Make WordPress Core


Ignore:
Timestamp:
10/12/2023 03:06:49 PM (16 months ago)
Author:
davidbaumwald
Message:

Grouped backports to the 5.4 branch.

  • Comments: Prevent users who can not see a post from seeing comments on it.
  • Shortcodes: Restrict media shortcode ajax to certain type.
  • REST API: Ensure no-cache headers are sent when methods are overridden.
  • REST API: Limit search_columns for users without list_users.
  • Prevent unintended behavior when certain objects are unserialized.

Merges [56833], [56834], [56835], [56836], and [56838] to the 5.4 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.

Location:
branches/5.4
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/5.4

  • branches/5.4/src/wp-includes/rest-api/class-wp-rest-server.php

    r47351 r56878  
    248248
    249249        /**
    250          * Send nocache headers on authenticated requests.
    251          *
    252          * @since 4.4.0
    253          *
    254          * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
    255          */
    256         $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
    257         if ( $send_no_cache_headers ) {
    258             foreach ( wp_get_nocache_headers() as $header => $header_value ) {
    259                 if ( empty( $header_value ) ) {
    260                     $this->remove_header( $header );
    261                 } else {
    262                     $this->send_header( $header, $header_value );
    263                 }
    264             }
    265         }
    266 
    267         /**
    268250         * Filters whether the REST API is enabled.
    269251         *
     
    331313         * header.
    332314         */
     315        $method_overridden = false;
    333316        if ( isset( $_GET['_method'] ) ) {
    334317            $request->set_method( $_GET['_method'] );
    335318        } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) {
    336319            $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] );
     320            $method_overridden = true;
    337321        }
    338322
     
    392376         */
    393377        $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this );
     378
     379        /**
     380         * Filters whether to send nocache headers on a REST API request.
     381         *
     382         * @since 4.4.0
     383         * @since 6.x.x Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php
     384         *
     385         * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
     386         */
     387        $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
     388
     389        // send no cache headers if the $send_no_cache_headers is true
     390        // OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4xx response code.
     391        if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) {
     392            foreach ( wp_get_nocache_headers() as $header => $header_value ) {
     393                if ( empty( $header_value ) ) {
     394                    $this->remove_header( $header );
     395                } else {
     396                    $this->send_header( $header, $header_value );
     397                }
     398            }
     399        }
    394400
    395401        if ( ! $served ) {
Note: See TracChangeset for help on using the changeset viewer.