Changeset 56864
- Timestamp:
- 10/12/2023 02:50:31 PM (14 months ago)
- Location:
- branches/4.8/src
- Files:
-
- 13 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/4.8/src/wp-admin/includes/ajax-actions.php
r55786 r56864 3113 3113 $shortcode = wp_unslash( $_POST['shortcode'] ); 3114 3114 3115 // Only process previews for media related shortcodes: 3116 $found_shortcodes = get_shortcode_tags_in_content( $shortcode ); 3117 $media_shortcodes = array( 3118 'audio', 3119 'embed', 3120 'playlist', 3121 'video', 3122 'gallery', 3123 ); 3124 3125 $other_shortcodes = array_diff( $found_shortcodes, $media_shortcodes ); 3126 3127 if ( ! empty( $other_shortcodes ) ) { 3128 wp_send_json_error(); 3129 } 3130 3115 3131 if ( ! empty( $_POST['post_ID'] ) ) { 3116 3132 $post = get_post( (int) $_POST['post_ID'] ); … … 3119 3135 // the embed shortcode requires a post 3120 3136 if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) { 3121 if ( 'embed' === $shortcode) {3137 if ( in_array( 'embed', $found_shortcodes, true ) ) { 3122 3138 wp_send_json_error(); 3123 3139 } -
branches/4.8/src/wp-admin/includes/class-wp-comments-list-table.php
r41023 r56864 500 500 $this->user_can = current_user_can( 'edit_comment', $comment->comment_ID ); 501 501 502 $edit_post_cap = $post ? 'edit_post' : 'edit_posts'; 503 if ( 504 current_user_can( $edit_post_cap, $comment->comment_post_ID ) || 505 ( 506 empty( $post->post_password ) && 507 current_user_can( 'read_post', $comment->comment_post_ID ) 508 ) 509 ) { 510 // The user has access to the post 511 } else { 512 return false; 513 } 514 502 515 echo "<tr id='comment-$comment->comment_ID' class='$the_comment_class'>"; 503 516 $this->single_row_columns( $comment ); -
branches/4.8/src/wp-admin/includes/class-wp-list-table.php
r39600 r56864 655 655 $pending_phrase = sprintf( _n( '%s pending comment', '%s pending comments', $pending_comments ), $pending_comments_number ); 656 656 657 // No comments at all. 657 $post_object = get_post( $post_id ); 658 $edit_post_cap = $post_object ? 'edit_post' : 'edit_posts'; 659 if ( 660 current_user_can( $edit_post_cap, $post_id ) || 661 ( 662 empty( $post_object->post_password ) && 663 current_user_can( 'read_post', $post_id ) 664 ) 665 ) { 666 // The user has access to the post and thus can see comments 667 } else { 668 return false; 669 } 670 658 671 if ( ! $approved_comments && ! $pending_comments ) { 659 672 printf( '<span aria-hidden="true">—</span><span class="screen-reader-text">%s</span>', -
branches/4.8/src/wp-admin/includes/dashboard.php
r40866 r56864 920 920 921 921 echo '<ul id="the-comment-list" data-wp-lists="list:comment">'; 922 foreach ( $comments as $comment ) 923 _wp_dashboard_recent_comments_row( $comment ); 922 foreach ( $comments as $comment ) { 923 $comment_post = get_post( $comment->comment_post_ID ); 924 if ( 925 current_user_can( 'edit_post', $comment->comment_post_ID ) || 926 ( 927 empty( $comment_post->post_password ) && 928 current_user_can( 'read_post', $comment->comment_post_ID ) 929 ) 930 ) { 931 _wp_dashboard_recent_comments_row( $comment ); 932 } 933 } 924 934 echo '</ul>'; 925 935 -
branches/4.8/src/wp-includes/Requests/Hooks.php
r38049 r56864 66 66 return true; 67 67 } 68 69 public function __wakeup() { 70 throw new \LogicException( __CLASS__ . ' should never be unserialized' ); 71 } 68 72 } -
branches/4.8/src/wp-includes/Requests/IRI.php
