Context Navigation

← Previous Change
Next Change →

class-wp-rest-server.php

Timestamp:

10/12/2023 02:59:09 PM (2 years ago)

Author:

joemcgill

Message:

Grouped backports to the 6.0 branch.

REST API: Limit search_columns for users without list_users.
Comments: Prevent users who can not see a post from seeing comments on it.
Application Passwords: Prevent the use of some pseudo protocols in application passwords.
Restrict media shortcode ajax to certain type
REST API: Ensure no-cache headers are sent when methods are overriden.
Prevent unintended behavior when certain objects are unserialized.

Merges [56833], [56834], [56835], [56836], [56837], and [56838] to the 6.0 branch.
Props xknown, jorbin, Vortfu, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, martinkrcho, paulkevan, dd32, antpb, rmccue.

Location:

branches/6.0

Files:

: 2 edited

. (modified) (1 prop)
src/wp-includes/rest-api/class-wp-rest-server.php (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

branches/6.0
- Property svn:mergeinfo changed
  /trunk merged: 56833-56838

branches/6.0/src/wp-includes/rest-api/class-wp-rest-server.php

-                      r53110
+                      r56870
         /**
-         * Filters whether to send nocache headers on a REST API request.
+         *
-         * @since 4.4.0
+         *
-         * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
-         */
-        $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
-        if ( $send_no_cache_headers ) {
-            foreach ( wp_get_nocache_headers() as $header => $header_value ) {
-                if ( empty( $header_value ) ) {
-                    $this->remove_header( $header );
-                } else {
-                    $this->send_header( $header, $header_value );
+                }
+            }
+        }
-        /**
          * Filters whether the REST API is enabled.
+         *
 …
          * header.
          */
+        $method_overridden = false;
         if ( isset( $_GET['_method'] ) ) {
             $request->set_method( $_GET['_method'] );
         } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) {
             $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] );
+            $method_overridden = true;
+        }
 …
          */
         $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this );
+        /**
+         * Filters whether to send nocache headers on a REST API request.
+         *
+         * @since 4.4.0
+         * @since 6.x.x Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php
+         *
+         * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
+         */
+        $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
+        // send no cache headers if the $send_no_cache_headers is true
+        // OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4xx response code.
+        if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) {
+            foreach ( wp_get_nocache_headers() as $header => $header_value ) {
+                if ( empty( $header_value ) ) {
+                    $this->remove_header( $header );
+                } else {
+                    $this->send_header( $header, $header_value );
+                }
+            }
+        }
         if ( ! $served ) {

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core

Context Navigation

Changeset 56870 for branches/6.0/src/wp-includes/rest-api/class-wp-rest-server.php

Legend:

branches/6.0

branches/6.0/src/wp-includes/rest-api/class-wp-rest-server.php

Download in other formats: