Context Navigation

← Previous Change
Next Change →

class-wp-rest-server.php

Timestamp:

10/12/2023 02:43:19 PM (17 months ago)

Author:

davidbaumwald

Message:

Grouped backports to the 4.6 branch.

Comments: Prevent users who can not see a post from seeing comments on it.
Shortcodes: Restrict media shortcode ajax to certain type.
REST API: Ensure no-cache headers are sent when methods are overridden.
Prevent unintended behavior when certain objects are unserialized.

Merges [56834], [56835], [56836], and [56838] to the 4.6 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.

File:

: 1 edited

branches/4.6/src/wp-includes/rest-api/class-wp-rest-server.php (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

branches/4.6/src/wp-includes/rest-api/class-wp-rest-server.php

-                      r38037
+                      r56859
         /**
-         * Send nocache headers on authenticated requests.
+         *
-         * @since 4.4.0
+         *
-         * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
-         */
-        $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
-        if ( $send_no_cache_headers ) {
-            foreach ( wp_get_nocache_headers() as $header => $header_value ) {
-                $this->send_header( $header, $header_value );
+            }
+        }
-        /**
          * Filters whether the REST API is enabled.
+         *
 …
          * header.
          */
+        $method_overridden = false;
         if ( isset( $_GET['_method'] ) ) {
             $request->set_method( $_GET['_method'] );
         } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) {
             $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] );
+            $method_overridden = true;
+        }
 …
          */
         $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this );
+        /**
+         * Filters whether to send nocache headers on a REST API request.
+         *
+         * @since 4.4.0
+         * @since 6.x.x Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php
+         *
+         * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
+         */
+        $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
+        // send no cache headers if the $send_no_cache_headers is true
+        // OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4xx response code.
+        if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) {
+            foreach ( wp_get_nocache_headers() as $header => $header_value ) {
+                $this->send_header( $header, $header_value );
+            }
+        }
         if ( ! $served ) {

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core

Context Navigation

Changeset 56859 for branches/4.6/src/wp-includes/rest-api/class-wp-rest-server.php

Legend:

branches/4.6/src/wp-includes/rest-api/class-wp-rest-server.php

Download in other formats: