Make WordPress Core


Ignore:
Timestamp:
10/29/2020 06:44:12 PM (4 years ago)
Author:
whyisjake
Message:

General: WordPress updates

  • XML-RPC: Improve error messages for unprivileged users.
  • External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
  • Embeds: Disable embeds on deactivated Multisite sites.
  • Coding standards: Modify escaping functions to avoid potential false positives.
  • XML-RPC: Return error message if attachment ID is incorrect.
  • Upgrade/install: Improve logic check when determining installation status.
  • Meta: Sanitize meta key before checking protection status.
  • Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 5.2 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Location:
branches/5.2
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/5.2

  • branches/5.2/src/wp-includes/class-wp-xmlrpc-server.php

    r45082 r49394  
    38303830        }
    38313831
     3832        if (
     3833            'publish' === get_post_status( $post_id ) &&
     3834            ! current_user_can( 'edit_post', $post_id ) &&
     3835            post_password_required( $post_id )
     3836        ) {
     3837            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
     3838        }
     3839
     3840        if (
     3841            'private' === get_post_status( $post_id ) &&
     3842            ! current_user_can( 'read_post', $post_id )
     3843        ) {
     3844            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
     3845        }
     3846
    38323847        $comment = array(
    38333848            'comment_post_ID' => $post_id,
     
    42344249        do_action( 'xmlrpc_call', 'wp.getMediaItem' );
    42354250
    4236         if ( ! $attachment = get_post( $attachment_id ) ) {
     4251        $attachment = get_post( $attachment_id );
     4252        if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
    42374253            return new IXR_Error( 404, __( 'Invalid attachment ID.' ) );
    42384254        }
Note: See TracChangeset for help on using the changeset viewer.