r38727 r56864 704 704 } 705 705 706 public function __wakeup() { 707 $class_props = get_class_vars( __CLASS__ ); 708 $string_props = array( 'scheme', 'iuserinfo', 'ihost', 'port', 'ipath', 'iquery', 'ifragment' ); 709 $array_props = array( 'normalization' ); 710 foreach ( $class_props as $prop => $default_value ) { 711 if ( in_array( $prop, $string_props, true ) && ! is_string( $this->$prop ) ) { 712 throw new UnexpectedValueException(); 713 } elseif ( in_array( $prop, $array_props, true ) && ! is_array( $this->$prop ) ) { 714 throw new UnexpectedValueException(); 715 } 716 $this->$prop = null; 717 } 718 } 719 706 720 /** 707 721 * Set the entire IRI. Returns true on success, false on failure (if there -
branches/4.8/src/wp-includes/Requests/Session.php
r38049 r56864 228 228 } 229 229 230 public function __wakeup() { 231 throw new \LogicException( __CLASS__ . ' should never be unserialized' ); 232 } 233 230 234 /** 231 235 * Merge a request's data with the default data -
branches/4.8/src/wp-includes/class-wp-theme.php
r40301 r56864 548 548 549 549 /** 550 * Perform reinitialization tasks. 551 * 552 * Prevents a callback from being injected during unserialization of an object. 553 * 554 * @return void 555 */ 556 public function __wakeup() { 557 if ( $this->parent && ! $this->parent instanceof self ) { 558 throw new UnexpectedValueException(); 559 } 560 if ( $this->headers && ! is_array( $this->headers ) ) { 561 throw new UnexpectedValueException(); 562 } 563 foreach ( $this->headers as $value ) { 564 if ( ! is_string( $value ) ) { 565 throw new UnexpectedValueException(); 566 } 567 } 568 $this->headers_sanitized = array(); 569 } 570 571 /** 550 572 * Adds theme data to cache. 551 573 * … … 1515 1537 return strnatcasecmp( $a->display( 'Name', false, true ), $b->display( 'Name', false, true ) ); 1516 1538 } 1539 1540 private static function _check_headers_property_has_correct_type( $headers ) { 1541 if ( ! is_array( $headers ) ) { 1542 return false; 1543 } 1544 foreach ( $headers as $key => $value ) { 1545 if ( ! is_string( $key ) || ! is_string( $value ) ) { 1546 return false; 1547 } 1548 } 1549 return true; 1550 } 1517 1551 } -
branches/4.8/src/wp-includes/media.php
r55786 r56864 1690 1690 } 1691 1691 } elseif ( ! empty( $atts['exclude'] ) ) { 1692 $post_parent_id = $id; 1692 1693 $attachments = get_children( array( 'post_parent' => $id, 'exclude' => $atts['exclude'], 'post_status' => 'inherit', 'post_type' => 'attachment', 'post_mime_type' => 'image', 'order' => $atts['order'], 'orderby' => $atts['orderby'] ) ); 1693 1694 } else { 1695 $post_parent_id = $id; 1694 1696 $attachments = get_children( array( 'post_parent' => $id, 'post_status' => 'inherit', 'post_type' => 'attachment', 'post_mime_type' => 'image', 'order' => $atts['order'], 'orderby' => $atts['orderby'] ) ); 1697 } 1698 1699 if ( ! empty( $post_parent_id ) ) { 1700 $post_parent = get_post( $post_parent_id ); 1701 1702 // terminate the shortcode execution if user cannot read the post or password-protected 1703 if ( 1704 ( ! is_post_publicly_viewable( $post_parent->ID ) && ! current_user_can( 'read_post', $post_parent->ID ) ) 1705 || post_password_required( $post_parent ) ) { 1706 return ''; 1707 } 1695 1708 } 1696 1709 … … 1994 2007 } 1995 2008 2009 if ( ! empty( $args['post_parent'] ) ) { 2010 $post_parent = get_post( $id ); 2011 2012 // terminate the shortcode execution if user cannot read the post or password-protected 2013 if ( ! current_user_can( 'read_post', $post_parent->ID ) || post_password_required( $post_parent ) ) { 2014 return ''; 2015 } 2016 } 2017 1996 2018 if ( empty( $attachments ) ) { 1997 2019 return ''; -
branches/4.8/src/wp-includes/rest-api.php
r46494 r56864 749 749 750 750 if ( ! $result ) { 751 add_filter( 'rest_send_nocache_headers', '__return_true', 20 ); 751 752 return new WP_Error( 'rest_cookie_invalid_nonce', __( 'Cookie nonce is invalid' ), array( 'status' => 403 ) ); 752 753 } -
