Make WordPress Core


Ignore:
Timestamp:
10/12/2023 02:59:09 PM (8 months ago)
Author:
joemcgill
Message:

Grouped backports to the 6.0 branch.

  • REST API: Limit search_columns for users without list_users.
  • Comments: Prevent users who can not see a post from seeing comments on it.
  • Application Passwords: Prevent the use of some pseudo protocols in application passwords.
  • Restrict media shortcode ajax to certain type
  • REST API: Ensure no-cache headers are sent when methods are overriden.
  • Prevent unintended behavior when certain objects are unserialized.

Merges [56833], [56834], [56835], [56836], [56837], and [56838] to the 6.0 branch.
Props xknown, jorbin, Vortfu, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, martinkrcho, paulkevan, dd32, antpb, rmccue.

Location:
branches/6.0
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/6.0

  • branches/6.0/src/wp-includes/media.php

    r55773 r56870  
    23782378        }
    23792379    } elseif ( ! empty( $atts['exclude'] ) ) {
     2380        $post_parent_id = $id;
    23802381        $attachments = get_children(
    23812382            array(
     
    23902391        );
    23912392    } else {
     2393        $post_parent_id = $id;
    23922394        $attachments = get_children(
    23932395            array(
     
    24002402            )
    24012403        );
     2404    }
     2405
     2406    if ( ! empty( $post_parent_id ) ) {
     2407        $post_parent = get_post( $post_parent_id );
     2408
     2409        // terminate the shortcode execution if user cannot read the post or password-protected
     2410        if (
     2411        ( ! is_post_publicly_viewable( $post_parent->ID ) && ! current_user_can( 'read_post', $post_parent->ID ) )
     2412        || post_password_required( $post_parent ) ) {
     2413            return '';
     2414        }
    24022415    }
    24032416
     
    27282741    }
    27292742
     2743    if ( ! empty( $args['post_parent'] ) ) {
     2744        $post_parent = get_post( $id );
     2745
     2746        // terminate the shortcode execution if user cannot read the post or password-protected
     2747        if ( ! current_user_can( 'read_post', $post_parent->ID ) || post_password_required( $post_parent ) ) {
     2748            return '';
     2749        }
     2750    }
     2751
    27302752    if ( empty( $attachments ) ) {
    27312753        return '';
Note: See TracChangeset for help on using the changeset viewer.