

Timestamp:
10/12/2023 01:27:29 PM (13 months ago)
Author:
audrasjb
Message:

Shortcodes: Restrict ajax handler for media shortcode.

Props tykoted, xknown, peterwilsoncc, antpb, jorbin.
Merges [56838] to the 6.3 branch.

Location:
branches/6.3
Files:
2 edited


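--- a/branches/6.3/src/wp-includes/media.php
+++ b/branches/6.3/src/wp-includes/media.php
@@ -2606,4 +2606,5 @@
         }
     } elseif ( ! empty( $atts['exclude'] ) ) {
+        $post_parent_id = $id;
         $attachments = get_children(
             array(
@@ -2618,4 +2619,5 @@
         );
     } else {
+        $post_parent_id = $id;
         $attachments = get_children(
             array(
@@ -2628,4 +2630,15 @@
             )
         );
+    }
+
+    if ( ! empty( $post_parent_id ) ) {
+        $post_parent = get_post( $post_parent_id );
+
+        // terminate the shortcode execution if user cannot read the post or password-protected
+        if (
+        ( ! is_post_publicly_viewable( $post_parent->ID ) && ! current_user_can( 'read_post', $post_parent->ID ) )
+        || post_password_required( $post_parent ) ) {
+            return '';
+        }
     }
 
@@ -2962,4 +2975,13 @@
     }
 
+    if ( ! empty( $args['post_parent'] ) ) {
+        $post_parent = get_post( $id );
+
+        // terminate the shortcode execution if user cannot read the post or password-protected
+        if ( ! current_user_can( 'read_post', $post_parent->ID ) || post_password_required( $post_parent ) ) {
+            return '';
+        }
+    }
+
     if ( empty( $attachments ) ) {
         return '';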
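Review bot: `get_post()` returns null for an id that does not resolve to a post, and both new guards dereference the result unchecked (`$post_parent->ID` at new line 2639 in gallery_shortcode and at new line 2981 in playlist_shortcode); `$id` is not defined inside these hunks but appears to originate from the shortcode's attributes, so a stale or bogus id would raise a property-on-null warning rather than hit the intended empty return. Add `if ( ! $post_parent instanceof WP_Post ) { return ''; }` directly after each `get_post()` call so a missing parent fails closed. The two guards are also not equivalent: gallery_shortcode accepts the parent when it is publicly viewable or the user passes `read_post`, whereas playlist_shortcode requires `read_post` alone, which, unless anonymous visitors are granted that meta capability on public posts, would hide playlists from logged-out readers; aligning the playlist condition with the gallery one, `if ( ( ! is_post_publicly_viewable( $post_parent ) && ! current_user_can( 'read_post', $post_parent->ID ) ) || post_password_required( $post_parent ) ) {`, keeps the access rule identical across both shortcodes. Both enclosing functions start and end outside the hunks shown here.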