Make WordPress Core

Changeset 56852


Ignore:
Timestamp:
10/12/2023 02:28:05 PM (8 months ago)
Author:
davidbaumwald
Message:

Grouped backports to the 4.3 branch.

  • Comments: Prevent users who can not see a post from seeing comments on it.
  • Shortcodes: Restrict ajax handler for media shortcode.
  • Prevent unintended behavior when certain objects are unserialized.

Merges [56835], [56836], and [56838] to the 4.1 branch.
Props xknown, jorbin, joehoyle, peterwilsoncc, ehtis, tykoted, antpb.

Location:
branches/4.3/src
Files:
7 edited

Legend:

Unmodified
Added
Removed
  • branches/4.3/src/wp-admin/includes/ajax-actions.php

    r55776 r56852  
    28702870    $shortcode = wp_unslash( $_POST['shortcode'] );
    28712871
     2872    // Only process previews for media related shortcodes:
     2873    $found_shortcodes = get_shortcode_tags_in_content( $shortcode );
     2874    $media_shortcodes = array(
     2875        'audio',
     2876        'embed',
     2877        'playlist',
     2878        'video',
     2879        'gallery',
     2880    );
     2881
     2882    $other_shortcodes = array_diff( $found_shortcodes, $media_shortcodes );
     2883
     2884    if ( ! empty( $other_shortcodes ) ) {
     2885        wp_send_json_error();
     2886    }
     2887
    28722888    if ( ! empty( $_POST['post_ID'] ) ) {
    28732889        $post = get_post( (int) $_POST['post_ID'] );
     
    28762892    // the embed shortcode requires a post
    28772893    if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) {
    2878         if ( 'embed' === $shortcode ) {
     2894        if ( in_array( 'embed', $found_shortcodes, true ) ) {
    28792895            wp_send_json_error();
    28802896        }
  • branches/4.3/src/wp-admin/includes/class-wp-comments-list-table.php

    r33614 r56852  
    446446        $this->user_can = current_user_can( 'edit_comment', $comment->comment_ID );
    447447
     448        $edit_post_cap = $post ? 'edit_post' : 'edit_posts';
     449        if (
     450            current_user_can( $edit_post_cap, $comment->comment_post_ID ) ||
     451            (
     452                empty( $post->post_password ) &&
     453                current_user_can( 'read_post', $comment->comment_post_ID )
     454            )
     455        ) {
     456            // The user has access to the post
     457        } else {
     458            return false;
     459        }
     460
    448461        echo "<tr id='comment-$comment->comment_ID' class='$the_comment_class'>";
    449462        $this->single_row_columns( $comment );
  • branches/4.3/src/wp-admin/includes/class-wp-list-table.php

    r33623 r56852  
    624624        $pending_phrase = sprintf( _n( '%s pending comment', '%s pending comments', $pending_comments ), $pending_comments_number );
    625625
    626         // No comments at all.
     626        $post_object   = get_post( $post_id );
     627        $edit_post_cap = $post_object ? 'edit_post' : 'edit_posts';
     628        if (
     629            current_user_can( $edit_post_cap, $post_id ) ||
     630            (
     631                empty( $post_object->post_password ) &&
     632                current_user_can( 'read_post', $post_id )
     633            )
     634        ) {
     635            // The user has access to the post and thus can see comments
     636        } else {
     637            return false;
     638        }
     639
    627640        if ( ! $approved_comments && ! $pending_comments ) {
    628641            printf( '<span aria-hidden="true">—</span><span class="screen-reader-text">%s</span>',
  • branches/4.3/src/wp-admin/includes/dashboard.php

    r33357 r56852  
    822822
    823823        echo '<div id="the-comment-list" data-wp-lists="list:comment">';
    824         foreach ( $comments as $comment )
    825             _wp_dashboard_recent_comments_row( $comment );
     824        foreach ( $comments as $comment ) {
     825            $comment_post = get_post( $comment->comment_post_ID );
     826            if (
     827                current_user_can( 'edit_post', $comment->comment_post_ID ) ||
     828                (
     829                    empty( $comment_post->post_password ) &&
     830                    current_user_can( 'read_post', $comment->comment_post_ID )
     831                )
     832            ) {
     833                _wp_dashboard_recent_comments_row( $comment );
     834            }
     835        }
    826836        echo '</div>';
    827837
  • branches/4.3/src/wp-includes/class-wp-theme.php

    r39813 r56852  
    508508
    509509    /**
     510     * Perform reinitialization tasks.
     511     *
     512     * Prevents a callback from being injected during unserialization of an object.
     513     *
     514     * @return void
     515     */
     516    public function __wakeup() {
     517        if ( $this->parent && ! $this->parent instanceof self ) {
     518            throw new UnexpectedValueException();
     519        }
     520        if ( $this->headers && ! is_array( $this->headers ) ) {
     521            throw new UnexpectedValueException();
     522        }
     523        foreach ( $this->headers as $value ) {
     524            if ( ! is_string( $value ) ) {
     525                throw new UnexpectedValueException();
     526            }
     527        }
     528        $this->headers_sanitized = array();
     529    }
     530
     531    /**
    510532     * Adds theme data to cache.
    511533     *
     
    13041326        return strnatcasecmp( $a->display( 'Name', false, true ), $b->display( 'Name', false, true ) );
    13051327    }
     1328
     1329    private static function _check_headers_property_has_correct_type( $headers ) {
     1330        if ( ! is_array( $headers ) ) {
     1331            return false;
     1332        }
     1333        foreach ( $headers as $key => $value ) {
     1334            if ( ! is_string( $key ) || ! is_string( $value ) ) {
     1335                return false;
     1336            }
     1337        }
     1338        return true;
     1339    }
    13061340}
  • branches/4.3/src/wp-includes/media.php

    r55776 r56852  
    10291029        }
    10301030    } elseif ( ! empty( $atts['exclude'] ) ) {
     1031        $post_parent_id = $id;
    10311032        $attachments = get_children( array( 'post_parent' => $id, 'exclude' => $atts['exclude'], 'post_status' => 'inherit', 'post_type' => 'attachment', 'post_mime_type' => 'image', 'order' => $atts['order'], 'orderby' => $atts['orderby'] ) );
    10321033    } else {
     1034        $post_parent_id = $id;
    10331035        $attachments = get_children( array( 'post_parent' => $id, 'post_status' => 'inherit', 'post_type' => 'attachment', 'post_mime_type' => 'image', 'order' => $atts['order'], 'orderby' => $atts['orderby'] ) );
     1036    }
     1037
     1038    if ( ! empty( $post_parent_id ) ) {
     1039        $post_parent = get_post( $post_parent_id );
     1040
     1041        // terminate the shortcode execution if user cannot read the post or password-protected
     1042        if (
     1043        ( ! is_post_publicly_viewable( $post_parent->ID ) && ! current_user_can( 'read_post', $post_parent->ID ) )
     1044        || post_password_required( $post_parent ) ) {
     1045            return '';
     1046        }
    10341047    }
    10351048
     
    13271340    }
    13281341
     1342    if ( ! empty( $args['post_parent'] ) ) {
     1343        $post_parent = get_post( $id );
     1344
     1345        // terminate the shortcode execution if user cannot read the post or password-protected
     1346        if ( ! current_user_can( 'read_post', $post_parent->ID ) || post_password_required( $post_parent ) ) {
     1347            return '';
     1348        }
     1349    }
     1350
    13291351    if ( empty( $attachments ) ) {
    13301352        return '';
  • branches/4.3/src/wp-includes/shortcodes.php

    r34144 r56852  
    172172
    173173/**
    174  * Search content for shortcodes and filter shortcodes through their hooks.
     174 * Returns a list of registered shortcode names found in the given content.
     175 *
     176 * Example usage:
     177 *
     178 *     get_shortcode_tags_in_content( '[audio src="file.mp3"][/audio] [foo] [gallery ids="1,2,3"]' );
     179 *     // array( 'audio', 'gallery' )
     180 *
     181 * @since 6.3.2
     182 *
     183 * @param string $content The content to check.
     184 * @return string[] An array of registered shortcode names found in the content.
     185 */
     186function get_shortcode_tags_in_content( $content ) {
     187    if ( false === strpos( $content, '[' ) ) {
     188        return array();
     189    }
     190
     191    preg_match_all( '/' . get_shortcode_regex() . '/', $content, $matches, PREG_SET_ORDER );
     192    if ( empty( $matches ) ) {
     193        return array();
     194    }
     195
     196    $tags = array();
     197    foreach ( $matches as $shortcode ) {
     198        $tags[] = $shortcode[2];
     199
     200        if ( ! empty( $shortcode[5] ) ) {
     201            $deep_tags = get_shortcode_tags_in_content( $shortcode[5] );
     202            if ( ! empty( $deep_tags ) ) {
     203                $tags = array_merge( $tags, $deep_tags );
     204            }
     205        }
     206    }
     207
     208    return $tags;
     209}
     210
     211/**
     212 * Searches content for shortcodes and filter shortcodes through their hooks.
    175213 *
    176214 * If there are no shortcode tags defined, then the content will be returned
Note: See TracChangeset for help on using the changeset viewer.