Changeset 56862 for branches/4.7/src/wp-includes/rest-api/class-wp-rest-server.php

Timestamp:

10/12/2023 02:48:17 PM (20 months ago)

Author:

davidbaumwald

Message:

Grouped backports to the 4.7 branch.

• Comments: Prevent users who can not see a post from seeing comments on it.
• Shortcodes: Restrict media shortcode ajax to certain type.
• REST API: Ensure no-cache headers are sent when methods are overridden.
• REST API: Limit search_columns for users without list_users.
• Prevent unintended behavior when certain objects are unserialized.

Merges [56834], [56835], [56836], [56838], and [56840] to the 4.7 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.

File:

• branches/4.7/src/wp-includes/rest-api/class-wp-rest-server.php (modified) (3 diffs)

branches/4.7/src/wp-includes/rest-api/class-wp-rest-server.php

@@ -244 +244 @@
 
         /**
-         * Send nocache headers on authenticated requests.
-         *
-         * @since 4.4.0
-         *
-         * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
-         */
-        $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
-        if ( $send_no_cache_headers ) {
-            foreach ( wp_get_nocache_headers() as $header => $header_value ) {
-                $this->send_header( $header, $header_value );
-            }
-        }
-
-        /**
          * Filters whether the REST API is enabled.
          *
@@ -312 +298 @@
          * header.
          */
+        $method_overridden = false;
         if ( isset( $_GET['_method'] ) ) {
             $request->set_method( $_GET['_method'] );
         } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) {
             $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] );
+            $method_overridden = true;
         }
 
@@ -373 +361 @@
          */
         $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this );
+
+        /**
+         * Filters whether to send nocache headers on a REST API request.
+         *
+         * @since 4.4.0
+         * @since 6.x.x Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php
+         *
+         * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
+         */
+        $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
+
+        // send no cache headers if the $send_no_cache_headers is true
+        // OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4xx response code.
+        if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) {
+            foreach ( wp_get_nocache_headers() as $header => $header_value ) {
+                $this->send_header( $header, $header_value );
+            }
+        }
 
         if ( ! $served ) {