Changeset 56873
- Timestamp:
- 10/12/2023 03:02:41 PM (14 months ago)
- Location:
- branches/5.1
- Files:
-
- 15 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/5.1
- Property svn:mergeinfo changed
/trunk merged: 56833-56836,56838
- Property svn:mergeinfo changed
-
branches/5.1/src/wp-admin/includes/ajax-actions.php
r55790 r56873 3497 3497 $shortcode = wp_unslash( $_POST['shortcode'] ); 3498 3498 3499 // Only process previews for media related shortcodes: 3500 $found_shortcodes = get_shortcode_tags_in_content( $shortcode ); 3501 $media_shortcodes = array( 3502 'audio', 3503 'embed', 3504 'playlist', 3505 'video', 3506 'gallery', 3507 ); 3508 3509 $other_shortcodes = array_diff( $found_shortcodes, $media_shortcodes ); 3510 3511 if ( ! empty( $other_shortcodes ) ) { 3512 wp_send_json_error(); 3513 } 3514 3499 3515 if ( ! empty( $_POST['post_ID'] ) ) { 3500 3516 $post = get_post( (int) $_POST['post_ID'] ); … … 3503 3519 // the embed shortcode requires a post 3504 3520 if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) { 3505 if ( 'embed' === $shortcode) {3521 if ( in_array( 'embed', $found_shortcodes, true ) ) { 3506 3522 wp_send_json_error(); 3507 3523 } -
branches/5.1/src/wp-admin/includes/class-wp-comments-list-table.php
r44631 r56873 555 555 $this->user_can = current_user_can( 'edit_comment', $comment->comment_ID ); 556 556 557 $edit_post_cap = $post ? 'edit_post' : 'edit_posts'; 558 if ( 559 current_user_can( $edit_post_cap, $comment->comment_post_ID ) || 560 ( 561 empty( $post->post_password ) && 562 current_user_can( 'read_post', $comment->comment_post_ID ) 563 ) 564 ) { 565 // The user has access to the post 566 } else { 567 return false; 568 } 569 557 570 echo "<tr id='comment-$comment->comment_ID' class='$the_comment_class'>"; 558 571 $this->single_row_columns( $comment ); -
branches/5.1/src/wp-admin/includes/class-wp-list-table.php
r44574 r56873 666 666 $pending_phrase = sprintf( _n( '%s pending comment', '%s pending comments', $pending_comments ), $pending_comments_number ); 667 667 668 // No comments at all. 668 $post_object = get_post( $post_id ); 669 $edit_post_cap = $post_object ? 'edit_post' : 'edit_posts'; 670 if ( 671 current_user_can( $edit_post_cap, $post_id ) || 672 ( 673 empty( $post_object->post_password ) && 674 current_user_can( 'read_post', $post_id ) 675 ) 676 ) { 677 // The user has access to the post and thus can see comments 678 } else { 679 return false; 680 } 681 669 682 if ( ! $approved_comments && ! $pending_comments ) { 670 683 printf( -
branches/5.1/src/wp-admin/includes/dashboard.php
r44815 r56873 948 948 echo '<ul id="the-comment-list" data-wp-lists="list:comment">'; 949 949 foreach ( $comments as $comment ) { 950 _wp_dashboard_recent_comments_row( $comment ); 950 $comment_post = get_post( $comment->comment_post_ID ); 951 if ( 952 current_user_can( 'edit_post', $comment->comment_post_ID ) || 953 ( 954 empty( $comment_post->post_password ) && 955 current_user_can( 'read_post', $comment->comment_post_ID ) 956 ) 957 ) { 958 _wp_dashboard_recent_comments_row( $comment ); 959 } 951 960 } 952 961 echo '</ul>'; -
branches/5.1/src/wp-includes/Requests/Hooks.php
r38049 r56873 66 66 return true; 67 67 } 68 69 public function __wakeup() { 70 throw new \LogicException( __CLASS__ . ' should never be unserialized' ); 71 } 68 72 } -
branches/5.1/src/wp-includes/Requests/IRI.php
r38727 r56873 704 704 } 705 705 706 public function __wakeup() { 707 $class_props = get_class_vars( __CLASS__ ); 708 $string_props = array( 'scheme', 'iuserinfo', 'ihost', 'port', 'ipath', 'iquery', 'ifragment' ); 709 $array_props = array( 'normalization' ); 710 foreach ( $class_props as $prop => $default_value ) { 711 if ( in_array( $prop, $string_props, true ) && ! is_string( $this->$prop ) ) { 712 throw new UnexpectedValueException(); 713 } elseif ( in_array( $prop, $array_props, true ) && ! is_array( $this->$prop ) ) { 714 throw new UnexpectedValueException(); 715 } 716 $this->$prop = null; 717 } 718 } 719 706 720 /** 707 721 * Set the entire IRI. Returns true on success, false on failure (if there -
