Changeset 55776

Timestamp:

05/16/2023 03:25:24 PM (2 weeks ago)

Author:

SergeyBiryukov

Message:

Grouped backports to the 4.3 branch.

• Media: Prevent CSRF setting attachment thumbnails.

Merges [55764] to the 4.3 branch.
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.

Location:

branches/4.3

Files:

• package-lock.json (modified) (1 diff)
• package.json (modified) (1 diff)
• src/wp-admin/about.php (modified) (1 diff)
• src/wp-admin/includes/ajax-actions.php (modified) (1 diff)
• src/wp-includes/js/media/views/frame/video-details.js (modified) (1 diff)
• src/wp-includes/media.php (modified) (1 diff)
• src/wp-includes/version.php (modified) (1 diff)

branches/4.3/package-lock.json

@@ -1 +1 @@
 {
     "name": "WordPress",
-    "version": "4.3.30",
+    "version": "4.3.31",
     "lockfileVersion": 1,
     "requires": true,

branches/4.3/package.json

@@ -1 +1 @@
 {
     "name": "WordPress",
-    "version": "4.3.30",
+    "version": "4.3.31",
     "description": "WordPress is web software you can use to create a beautiful website or blog.",
     "repository": {

branches/4.3/src/wp-admin/about.php

@@ -109 +109 @@
 
         <div class="changelog point-releases">
-            <h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 30 ); ?></h3>
+            <h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 31 ); ?></h3>
+            <p>
+                <?php
+                printf(
+                    /* translators: %s: WordPress version number */
+                    __( '<strong>Version %s</strong> addressed one security issue.' ),
+                    '4.3.31'
+                );
+                ?>
+                <?php
+                printf(
+                    /* translators: %s: HelpHub URL */
+                    __( 'For more information, see <a href="%s">the release notes</a>.' ),
+                    sprintf(
+                        /* translators: %s: WordPress version */
+                        esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+                        sanitize_title( '4.3.31' )
+                    )
+                );
+                ?>
+            </p>
             <p>
                 <?php

branches/4.3/src/wp-admin/includes/ajax-actions.php

@@ -2060 +2060 @@
     }
 
+    if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
+        wp_send_json_error();
+    }
+
     $post_ids = array();
     // For each URL, try to find its corresponding post ID.

branches/4.3/src/wp-includes/js/media/views/frame/video-details.js

@@ -105 +105 @@
             wp.ajax.send( 'set-attachment-thumbnail', {
                 data : {
+                    _ajax_nonce: wp.media.view.settings.nonce.setAttachmentThumbnail,
                     urls: urls,
                     thumbnail_id: attachment.get( 'id' )

branches/4.3/src/wp-includes/media.php

@@ -2978 +2978 @@
         'captions'  => ! apply_filters( 'disable_captions', '' ),
         'nonce'     => array(
-            'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
+            'sendToEditor'           => wp_create_nonce( 'media-send-to-editor' ),
+            'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ),
         ),
         'post'    => array(

branches/4.3/src/wp-includes/version.php

@@ -5 +5 @@
  * @global string $wp_version
  */
-$wp_version = '4.3.30-src';
+$wp_version = '4.3.31-src';
 
 /**