Make WordPress Core


Ignore:
Timestamp:
10/29/2020 06:44:12 PM (4 years ago)
Author:
whyisjake
Message:

General: WordPress updates

  • XML-RPC: Improve error messages for unprivileged users.
  • External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
  • Embeds: Disable embeds on deactivated Multisite sites.
  • Coding standards: Modify escaping functions to avoid potential false positives.
  • XML-RPC: Return error message if attachment ID is incorrect.
  • Upgrade/install: Improve logic check when determining installation status.
  • Meta: Sanitize meta key before checking protection status.
  • Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 5.2 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Location:
branches/5.2
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/5.2

  • branches/5.2/src/wp-includes/meta.php

    r45064 r49394  
    10311031 * @return bool Whether the meta key is considered protected.
    10321032 */
    1033 function is_protected_meta( $meta_key, $meta_type = null ) {
    1034     $protected = ( '_' == $meta_key[0] );
     1033function is_protected_meta( $meta_key, $meta_type = '' ) {
     1034    $sanitized_key = preg_replace( "/[^\x20-\x7E\p{L}]/", '', $meta_key );
     1035    $protected     = strlen( $sanitized_key ) > 0 && ( '_' === $sanitized_key[0] );
    10351036
    10361037    /**
Note: See TracChangeset for help on using the changeset viewer.