Changeset 56870
- Timestamp:
- 10/12/2023 02:59:09 PM (14 months ago)
- Location:
- branches/6.0
- Files:
-
- 17 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/6.0
- Property svn:mergeinfo changed
/trunk merged: 56833-56838
- Property svn:mergeinfo changed
-
branches/6.0/src/wp-admin/includes/ajax-actions.php
r55773 r56870 3823 3823 $shortcode = wp_unslash( $_POST['shortcode'] ); 3824 3824 3825 // Only process previews for media related shortcodes: 3826 $found_shortcodes = get_shortcode_tags_in_content( $shortcode ); 3827 $media_shortcodes = array( 3828 'audio', 3829 'embed', 3830 'playlist', 3831 'video', 3832 'gallery', 3833 ); 3834 3835 $other_shortcodes = array_diff( $found_shortcodes, $media_shortcodes ); 3836 3837 if ( ! empty( $other_shortcodes ) ) { 3838 wp_send_json_error(); 3839 } 3840 3825 3841 if ( ! empty( $_POST['post_ID'] ) ) { 3826 3842 $post = get_post( (int) $_POST['post_ID'] ); … … 3829 3845 // The embed shortcode requires a post. 3830 3846 if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) { 3831 if ( 'embed' === $shortcode) {3847 if ( in_array( 'embed', $found_shortcodes, true ) ) { 3832 3848 wp_send_json_error(); 3833 3849 } -
branches/6.0/src/wp-admin/includes/class-wp-comments-list-table.php
r52957 r56870 640 640 641 641 $this->user_can = current_user_can( 'edit_comment', $comment->comment_ID ); 642 643 $edit_post_cap = $post ? 'edit_post' : 'edit_posts'; 644 if ( 645 current_user_can( $edit_post_cap, $comment->comment_post_ID ) || 646 ( 647 empty( $post->post_password ) && 648 current_user_can( 'read_post', $comment->comment_post_ID ) 649 ) 650 ) { 651 // The user has access to the post 652 } else { 653 return false; 654 } 642 655 643 656 echo "<tr id='comment-$comment->comment_ID' class='$the_comment_class'>"; -
branches/6.0/src/wp-admin/includes/class-wp-list-table.php
r53040 r56870 739 739 $pending_comments_number 740 740 ); 741 742 $post_object = get_post( $post_id ); 743 $edit_post_cap = $post_object ? 'edit_post' : 'edit_posts'; 744 if ( 745 current_user_can( $edit_post_cap, $post_id ) || 746 ( 747 empty( $post_object->post_password ) && 748 current_user_can( 'read_post', $post_id ) 749 ) 750 ) { 751 // The user has access to the post and thus can see comments 752 } else { 753 return false; 754 } 741 755 742 756 if ( ! $approved_comments && ! $pending_comments ) { -
branches/6.0/src/wp-admin/includes/dashboard.php
r53385 r56870 1086 1086 echo '<ul id="the-comment-list" data-wp-lists="list:comment">'; 1087 1087 foreach ( $comments as $comment ) { 1088 _wp_dashboard_recent_comments_row( $comment ); 1088 1089 $comment_post = get_post( $comment->comment_post_ID ); 1090 if ( 1091 current_user_can( 'edit_post', $comment->comment_post_ID ) || 1092 ( 1093 empty( $comment_post->post_password ) && 1094 current_user_can( 'read_post', $comment->comment_post_ID ) 1095 ) 1096 ) { 1097 _wp_dashboard_recent_comments_row( $comment ); 1098 } 1089 1099 } 1090 1100 echo '</ul>'; -
branches/6.0/src/wp-admin/includes/user.php
r53063 r56870 607 607 * 608 608 * @since 5.6.0 609 * @since 6.2.0 Allow insecure HTTP connections for the local environment. 610 * @since 6.3.2 Validates the success and reject URLs to prevent javascript pseudo protocol being executed. 