
Changeset 55776


Timestamp:
05/16/2023 03:25:24 PM (13 months ago)
Author:
SergeyBiryukov
Message:

Grouped backports to the 4.3 branch.

  • Media: Prevent CSRF setting attachment thumbnails.

Merges [55764] to the 4.3 branch.
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.

Location:
branches/4.3
Files:
7 edited

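--- a/branches/4.3/package-lock.json
+++ b/branches/4.3/package-lock.json
@@ -1,5 +1,5 @@
 {
     "name": "WordPress",
-    "version": "4.3.30",
+    "version": "4.3.31",
     "lockfileVersion": 1,
     "requires": true,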
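--- a/branches/4.3/package.json
+++ b/branches/4.3/package.json
@@ -1,5 +1,5 @@
 {
     "name": "WordPress",
-    "version": "4.3.30",
+    "version": "4.3.31",
     "description": "WordPress is web software you can use to create a beautiful website or blog.",
     "repository": {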
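--- a/branches/4.3/src/wp-admin/about.php
+++ b/branches/4.3/src/wp-admin/about.php
@@ -109,5 +109,25 @@
 
         <div class="changelog point-releases">
-            <h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 30 ); ?></h3>
+            <h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 31 ); ?></h3>
+            <p>
+                <?php
+                printf(
+                    /* translators: %s: WordPress version number */
+                    __( '<strong>Version %s</strong> addressed one security issue.' ),
+                    '4.3.31'
+                );
+                ?>
+                <?php
+                printf(
+                    /* translators: %s: HelpHub URL */
+                    __( 'For more information, see <a href="%s">the release notes</a>.' ),
+                    sprintf(
+                        /* translators: %s: WordPress version */
+                        esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+                        sanitize_title( '4.3.31' )
+                    )
+                );
+                ?>
+            </p>
             <p>
                 <?php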
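--- a/branches/4.3/src/wp-admin/includes/ajax-actions.php
+++ b/branches/4.3/src/wp-admin/includes/ajax-actions.php
@@ -2060,4 +2060,8 @@
     }
 
+    if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
+        wp_send_json_error();
+    }
+
     $post_ids = array();
     // For each URL, try to find its corresponding post ID.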
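Review bot: The added `check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false )` guard carries no comment saying why `$die` is `false` or why the handler then answers with a bare `wp_send_json_error()`; I would put `// CSRF check: $die = false so a missing or stale nonce returns a JSON error instead of a plain -1.` above it. A valid nonce only shows the request was issued from the user's own session, so the per-post capability check still has to run before any attachment is changed; the rest of the function lies outside this hunk, so that needs confirming there. The action string is also repeated as a literal in media.php, and the two must stay identical or every request will be rejected.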
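--- a/branches/4.3/src/wp-includes/js/media/views/frame/video-details.js
+++ b/branches/4.3/src/wp-includes/js/media/views/frame/video-details.js
@@ -105,4 +105,5 @@
             wp.ajax.send( 'set-attachment-thumbnail', {
                 data : {
+                    _ajax_nonce: wp.media.view.settings.nonce.setAttachmentThumbnail,
                     urls: urls,
                     thumbnail_id: attachment.get( 'id' )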
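Review bot: The new `_ajax_nonce` value is read from `wp.media.view.settings.nonce.setAttachmentThumbnail` with no guard, so if the settings payload lacks that key (for instance when code hooked on `media_view_settings` replaces the `nonce` array) the request is sent without a usable nonce and the server now rejects it. The visible lines show no failure handler on this `wp.ajax.send` call, and the call continues outside the hunk; if none is attached there, the thumbnail will silently not be set. I would at least add a comment on the new line, `// Required by the server-side check_ajax_referer(); the request fails without it.`, and confirm that a rejected request is surfaced to the user.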
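--- a/branches/4.3/src/wp-includes/media.php
+++ b/branches/4.3/src/wp-includes/media.php
@@ -2978,5 +2978,6 @@
         'captions'  => ! apply_filters( 'disable_captions', '' ),
         'nonce'     => array(
-            'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
+            'sendToEditor'           => wp_create_nonce( 'media-send-to-editor' ),
+            'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ),
         ),
         'post'    => array(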
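--- a/branches/4.3/src/wp-includes/version.php
+++ b/branches/4.3/src/wp-includes/version.php
@@ -5,5 +5,5 @@
  * @global string $wp_version
  */
-$wp_version = '4.3.30-src';
+$wp_version = '4.3.31-src';
 
 /**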