Make WordPress Core


Ignore:
Timestamp:
10/12/2023 02:48:17 PM (9 months ago)
Author:
davidbaumwald
Message:

Grouped backports to the 4.7 branch.

  • Comments: Prevent users who can not see a post from seeing comments on it.
  • Shortcodes: Restrict media shortcode ajax to certain type.
  • REST API: Ensure no-cache headers are sent when methods are overridden.
  • REST API: Limit search_columns for users without list_users.
  • Prevent unintended behavior when certain objects are unserialized.

Merges [56834], [56835], [56836], [56838], and [56840] to the 4.7 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/4.7/src/wp-includes/rest-api/class-wp-rest-server.php

    r40336 r56862  
    244244
    245245        /**
    246          * Send nocache headers on authenticated requests.
    247          *
    248          * @since 4.4.0
    249          *
    250          * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
    251          */
    252         $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
    253         if ( $send_no_cache_headers ) {
    254             foreach ( wp_get_nocache_headers() as $header => $header_value ) {
    255                 $this->send_header( $header, $header_value );
    256             }
    257         }
    258 
    259         /**
    260246         * Filters whether the REST API is enabled.
    261247         *
     
    312298         * header.
    313299         */
     300        $method_overridden = false;
    314301        if ( isset( $_GET['_method'] ) ) {
    315302            $request->set_method( $_GET['_method'] );
    316303        } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) {
    317304            $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] );
     305            $method_overridden = true;
    318306        }
    319307
     
    373361         */
    374362        $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this );
     363
     364        /**
     365         * Filters whether to send nocache headers on a REST API request.
     366         *
     367         * @since 4.4.0
     368         * @since 6.x.x Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php
     369         *
     370         * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
     371         */
     372        $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
     373
     374        // send no cache headers if the $send_no_cache_headers is true
     375        // OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4xx response code.
     376        if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) {
     377            foreach ( wp_get_nocache_headers() as $header => $header_value ) {
     378                $this->send_header( $header, $header_value );
     379            }
     380        }
    375381
    376382        if ( ! $served ) {
Note: See TracChangeset for help on using the changeset viewer.