branches/5.1/src/wp-includes/Requests/Session.php
r38049 r56873 228 228 } 229 229 230 public function __wakeup() { 231 throw new \LogicException( __CLASS__ . ' should never be unserialized' ); 232 } 233 230 234 /** 231 235 * Merge a request's data with the default data -
branches/5.1/src/wp-includes/class-wp-block-type-registry.php
r44108 r56873 155 155 } 156 156 157 public function __wakeup() { 158 if ( ! $this->registered_block_types ) { 159 return; 160 } 161 if ( ! is_array( $this->registered_block_types ) ) { 162 throw new UnexpectedValueException(); 163 } 164 foreach ( $this->registered_block_types as $value ) { 165 if ( ! $value instanceof WP_Block_Type ) { 166 throw new UnexpectedValueException(); 167 } 168 } 169 } 170 157 171 /** 158 172 * Utility method to retrieve the main instance of the class. -
branches/5.1/src/wp-includes/class-wp-theme.php
r44717 r56873 628 628 629 629 /** 630 * Perform reinitialization tasks. 631 * 632 * Prevents a callback from being injected during unserialization of an object. 633 * 634 * @return void 635 */ 636 public function __wakeup() { 637 if ( $this->parent && ! $this->parent instanceof self ) { 638 throw new UnexpectedValueException(); 639 } 640 if ( $this->headers && ! is_array( $this->headers ) ) { 641 throw new UnexpectedValueException(); 642 } 643 foreach ( $this->headers as $value ) { 644 if ( ! is_string( $value ) ) { 645 throw new UnexpectedValueException(); 646 } 647 } 648 $this->headers_sanitized = array(); 649 } 650 651 /** 630 652 * Adds theme data to cache. 631 653 * … … 1605 1627 return strnatcasecmp( $a->name_translated, $b->name_translated ); 1606 1628 } 1629 1630 private static function _check_headers_property_has_correct_type( $headers ) { 1631 if ( ! is_array( $headers ) ) { 1632 return false; 1633 } 1634 foreach ( $headers as $key => $value ) { 1635 if ( ! is_string( $key ) || ! is_string( $value ) ) { 1636 return false; 1637 } 1638 } 1639 return true; 1640 } 1607 1641 } -
branches/5.1/src/wp-includes/media.php
r55790 r56873 1748 1748 } 1749 1749 } elseif ( ! empty( $atts['exclude'] ) ) { 1750 $attachments = get_children( 1750 $post_parent_id = $id; 1751 $attachments = get_children( 1751 1752 array( 1752 1753 'post_parent' => $id, … … 1760 1761 ); 1761 1762 } else { 1762 $attachments = get_children( 1763 $post_parent_id = $id; 1764 $attachments = get_children( 1763 1765 array( 1764 1766 'post_parent' => $id, … … 1770 1772 ) 1771 1773 ); 1774 } 1775 1776 if ( ! empty( $post_parent_id ) ) { 1777 $post_parent = get_post( $post_parent_id ); 1778 1779 // terminate the shortcode execution if user cannot read the post or password-protected 1780 if ( 1781 ( ! is_post_publicly_viewable( $post_parent->ID ) && ! current_user_can( 'read_post', $post_parent->ID ) ) 1782 || post_password_required( $post_parent ) ) { 1783 return ''; 1784 } 1772 1785 } 1773 1786 … … 2079 2092 } 2080 2093 2094 if ( ! empty( $args['post_parent'] ) ) { 2095 $post_parent = get_post( $id ); 2096 2097 // terminate the shortcode execution if user cannot read the post or password-protected 2098 if ( ! current_user_can( 'read_post', $post_parent->ID ) || post_password_required( $post_parent ) ) { 2099 return ''; 2100 } 2101 } 2102 2081 2103 if ( empty( $attachments ) ) { 2082 2104 return ''; -
branches/5.1/src/wp-includes/rest-api.php
r46490 r56873 827 827 828 828 if ( ! $result ) { 829 add_filter( 'rest_send_nocache_headers', '__return_true', 20 ); 829 830 return new WP_Error( 'rest_cookie_invalid_nonce', __( 'Cookie nonce is invalid' ), array( 'status' => 403 ) ); 830 831 } -
