
Ticket #22320: GetRecentPostPrivilegesFix.patch

File GetRecentPostPrivilegesFix.patch, 913 bytes (added by redsweater, 2 years ago)

Patch the XMLRPC server to reject attempts by users to request the recent posts list from a blog they don't belong to.

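--- a/wp-includes/class-wp-xmlrpc-server.php
+++ b/wp-includes/class-wp-xmlrpc-server.php
@@ -3787,6 +3787,9 @@
                 if ( !$user = $this->login($username, $password) )
                         return $this->error;
 
+                if ( !current_user_can( 'edit_posts' ) )
+                        return new IXR_Error( 401, __( 'Sorry, you cannot edit posts on this site.' ) );
+
                 do_action('xmlrpc_call', 'blogger.getRecentPosts');
 
                 $posts_list = wp_get_recent_posts( $query );
@@ -4817,6 +4820,9 @@
                 if ( !$user = $this->login($username, $password) )
                         return $this->error;
 
+                if ( !current_user_can( 'edit_posts' ) )
+                        return new IXR_Error( 401, __( 'Sorry, you cannot edit posts on this site.' ) );
+
                 do_action('xmlrpc_call', 'metaWeblog.getRecentPosts');
 
                 $posts_list = wp_get_recent_posts( $query );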
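Review bot: The new `current_user_can( 'edit_posts' )` guard is a site-level check only, so a caller who has that capability (e.g. a contributor-level account) still receives whatever `wp_get_recent_posts( $query )` returns, which may include posts by other authors that this user is not allowed to edit; the same applies to the second hunk (metaWeblog.getRecentPosts). If the loop that follows in each method does not already filter per post, consider adding `if ( ! current_user_can( 'edit_post', $entry['ID'] ) ) continue;` at the top of that loop so the authorization decision is made per item rather than once for the whole list. The rest of both methods, including that loop, is outside the hunk, so this is inferred from the query call alone. Minor: the guard is placed before `do_action( 'xmlrpc_call', ... )`, which is the right order since a rejected request then never fires the hook.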