Make WordPress Core


Ignore:
Timestamp:
10/12/2023 03:03:26 PM (8 months ago)
Author:
joemcgill
Message:

Grouped backports to the 5.9 branch.

  • REST API: Limit search_columns for users without list_users.
  • Comments: Prevent users who can not see a post from seeing comments on it.
  • Application Passwords: Prevent the use of some pseudo protocols in application passwords.
  • Restrict media shortcode ajax to certain type
  • REST API: Ensure no-cache headers are sent when methods are overriden.
  • Prevent unintended behavior when certain objects are unserialized.

Merges [56833], [56834], [56835], [56836], [56837], and [56838] to the 5.9 branch.
Props xknown, jorbin, Vortfu, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, martinkrcho, paulkevan, dd32, antpb, rmccue.

Location:
branches/5.9
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/5.9

  • branches/5.9/src/wp-includes/rest-api/class-wp-rest-server.php

    r52204 r56875  
    332332
    333333        /**
    334          * Filters whether to send nocache headers on a REST API request.
    335          *
    336          * @since 4.4.0
    337          *
    338          * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
    339          */
    340         $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
    341         if ( $send_no_cache_headers ) {
    342             foreach ( wp_get_nocache_headers() as $header => $header_value ) {
    343                 if ( empty( $header_value ) ) {
    344                     $this->remove_header( $header );
    345                 } else {
    346                     $this->send_header( $header, $header_value );
    347                 }
    348             }
    349         }
    350 
    351         /**
    352334         * Filters whether the REST API is enabled.
    353335         *
     
    403385         * header.
    404386         */
     387        $method_overridden = false;
    405388        if ( isset( $_GET['_method'] ) ) {
    406389            $request->set_method( $_GET['_method'] );
    407390        } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) {
    408391            $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] );
     392            $method_overridden = true;
    409393        }
    410394
     
    464448         */
    465449        $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this );
     450
     451        /**
     452         * Filters whether to send nocache headers on a REST API request.
     453         *
     454         * @since 4.4.0
     455         * @since 6.x.x Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php
     456         *
     457         * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
     458         */
     459        $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
     460
     461        // send no cache headers if the $send_no_cache_headers is true
     462        // OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4xx response code.
     463        if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) {
     464            foreach ( wp_get_nocache_headers() as $header => $header_value ) {
     465                if ( empty( $header_value ) ) {
     466                    $this->remove_header( $header );
     467                } else {
     468                    $this->send_header( $header, $header_value );
     469                }
     470            }
     471        }
    466472
    467473        if ( ! $served ) {
Note: See TracChangeset for help on using the changeset viewer.