Make WordPress Core

Changeset 56851


Ignore:
Timestamp:
10/12/2023 02:25:18 PM (8 months ago)
Author:
davidbaumwald
Message:

Grouped backports to the 4.2 branch.

  • Comments: Prevent users who can not see a post from seeing comments on it.
  • Shortcodes: Restrict ajax handler for media shortcode.
  • Prevent unintended behavior when certain objects are unserialized.

Merges [56835], [56836], and [56838] to the 4.1 branch.
Props xknown, jorbin, joehoyle, peterwilsoncc, ehtis, tykoted, antpb.

Location:
branches/4.2/src
Files:
7 edited

Legend:

Unmodified
Added
Removed
  • branches/4.2/src/wp-admin/includes/ajax-actions.php

    r55775 r56851  
    28002800    $shortcode = wp_unslash( $_POST['shortcode'] );
    28012801
     2802    // Only process previews for media related shortcodes:
     2803    $found_shortcodes = get_shortcode_tags_in_content( $shortcode );
     2804    $media_shortcodes = array(
     2805        'audio',
     2806        'embed',
     2807        'playlist',
     2808        'video',
     2809        'gallery',
     2810    );
     2811
     2812    $other_shortcodes = array_diff( $found_shortcodes, $media_shortcodes );
     2813
     2814    if ( ! empty( $other_shortcodes ) ) {
     2815        wp_send_json_error();
     2816    }
     2817
    28022818    if ( ! empty( $_POST['post_ID'] ) ) {
    28032819        $post = get_post( (int) $_POST['post_ID'] );
     
    28062822    // the embed shortcode requires a post
    28072823    if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) {
    2808         if ( 'embed' === $shortcode ) {
     2824        if ( in_array( 'embed', $found_shortcodes, true ) ) {
    28092825            wp_send_json_error();
    28102826        }
  • branches/4.2/src/wp-admin/includes/class-wp-comments-list-table.php

    r32175 r56851  
    371371        $this->user_can = current_user_can( 'edit_comment', $comment->comment_ID );
    372372
     373        $edit_post_cap = $post ? 'edit_post' : 'edit_posts';
     374        if (
     375            current_user_can( $edit_post_cap, $comment->comment_post_ID ) ||
     376            (
     377                empty( $post->post_password ) &&
     378                current_user_can( 'read_post', $comment->comment_post_ID )
     379            )
     380        ) {
     381            // The user has access to the post
     382        } else {
     383            return false;
     384        }
     385
    373386        echo "<tr id='comment-$comment->comment_ID' class='$the_comment_class'>";
    374387        $this->single_row_columns( $comment );
  • branches/4.2/src/wp-admin/includes/class-wp-list-table.php

    r31513 r56851  
    610610        $pending_phrase = sprintf( __( '%s pending' ), number_format( $pending_comments ) );
    611611
     612        $post_object   = get_post( $post_id );
     613        $edit_post_cap = $post_object ? 'edit_post' : 'edit_posts';
     614        if (
     615            current_user_can( $edit_post_cap, $post_id ) ||
     616            (
     617                empty( $post_object->post_password ) &&
     618                current_user_can( 'read_post', $post_id )
     619            )
     620        ) {
     621            // The user has access to the post and thus can see comments
     622        } else {
     623            return false;
     624        }
     625
    612626        if ( $pending_comments )
    613627            echo '<strong>';
  • branches/4.2/src/wp-admin/includes/dashboard.php

    r33358 r56851  
    787787
    788788        echo '<div id="the-comment-list" data-wp-lists="list:comment">';
    789         foreach ( $comments as $comment )
    790             _wp_dashboard_recent_comments_row( $comment );
     789        foreach ( $comments as $comment ) {
     790            $comment_post = get_post( $comment->comment_post_ID );
     791            if (
     792                current_user_can( 'edit_post', $comment->comment_post_ID ) ||
     793                (
     794                    empty( $comment_post->post_password ) &&
     795                    current_user_can( 'read_post', $comment->comment_post_ID )
     796                )
     797            ) {
     798                _wp_dashboard_recent_comments_row( $comment );
     799            }
     800        }
    791801        echo '</div>';
    792802
  • branches/4.2/src/wp-includes/class-wp-theme.php

    r39814 r56851  
    478478
    479479    /**
     480     * Perform reinitialization tasks.
     481     *
     482     * Prevents a callback from being injected during unserialization of an object.
     483     *
     484     * @return void
     485     */
     486    public function __wakeup() {
     487        if ( $this->parent && ! $this->parent instanceof self ) {
     488            throw new UnexpectedValueException();
     489        }
     490        if ( $this->headers && ! is_array( $this->headers ) ) {
     491            throw new UnexpectedValueException();
     492        }
     493        foreach ( $this->headers as $value ) {
     494            if ( ! is_string( $value ) ) {
     495                throw new UnexpectedValueException();
     496            }
     497        }
     498        $this->headers_sanitized = array();
     499    }
     500
     501    /**
    480502     * Adds theme data to cache.
    481503     *
     
    12361258        return strnatcasecmp( $a->display( 'Name', false, true ), $b->display( 'Name', false, true ) );
    12371259    }
     1260
     1261    private static function _check_headers_property_has_correct_type( $headers ) {
     1262        if ( ! is_array( $headers ) ) {
     1263            return false;
     1264        }
     1265        foreach ( $headers as $key => $value ) {
     1266            if ( ! is_string( $key ) || ! is_string( $value ) ) {
     1267                return false;
     1268            }
     1269        }
     1270        return true;
     1271    }
    12381272}
  • branches/4.2/src/wp-includes/media.php

    r55775 r56851  
    10111011        }
    10121012    } elseif ( ! empty( $atts['exclude'] ) ) {
     1013        $post_parent_id = $id;
    10131014        $attachments = get_children( array( 'post_parent' => $id, 'exclude' => $atts['exclude'], 'post_status' => 'inherit', 'post_type' => 'attachment', 'post_mime_type' => 'image', 'order' => $atts['order'], 'orderby' => $atts['orderby'] ) );
    10141015    } else {
     1016        $post_parent_id = $id;
    10151017        $attachments = get_children( array( 'post_parent' => $id, 'post_status' => 'inherit', 'post_type' => 'attachment', 'post_mime_type' => 'image', 'order' => $atts['order'], 'orderby' => $atts['orderby'] ) );
     1018    }
     1019
     1020    if ( ! empty( $post_parent_id ) ) {
     1021        $post_parent = get_post( $post_parent_id );
     1022
     1023        // terminate the shortcode execution if user cannot read the post or password-protected
     1024        if (
     1025        ( ! is_post_publicly_viewable( $post_parent->ID ) && ! current_user_can( 'read_post', $post_parent->ID ) )
     1026        || post_password_required( $post_parent ) ) {
     1027            return '';
     1028        }
    10161029    }
    10171030
     
    13061319    }
    13071320
     1321    if ( ! empty( $args['post_parent'] ) ) {
     1322        $post_parent = get_post( $id );
     1323
     1324        // terminate the shortcode execution if user cannot read the post or password-protected
     1325        if ( ! current_user_can( 'read_post', $post_parent->ID ) || post_password_required( $post_parent ) ) {
     1326            return '';
     1327        }
     1328    }
     1329
    13081330    if ( empty( $attachments ) ) {
    13091331        return '';
  • branches/4.2/src/wp-includes/shortcodes.php

    r34145 r56851  
    174174
    175175/**
    176  * Search content for shortcodes and filter shortcodes through their hooks.
     176 * Returns a list of registered shortcode names found in the given content.
     177 *
     178 * Example usage:
     179 *
     180 *     get_shortcode_tags_in_content( '[audio src="file.mp3"][/audio] [foo] [gallery ids="1,2,3"]' );
     181 *     // array( 'audio', 'gallery' )
     182 *
     183 * @since 6.3.2
     184 *
     185 * @param string $content The content to check.
     186 * @return string[] An array of registered shortcode names found in the content.
     187 */
     188function get_shortcode_tags_in_content( $content ) {
     189    if ( false === strpos( $content, '[' ) ) {
     190        return array();
     191    }
     192
     193    preg_match_all( '/' . get_shortcode_regex() . '/', $content, $matches, PREG_SET_ORDER );
     194    if ( empty( $matches ) ) {
     195        return array();
     196    }
     197
     198    $tags = array();
     199    foreach ( $matches as $shortcode ) {
     200        $tags[] = $shortcode[2];
     201
     202        if ( ! empty( $shortcode[5] ) ) {
     203            $deep_tags = get_shortcode_tags_in_content( $shortcode[5] );
     204            if ( ! empty( $deep_tags ) ) {
     205                $tags = array_merge( $tags, $deep_tags );
     206            }
     207        }
     208    }
     209
     210    return $tags;
     211}
     212
     213/**
     214 * Searches content for shortcodes and filter shortcodes through their hooks.
    177215 *
    178216 * If there are no shortcode tags defined, then the content will be returned
Note: See TracChangeset for help on using the changeset viewer.