branches/5.1/src/wp-includes/rest-api/class-wp-rest-server.php
r43582 r56873 240 240 241 241 /** 242 * Send nocache headers on authenticated requests.243 *244 * @since 4.4.0245 *246 * @param bool $rest_send_nocache_headers Whether to send no-cache headers.247 */248 $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );249 if ( $send_no_cache_headers ) {250 foreach ( wp_get_nocache_headers() as $header => $header_value ) {251 if ( empty( $header_value ) ) {252 $this->remove_header( $header );253 } else {254 $this->send_header( $header, $header_value );255 }256 }257 }258 259 /**260 242 * Filters whether the REST API is enabled. 261 243 * … … 318 300 * header. 319 301 */ 302 $method_overridden = false; 320 303 if ( isset( $_GET['_method'] ) ) { 321 304 $request->set_method( $_GET['_method'] ); 322 305 } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) { 323 306 $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ); 307 $method_overridden = true; 324 308 } 325 309 … … 379 363 */ 380 364 $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this ); 365 366 /** 367 * Filters whether to send nocache headers on a REST API request. 368 * 369 * @since 4.4.0 370 * @since 6.x.x Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php 371 * 372 * @param bool $rest_send_nocache_headers Whether to send no-cache headers. 373 */ 374 $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() ); 375 376 // send no cache headers if the $send_no_cache_headers is true 377 // OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4xx response code. 378 if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) { 379 foreach ( wp_get_nocache_headers() as $header => $header_value ) { 380 if ( empty( $header_value ) ) { 381 $this->remove_header( $header ); 382 } else { 383 $this->send_header( $header, $header_value ); 384 } 385 } 386 } 381 387 382 388 if ( ! $served ) { -
branches/5.1/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
r44641 r56873 284 284 285 285 if ( ! empty( $prepared_args['search'] ) ) { 286 if ( ! current_user_can( 'list_users' ) ) { 287 $prepared_args['search_columns'] = array( 'ID', 'user_login', 'user_nicename', 'display_name' ); 288 } 286 289 $prepared_args['search'] = '*' . $prepared_args['search'] . '*'; 287 290 } -
branches/5.1/src/wp-includes/shortcodes.php
r43549 r56873 161 161 162 162 /** 163 * Search content for shortcodes and filter shortcodes through their hooks. 163 * Returns a list of registered shortcode names found in the given content. 164 * 165 * Example usage: 166 * 167 * get_shortcode_tags_in_content( '[audio src="file.mp3"][/audio] [foo] [gallery ids="1,2,3"]' ); 168 * // array( 'audio', 'gallery' ) 169 * 170 * @since 6.3.2 171 * 172 * @param string $content The content to check. 173 * @return string[] An array of registered shortcode names found in the content. 174 */ 175 function get_shortcode_tags_in_content( $content ) { 176 if ( false === strpos( $content, '[' ) ) { 177 return array(); 178 } 179 180 preg_match_all( '/' . get_shortcode_regex() . '/', $content, $matches, PREG_SET_ORDER ); 181 if ( empty( $matches ) ) { 182 return array(); 183 } 184 185 $tags = array(); 186 foreach ( $matches as $shortcode ) { 187 $tags[] = $shortcode[2]; 188 189 if ( ! empty( $shortcode[5] ) ) { 190 $deep_tags = get_shortcode_tags_in_content( $shortcode[5] ); 191 if ( ! empty( $deep_tags ) ) { 192 $tags = array_merge( $tags, $deep_tags ); 193 } 194 } 195 } 196 197 return $tags; 198 } 199 200 /** 201 * Searches content for shortcodes and filter shortcodes through their hooks. 164 202 * 165 203 * If there are no shortcode tags defined, then the content will be returned
Note: See TracChangeset
for help on using the changeset viewer.