Merge pull request #4988 from Automattic/develop

Staging release: v20231031.1

composer.json

@@ -8,7 +8,7 @@
         "yoast/phpunit-polyfills": "2.0.0",
         "johnpbloch/wordpress-core": "6.3.2",
         "wp-phpunit/wp-phpunit": "6.3.1",
-        "wp-cli/wp-cli": "2.8.1"
+        "wp-cli/wp-cli": "2.9.0"
     },
     "config": {
         "allow-plugins": {

files/class-wp-filesystem-vip.php

@@ -218,6 +218,10 @@ public function copy( $source, $destination, $overwrite = false, $mode = false )
 			return false;
 		}
 
+		if ( $source_transport instanceof WP_Filesystem_Direct && $destination_transport instanceof WP_Filesystem_Direct ) {
+			return $source_transport->copy( $source, $destination, $overwrite, $mode );
+		}
+
 		$destination_exists = $destination_transport->exists( $destination );
 		if ( ! $overwrite && $destination_exists ) {
 			/* translators: 1: destination file path 2: overwrite param 3: `true` boolean value */
@@ -248,13 +252,24 @@ public function copy( $source, $destination, $overwrite = false, $mode = false )
 	 * @return bool
 	 */
 	public function move( $source, $destination, $overwrite = false ) {
-		$copy_results = $this->copy( $source, $destination, $overwrite );
-		if ( false === $copy_results ) {
-			return false;
+		$source_transport      = $this->get_transport_for_path( $source );
+		$destination_transport = $this->get_transport_for_path( $destination, 'write' );
+		if ( $source_transport instanceof WP_Filesystem_Direct && $destination_transport instanceof WP_Filesystem_Direct ) {
+			return $source_transport->move( $source, $destination, $overwrite );
 		}
 
-		// We don't need to set the errors here since delete() will take care of it
-		return $this->delete( $source );
+		// WP_Filesystem_Direct::get_contents() invoked by copy() will return '' for directories; this will result in directories being copied as empty files.
+		if ( $source_transport->is_file( $source ) ) {
+			$copy_results = $this->copy( $source, $destination, $overwrite );
+			if ( false === $copy_results ) {
+				return false;
+			}
+
+			// We don't need to set the errors here since delete() will take care of it
+			return $this->delete( $source );
+		}
+
+		return false;
 	}
 
 	/**

jetpack.php

@@ -5,7 +5,7 @@
  * Plugin URI: https://jetpack.com
  * Description: Security, performance, and marketing tools made by WordPress experts. Jetpack keeps your site protected so you can focus on more important things.
  * Author: Automattic
- * Version: 12.7
+ * Version: 12.7.1
  * Author URI: https://jetpack.com
  * License: GPL2+
  * Text Domain: jetpack
@@ -34,7 +34,7 @@ function vip_default_jetpack_version() {
 		return '12.5';
 	} else {
 		// WordPress 6.2 and newer.
-		return '12.7';
+		return '12.7.1';
 	}
 }
 

misc.php

@@ -132,35 +132,6 @@ function _vip_filter_rest_url_for_ssl( $url ) {
 	return $url;
 }
 
-
-function wpcom_vip_query_log() {
-	// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
-	$request_uri = $_SERVER['REQUEST_URI'] ?? '';
-	if ( '/cache-healthcheck?' === $request_uri ) {
-		return;
-	}
-
-	// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Recommended
-	$action      = $_REQUEST['action'] ?? 'N/A';
-	$num_queries = count( $GLOBALS['wpdb']->queries );
-	// phpcs:ignore WordPress.PHP.DevelopmentFunctions
-	error_log( 'WPCOM VIP Query Log for ' . $request_uri . '  (action: ' . $action . ') ' . $num_queries . 'q: ' . PHP_EOL . print_r( $GLOBALS['wpdb']->queries, true ) );
-}
-
-/**
- * Think carefully before enabling this on a production site. Then
- * if you still want to do it, think again, and talk it over with
- * someone else.
- */
-if ( defined( 'WPCOM_VIP_QUERY_LOG' ) && WPCOM_VIP_QUERY_LOG ) {
-	if ( ! defined( 'SAVEQUERIES' ) || ! SAVEQUERIES ) {
-		define( 'SAVEQUERIES', true );
-	}
-	// For hyperdb, which doesn't use SAVEQUERIES
-	$GLOBALS['wpdb']->save_queries = SAVEQUERIES;
-	add_action( 'shutdown', 'wpcom_vip_query_log' );
-}
-
 /**
  * Improve perfomance of the `_WP_Editors::wp_link_query` method
  *

security/login-error.php

@@ -1,13 +1,15 @@
 <?php
 namespace Automattic\VIP\Security;
 
+use WP_Error;
+
 /**
  * Use a login message that does not reveal the type of login error in an attempted brute-force.
- * 
+ *
  * @param string $error Login error message.
- * 
+ *
  * @return string $error Login error message.
- * 
+ *
  * @since 1.1
  */
 function use_ambiguous_login_error( $error ): string {
@@ -17,6 +19,14 @@ function use_ambiguous_login_error( $error ): string {
 		return (string) $error;
 	}
 
