Changeset 20637 for trunk/wp-includes/class-wp-xmlrpc-server.php

Timestamp:

04/30/2012 12:19:32 AM (13 years ago)

Author:

nacin

Message:

Check for the existence of a post before calling current_user_can() with a meta cap on that object. fixes #20336.

File:

• trunk/wp-includes/class-wp-xmlrpc-server.php (modified) (7 diffs)

trunk/wp-includes/class-wp-xmlrpc-server.php

@@ -832 +832 @@
 
         if ( $update ) {
+            if ( ! get_post( $post_data['ID'] ) )
+                return new IXR_Error( 401, __( 'Invalid post ID.' ) );
             if ( ! current_user_can( $post_type->cap->edit_post, $post_data['ID'] ) )
                 return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this post.' ) );
@@ -1815 +1817 @@
         }
 
+        $page = get_page($page_id);
+        if ( ! $page )
+            return new IXR_Error( 404, __( 'Invalid post ID.' ) );
+
         if ( !current_user_can( 'edit_page', $page_id ) )
             return new IXR_Error( 401, __( 'Sorry, you cannot edit this page.' ) );
 
         do_action('xmlrpc_call', 'wp.getPage');
-
-        // Lookup page info.
-        $page = get_page($page_id);
 
         // If we found the page then format the data.
@@ -3269 +3272 @@
             return $this->error;
 
+        $post_data = wp_get_single_post($post_ID, ARRAY_A);
+        if ( ! $post_data )
+            return new IXR_Error( 404, __( 'Invalid post ID.' ) );
+            
         if ( !current_user_can( 'edit_post', $post_ID ) )
             return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) );
 
         do_action('xmlrpc_call', 'blogger.getPost');
-
-        $post_data = wp_get_single_post($post_ID, ARRAY_A);
 
         $categories = implode(',', wp_get_post_categories($post_ID));
@@ -4219 +4224 @@
             return $this->error;
 
+        $postdata = wp_get_single_post($post_ID, ARRAY_A);
+        if ( ! $postdata )
+            return new IXR_Error( 404, __( 'Invalid post ID.' ) );
+
         if ( !current_user_can( 'edit_post', $post_ID ) )
             return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) );
 
         do_action('xmlrpc_call', 'metaWeblog.getPost');
-
-        $postdata = wp_get_single_post($post_ID, ARRAY_A);
 
         if ($postdata['post_date'] != '') {
@@ -4687 +4694 @@
             return $this->error;
 
+        if ( ! get_post( $post_ID ) )
+            return new IXR_Error( 404, __( 'Invalid post ID.' ) );
+
         if ( !current_user_can( 'edit_post', $post_ID ) )
             return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
@@ -4730 +4740 @@
         do_action('xmlrpc_call', 'mt.setPostCategories');
 
+        if ( ! get_post( $post_ID ) )
+            return new IXR_Error( 404, __( 'Invalid post ID.' ) );
+
         if ( !current_user_can('edit_post', $post_ID) )
             return new IXR_Error(401, __('Sorry, you cannot edit this post.'));
@@ -4837 +4850 @@
         do_action('xmlrpc_call', 'mt.publishPost');
 
+        $postdata = wp_get_single_post($post_ID, ARRAY_A);
+        if ( ! $postdata )
+            return new IXR_Error( 404, __( 'Invalid post ID.' ) );
+
         if ( !current_user_can('publish_posts') || !current_user_can('edit_post', $post_ID) )
             return new IXR_Error(401, __('Sorry, you cannot publish this post.'));
-
-        $postdata = wp_get_single_post($post_ID,ARRAY_A);
 
         $postdata['post_status'] = 'publish';