Make WordPress Core

Changeset 49405 for branches/4.1


Ignore:
Timestamp:
10/29/2020 07:09:27 PM (4 years ago)
Author:
whyisjake
Message:

General: WordPress updates

  • XML-RPC: Improve error messages for unprivileged users.
  • External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
  • Embeds: Disable embeds on deactivated Multisite sites.
  • Coding standards: Modify escaping functions to avoid potential false positives.
  • XML-RPC: Return error message if attachment ID is incorrect.
  • Upgrade/install: Improve logic check when determining installation status.
  • Meta: Sanitize meta key before checking protection status.
  • Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 4.1 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Location:
branches/4.1
Files:
1 added
14 edited

Legend:

Unmodified
Added
Removed
  • branches/4.1

  • branches/4.1/src/wp-admin/admin-header.php

    r30756 r49405  
    5959?>
    6060<script type="text/javascript">
    61 addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
    62 var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
    63     pagenow = '<?php echo $current_screen->id; ?>',
    64     typenow = '<?php echo $current_screen->post_type; ?>',
    65     adminpage = '<?php echo $admin_body_class; ?>',
    66     thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
    67     decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
     61addLoadEvent = function(func){if(typeof jQuery!=='undefined')jQuery(document).ready(func);else if(typeof wpOnload!=='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
     62var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
     63    pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
     64    typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
     65    adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
     66    thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
     67    decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
    6868    isRtl = <?php echo (int) is_rtl(); ?>;
    6969</script>
  • branches/4.1/src/wp-admin/custom-background.php

    r30931 r49405  
    517517     */
    518518    public function wp_set_background_image() {
     519        check_ajax_referer( 'custom-background' );
    519520        if ( ! current_user_can('edit_theme_options') || ! isset( $_POST['attachment_id'] ) ) exit;
    520521        $attachment_id = absint($_POST['attachment_id']);
  • branches/4.1/src/wp-admin/custom-header.php

    r30695 r49405  
    393393/* <![CDATA[ */
    394394(function($){
    395     var default_color = '<?php echo $default_color; ?>',
     395    var default_color = '<?php echo esc_js( $default_color ); ?>',
    396396        header_text_fields;
    397397
  • branches/4.1/src/wp-admin/includes/media.php

    r47969 r49405  
    451451//<![CDATA[
    452452addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
    453 var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
     453var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
    454454isRtl = <?php echo (int) is_rtl(); ?>;
    455455//]]>
  • branches/4.1/src/wp-admin/includes/ms.php

    r30630 r49405  
    957957<script type="text/javascript">
    958958//<![CDATA[
    959 var tb_pathToImage = "<?php echo includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ); ?>";
     959var tb_pathToImage = '<?php echo esc_js( includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ) ); ?>';
    960960//]]>
    961961</script>
  • branches/4.1/src/wp-admin/includes/template.php

    r41446 r49405  
    15481548addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
    15491549function tb_close(){var win=window.dialogArguments||opener||parent||top;win.tb_remove();}
    1550 var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
    1551     pagenow = '<?php echo $current_screen->id; ?>',
    1552     typenow = '<?php echo $current_screen->post_type; ?>',
    1553     adminpage = '<?php echo $admin_body_class; ?>',
    1554     thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
    1555     decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
     1550var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
     1551    pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
     1552    typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
     1553    adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
     1554    thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
     1555    decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
    15561556    isRtl = <?php echo (int) is_rtl(); ?>;
    15571557//]]>
  • branches/4.1/src/wp-admin/js/custom-background.js

    r26158 r49405  
    5757                // Grab the selected attachment.
    5858                var attachment = frame.state().get('selection').first();
     59                var nonceValue = $( '#_wpnonce' ).val() || '';
    5960
    6061                // Run an AJAX request to set the background image.
     
    6263                    action: 'set-background-image',
    6364                    attachment_id: attachment.id,
     65                    _ajax_nonce: nonceValue,
    6466                    size: 'full'
    6567                }).done( function() {
  • branches/4.1/src/wp-admin/js/media-gallery.js

    r26232 r49405  
    22jQuery(function($){
    33    $( 'body' ).bind( 'click.wp-gallery', function(e){
    4         var target = $( e.target ), id, img_size;
     4        var target = $( e.target ), id, img_size, nonceValue;
    55
    66        if ( target.hasClass( 'wp-set-header' ) ) {
     
    1010            id = target.data( 'attachment-id' );
    1111            img_size = $( 'input[name="attachments[' + id + '][image-size]"]:checked').val();
     12            nonceValue = $( '#_wpnonce' ).val() && '';
    1213
    1314            jQuery.post(ajaxurl, {
    1415                action: 'set-background-image',
    1516                attachment_id: id,
     17                _ajax_nonce: nonceValue,
    1618                size: img_size
    1719            }, function(){
  • branches/4.1/src/wp-admin/media-new.php

    r27469 r49405  
    7373
    7474    <script type="text/javascript">
    75     var post_id = <?php echo $post_id; ?>, shortform = 3;
     75    var post_id = <?php echo absint( $post_id ); ?>, shortform = 3;
    7676    </script>
    77     <input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
     77    <input type="hidden" name="post_id" id="post_id" value="<?php echo absint( $post_id ); ?>" />
    7878    <?php wp_nonce_field('media-form'); ?>
    7979    <div id="media-items" class="hide-if-no-js"></div>
  • branches/4.1/src/wp-admin/network/site-users.php

    r30356 r49405  
    179179<script type="text/javascript">
    180180/* <![CDATA[ */
    181 var current_site_id = <?php echo $id; ?>;
     181var current_site_id = <?php echo absint( $id ); ?>;
    182182/* ]]> */
    183183</script>
  • branches/4.1/src/wp-includes/class-wp-xmlrpc-server.php

    r40699 r49405  
    32933293            return new IXR_Error( 404, __( 'Invalid post ID.' ) );
    32943294
     3295        if (
     3296            'publish' === get_post_status( $post_id ) &&
     3297            ! current_user_can( 'edit_post', $post_id ) &&
     3298            post_password_required( $post_id )
     3299        ) {
     3300            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
     3301        }
     3302
     3303        if (
     3304            'private' === get_post_status( $post_id ) &&
     3305            ! current_user_can( 'read_post', $post_id )
     3306        ) {
     3307            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
     3308        }
     3309
    32953310        $comment = array();
    32963311        $comment['comment_post_ID'] = $post_id;
     
    36093624        do_action( 'xmlrpc_call', 'wp.getMediaItem' );
    36103625
    3611         if ( ! $attachment = get_post($attachment_id) )
     3626        $attachment = get_post( $attachment_id );
     3627        if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
    36123628            return new IXR_Error( 404, __( 'Invalid attachment ID.' ) );
     3629        }
    36133630
    36143631        return $this->_prepare_media_item( $attachment );
  • branches/4.1/src/wp-includes/meta.php

    r30848 r49405  
    15511551 * @return bool True if the key is protected, false otherwise.
    15521552 */
    1553 function is_protected_meta( $meta_key, $meta_type = null ) {
    1554     $protected = ( '_' == $meta_key[0] );
     1553function is_protected_meta( $meta_key, $meta_type = '' ) {
     1554    $sanitized_key = preg_replace( "/[^\x20-\x7E\p{L}]/", '', $meta_key );
     1555    $protected     = strlen( $sanitized_key ) > 0 && ( '_' === $sanitized_key[0] );
    15551556
    15561557    /**
  • branches/4.1/tests/phpunit/tests/formatting/Utf8UriEncode.php

    r25002 r49405  
    1313     */
    1414    function test_percent_encodes_non_reserved_characters( $utf8, $urlencoded ) {
    15         $this->assertEquals($urlencoded, utf8_uri_encode( $utf8 ) );
     15        $this->assertEquals( $urlencoded, utf8_uri_encode( $utf8 ) );
    1616    }
    1717
Note: See TracChangeset for help on using the changeset viewer.