Make WordPress Core


Ignore:
Timestamp:
10/29/2020 07:09:27 PM (4 years ago)
Author:
whyisjake
Message:

General: WordPress updates

  • XML-RPC: Improve error messages for unprivileged users.
  • External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
  • Embeds: Disable embeds on deactivated Multisite sites.
  • Coding standards: Modify escaping functions to avoid potential false positives.
  • XML-RPC: Return error message if attachment ID is incorrect.
  • Upgrade/install: Improve logic check when determining installation status.
  • Meta: Sanitize meta key before checking protection status.
  • Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 4.1 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Location:
branches/4.1
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/4.1

  • branches/4.1/src/wp-includes/meta.php

    r30848 r49405  
    15511551 * @return bool True if the key is protected, false otherwise.
    15521552 */
    1553 function is_protected_meta( $meta_key, $meta_type = null ) {
    1554     $protected = ( '_' == $meta_key[0] );
     1553function is_protected_meta( $meta_key, $meta_type = '' ) {
     1554    $sanitized_key = preg_replace( "/[^\x20-\x7E\p{L}]/", '', $meta_key );
     1555    $protected     = strlen( $sanitized_key ) > 0 && ( '_' === $sanitized_key[0] );
    15551556
    15561557    /**
Note: See TracChangeset for help on using the changeset viewer.