
Changeset 55779


Timestamp:
05/16/2023 03:36:46 PM (12 months ago)
Author:
SergeyBiryukov
Message:

Grouped backports to the 4.4 branch.

  • Media: Prevent CSRF setting attachment thumbnails.
  • Embeds: Add protocol validation for WordPress Embed code.

Merges [55763] and [55764] to the 4.4 branch.
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.

Location:
branches/4.4
Files:
1 added
8 edited

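--- a/branches/4.4/package-lock.json
+++ b/branches/4.4/package-lock.json
@@ -1,5 +1,5 @@
 {
     "name": "WordPress",
-    "version": "4.4.29",
+    "version": "4.4.30",
     "lockfileVersion": 1,
     "requires": true,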
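--- a/branches/4.4/package.json
+++ b/branches/4.4/package.json
@@ -1,5 +1,5 @@
 {
     "name": "WordPress",
-    "version": "4.4.29",
+    "version": "4.4.30",
     "description": "WordPress is web software you can use to create a beautiful website or blog.",
     "repository": {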
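--- a/branches/4.4/src/wp-admin/about.php
+++ b/branches/4.4/src/wp-admin/about.php
@@ -51,4 +51,24 @@
         <div class="changelog point-releases">
             <h3><?php _e( 'Maintenance and Security Releases' ); ?> </h3>
+            <p>
+                <?php
+                printf(
+                    /* translators: %s: WordPress version number */
+                    __( '<strong>Version %s</strong> addressed some security issues.' ),
+                    '4.4.30'
+                );
+                ?>
+                <?php
+                printf(
+                    /* translators: %s: HelpHub URL */
+                    __( 'For more information, see <a href="%s">the release notes</a>.' ),
+                    sprintf(
+                        /* translators: %s: WordPress version */
+                        esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+                        sanitize_title( '4.4.30' )
+                    )
+                );
+                ?>
+            </p>
             <p>
                 <?php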
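--- a/branches/4.4/src/wp-admin/includes/ajax-actions.php
+++ b/branches/4.4/src/wp-admin/includes/ajax-actions.php
@@ -2161,4 +2161,8 @@
     }
 
+    if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
+        wp_send_json_error();
+    }
+
     $post_ids = array();
     // For each URL, try to find its corresponding post ID.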
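Review bot: The new nonce guard only proves the request originated from the admin UI; it does not establish that the current user may edit the attachment or the posts resolved from `urls`, and no capability check is visible in this hunk. The enclosing function begins above the hunk, so if it does not already call `current_user_can( 'edit_post', ... )` for `thumbnail_id` and for each resolved post ID, that check still belongs after this block. Passing `false` as the third argument to `check_ajax_referer()` appears deliberate so the handler answers with `wp_send_json_error()` rather than the helper's default die; a comment such as `// Return a JSON error instead of letting check_ajax_referer() die on its own.` would make that intent explicit for the next reader.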
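--- a/branches/4.4/src/wp-includes/js/media/views/frame/video-details.js
+++ b/branches/4.4/src/wp-includes/js/media/views/frame/video-details.js
@@ -105,4 +105,5 @@
             wp.ajax.send( 'set-attachment-thumbnail', {
                 data : {
+                    _ajax_nonce: wp.media.view.settings.nonce.setAttachmentThumbnail,
                     urls: urls,
                     thumbnail_id: attachment.get( 'id' )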
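--- a/branches/4.4/src/wp-includes/js/wp-embed.js
+++ b/branches/4.4/src/wp-includes/js/wp-embed.js
@@ -38,4 +38,5 @@
         var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
             blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
+            allowedProtocols = new RegExp( '^https?:$', 'i' ),
             i, source, height, sourceURL, targetURL;
 
@@ -72,4 +73,9 @@
                 sourceURL.href = source.getAttribute( 'src' );
                 targetURL.href = data.value;
+
+                /* Only follow link if the protocol is in the allow list. */
+                if ( ! allowedProtocols.test( targetURL.protocol ) ) {
+                    continue;
+                }
 
                 /* Only continue if link hostname matches iframe's hostname. */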
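Review bot: The pattern `'^https?:$'` is anchored on a trailing colon because `targetURL.protocol`, read from an anchor element, includes it (`"https:"`), and nothing in either hunk says so; a comment such as `/* URL.protocol includes the trailing colon, e.g. "https:". */` beside the `allowedProtocols` declaration in the first hunk would spare the next reader a lookup. Since `targetURL.href` is assigned from `data.value`, a relative or otherwise unparseable value is presumably resolved against the current document and so carries the page's own protocol, meaning this check alone lets it through; the hostname comparison that follows is what is expected to reject it, and that dependency between the two guards is worth a sentence in the same comment. As a point of style, a regex literal `/^https?:$/i` expresses the same test as the `new RegExp( ... )` call without the string indirection, if the file's conventions allow it. The enclosing function begins above the first hunk.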
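--- a/branches/4.4/src/wp-includes/media.php
+++ b/branches/4.4/src/wp-includes/media.php
@@ -3279,5 +3279,6 @@
         'captions'  => ! apply_filters( 'disable_captions', '' ),
         'nonce'     => array(
-            'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
+            'sendToEditor'           => wp_create_nonce( 'media-send-to-editor' ),
+            'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ),
         ),
         'post'    => array(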
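--- a/branches/4.4/src/wp-includes/version.php
+++ b/branches/4.4/src/wp-includes/version.php
@@ -5,5 +5,5 @@
  * @global string $wp_version
  */
-$wp_version = '4.4.29-src';
+$wp_version = '4.4.30-src';
 
 /**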