609 611 * 610 612 * @param array $request { … … 622 624 $error = new WP_Error(); 623 625 624 if ( ! empty( $request['success_url'] ) ) { 625 $scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME ); 626 627 if ( 'http' === $scheme ) { 626 if ( isset( $request['success_url'] ) ) { 627 $validated_success_url = wp_is_authorize_application_redirect_url_valid( $request['success_url'] ); 628 if ( is_wp_error( $validated_success_url ) ) { 628 629 $error->add( 629 'invalid_redirect_scheme',630 __( 'The success URL must be served over a secure connection.')630 $validated_success_url->get_error_code(), 631 $validated_success_url->get_error_message() 631 632 ); 632 633 } 633 634 } 634 635 635 if ( ! empty( $request['reject_url'] ) ) { 636 $scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME ); 637 638 if ( 'http' === $scheme ) { 636 if ( isset( $request['reject_url'] ) ) { 637 $validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] ); 638 if ( is_wp_error( $validated_reject_url ) ) { 639 639 $error->add( 640 'invalid_redirect_scheme',641 __( 'The rejection URL must be served over a secure connection.')640 $validated_reject_url->get_error_code(), 641 $validated_reject_url->get_error_message() 642 642 ); 643 643 } … … 668 668 return true; 669 669 } 670 671 /** 672 * Validates the redirect URL protocol scheme. The protocol can be anything except http and javascript. 673 * 674 * @since 6.3.2 675 * 676 * @param string $url - The redirect URL to be validated. 677 * 678 * @return true|WP_Error True if the redirect URL is valid, a WP_Error object otherwise. 679 */ 680 function wp_is_authorize_application_redirect_url_valid( $url ) { 681 $bad_protocols = array( 'javascript', 'data' ); 682 if ( empty( $url ) ) { 683 return true; 684 } 685 686 // Based on https://www.rfc-editor.org/rfc/rfc2396#section-3.1 687 $valid_scheme_regex = '/^[a-zA-Z][a-zA-Z0-9+.-]*:/'; 688 if ( ! preg_match( $valid_scheme_regex, $url ) ) { 689 return new WP_Error( 690 'invalid_redirect_url_format', 691 __( 'Invalid URL format.' ) 692 ); 693 } 694 695 /** 696 * Filters the list of invalid protocols used in applications redirect URLs. 697 * 698 * @since 6.3.2 699 * 700 * @param string[] $bad_protocols Array of invalid protocols. 701 * @param string $url The redirect URL to be validated. 702 */ 703 $invalid_protocols = array_map( 'strtolower', apply_filters( 'wp_authorize_application_redirect_url_invalid_protocols', $bad_protocols, $url ) ); 704 705 $scheme = wp_parse_url( $url, PHP_URL_SCHEME ); 706 $host = wp_parse_url( $url, PHP_URL_HOST ); 707 $is_local = 'local' === wp_get_environment_type(); 708 709 // validates if the proper URI format is applied to the $url 710 if ( empty( $host ) || empty( $scheme ) || in_array( strtolower( $scheme ), $invalid_protocols, true ) ) { 711 return new WP_Error( 712 'invalid_redirect_url_format', 713 __( 'Invalid URL format.' ) 714 ); 715 } 716 717 if ( 'http' === $scheme && ! $is_local ) { 718 return new WP_Error( 719 'invalid_redirect_scheme', 720 __( 'The URL must be served over a secure connection.' ) 721 ); 722 } 723 724 return true; 725 } -
branches/6.0/src/wp-includes/Requests/Hooks.php
r52328 r56870 66 66 return true; 67 67 } 68 69 public function __wakeup() { 70 throw new \LogicException( __CLASS__ . ' should never be unserialized' ); 71 } 68 72 } -
branches/6.0/src/wp-includes/Requests/IRI.php
r52328 r56870 706 706 } 707 707 708 public function __wakeup() { 709 $class_props = get_class_vars( __CLASS__ ); 710 $string_props = array( 'scheme', 'iuserinfo', 'ihost', 'port', 'ipath', 'iquery', 'ifragment' ); 711 $array_props = array( 'normalization' ); 712 foreach ( $class_props as $prop => $default_value ) { 713 if ( in_array( $prop, $string_props, true ) && ! is_string( $this->$prop ) ) { 714 throw new UnexpectedValueException(); 715 } elseif ( in_array( $prop, $array_props, true ) && ! is_array( $this->$prop ) ) { 716 throw new UnexpectedValueException(); 717 } 718 $this->$prop = null; 719 } 720 } 721 708 722 /** 709 723 * Set the entire IRI. Returns true on success, false on failure (if there -
branches/6.0/src/wp-includes/Requests/Session.php
r52328 r56870 230 230 } 231 231 232 public function __wakeup() { 233 throw new \LogicException( __CLASS__ . ' should never be unserialized' ); 234 } 235 232 236 /** 233 237 * Merge a request's data with the default data -