branches/4.8/src/wp-includes/rest-api/class-wp-rest-server.php
r41093 r56864 244 244 245 245 /** 246 * Send nocache headers on authenticated requests.246 * Filters whether the REST API is enabled. 247 247 * 248 248 * @since 4.4.0 249 * @deprecated 4.7.0 Use the rest_authentication_errors filter to restrict access to the API 250 * 251 * @param bool $rest_enabled Whether the REST API is enabled. Default true. 252 */ 253 apply_filters_deprecated( 'rest_enabled', array( true ), '4.7.0', 'rest_authentication_errors', 254 __( 'The REST API can no longer be completely disabled, the rest_authentication_errors filter can be used to restrict access to the API, instead.' ) 255 ); 256 257 /** 258 * Filters whether jsonp is enabled. 259 * 260 * @since 4.4.0 261 * 262 * @param bool $jsonp_enabled Whether jsonp is enabled. Default true. 263 */ 264 $jsonp_enabled = apply_filters( 'rest_jsonp_enabled', true ); 265 266 $jsonp_callback = null; 267 268 if ( isset( $_GET['_jsonp'] ) ) { 269 if ( ! $jsonp_enabled ) { 270 echo $this->json_error( 'rest_callback_disabled', __( 'JSONP support is disabled on this site.' ), 400 ); 271 return false; 272 } 273 274 $jsonp_callback = $_GET['_jsonp']; 275 if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) { 276 echo $this->json_error( 'rest_callback_invalid', __( 'Invalid JSONP callback function.' ), 400 ); 277 return false; 278 } 279 } 280 281 if ( empty( $path ) ) { 282 if ( isset( $_SERVER['PATH_INFO'] ) ) { 283 $path = $_SERVER['PATH_INFO']; 284 } else { 285 $path = '/'; 286 } 287 } 288 289 $request = new WP_REST_Request( $_SERVER['REQUEST_METHOD'], $path ); 290 291 $request->set_query_params( wp_unslash( $_GET ) ); 292 $request->set_body_params( wp_unslash( $_POST ) ); 293 $request->set_file_params( $_FILES ); 294 $request->set_headers( $this->get_headers( wp_unslash( $_SERVER ) ) ); 295 $request->set_body( $this->get_raw_data() ); 296 297 /* 298 * HTTP method override for clients that can't use PUT/PATCH/DELETE. First, we check 299 * $_GET['_method']. If that is not set, we check for the HTTP_X_HTTP_METHOD_OVERRIDE 300 * header. 301 */ 302 $method_overridden = false; 303 if ( isset( $_GET['_method'] ) ) { 304 $request->set_method( $_GET['_method'] ); 305 } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) { 306 $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ); 307 $method_overridden = true; 308 } 309 310 $result = $this->check_authentication(); 311 312 if ( ! is_wp_error( $result ) ) { 313 $result = $this->dispatch( $request ); 314 } 315 316 // Normalize to either WP_Error or WP_REST_Response... 317 $result = rest_ensure_response( $result ); 318 319 // ...then convert WP_Error across. 320 if ( is_wp_error( $result ) ) { 321 $result = $this->error_to_response( $result ); 322 } 323 324 /** 325 * Filters the API response. 326 * 327 * Allows modification of the response before returning. 328 * 329 * @since 4.4.0 330 * @since 4.5.0 Applied to embedded responses. 331 * 332 * @param WP_HTTP_Response $result Result to send to the client. Usually a WP_REST_Response. 333 * @param WP_REST_Server $this Server instance. 334 * @param WP_REST_Request $request Request used to generate the response. 335 */ 336 $result = apply_filters( 'rest_post_dispatch', rest_ensure_response( $result ), $this, $request ); 337 338 // Wrap the response in an envelope if asked for. 339 if ( isset( $_GET['_envelope'] ) ) { 340 $result = $this->envelope_response( $result, isset( $_GET['_embed'] ) ); 341 } 342 343 // Send extra data from response objects. 