Changeset 56857
- Timestamp:
- 10/12/2023 02:34:12 PM (14 months ago)
- Location:
- branches/4.5/src
- Files:
-
- 9 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/4.5/src/wp-admin/includes/ajax-actions.php
r55780 r56857 2988 2988 $shortcode = wp_unslash( $_POST['shortcode'] ); 2989 2989 2990 // Only process previews for media related shortcodes: 2991 $found_shortcodes = get_shortcode_tags_in_content( $shortcode ); 2992 $media_shortcodes = array( 2993 'audio', 2994 'embed', 2995 'playlist', 2996 'video', 2997 'gallery', 2998 ); 2999 3000 $other_shortcodes = array_diff( $found_shortcodes, $media_shortcodes ); 3001 3002 if ( ! empty( $other_shortcodes ) ) { 3003 wp_send_json_error(); 3004 } 3005 2990 3006 if ( ! empty( $_POST['post_ID'] ) ) { 2991 3007 $post = get_post( (int) $_POST['post_ID'] ); … … 2994 3010 // the embed shortcode requires a post 2995 3011 if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) { 2996 if ( 'embed' === $shortcode) {3012 if ( in_array( 'embed', $found_shortcodes, true ) ) { 2997 3013 wp_send_json_error(); 2998 3014 } -
branches/4.5/src/wp-admin/includes/class-wp-comments-list-table.php
r36521 r56857 496 496 $this->user_can = current_user_can( 'edit_comment', $comment->comment_ID ); 497 497 498 $edit_post_cap = $post ? 'edit_post' : 'edit_posts'; 499 if ( 500 current_user_can( $edit_post_cap, $comment->comment_post_ID ) || 501 ( 502 empty( $post->post_password ) && 503 current_user_can( 'read_post', $comment->comment_post_ID ) 504 ) 505 ) { 506 // The user has access to the post 507 } else { 508 return false; 509 } 510 498 511 echo "<tr id='comment-$comment->comment_ID' class='$the_comment_class'>"; 499 512 $this->single_row_columns( $comment ); -
branches/4.5/src/wp-admin/includes/class-wp-list-table.php
r35818 r56857 656 656 $pending_phrase = sprintf( _n( '%s pending comment', '%s pending comments', $pending_comments ), $pending_comments_number ); 657 657 658 // No comments at all. 658 $post_object = get_post( $post_id ); 659 $edit_post_cap = $post_object ? 'edit_post' : 'edit_posts'; 660 if ( 661 current_user_can( $edit_post_cap, $post_id ) || 662 ( 663 empty( $post_object->post_password ) && 664 current_user_can( 'read_post', $post_id ) 665 ) 666 ) { 667 // The user has access to the post and thus can see comments 668 } else { 669 return false; 670 } 671 659 672 if ( ! $approved_comments && ! $pending_comments ) { 660 673 printf( '<span aria-hidden="true">—</span><span class="screen-reader-text">%s</span>', -
branches/4.5/src/wp-admin/includes/dashboard.php
r36964 r56857 907 907 908 908 echo '<ul id="the-comment-list" data-wp-lists="list:comment">'; 909 foreach ( $comments as $comment ) 910 _wp_dashboard_recent_comments_row( $comment ); 909 foreach ( $comments as $comment ) { 910 $comment_post = get_post( $comment->comment_post_ID ); 911 if ( 912 current_user_can( 'edit_post', $comment->comment_post_ID ) || 913 ( 914 empty( $comment_post->post_password ) && 915 current_user_can( 'read_post', $comment->comment_post_ID ) 916 ) 917 ) { 918 _wp_dashboard_recent_comments_row( $comment ); 919 } 920 } 911 921 echo '</ul>'; 912 922 -
branches/4.5/src/wp-includes/class-wp-theme.php
r39811 r56857 529 529 530 530 /** 531 * Perform reinitialization tasks. 532 * 533 * Prevents a callback from being injected during unserialization of an object. 534 * 535 * @return void 536 */ 537 public function __wakeup() { 538 if ( $this->parent && ! $this->parent instanceof self ) { 539 throw new UnexpectedValueException(); 540 } 541 if ( $this->headers && ! is_array( $this->headers ) ) { 542 throw new UnexpectedValueException(); 543 } 544 foreach ( $this->headers as $value ) { 545 if ( ! is_string( $value ) ) { 546 throw new UnexpectedValueException(); 547 } 548 } 549 $this->headers_sanitized = array(); 550 } 551 552 /** 531 553 * Adds theme data to cache. 532 554 * … … 1372 1394 return strnatcasecmp( $a->display( 'Name', false, true ), $b->display( 'Name', false, true ) ); 1373 1395 } 1396 1397 private static function _check_headers_property_has_correct_type( $headers ) { 1398 if ( ! is_array( $headers ) ) { 1399 return false; 1400 } 1401 foreach ( $headers as $key => $value ) { 1402 if ( ! is_string( $key ) || ! is_string( $value ) ) { 1403 return false; 1404 } 1405 } 1406 return true; 1407 } 1374 1408 } -
branches/4.5/src/wp-includes/media.php
