

Timestamp:
10/12/2023 12:45:49 PM (13 months ago)
Author:
audrasjb
Message:

Shortcodes: Restrict ajax handler for media shortcode.

Props tykoted, xknown, peterwilsoncc, antpb, jorbin.

File:
1 edited

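--- a/trunk/src/wp-includes/media.php
+++ b/trunk/src/wp-includes/media.php
@@ -2608,4 +2608,5 @@
         }
     } elseif ( ! empty( $atts['exclude'] ) ) {
+        $post_parent_id = $id;
         $attachments = get_children(
             array(
@@ -2620,4 +2621,5 @@
         );
     } else {
+        $post_parent_id = $id;
         $attachments = get_children(
             array(
@@ -2630,4 +2632,15 @@
             )
         );
+    }
+
+    if ( ! empty( $post_parent_id ) ) {
+        $post_parent = get_post( $post_parent_id );
+
+        // terminate the shortcode execution if user cannot read the post or password-protected
+        if (
+        ( ! is_post_publicly_viewable( $post_parent->ID ) && ! current_user_can( 'read_post', $post_parent->ID ) )
+        || post_password_required( $post_parent ) ) {
+            return '';
+        }
     }
 
@@ -2964,4 +2977,13 @@
     }
 
+    if ( ! empty( $args['post_parent'] ) ) {
+        $post_parent = get_post( $id );
+
+        // terminate the shortcode execution if user cannot read the post or password-protected
+        if ( ! current_user_can( 'read_post', $post_parent->ID ) || post_password_required( $post_parent ) ) {
+            return '';
+        }
+    }
+
     if ( empty( $attachments ) ) {
         return '';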
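Review bot: Both new guards dereference `$post_parent->ID` without checking that `get_post()` returned a post (2637-2641 in the gallery hunk, 2980-2983 in the playlist hunk), so a shortcode whose parent ID no longer resolves reads a property of `null` instead of failing closed; prefix each condition with `! $post_parent ||` so an unresolvable parent is treated as unreadable. The check at 2983 also omits the `is_post_publicly_viewable()` short-circuit used at 2641, leaving the playlist case dependent on `current_user_can( 'read_post', … )` alone; if that maps to the `read` capability for public statuses, as it appears to, logged-out visitors lose playlists on published posts, so the line should read `if ( ! $post_parent || ( ! is_post_publicly_viewable( $post_parent->ID ) && ! current_user_can( 'read_post', $post_parent->ID ) ) || post_password_required( $post_parent ) ) {`. The guard at 2979 keys on `$args['post_parent']` but loads `$id`; whether those hold the same value is decided above the hunk, and both enclosing functions begin outside it.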