Make WordPress Core


Ignore:
Timestamp:
10/12/2023 03:12:09 PM (9 months ago)
Author:
davidbaumwald
Message:

Grouped backports to the 5.6 branch.

  • Comments: Prevent users who can not see a post from seeing comments on it.
  • Shortcodes: Restrict media shortcode ajax to certain type.
  • REST API: Ensure no-cache headers are sent when methods are overridden.
  • REST API: Limit search_columns for users without list_users.
  • Prevent unintended behavior when certain objects are unserialized.
  • Application Passwords: Prevent the use of some pseudo protocols in application passwords.

Merges [56833], [56834], [56835], [56836], [56837], and [56838] to the 5.6 branch.
Props xknown, jorbin, Vortfu, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, martinkrcho, paulkevan, dd32, antpb, rmccue.

Location:
branches/5.6
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/5.6

  • branches/5.6/src/wp-includes/media.php

    r55781 r56882  
    22492249        }
    22502250    } elseif ( ! empty( $atts['exclude'] ) ) {
     2251        $post_parent_id = $id;
    22512252        $attachments = get_children(
    22522253            array(
     
    22612262        );
    22622263    } else {
     2264        $post_parent_id = $id;
    22632265        $attachments = get_children(
    22642266            array(
     
    22712273            )
    22722274        );
     2275    }
     2276
     2277    if ( ! empty( $post_parent_id ) ) {
     2278        $post_parent = get_post( $post_parent_id );
     2279
     2280        // terminate the shortcode execution if user cannot read the post or password-protected
     2281        if (
     2282        ( ! is_post_publicly_viewable( $post_parent->ID ) && ! current_user_can( 'read_post', $post_parent->ID ) )
     2283        || post_password_required( $post_parent ) ) {
     2284            return '';
     2285        }
    22732286    }
    22742287
     
    25992612    }
    26002613
     2614    if ( ! empty( $args['post_parent'] ) ) {
     2615        $post_parent = get_post( $id );
     2616
     2617        // terminate the shortcode execution if user cannot read the post or password-protected
     2618        if ( ! current_user_can( 'read_post', $post_parent->ID ) || post_password_required( $post_parent ) ) {
     2619            return '';
     2620        }
     2621    }
     2622
    26012623    if ( empty( $attachments ) ) {
    26022624        return '';
Note: See TracChangeset for help on using the changeset viewer.