r55780 r56857 1634 1634 } 1635 1635 } elseif ( ! empty( $atts['exclude'] ) ) { 1636 $post_parent_id = $id; 1636 1637 $attachments = get_children( array( 'post_parent' => $id, 'exclude' => $atts['exclude'], 'post_status' => 'inherit', 'post_type' => 'attachment', 'post_mime_type' => 'image', 'order' => $atts['order'], 'orderby' => $atts['orderby'] ) ); 1637 1638 } else { 1639 $post_parent_id = $id; 1638 1640 $attachments = get_children( array( 'post_parent' => $id, 'post_status' => 'inherit', 'post_type' => 'attachment', 'post_mime_type' => 'image', 'order' => $atts['order'], 'orderby' => $atts['orderby'] ) ); 1641 } 1642 1643 if ( ! empty( $post_parent_id ) ) { 1644 $post_parent = get_post( $post_parent_id ); 1645 1646 // terminate the shortcode execution if user cannot read the post or password-protected 1647 if ( 1648 ( ! is_post_publicly_viewable( $post_parent->ID ) && ! current_user_can( 'read_post', $post_parent->ID ) ) 1649 || post_password_required( $post_parent ) ) { 1650 return ''; 1651 } 1639 1652 } 1640 1653 … … 1938 1951 } 1939 1952 1953 if ( ! empty( $args['post_parent'] ) ) { 1954 $post_parent = get_post( $id ); 1955 1956 // terminate the shortcode execution if user cannot read the post or password-protected 1957 if ( ! current_user_can( 'read_post', $post_parent->ID ) || post_password_required( $post_parent ) ) { 1958 return ''; 1959 } 1960 } 1961 1940 1962 if ( empty( $attachments ) ) { 1941 1963 return ''; -
branches/4.5/src/wp-includes/rest-api.php
r46497 r56857 593 593 594 594 if ( ! $result ) { 595 add_filter( 'rest_send_nocache_headers', '__return_true', 20 ); 595 596 return new WP_Error( 'rest_cookie_invalid_nonce', __( 'Cookie nonce is invalid' ), array( 'status' => 403 ) ); 596 597 } -
branches/4.5/src/wp-includes/rest-api/class-wp-rest-server.php
r37163 r56857 238 238 239 239 /** 240 * Send nocache headers on authenticated requests. 241 * 242 * @since 4.4.0 243 * 244 * @param bool $rest_send_nocache_headers Whether to send no-cache headers. 245 */ 246 $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() ); 247 if ( $send_no_cache_headers ) { 248 foreach ( wp_get_nocache_headers() as $header => $header_value ) { 249 $this->send_header( $header, $header_value ); 250 } 251 } 252 253 /** 254 * Filter whether the REST API is enabled. 240 * Filters whether the REST API is enabled. 255 241 * 256 242 * @since 4.4.0 … … 315 301 * header. 316 302 */ 303 $method_overridden = false; 317 304 if ( isset( $_GET['_method'] ) ) { 318 305 $request->set_method( $_GET['_method'] ); 319 306 } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) { 320 307 $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ); 308 $method_overridden = true; 321 309 } 322 310 … … 376 364 */ 377 365 $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this ); 366 367 /** 368 * Filters whether to send nocache headers on a REST API request. 369 * 370 * @since 4.4.0 371 * @since 6.x.x Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php 372 * 373 * @param bool $rest_send_nocache_headers Whether to send no-cache headers. 374 */ 375 $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() ); 376 377 // send no cache headers if the $send_no_cache_headers is true 378 // OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4xx response code. 379 if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) { 380 foreach ( wp_get_nocache_headers() as $header => $header_value ) { 381 $this->send_header( $header, $header_value ); 382 } 383 } 378 384 379 385 if ( ! $served ) { -
branches/4.5/src/wp-includes/shortcodes.php
r36097 r56857 186 186 187 187 /** 188 * Search content for shortcodes and filter shortcodes through their hooks. 188 * Returns a list of registered shortcode names found in the given content. 189 * 190 * Example usage: 191 * 192 * get_shortcode_tags_in_content( '[audio src="file.mp3"][/audio] [foo] [gallery ids="1,2,3"]' ); 193 * // array( 'audio', 'gallery' ) 194 * 195 * @since 6.3.2 196 * 197 * @param string $content The content to check. 198 * @return string[] An array of registered shortcode names found in the content. 199 */ 200 function get_shortcode_tags_in_content( $content ) { 201 if ( false === strpos( $content, '[' ) ) { 202 return array(); 203 } 204 205 preg_match_all( '/' . get_shortcode_regex() . '/', $content, $matches, PREG_SET_ORDER ); 206 if ( empty( $matches ) ) { 207 return array(); 208 } 209 210 $tags = array(); 211 foreach ( $matches as $shortcode ) { 212 $tags[] = $shortcode[2]; 213 214 if ( ! empty( $shortcode[5] ) ) { 215 $deep_tags = get_shortcode_tags_in_content( $shortcode[5] ); 216 if ( ! empty( $deep_tags ) ) { 217 $tags = array_merge( $tags, $deep_tags ); 218 } 219 } 220 } 221 222 return $tags; 223 } 224 225 /** 226 * Searches content for shortcodes and filter shortcodes through their hooks. 189 227 * 190 228 * If there are no shortcode tags defined, then the content will be returned
Note: See TracChangeset
for help on using the changeset viewer.