
Changeset 55775


Timestamp:
05/16/2023 03:23:11 PM (19 months ago)
Author:
SergeyBiryukov
Message:

Grouped backports to the 4.2 branch.

  • Media: Prevent CSRF setting attachment thumbnails.

Merges [55764] to the 4.2 branch.
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.

Location:
branches/4.2
Files:
7 edited

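--- a/branches/4.2/package-lock.json
+++ b/branches/4.2/package-lock.json
@@ -1,5 +1,5 @@
 {
     "name": "WordPress",
-    "version": "4.2.34",
+    "version": "4.2.35",
     "lockfileVersion": 1,
     "requires": true,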
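--- a/branches/4.2/package.json
+++ b/branches/4.2/package.json
@@ -1,5 +1,5 @@
 {
     "name": "WordPress",
-    "version": "4.2.34",
+    "version": "4.2.35",
     "description": "WordPress is web software you can use to create a beautiful website or blog.",
     "repository": {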
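--- a/branches/4.2/src/wp-admin/about.php
+++ b/branches/4.2/src/wp-admin/about.php
@@ -42,5 +42,25 @@
 
 <div class="changelog point-releases">
-    <h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 34 ); ?></h3>
+    <h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 35 ); ?></h3>
+    <p>
+        <?php
+        printf(
+            /* translators: %s: WordPress version number */
+            __( '<strong>Version %1$s</strong> addressed a security issue.' ),
+            '4.2.35'
+        );
+        ?>
+        <?php
+        printf(
+            /* translators: %s: HelpHub URL */
+            __( 'For more information, see <a href="%s">the release notes</a>.' ),
+            sprintf(
+                /* translators: %s: WordPress version */
+                esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+                sanitize_title( '4.2.35' )
+            )
+        );
+        ?>
+    </p>
     <p>
         <?php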
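--- a/branches/4.2/src/wp-admin/includes/ajax-actions.php
+++ b/branches/4.2/src/wp-admin/includes/ajax-actions.php
@@ -2025,4 +2025,8 @@
     }
 
+    if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
+        wp_send_json_error();
+    }
+
     $post_ids = array();
     // For each URL, try to find its corresponding post ID.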
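Review bot: The guard added at lines 2027–2029 carries no comment saying what it protects or why the third argument is `false`, and a nonce only shows that the request was issued from the user's own session, not that the user may edit the target posts. I would add above it `// CSRF check: pass $die = false so a missing or invalid nonce returns a JSON error instead of the default die().` The action string has to stay identical to the one passed to `wp_create_nonce()` in the media.php section of this changeset, otherwise every request fails closed. The function starts and ends outside the hunk, so no capability check is visible here; confirm one is still applied to each resolved post ID before the thumbnail is written.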
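--- a/branches/4.2/src/wp-includes/js/media/views/frame/video-details.js
+++ b/branches/4.2/src/wp-includes/js/media/views/frame/video-details.js
@@ -107,4 +107,5 @@
             wp.ajax.send( 'set-attachment-thumbnail', {
                 data : {
+                    _ajax_nonce: wp.media.view.settings.nonce.setAttachmentThumbnail,
                     urls: urls,
                     thumbnail_id: attachment.get( 'id' )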
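Review bot: The request at line 109 now depends on `wp.media.view.settings.nonce.setAttachmentThumbnail` being present and still valid, and nothing visible in this hunk handles the rejection when it is not. The value is localised once when the page loads (see the media.php section), so in a long-open editor the nonce can expire and the server-side check will answer with a bare JSON error. I would add above the new line `// Nonce is localised at page load; the server rejects the request once it has expired.` and confirm that the promise returned by `wp.ajax.send` has a failure handler that tells the user the thumbnail was not set. The call continues outside the hunk, so an existing handler may simply not be shown.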
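--- a/branches/4.2/src/wp-includes/media.php
+++ b/branches/4.2/src/wp-includes/media.php
@@ -2952,5 +2952,6 @@
         'captions'  => ! apply_filters( 'disable_captions', '' ),
         'nonce'     => array(
-            'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
+            'sendToEditor'           => wp_create_nonce( 'media-send-to-editor' ),
+            'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ),
         ),
         'post'    => array(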
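--- a/branches/4.2/src/wp-includes/version.php
+++ b/branches/4.2/src/wp-includes/version.php
@@ -5,5 +5,5 @@
  * @global string $wp_version
  */
-$wp_version = '4.2.34-src';
+$wp_version = '4.2.35-src';
 
 /**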