Date: Friday, February 22, 2019 @ 15:51:17 Author: arodseth Revision: 435215
upgpkg: wordpress 5.1-1 Modified: wordpress/trunk/PKGBUILD wordpress/trunk/password_reset_exploit.patch ------------------------------+ PKGBUILD | 25 ++++++++--------- password_reset_exploit.patch | 58 +++++++++++++++++++---------------------- 2 files changed, 40 insertions(+), 43 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2019-02-22 15:51:07 UTC (rev 435214)
+++ PKGBUILD 2019-02-22 15:51:17 UTC (rev 435215)
@@ -5,33 +5,32 @@ # Contributor: Christopher Rogers <slaxemula...@gmail.com> pkgname=wordpress -pkgver=5.0.3 +pkgver=5.1 pkgrel=1 pkgdesc='Blog tool and publishing platform' -arch=('any') +arch=(any) url='https://wordpress.org/' -license=('GPL') -depends=('php') +license=(GPL) +depends=(php) optdepends=('nginx: Web server for serving WordPress' 'apache: Web server for serving WordPress' 'mariadb: Database server') -options=('emptydirs') -install="$pkgname.install" +options=(emptydirs) +install=$pkgname.install source=("https://wordpress.org/$pkgname-$pkgver.tar.gz" - 'password_reset_exploit.patch') -sha256sums=('9aa4d1bc9acc39279f15e914415be87af01a886287b1b92b3a80426a4edbd78a' - 'e73886f5cd0dd79a1ddc64113b181df0d32cefc975a09796994e885d75361726') + password_reset_exploit.patch) +sha256sums=('debd29c267021e34f59c31b210dd82e9c476fa9f1abdc62b5fdd1d50078fed4a' + '84c716953fb1aad583bfe62c2aba88173b760c60a90f6752228d4ba966e647b9') prepare() { - cd "$pkgname" - + cd $pkgname patch -p1 -i "$srcdir/password_reset_exploit.patch" } package() { install -d "$pkgdir/usr/share/webapps" - cp -r "$pkgname" "$pkgdir/usr/share/webapps" + cp -r $pkgname "$pkgdir/usr/share/webapps" } -# getver: wordpress.org/download/ +# getver: core.trac.wordpress.org/timeline?milestone=on # vim: ts=2 sw=2 et: Modified: password_reset_exploit.patch =================================================================== --- password_reset_exploit.patch 2019-02-22 15:51:07 UTC (rev 435214) +++ password_reset_exploit.patch 2019-02-22 15:51:17 UTC (rev 435215) @@ -1,33 +1,31 @@ --- a/wp-includes/pluggable.php 2017-05-07 15:19:40.838218673 +0200 
+++ b/wp-includes/pluggable.php 2017-05-07 15:25:35.661548515 +0200 -@@ -321,15 +321,21 @@ - * https://core.trac.wordpress.org/ticket/5007. - */ - -- if ( !isset( $from_email ) ) { -- // Get the site domain and get rid of www. -- $sitename = strtolower( $_SERVER['SERVER_NAME'] ); -- if ( substr( $sitename, 0, 4 ) == 'www.' ) { -- $sitename = substr( $sitename, 4 ); -- } +@@ -328,14 +328,20 @@ + * https://core.trac.wordpress.org/ticket/5007. + */ + +- if ( ! isset( $from_email ) ) { +- // Get the site domain and get rid of www. +- $sitename = strtolower( $_SERVER['SERVER_NAME'] ); +- if ( substr( $sitename, 0, 4 ) == 'www.' ) { +- $sitename = substr( $sitename, 4 ); +- } - -- $from_email = 'wordpress@' . $sitename; -- } -+ // Thanks simlevesque @ https://news.ycombinator.com/item?id=14265092 -+ if ( !isset( $from_email ) ) { -+ // Get the site domain and get rid of www. -+ $sitename = strtolower( WP_HOME ); -+ if ( substr( $sitename, 0, 7 ) == 'http://' ) { -+ $sitename = substr( $sitename, 7 ); -+ } -+ if ( substr( $sitename, 0, 8 ) == 'https://' ) { -+ $sitename = substr( $sitename, 8 ); -+ } -+ if ( substr( $sitename, 0, 4 ) == 'www.' ) { -+ $sitename = substr( $sitename, 4 ); -+ } -+ $from_email = 'wordpress@' . $sitename; -+ } - - /** - * Filters the email address to send from. +- $from_email = 'wordpress@' . $sitename; ++ // Thanks simlevesque @ https://news.ycombinator.com/item?id=14265092 ++ if ( !isset( $from_email ) ) { ++ // Get the site domain and get rid of www. ++ $sitename = strtolower( WP_HOME ); ++ if ( substr( $sitename, 0, 7 ) == 'http://' ) { ++ $sitename = substr( $sitename, 7 ); ++ } ++ if ( substr( $sitename, 0, 8 ) == 'https://' ) { ++ $sitename = substr( $sitename, 8 ); ++ } ++ if ( substr( $sitename, 0, 4 ) == 'www.' ) { ++ $sitename = substr( $sitename, 4 ); ++ } ++ $from_email = 'wordpress@' . $sitename; + } + + /**
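Review bot: The replacement block in the carried patch reads the bare constant in `$sitename = strtolower( WP_HOME );`, and `WP_HOME` is only defined when an administrator sets it in wp-config.php. On an install without it PHP has no hostname to work with there (older versions substitute the literal constant name with a warning, PHP 8 raises an error), so the From address is wrong or sending fails. A configured value that carries a port or a path, such as a site served from a subdirectory, also ends up in the address, because only the scheme and `www.` prefixes are stripped. Deriving the host from the stored site URL avoids both while still ignoring the request's Host header: `$sitename = strtolower( wp_parse_url( home_url(), PHP_URL_HOST ) );`, followed by the existing `www.` strip. The enclosing function starts and ends outside the hunk.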