+	// For lostpassword action, use different message.
+	if ( isset( $_GET['action'] ) && 'lostpassword' === $_GET['action'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		return esc_html__(
+			'If there is an account associated with the username/email address, you will receive an email with a link to reset your password.',
+			'vip'
+		);
+	}
+
 	$err_codes = $errors->get_error_codes();
 
 	$err_types = [
@@ -28,12 +38,38 @@ function use_ambiguous_login_error( $error ): string {
 
 	foreach ( $err_types as $err ) {
 		if ( in_array( $err, $err_codes, true ) ) {
-			$error = '<strong>Error</strong>: The username/email address or password is incorrect. Please try again.';
+			$error = '<strong>' . esc_html__( 'Error', 'vip' ) . '</strong>: ' . 
+			esc_html__( 'The username/email address or password is incorrect. Please try again.', 'vip' );
 			break;
 		}
 	}
 
 	return (string) $error;
 }
-
 add_filter( 'login_errors', __NAMESPACE__ . '\use_ambiguous_login_error', 99, 1 );
+
+/**
+ * Use a message that does not reveal the type of login error in an attempted brute-force on forget password.
+ *
+ * @param WP_Error $errors WP Error object.
+ *
+ * @return WP_Error $errors WP Error object.
+ *
+ * @since 1.1
+ */
+function use_ambiguous_confirmation( $errors ): WP_Error {
+	if ( isset( $_GET['checkemail'] ) && 'confirm' === $_GET['checkemail'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$messages = $errors->get_error_messages( 'confirm' );
+		if ( ! empty( $messages ) ) {
+			$errors->remove( 'confirm' );
+			$errors->add(
+				'confirm',
+				esc_html__( 'If there is an account associated with the username/email address, you will receive an email with a link to reset your password.', 'vip' ),
+				'message'
+			);
+		}
+	}
+
+	return $errors;
+}
+add_filter( 'wp_login_errors', __NAMESPACE__ . '\use_ambiguous_confirmation', 99 );

tests/mock-constants.php

@@ -200,3 +200,19 @@ function constant( $constant ) {
 		return Constant_Mocker::constant( $constant );
 	}
 }
+
+namespace Automattic\VIP\Mail {
+	use Automattic\Test\Constant_Mocker;
+
+	function define( $constant, $value ) {
+		return Constant_Mocker::define( $constant, $value );
+	}
+
+	function defined( $constant ) {
+		return Constant_Mocker::defined( $constant );
+	}
+
+	function constant( $constant ) {
+		return Constant_Mocker::constant( $constant );
+	}
+}

tests/security/test-login-error.php

@@ -0,0 +1,59 @@
+<?php
+
+namespace Automattic\VIP\Security;
+
+use WP_Error;
+use WP_UnitTestCase;
+
+class Login_Error_Test extends WP_UnitTestCase {
+	public function tearDown(): void {
+		global $errors;
+
+		unset( $errors );
+		parent::tearDown();
+	}
+
+	public function test_has_filters(): void {
+		self::assertEquals( 99, has_filter( 'login_errors', __NAMESPACE__ . '\use_ambiguous_login_error' ) );
+		self::assertEquals( 99, has_filter( 'wp_login_errors', __NAMESPACE__ . '\use_ambiguous_confirmation' ) );
+	}
+
+	public function test_use_ambiguous_confirmation(): void {
+		$errors = new WP_Error();
+		$errors->add(
+			'confirm',
+			sprintf(
+				'Check your email for the confirmation link, then visit the <a href="%s">login page</a>.',
+				wp_login_url()
+			),
+			'message'
+		);
+
+		$_GET['checkemail'] = 'confirm';
+		$actual             = apply_filters( 'wp_login_errors', $errors, admin_url() );
+
+		self::assertInstanceOf( WP_Error::class, $actual );
+		self::assertContains(
+			'If there is an account associated with the username/email address, you will receive an email with a link to reset your password.',
+			$actual->get_error_messages( 'confirm' )
+		);
+	}
+
+	public function test_ambiguous_reset(): void {
+		global $errors;
+
+		$message = 'Something went terribly wrong';
+
+		// phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited
+		$errors = new WP_Error();
+		$errors->add( 'error', $message );
+
+		$_GET['action'] = 'lostpassword';
+
+		$actual = apply_filters( 'login_errors', $message );
+		self::assertSame(
+			'If there is an account associated with the username/email address, you will receive an email with a link to reset your password.',
+			$actual
+		);
+	}
+}

tests/test-jetpack.php

@@ -7,7 +7,7 @@ public function test__vip_default_jetpack_version() {
 		global $wp_version;
 		$saved_wp_version = $wp_version;
 
-		$latest = '12.7';
+		$latest = '12.7.1';
 
 		$versions_map = [
 			// WordPress version => Jetpack version