Changeset 49393 for branches/5.3/src/wp-includes/class-wp-xmlrpc-server.php

Timestamp:

10/29/2020 06:41:43 PM (4 years ago)

Author:

whyisjake

Message:

General: WordPress updates

• XML-RPC: Improve error messages for unprivileged users.
• External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
• Embeds: Disable embeds on deactivated Multisite sites.
• Coding standards: Modify escaping functions to avoid potential false positives.
• XML-RPC: Return error message if attachment ID is incorrect.
• Upgrade/install: Improve logic check when determining installation status.
• Meta: Sanitize meta key before checking protection status.
• Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 5.3 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Location:

branches/5.3

Files:

• . (modified) (1 prop)
• src/wp-includes/class-wp-xmlrpc-server.php (modified) (2 diffs)

branches/5.3/src/wp-includes/class-wp-xmlrpc-server.php

@@ -3874 +3874 @@
         }
 
+        if (
+            'publish' === get_post_status( $post_id ) &&
+            ! current_user_can( 'edit_post', $post_id ) &&
+            post_password_required( $post_id )
+        ) {
+            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+        }
+
+        if (
+            'private' === get_post_status( $post_id ) &&
+            ! current_user_can( 'read_post', $post_id )
+        ) {
+            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+        }
+
         $comment = array(
             'comment_post_ID' => $post_id,
@@ -4287 +4302 @@
 
         $attachment = get_post( $attachment_id );
-        if ( ! $attachment ) {
+        if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
             return new IXR_Error( 404, __( 'Invalid attachment ID.' ) );
         }