Changeset 46492 for branches/5.0/src/wp-includes/rest-api.php

Timestamp:

10/14/2019 06:26:01 PM (7 years ago)

Author:

whyisjake

Message:

Backporting several bug fixes.

• Query: Remove the static query property.
• HTTP API: Protect against hex interpretation.
• Filesystem API: Prevent directory travelersals when creating new folders.
• Administration: Ensure that admin referer nonce is valid.
• REST API: Send a Vary: Origin header on GET requests.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 5.0 branch.

Location:

branches/5.0

Files:

• . (modified) (1 prop)
• src/wp-includes/rest-api.php (modified) (2 diffs)

branches/5.0/src/wp-includes/rest-api.php

@@ -211 +211 @@
 
     // Taxonomies.
-    $controller = new WP_REST_Taxonomies_Controller;
+    $controller = new WP_REST_Taxonomies_Controller();
     $controller->register_routes();
 
@@ -574 +574 @@
         header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
         header( 'Access-Control-Allow-Credentials: true' );
-        header( 'Vary: Origin' );
+        header( 'Vary: Origin', false );
+    } elseif ( ! headers_sent() && 'GET' === $_SERVER['REQUEST_METHOD'] && ! is_user_logged_in() ) {
+        header( 'Vary: Origin', false );
     }