch |   33 +++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 4 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2017-05-07 12:23:54 UTC (rev 227254)
+++ PKGBUILD	2017-05-07 13:45:33 UTC (rev 227255)
@@ -7,7 +7,7 @@
 
 pkgname=wordpress
 pkgver=4.7.4
-pkgrel=1
+pkgrel=2
 pkgdesc='Blog tool and publishing platform'
 arch=('any')
 url='https://wordpress.org/'
@@ -19,12 +19,18 @@
             'mysql: Database server')
 options=('emptydirs')
 install="$pkgname.install"
-source=("https://wordpress.org/$pkgname-$pkgver.tar.gz")
-sha256sums=('c11ce7580f21dfbca70dd6f817d3376385be6d34cf4d86f233eae3acb5fd87fd')
+source=("https://wordpress.org/$pkgname-$pkgver.tar.gz" 'password_reset_exploit.patch')
+sha256sums=('c11ce7580f21dfbca70dd6f817d3376385be6d34cf4d86f233eae3acb5fd87fd'
+            '68244b5bd534b21c88dc25074bf1fbc7a26d601cee69d78a467b1287f9eb2eed')
 
+prepare() {
+  cd "$pkgname"
+  patch -p1 -i "$srcdir/password_reset_exploit.patch"
+}
+
 package() {
   install -d "$pkgdir/usr/share/webapps"
-  cp -r wordpress "$pkgdir/usr/share/webapps"
+  cp -r "$pkgname" "$pkgdir/usr/share/webapps"
 }
 
 # vim:set ts=2 sw=2 et:
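Review bot: prepare() applies a locally maintained patch with no comment saying what it works around or when it can be dropped, so a maintainer bumping pkgver later has nothing to check it against. A line above the `patch` call such as `# Downstream fix: stop pluggable.php deriving the mail From domain from SERVER_NAME; drop once upstream ships a fix` would record that. The added patch also makes the sender domain depend on the `WP_HOME` constant, which the package does not set. wordpress.install (referenced by `install=` but not part of this commit) would be the natural place to tell administrators to define it.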

Added: password_reset_exploit.patch
===================================================================
--- password_reset_exploit.patch	                        (rev 0)
+++ password_reset_exploit.patch	2017-05-07 13:45:33 UTC (rev 227255)
@@ -0,0 +1,33 @@
+--- a/wp-includes/pluggable.php	2017-05-07 15:19:40.838218673 +0200
++++ b/wp-includes/pluggable.php	2017-05-07 15:25:35.661548515 +0200
+@@ -321,15 +321,21 @@
+ 	 * https://core.trac.wordpress.org/ticket/5007.
+ 	 */
+ 
+-	if ( !isset( $from_email ) ) {
+-		// Get the site domain and get rid of www.
+-		$sitename = strtolower( $_SERVER['SERVER_NAME'] );
+-		if ( substr( $sitename, 0, 4 ) == 'www.' ) {
+-			$sitename = substr( $sitename, 4 );
+-		}
+-
+-		$from_email = 'wordpress@' . $sitename;
+-	}
++    // Thanks simlevesque @ https://news.ycombinator.com/item?id=14265092
++    if ( !isset( $from_email ) ) {
++        // Get the site domain and get rid of www.
++        $sitename = strtolower( WP_HOME );
++        if ( substr( $sitename, 0, 7 ) == 'http://' ) {
++            $sitename = substr( $sitename, 7 );
++        }
++        if ( substr( $sitename, 0, 8 ) == 'https://' ) {
++            $sitename = substr( $sitename, 8 );
++        }
++        if ( substr( $sitename, 0, 4 ) == 'www.' ) {
++            $sitename = substr( $sitename, 4 );
++        }
++        $from_email = 'wordpress@' . $sitename;
++    }
+ 
+ 	/**
+ 	 * Filters the email address to send from.
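Review bot: `WP_HOME` is read as a bare constant in the added block, but it only exists when the administrator defines it in wp-config.php; on installs that keep the site URL in the database, PHP versions of this era substitute the literal name, so the sender would become `wordpress@wp_home` and reset mail is likely to be rejected. Even when the constant is defined, stripping only the scheme leaves any port or path in the address (for example `example.com/blog`). Taking the host from the configured site URL handles both cases and still ignores the request's Host header: `$sitename = strtolower( parse_url( home_url(), PHP_URL_HOST ) );` can replace the `WP_HOME` line and the two scheme checks. The added lines are also indented with spaces where the surrounding file uses tabs.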


