

Ticket #22320: GetRecentPostPrivilegesFix.patch

File GetRecentPostPrivilegesFix.patch, 913 bytes (added by redsweater, 6 years ago)

Patch the XML-RPC server to reject requests for a blog's recent posts list from users who don't belong to that blog.

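--- a/wp-includes/class-wp-xmlrpc-server.php
+++ b/wp-includes/class-wp-xmlrpc-server.php
@@ -3787,6 +3787,9 @@
 		if ( !$user = $this->login($username, $password) )
 			return $this->error;
 
+		if ( !current_user_can( 'edit_posts' ) )
+			return new IXR_Error( 401, __( 'Sorry, you cannot edit posts on this site.' ) );
+
 		do_action('xmlrpc_call', 'blogger.getRecentPosts');
 
 		$posts_list = wp_get_recent_posts( $query );
@@ -4817,6 +4820,9 @@
 		if ( !$user = $this->login($username, $password) )
 			return $this->error;
 
+		if ( !current_user_can( 'edit_posts' ) )
+			return new IXR_Error( 401, __( 'Sorry, you cannot edit posts on this site.' ) );
+
 		do_action('xmlrpc_call', 'metaWeblog.getRecentPosts');
 
 		$posts_list = wp_get_recent_posts( $query );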
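Review bot: The added `edit_posts` gate is blog-wide, so it does not by itself limit which posts a caller who passes it gets back; if `wp_get_recent_posts( $query )` returns other authors' draft, pending or private posts (its status filter is not visible in either hunk), a user with only the Contributor-level `edit_posts` capability would still receive them from both blogger.getRecentPosts and metaWeblog.getRecentPosts. The loop that turns `$posts_list` into the response lies outside both hunks and should skip entries the caller cannot edit, e.g. `if ( !current_user_can( 'edit_post', $entry['ID'] ) ) continue;`, so the result is filtered per post rather than only per blog. The new check also presumes `$this->login()` has set the current user before returning, which the hunks do not show — worth confirming, since `current_user_can()` would otherwise evaluate against no user and reject everyone. Both enclosing methods start and end outside the hunks.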