Context Navigation

class-wp-xmlrpc-server.php

Timestamp:

10/29/2020 07:17:08 PM (6 years ago)

Author:

whyisjake

Message:

General: WordPress updates

XML-RPC: Improve error messages for unprivileged users.
External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
Embeds: Disable embeds on deactivated Multisite sites.
Coding standards: Modify escaping functions to avoid potential false positives.
XML-RPC: Return error message if attachment ID is incorrect.
Upgrade/install: Improve logic check when determining installation status.
Meta: Sanitize meta key before checking protection status.
Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 3.7 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Location:

branches/3.7

Files:

branches/3.7
- Property svn:mergeinfo changed
  /branches/5.5 (added) merged: 49373-49379,49381
  /trunk merged: 49380,49382-49388
branches/3.7/src
- Property svn:mergeinfo changed
  /trunk/src merged: 49380,49382-49388

-                      r40703
+                      r49409
             return new IXR_Error( 404, __( 'Invalid post ID.' ) );
+        if (
+            'publish' === get_post_status( $post_id ) &&
+            ! current_user_can( 'edit_post', $post_id ) &&
+            post_password_required( $post_id )
+        ) {
+            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+        }
+        if (
+            'private' === get_post_status( $post_id ) &&
+            ! current_user_can( 'read_post', $post_id )
+        ) {
+            return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+        }
+        $comment = array();
         $comment['comment_post_ID'] = $post_id;
 …
         do_action('xmlrpc_call', 'wp.getMediaItem');
+        if ( ! $attachment = get_post($attachment_id) )
+        $attachment = get_post( $attachment_id );
+        if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
             return new IXR_Error( 404, __( 'Invalid attachment ID.' ) );
+        }
         return $this->_prepare_media_item( $attachment );

Note: See TracChangeset for help on using the changeset viewer.

/branches/5.5 (added)	merged: 49373-49379,49381
/trunk	merged: 49380,49382-49388