branches/6.0/src/wp-includes/class-wp-block-patterns-registry.php
r53405 r56870 187 187 } 188 188 189 public function __wakeup() { 190 if ( ! $this->registered_patterns ) { 191 return; 192 } 193 if ( ! is_array( $this->registered_patterns ) ) { 194 throw new UnexpectedValueException(); 195 } 196 foreach ( $this->registered_patterns as $value ) { 197 if ( ! is_array( $value ) ) { 198 throw new UnexpectedValueException(); 199 } 200 } 201 $this->registered_patterns_outside_init = array(); 202 } 203 189 204 /** 190 205 * Utility method to retrieve the main instance of the class. -
branches/6.0/src/wp-includes/class-wp-block-type-registry.php
r51154 r56870 168 168 } 169 169 170 public function __wakeup() { 171 if ( ! $this->registered_block_types ) { 172 return; 173 } 174 if ( ! is_array( $this->registered_block_types ) ) { 175 throw new UnexpectedValueException(); 176 } 177 foreach ( $this->registered_block_types as $value ) { 178 if ( ! $value instanceof WP_Block_Type ) { 179 throw new UnexpectedValueException(); 180 } 181 } 182 } 183 170 184 /** 171 185 * Utility method to retrieve the main instance of the class. -
branches/6.0/src/wp-includes/class-wp-theme.php
r53417 r56870 715 715 716 716 /** 717 * Perform reinitialization tasks. 718 * 719 * Prevents a callback from being injected during unserialization of an object. 720 * 721 * @return void 722 */ 723 public function __wakeup() { 724 if ( $this->parent && ! $this->parent instanceof self ) { 725 throw new UnexpectedValueException(); 726 } 727 if ( $this->headers && ! is_array( $this->headers ) ) { 728 throw new UnexpectedValueException(); 729 } 730 foreach ( $this->headers as $value ) { 731 if ( ! is_string( $value ) ) { 732 throw new UnexpectedValueException(); 733 } 734 } 735 $this->headers_sanitized = array(); 736 } 737 738 /** 717 739 * Adds theme data to cache. 718 740 * … … 1772 1794 return strnatcasecmp( $a->name_translated, $b->name_translated ); 1773 1795 } 1796 1797 private static function _check_headers_property_has_correct_type( $headers ) { 1798 if ( ! is_array( $headers ) ) { 1799 return false; 1800 } 1801 foreach ( $headers as $key => $value ) { 1802 if ( ! is_string( $key ) || ! is_string( $value ) ) { 1803 return false; 1804 } 1805 } 1806 return true; 1807 } 1774 1808 } -
branches/6.0/src/wp-includes/media.php
r55773 r56870 2378 2378 } 2379 2379 } elseif ( ! empty( $atts['exclude'] ) ) { 2380 $post_parent_id = $id; 2380 2381 $attachments = get_children( 2381 2382 array( … … 2390 2391 ); 2391 2392 } else { 2393 $post_parent_id = $id; 2392 2394 $attachments = get_children( 2393 2395 array( … … 2400 2402 ) 2401 2403 ); 2404 } 2405 2406 if ( ! empty( $post_parent_id ) ) { 2407 $post_parent = get_post( $post_parent_id ); 2408 2409 // terminate the shortcode execution if user cannot read the post or password-protected 2410 if ( 2411 ( ! is_post_publicly_viewable( $post_parent->ID ) && ! current_user_can( 'read_post', $post_parent->ID ) ) 2412 || post_password_required( $post_parent ) ) { 2413 return ''; 2414 } 2402 2415 } 2403 2416 … … 2728 2741 } 2729 2742 2743 if ( ! empty( $args['post_parent'] ) ) { 2744 $post_parent = get_post( $id ); 2745 2746 // terminate the shortcode execution if user cannot read the post or password-protected 2747 if ( ! current_user_can( 'read_post', $post_parent->ID ) || post_password_required( $post_parent ) ) { 2748 return ''; 2749 } 2750 } 2751 2730 2752 if ( empty( $attachments ) ) { 2731 2753 return ''; -
branches/6.0/src/wp-includes/rest-api.php
r53217 r56870 1053 1053 1054 1054 if ( ! $result ) { 1055 add_filter( 'rest_send_nocache_headers', '__return_true', 20 ); 1055 1056 return new WP_Error( 'rest_cookie_invalid_nonce', __( 'Cookie check failed' ), array( 'status' => 403 ) ); 1056 1057 } -
branches/6.0/src/wp-includes/rest-api/class-wp-rest-server.php
r53110 r56870 332 332 333 333 /** 334 * Filters whether to send nocache headers on a REST API request.335 *336 * @since 4.4.0337 *338 * @param bool $rest_send_nocache_headers Whether to send no-cache headers.339 */340 $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );341 if ( $send_no_cache_headers ) {342 foreach ( wp_get_nocache_headers() as $header => $header_value ) {343 if ( empty( $header_value ) ) {344 $this->remove_header( $header );345 } else {346 $this->send_header( $header, $header_value );347 }348 }349 }350 351 /**352 334 * Filters whether the REST API is enabled. 353 335 * … … 403 385 * header. 404 386 */ 387 $method_overridden = false; 405 388 if ( isset( $_GET['_method'] ) ) { 406 389 $request->set_method( $_GET['_method'] ); 407 390 } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) { 408 391 $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ); 392 $method_overridden = true; 409 393 } 410 394 … … 465 449 */ 466 450 $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this ); 451 452 /** 453 * Filters whether to send nocache headers on a REST API request. 454 * 455 * @since 4.4.0 456 * @since 6.x.x Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php 457 * 458 * @param bool $rest_send_nocache_headers Whether to send no-cache headers. 459 */ 460 $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() ); 461 462 // send no cache headers if the $send_no_cache_headers is true 463 // OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4xx response code. 464 if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) { 465 foreach ( wp_get_nocache_headers() as $header => $header_value ) { 466 if ( empty( $header_value ) ) { 467 $this->remove_header( $header ); 468 } else { 469 $this->send_header( $header, $header_value ); 470 } 471 } 472 } 467 473 468 474 if ( ! $served ) { -
branches/6.0/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
r52978 r56870 319 319 320 320 if ( ! empty( $prepared_args['search'] ) ) { 321 if ( ! current_user_can( 'list_users' ) ) { 322 $prepared_args['search_columns'] = array( 'ID', 'user_login', 'user_nicename', 'display_name' ); 323 } 321 324 $prepared_args['search'] = '*' . $prepared_args['search'] . '*'; 322 325 } -
branches/6.0/src/wp-includes/shortcodes.php
r51154 r56870 171 171 172 172 /** 173 * Search content for shortcodes and filter shortcodes through their hooks. 173 * Returns a list of registered shortcode names found in the given content. 174 * 175 * Example usage: 176 * 177 * get_shortcode_tags_in_content( '[audio src="file.mp3"][/audio] [foo] [gallery ids="1,2,3"]' ); 178 * // array( 'audio', 'gallery' ) 179 * 180 * @since 6.3.2 181 * 182 * @param string $content The content to check. 183 * @return string[] An array of registered shortcode names found in the content. 184 */ 185 function get_shortcode_tags_in_content( $content ) { 186 if ( false === strpos( $content, '[' ) ) { 187 return array(); 188 } 189 190 preg_match_all( '/' . get_shortcode_regex() . '/', $content, $matches, PREG_SET_ORDER ); 191 if ( empty( $matches ) ) { 192 return array(); 193 } 194 195 $tags = array(); 196 foreach ( $matches as $shortcode ) { 197 $tags[] = $shortcode[2]; 198 199 if ( ! empty( $shortcode[5] ) ) { 200 $deep_tags = get_shortcode_tags_in_content( $shortcode[5] ); 201 if ( ! empty( $deep_tags ) ) { 202 $tags = array_merge( $tags, $deep_tags ); 203 } 204 } 205 } 206 207 return $tags; 208 } 209 210 /** 211 * Searches content for shortcodes and filter shortcodes through their hooks. 174 212 * 175 213 * This function is an alias for do_shortcode().
Note: See TracChangeset
for help on using the changeset viewer.