Make WordPress Core


Ignore:
Timestamp:
10/12/2023 02:21:47 PM (8 months ago)
Author:
davidbaumwald
Message:

Grouped backports to the 4.1 branch.

  • Comments: Prevent users who can not see a post from seeing comments on it.
  • Shortcodes: Restrict ajax handler for media shortcode.
  • Prevent unintended behavior when certain objects are unserialized.

Merges [56835], [56836], and [56838] to the 4.1 branch.
Props xknown, jorbin, joehoyle, peterwilsoncc, ehtis, tykoted, antpb.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/4.1/src/wp-admin/includes/ajax-actions.php

    r55772 r56850  
    829829        wp_die( 0 );
    830830    }
    831    
     831
    832832    if ( ! current_user_can( $tax->cap->assign_terms ) ) {
    833833        wp_die( -1 );
     
    27682768    }
    27692769
    2770     setup_postdata( $post );
    2771     $shortcode = do_shortcode( wp_unslash( $_POST['shortcode'] ) );
     2770    $shortcode = wp_unslash( $_POST['shortcode'] );
     2771
     2772    // Only process previews for media related shortcodes:
     2773    $found_shortcodes = get_shortcode_tags_in_content( $shortcode );
     2774    $media_shortcodes = array(
     2775        'audio',
     2776        'embed',
     2777        'playlist',
     2778        'video',
     2779        'gallery',
     2780    );
     2781
     2782    $other_shortcodes = array_diff( $found_shortcodes, $media_shortcodes );
     2783
     2784    if ( ! empty( $other_shortcodes ) ) {
     2785        wp_send_json_error();
     2786    }
     2787
     2788    if ( ! empty( $_POST['post_ID'] ) ) {
     2789        $post = get_post( (int) $_POST['post_ID'] );
     2790    }
     2791
     2792    // the embed shortcode requires a post
     2793    if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) {
     2794        if ( in_array( 'embed', $found_shortcodes, true ) ) {
     2795            wp_send_json_error();
     2796        }
     2797    } else {
     2798        setup_postdata( $post );
     2799    }
    27722800
    27732801    if ( empty( $shortcode ) ) {
     
    28362864    } else {
    28372865        $sessions->destroy_all();
    2838         /* translators: 1: User's display name. */ 
     2866        /* translators: 1: User's display name. */
    28392867        $message = sprintf( __( '%s has been logged out.' ), $user->display_name );
    28402868    }
Note: See TracChangeset for help on using the changeset viewer.