Changeset 56865
- Timestamp:
- 10/12/2023 02:51:26 PM (14 months ago)
- Location:
- branches/4.9/src
- Files:
-
- 13 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/4.9/src/wp-admin/includes/ajax-actions.php
r55787 r56865 3141 3141 $shortcode = wp_unslash( $_POST['shortcode'] ); 3142 3142 3143 // Only process previews for media related shortcodes: 3144 $found_shortcodes = get_shortcode_tags_in_content( $shortcode ); 3145 $media_shortcodes = array( 3146 'audio', 3147 'embed', 3148 'playlist', 3149 'video', 3150 'gallery', 3151 ); 3152 3153 $other_shortcodes = array_diff( $found_shortcodes, $media_shortcodes ); 3154 3155 if ( ! empty( $other_shortcodes ) ) { 3156 wp_send_json_error(); 3157 } 3158 3143 3159 if ( ! empty( $_POST['post_ID'] ) ) { 3144 3160 $post = get_post( (int) $_POST['post_ID'] ); … … 3147 3163 // the embed shortcode requires a post 3148 3164 if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) { 3149 if ( 'embed' === $shortcode) {3165 if ( in_array( 'embed', $found_shortcodes, true ) ) { 3150 3166 wp_send_json_error(); 3151 3167 } -
branches/4.9/src/wp-admin/includes/class-wp-comments-list-table.php
r41683 r56865 501 501 $this->user_can = current_user_can( 'edit_comment', $comment->comment_ID ); 502 502 503 $edit_post_cap = $post ? 'edit_post' : 'edit_posts'; 504 if ( 505 current_user_can( $edit_post_cap, $comment->comment_post_ID ) || 506 ( 507 empty( $post->post_password ) && 508 current_user_can( 'read_post', $comment->comment_post_ID ) 509 ) 510 ) { 511 // The user has access to the post 512 } else { 513 return false; 514 } 515 503 516 echo "<tr id='comment-$comment->comment_ID' class='$the_comment_class'>"; 504 517 $this->single_row_columns( $comment ); -
branches/4.9/src/wp-admin/includes/class-wp-list-table.php
r41161 r56865 623 623 $pending_phrase = sprintf( _n( '%s pending comment', '%s pending comments', $pending_comments ), $pending_comments_number ); 624 624 625 // No comments at all. 625 $post_object = get_post( $post_id ); 626 $edit_post_cap = $post_object ? 'edit_post' : 'edit_posts'; 627 if ( 628 current_user_can( $edit_post_cap, $post_id ) || 629 ( 630 empty( $post_object->post_password ) && 631 current_user_can( 'read_post', $post_id ) 632 ) 633 ) { 634 // The user has access to the post and thus can see comments 635 } else { 636 return false; 637 } 638 626 639 if ( ! $approved_comments && ! $pending_comments ) { 627 640 printf( '<span aria-hidden="true">—</span><span class="screen-reader-text">%s</span>', -
branches/4.9/src/wp-admin/includes/dashboard.php
r44106 r56865 920 920 921 921 echo '<ul id="the-comment-list" data-wp-lists="list:comment">'; 922 foreach ( $comments as $comment ) 923 _wp_dashboard_recent_comments_row( $comment ); 922 foreach ( $comments as $comment ) { 923 $comment_post = get_post( $comment->comment_post_ID ); 924 if ( 925 current_user_can( 'edit_post', $comment->comment_post_ID ) || 926 ( 927 empty( $comment_post->post_password ) && 928 current_user_can( 'read_post', $comment->comment_post_ID ) 929 ) 930 ) { 931 _wp_dashboard_recent_comments_row( $comment ); 932 } 933 } 924 934 echo '</ul>'; 925 935 -
branches/4.9/src/wp-includes/Requests/Hooks.php
r38049 r56865 66 66 return true; 67 67 } 68 69 public function __wakeup() { 70 throw new \LogicException( __CLASS__ . ' should never be unserialized' ); 71 } 68 72 } -
branches/4.9/src/wp-includes/Requests/IRI.php
r38727 r56865 704 704 } 705 705 706 public function __wakeup() { 707 $class_props = get_class_vars( __CLASS__ ); 708 $string_props = array( 'scheme', 'iuserinfo', 'ihost', 'port', 'ipath', 'iquery', 'ifragment' ); 709 $array_props = array( 'normalization' ); 710 foreach ( $class_props as $prop => $default_value ) { 711 if ( in_array( $prop, $string_props, true ) && ! is_string( $this->$prop ) ) { 712 throw new UnexpectedValueException(); 713 } elseif ( in_array( $prop, $array_props, true ) && ! is_array( $this->$prop ) ) { 714 throw new UnexpectedValueException(); 715 } 716 $this->$prop = null; 717 } 718 } 719 706 720 /** 707 721 * Set the entire IRI. Returns true on success, false on failure (if there -
branches/4.9/src/wp-includes/Requests/Session.php
r38049 r56865 228 228 } 229 229 230 public function __wakeup() { 231 throw new \LogicException( __CLASS__ . ' should never be unserialized' ); 232 } 233 230 234 /** 231 235 * Merge a request's data with the default data -
branches/4.9/src/wp-includes/class-wp-theme.php
r43028 r56865 536 536 537 537 /** 538 * Perform reinitialization tasks. 539 * 540 * Prevents a callback from being injected during unserialization of an object. 541 * 542 * @return void 543 */ 544 public function __wakeup() { 545 if ( $this->parent && ! $this->parent instanceof self ) { 546 throw new UnexpectedValueException(); 547 } 548 if ( $this->headers && ! is_array( $this->headers ) ) { 549 throw new UnexpectedValueException(); 550 } 551 foreach ( $this->headers as $value ) { 552 if ( ! is_string( $value ) ) { 553 throw new UnexpectedValueException(); 554 } 555 } 556 $this->headers_sanitized = array(); 557 } 558 559 /** 538 560 * Adds theme data to cache. 539 561 * … … 1487 1509 return strnatcasecmp( $a->display( 'Name', false, true ), $b->display( 'Name', false, true ) ); 1488 1510 } 1511 1512 private static function _check_headers_property_has_correct_type( $headers ) { 1513 if ( ! is_array( $headers ) ) { 1514 return false; 1515 } 1516 foreach ( $headers as $key => $value ) { 1517 if ( ! is_string( $key ) || ! is_string( $value ) ) { 1518 return false; 1519 } 1520 } 1521 return true; 1522 } 1489 1523 } -
branches/4.9/src/wp-includes/media.php
r55787 r56865 1688 1688 } 1689 1689 } elseif ( ! empty( $atts['exclude'] ) ) { 1690 $post_parent_id = $id; 1690 1691 $attachments = get_children( array( 'post_parent' => $id, 'exclude' => $atts['exclude'], 'post_status' => 'inherit', 'post_type' => 'attachment', 'post_mime_type' => 'image', 'order' => $atts['order'], 'orderby' => $atts['orderby'] ) ); 1691 1692 } else { 1693 $post_parent_id = $id; 1692 1694 $attachments = get_children( array( 'post_parent' => $id, 'post_status' => 'inherit', 'post_type' => 'attachment', 'post_mime_type' => 'image', 'order' => $atts['order'], 'orderby' => $atts['orderby'] ) ); 1695 } 1696 1697 if ( ! empty( $post_parent_id ) ) { 1698 $post_parent = get_post( $post_parent_id ); 1699 1700 // terminate the shortcode execution if user cannot read the post or password-protected 1701 if ( 1702 ( ! is_post_publicly_viewable( $post_parent->ID ) && ! current_user_can( 'read_post', $post_parent->ID ) ) 1703 || post_password_required( $post_parent ) ) { 1704 return ''; 1705 } 1693 1706 } 1694 1707 … … 1992 2005 } 1993 2006 2007 if ( ! empty( $args['post_parent'] ) ) { 2008 $post_parent = get_post( $id ); 2009 2010 // terminate the shortcode execution if user cannot read the post or password-protected 2011 if ( ! current_user_can( 'read_post', $post_parent->ID ) || post_password_required( $post_parent ) ) { 2012 return ''; 2013 } 2014 } 2015 1994 2016 if ( empty( $attachments ) ) { 1995 2017 return ''; -
branches/4.9/src/wp-includes/rest-api.php
r46493 r56865 784 784 785 785 if ( ! $result ) { 786 add_filter( 'rest_send_nocache_headers', '__return_true', 20 ); 786 787 return new WP_Error( 'rest_cookie_invalid_nonce', __( 'Cookie nonce is invalid' ), array( 'status' => 403 ) ); 787 788 } -
branches/4.9/src/wp-includes/rest-api/class-wp-rest-server.php
r42422 r56865 236 236 237 237 /** 238 * Send nocache headers on authenticated requests.238 * Filters whether the REST API is enabled. 239 239 * 240 240 * @since 4.4.0 241 * @deprecated 4.7.0 Use the rest_authentication_errors filter to restrict access to the API 242 * 243 * @param bool $rest_enabled Whether the REST API is enabled. Default true. 244 */ 245 apply_filters_deprecated( 'rest_enabled', array( true ), '4.7.0', 'rest_authentication_errors', 246 __( 'The REST API can no longer be completely disabled, the rest_authentication_errors filter can be used to restrict access to the API, instead.' ) 247 ); 248 249 /** 250 * Filters whether jsonp is enabled. 251 * 252 * @since 4.4.0 253 * 254 * @param bool $jsonp_enabled Whether jsonp is enabled. Default true. 255 */ 256 $jsonp_enabled = apply_filters( 'rest_jsonp_enabled', true ); 257 258 $jsonp_callback = null; 259 260 if ( isset( $_GET['_jsonp'] ) ) { 261 if ( ! $jsonp_enabled ) { 262 echo $this->json_error( 'rest_callback_disabled', __( 'JSONP support is disabled on this site.' ), 400 ); 263 return false; 264 } 265 266 $jsonp_callback = $_GET['_jsonp']; 267 if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) { 268 echo $this->json_error( 'rest_callback_invalid', __( 'Invalid JSONP callback function.' ), 400 ); 269 return false; 270 } 271 } 272 273 if ( empty( $path ) ) { 274 if ( isset( $_SERVER['PATH_INFO'] ) ) { 275 $path = $_SERVER['PATH_INFO']; 276 } else { 277 $path = '/'; 278 } 279 } 280 281 $request = new WP_REST_Request( $_SERVER['REQUEST_METHOD'], $path ); 282 283 $request->set_query_params( wp_unslash( $_GET ) ); 284 $request->set_body_params( wp_unslash( $_POST ) ); 285 $request->set_file_params( $_FILES ); 286 $request->set_headers( $this->get_headers( wp_unslash( $_SERVER ) ) ); 287 $request->set_body( $this->get_raw_data() ); 288 289 /* 290 * HTTP method override for clients that can't use PUT/PATCH/DELETE. First, we check 291 * $_GET['_method']. If that is not set, we check for the HTTP_X_HTTP_METHOD_OVERRIDE 292 * header. 293 */ 294 $method_overridden = false; 295 if ( isset( $_GET['_method'] ) ) { 296 $request->set_method( $_GET['_method'] ); 297 } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) { 298 $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ); 299 $method_overridden = true; 300 } 301 302 $result = $this->check_authentication(); 303 304 if ( ! is_wp_error( $result ) ) { 305 $result = $this->dispatch( $request ); 306 } 307 308 // Normalize to either WP_Error or WP_REST_Response... 309 $result = rest_ensure_response( $result ); 310 311 // ...then convert WP_Error across. 312 if ( is_wp_error( $result ) ) { 313 $result = $this->error_to_response( $result ); 314 } 315 316 /** 317 * Filters the API response. 318 * 319 * Allows modification of the response before returning. 320 * 321 * @since 4.4.0 322 * @since 4.5.0 Applied to embedded responses. 323 * 324 * @param WP_HTTP_Response $result Result to send to the client. Usually a WP_REST_Response. 325 * @param WP_REST_Server $this Server instance. 326 * @param WP_REST_Request $request Request used to generate the response. 327 */ 328 $result = apply_filters( 'rest_post_dispatch', rest_ensure_response( $result ), $this, $request ); 329 330 // Wrap the response in an envelope if asked for. 331 if ( isset( $_GET['_envelope'] ) ) { 332 $result = $this->envelope_response( $result, isset( $_GET['_embed'] ) ); 333 } 334 335 // Send extra data from response objects. 