WordPress.org

Make WordPress Core


Timestamp:
10/14/2019 06:26:01 PM (17 months ago)
Author:
whyisjake
Message:

Backporting several bug fixes.

  • Query: Remove the static query property.
  • HTTP API: Protect against hex interpretation.
  • Filesystem API: Prevent directory traversals when creating new folders.
  • Administration: Ensure that admin referer nonce is valid.
  • REST API: Send a Vary: Origin header on GET requests.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 5.0 branch.

Location:
branches/5.0
Files:
2 edited

  • branches/5.0

  • branches/5.0/src/wp-includes/rest-api.php

    r43834 r46492  
    211211
    212212    // Taxonomies.
    213     $controller = new WP_REST_Taxonomies_Controller;
     213    $controller = new WP_REST_Taxonomies_Controller();
    214214    $controller->register_routes();
    215215
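Review bot: The change on line 213 from `new WP_REST_Taxonomies_Controller;` to `new WP_REST_Taxonomies_Controller();` is cosmetic and is not covered by any item in the commit message. For a backport to a release branch, either drop it or mention it in the message so the diff contains only the listed fixes.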
     
    574574        header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
    575575        header( 'Access-Control-Allow-Credentials: true' );
    576         header( 'Vary: Origin' );
     576        header( 'Vary: Origin', false );
     577    } elseif ( ! headers_sent() && 'GET' === $_SERVER['REQUEST_METHOD'] && ! is_user_logged_in() ) {
     578        header( 'Vary: Origin', false );
    577579    }
    578580
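Review bot: The new `elseif` on line 577 has no comment explaining why `Vary: Origin` is sent only when the request is a `GET` and `! is_user_logged_in()`, so the caching rationale behind the "Send a Vary: Origin header on GET requests" item is not recoverable from the code. Add a short comment above the branch stating that intent. The strict `'GET' === $_SERVER['REQUEST_METHOD']` comparison also skips `HEAD` requests, so it is worth confirming that is intended. Passing `false` as the second argument to `header()` on lines 576 and 578 is the right call, since it appends to any `Vary` header already set instead of replacing it.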