344 $headers = $result->get_headers(); 345 $this->send_headers( $headers ); 346 347 $code = $result->get_status(); 348 $this->set_status( $code ); 349 350 /** 351 * Filters whether the request has already been served. 352 * 353 * Allow sending the request manually - by returning true, the API result 354 * will not be sent to the client. 355 * 356 * @since 4.4.0 357 * 358 * @param bool $served Whether the request has already been served. 359 * Default false. 360 * @param WP_HTTP_Response $result Result to send to the client. Usually a WP_REST_Response. 361 * @param WP_REST_Request $request Request used to generate the response. 362 * @param WP_REST_Server $this Server instance. 363 */ 364 $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this ); 365 366 /** 367 * Filters whether to send nocache headers on a REST API request. 368 * 369 * @since 4.4.0 370 * @since 6.x.x Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php 249 371 * 250 372 * @param bool $rest_send_nocache_headers Whether to send no-cache headers. 251 373 */ 252 374 $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() ); 253 if ( $send_no_cache_headers ) { 375 376 // send no cache headers if the $send_no_cache_headers is true 377 // OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4xx response code. 378 if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) { 254 379 foreach ( wp_get_nocache_headers() as $header => $header_value ) { 255 380 if ( empty( $header_value ) ) { … … 260 385 } 261 386 } 262 263 /**264 * Filters whether the REST API is enabled.265 *266 * @since 4.4.0267 * @deprecated 4.7.0 Use the rest_authentication_errors filter to restrict access to the API268 *269 * @param bool $rest_enabled Whether the REST API is enabled. Default true.270 */271 apply_filters_deprecated( 'rest_enabled', array( true ), '4.7.0', 'rest_authentication_errors',272 __( 'The REST API can no longer be completely disabled, the rest_authentication_errors filter can be used to restrict access to the API, instead.' )273 );274 275 /**276 * Filters whether jsonp is enabled.277 *278 * @since 4.4.0279 *280 * @param bool $jsonp_enabled Whether jsonp is enabled. Default true.281 */282 $jsonp_enabled = apply_filters( 'rest_jsonp_enabled', true );283 284 $jsonp_callback = null;285 286 if ( isset( $_GET['_jsonp'] ) ) {287 if ( ! $jsonp_enabled ) {288 echo $this->json_error( 'rest_callback_disabled', __( 'JSONP support is disabled on this site.' ), 400 );289 return false;290 }291 292 $jsonp_callback = $_GET['_jsonp'];293 if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) {294 echo $this->json_error( 'rest_callback_invalid', __( 'Invalid JSONP callback function.' ), 400 );295 return false;296 }297 }298 299 if ( empty( $path ) ) {300 if ( isset( $_SERVER['PATH_INFO'] ) ) {301 $path = $_SERVER['PATH_INFO'];302 } else {303 $path = '/';304 }305 }306 307 $request = new WP_REST_Request( $_SERVER['REQUEST_METHOD'], $path );308 309 $request->set_query_params( wp_unslash( $_GET ) );310 $request->set_body_params( wp_unslash( $_POST ) );311 $request->set_file_params( $_FILES );312 $request->set_headers( $this->get_headers( wp_unslash( $_SERVER ) ) );313 $request->set_body( $this->get_raw_data() );314 315 /*316 * HTTP method override for clients that can't use PUT/PATCH/DELETE. First, we check317 * $_GET['_method']. If that is not set, we check for the HTTP_X_HTTP_METHOD_OVERRIDE318 * header.319 */320 if ( isset( $_GET['_method'] ) ) {321 $request->set_method( $_GET['_method'] );322 } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) {323 $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] );324 }325 326 $result = $this->check_authentication();327 328 if ( ! is_wp_error( $result ) ) {329 $result = $this->dispatch( $request );330 }331 332 // Normalize to either WP_Error or WP_REST_Response...333 $result = rest_ensure_response( $result );334 335 // ...then convert WP_Error across.336 if ( is_wp_error( $result ) ) {337 $result = $this->error_to_response( $result );338 }339 340 /**341 * Filters the API response.342 *343 * Allows modification of the response before returning.344 *345 * @since 4.4.0346 * @since 4.5.0 Applied to embedded responses.347 *348 * @param WP_HTTP_Response $result Result to send to the client. Usually a WP_REST_Response.349 * @param WP_REST_Server $this Server instance.350 * @param WP_REST_Request $request Request used to generate the response.351 */352 $result = apply_filters( 'rest_post_dispatch', rest_ensure_response( $result ), $this, $request );353 354 // Wrap the response in an envelope if asked for.355 if ( isset( $_GET['_envelope'] ) ) {356 $result = $this->envelope_response( $result, isset( $_GET['_embed'] ) );357 }358 359 // Send extra data from response objects.360 $headers = $result->get_headers();361 $this->send_headers( $headers );362 363 $code = $result->get_status();364 $this->set_status( $code );365 366 /**367 * Filters whether the request has already been served.368 *369 * Allow sending the request manually - by returning true, the API result370 * will not be sent to the client.371 *372 * @since 4.4.0373 *374 * @param bool $served Whether the request has already been served.375 * Default false.376 * @param WP_HTTP_Response $result Result to send to the client. Usually a WP_REST_Response.377 * @param WP_REST_Request $request Request used to generate the response.378 * @param WP_REST_Server $this Server instance.379 */380 $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this );381 387 382 388 if ( ! $served ) { -
branches/4.8/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
r40378 r56864 261 261 262 262 if ( ! empty( $prepared_args['search'] ) ) { 263 if ( ! current_user_can( 'list_users' ) ) { 264 $prepared_args['search_columns'] = array( 'ID', 'user_login', 'user_nicename', 'display_name' ); 265 } 263 266 $prepared_args['search'] = '*' . $prepared_args['search'] . '*'; 264 267 } -
branches/4.8/src/wp-includes/shortcodes.php
r39665 r56864 186 186 187 187 /** 188 * Search content for shortcodes and filter shortcodes through their hooks. 188 * Returns a list of registered shortcode names found in the given content. 189 * 190 * Example usage: 191 * 192 * get_shortcode_tags_in_content( '[audio src="file.mp3"][/audio] [foo] [gallery ids="1,2,3"]' ); 193 * // array( 'audio', 'gallery' ) 194 * 195 * @since 6.3.2 196 * 197 * @param string $content The content to check. 198 * @return string[] An array of registered shortcode names found in the content. 199 */ 200 function get_shortcode_tags_in_content( $content ) { 201 if ( false === strpos( $content, '[' ) ) { 202 return array(); 203 } 204 205 preg_match_all( '/' . get_shortcode_regex() . '/', $content, $matches, PREG_SET_ORDER ); 206 if ( empty( $matches ) ) { 207 return array(); 208 } 209 210 $tags = array(); 211 foreach ( $matches as $shortcode ) { 212 $tags[] = $shortcode[2]; 213 214 if ( ! empty( $shortcode[5] ) ) { 215 $deep_tags = get_shortcode_tags_in_content( $shortcode[5] ); 216 if ( ! empty( $deep_tags ) ) { 217 $tags = array_merge( $tags, $deep_tags ); 218 } 219 } 220 } 221 222 return $tags; 223 } 224 225 /** 226 * Searches content for shortcodes and filter shortcodes through their hooks. 189 227 * 190 228 * If there are no shortcode tags defined, then the content will be returned
Note: See TracChangeset
for help on using the changeset viewer.