336 $headers = $result->get_headers(); 337 $this->send_headers( $headers ); 338 339 $code = $result->get_status(); 340 $this->set_status( $code ); 341 342 /** 343 * Filters whether the request has already been served. 344 * 345 * Allow sending the request manually - by returning true, the API result 346 * will not be sent to the client. 347 * 348 * @since 4.4.0 349 * 350 * @param bool $served Whether the request has already been served. 351 * Default false. 352 * @param WP_HTTP_Response $result Result to send to the client. Usually a WP_REST_Response. 353 * @param WP_REST_Request $request Request used to generate the response. 354 * @param WP_REST_Server $this Server instance. 355 */ 356 $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this ); 357 358 /** 359 * Filters whether to send nocache headers on a REST API request. 360 * 361 * @since 4.4.0 362 * @since 6.x.x Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php 241 363 * 242 364 * @param bool $rest_send_nocache_headers Whether to send no-cache headers. 243 365 */ 244 366 $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() ); 245 if ( $send_no_cache_headers ) { 367 368 // send no cache headers if the $send_no_cache_headers is true 369 // OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4xx response code. 370 if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) { 246 371 foreach ( wp_get_nocache_headers() as $header => $header_value ) { 247 372 if ( empty( $header_value ) ) { … … 252 377 } 253 378 } 254 255 /**256 * Filters whether the REST API is enabled.257 *258 * @since 4.4.0259 * @deprecated 4.7.0 Use the rest_authentication_errors filter to restrict access to the API260 *261 * @param bool $rest_enabled Whether the REST API is enabled. Default true.262 */263 apply_filters_deprecated( 'rest_enabled', array( true ), '4.7.0', 'rest_authentication_errors',264 __( 'The REST API can no longer be completely disabled, the rest_authentication_errors filter can be used to restrict access to the API, instead.' )265 );266 267 /**268 * Filters whether jsonp is enabled.269 *270 * @since 4.4.0271 *272 * @param bool $jsonp_enabled Whether jsonp is enabled. Default true.273 */274 $jsonp_enabled = apply_filters( 'rest_jsonp_enabled', true );275 276 $jsonp_callback = null;277 278 if ( isset( $_GET['_jsonp'] ) ) {279 if ( ! $jsonp_enabled ) {280 echo $this->json_error( 'rest_callback_disabled', __( 'JSONP support is disabled on this site.' ), 400 );281 return false;282 }283 284 $jsonp_callback = $_GET['_jsonp'];285 if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) {286 echo $this->json_error( 'rest_callback_invalid', __( 'Invalid JSONP callback function.' ), 400 );287 return false;288 }289 }290 291 if ( empty( $path ) ) {292 if ( isset( $_SERVER['PATH_INFO'] ) ) {293 $path = $_SERVER['PATH_INFO'];294 } else {295 $path = '/';296 }297 }298 299 $request = new WP_REST_Request( $_SERVER['REQUEST_METHOD'], $path );300 301 $request->set_query_params( wp_unslash( $_GET ) );302 $request->set_body_params( wp_unslash( $_POST ) );303 $request->set_file_params( $_FILES );304 $request->set_headers( $this->get_headers( wp_unslash( $_SERVER ) ) );305 $request->set_body( $this->get_raw_data() );306 307 /*308 * HTTP method override for clients that can't use PUT/PATCH/DELETE. First, we check309 * $_GET['_method']. If that is not set, we check for the HTTP_X_HTTP_METHOD_OVERRIDE310 * header.311 */312 if ( isset( $_GET['_method'] ) ) {313 $request->set_method( $_GET['_method'] );314 } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) {315 $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] );316 }317 318 $result = $this->check_authentication();319 320 if ( ! is_wp_error( $result ) ) {321 $result = $this->dispatch( $request );322 }323 324 // Normalize to either WP_Error or WP_REST_Response...325 $result = rest_ensure_response( $result );326 327 // ...then convert WP_Error across.328 if ( is_wp_error( $result ) ) {329 $result = $this->error_to_response( $result );330 }331 332 /**333 * Filters the API response.334 *335 * Allows modification of the response before returning.336 *337 * @since 4.4.0338 * @since 4.5.0 Applied to embedded responses.339 *340 * @param WP_HTTP_Response $result Result to send to the client. Usually a WP_REST_Response.341 * @param WP_REST_Server $this Server instance.342 * @param WP_REST_Request $request Request used to generate the response.343 */344 $result = apply_filters( 'rest_post_dispatch', rest_ensure_response( $result ), $this, $request );345 346 // Wrap the response in an envelope if asked for.347 if ( isset( $_GET['_envelope'] ) ) {348 $result = $this->envelope_response( $result, isset( $_GET['_embed'] ) );349 }350 351 // Send extra data from response objects.352 $headers = $result->get_headers();353 $this->send_headers( $headers );354 355 $code = $result->get_status();356 $this->set_status( $code );357 358 /**359 * Filters whether the request has already been served.360 *361 * Allow sending the request manually - by returning true, the API result362 * will not be sent to the client.363 *364 * @since 4.4.0365 *366 * @param bool $served Whether the request has already been served.367 * Default false.368 * @param WP_HTTP_Response $result Result to send to the client. Usually a WP_REST_Response.369 * @param WP_REST_Request $request Request used to generate the response.370 * @param WP_REST_Server $this Server instance.371 */372 $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this );373 379 374 380 if ( ! $served ) { -
branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
r43445 r56865 272 272 273 273 if ( ! empty( $prepared_args['search'] ) ) { 274 if ( ! current_user_can( 'list_users' ) ) { 275 $prepared_args['search_columns'] = array( 'ID', 'user_login', 'user_nicename', 'display_name' ); 276 } 274 277 $prepared_args['search'] = '*' . $prepared_args['search'] . '*'; 275 278 } -
branches/4.9/src/wp-includes/shortcodes.php
r41286 r56865 160 160 161 161 /** 162 * Search content for shortcodes and filter shortcodes through their hooks. 162 * Returns a list of registered shortcode names found in the given content. 163 * 164 * Example usage: 165 * 166 * get_shortcode_tags_in_content( '[audio src="file.mp3"][/audio] [foo] [gallery ids="1,2,3"]' ); 167 * // array( 'audio', 'gallery' ) 168 * 169 * @since 6.3.2 170 * 171 * @param string $content The content to check. 172 * @return string[] An array of registered shortcode names found in the content. 173 */ 174 function get_shortcode_tags_in_content( $content ) { 175 if ( false === strpos( $content, '[' ) ) { 176 return array(); 177 } 178 179 preg_match_all( '/' . get_shortcode_regex() . '/', $content, $matches, PREG_SET_ORDER ); 180 if ( empty( $matches ) ) { 181 return array(); 182 } 183 184 $tags = array(); 185 foreach ( $matches as $shortcode ) { 186 $tags[] = $shortcode[2]; 187 188 if ( ! empty( $shortcode[5] ) ) { 189 $deep_tags = get_shortcode_tags_in_content( $shortcode[5] ); 190 if ( ! empty( $deep_tags ) ) { 191 $tags = array_merge( $tags, $deep_tags ); 192 } 193 } 194 } 195 196 return $tags; 197 } 198 199 /** 200 * Searches content for shortcodes and filter shortcodes through their hooks. 163 201 * 164 202 * If there are no shortcode tags defined, then the content will be returned
Note: See TracChangeset
for help on using the changeset viewer.