WordPress.org

Make WordPress Core

Changeset 46484


Timestamp:
10/14/2019 04:33:02 PM (5 weeks ago)
Author:
whyisjake
Message:

Filesystem API: Prevent directory traversals when creating new folders.

Reject file paths that contain sub-directory paths.

Props iandunn, xknown, sstoqnov, whyisjake.

Location:
branches/5.2
Files:
2 edited

  • branches/5.2

  • branches/5.2/src/wp-includes/rest-api.php

    r44933 r46484  
    588588        header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
    589589        header( 'Access-Control-Allow-Credentials: true' );
     590        header( 'Vary: Origin', false );
     591    } elseif ( ! headers_sent() && 'GET' === $_SERVER['REQUEST_METHOD'] && ! is_user_logged_in() ) {
     592        header( 'Vary: Origin', false );
     593    } elseif ( ! headers_sent() && 'GET' === $_SERVER['REQUEST_METHOD'] && ! is_user_logged_in() ) {
    590594        header( 'Vary: Origin' );
    591595    }
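Review bot: The unchanged `header( 'Vary: Origin' );` at new line 594 omits the `false` second argument that the added calls at 590 and 592 pass, so as shown it replaces any `Vary` header already set instead of appending to it; suggest `header( 'Vary: Origin', false );` there so all three calls behave the same. The added call at line 590 also runs without the `! headers_sent()` guard that the `elseif` branches use. Separately, the commit message describes a Filesystem API path check, while this hunk changes the `Vary: Origin` handling in rest-api.php; the message should mention the REST API change so the log explains why this file was touched.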