Changeset 56886
- Timestamp:
- 10/12/2023 03:15:04 PM (14 months ago)
- Location:
- branches/5.7
- Files:
-
- 17 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/5.7
- Property svn:mergeinfo changed
/trunk merged: 56833-56838
- Property svn:mergeinfo changed
-
branches/5.7/src/wp-admin/includes/ajax-actions.php
r55778 r56886 3766 3766 $shortcode = wp_unslash( $_POST['shortcode'] ); 3767 3767 3768 // Only process previews for media related shortcodes: 3769 $found_shortcodes = get_shortcode_tags_in_content( $shortcode ); 3770 $media_shortcodes = array( 3771 'audio', 3772 'embed', 3773 'playlist', 3774 'video', 3775 'gallery', 3776 ); 3777 3778 $other_shortcodes = array_diff( $found_shortcodes, $media_shortcodes ); 3779 3780 if ( ! empty( $other_shortcodes ) ) { 3781 wp_send_json_error(); 3782 } 3783 3768 3784 if ( ! empty( $_POST['post_ID'] ) ) { 3769 3785 $post = get_post( (int) $_POST['post_ID'] ); … … 3772 3788 // The embed shortcode requires a post. 3773 3789 if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) { 3774 if ( 'embed' === $shortcode) {3790 if ( in_array( 'embed', $found_shortcodes, true ) ) { 3775 3791 wp_send_json_error(); 3776 3792 } -
branches/5.7/src/wp-admin/includes/class-wp-comments-list-table.php
r49193 r56886 622 622 } 623 623 $this->user_can = current_user_can( 'edit_comment', $comment->comment_ID ); 624 625 $edit_post_cap = $post ? 'edit_post' : 'edit_posts'; 626 if ( 627 current_user_can( $edit_post_cap, $comment->comment_post_ID ) || 628 ( 629 empty( $post->post_password ) && 630 current_user_can( 'read_post', $comment->comment_post_ID ) 631 ) 632 ) { 633 // The user has access to the post 634 } else { 635 return false; 636 } 624 637 625 638 echo "<tr id='comment-$comment->comment_ID' class='$the_comment_class'>"; -
branches/5.7/src/wp-admin/includes/class-wp-list-table.php
r50362 r56886 735 735 $pending_comments_number 736 736 ); 737 738 $post_object = get_post( $post_id ); 739 $edit_post_cap = $post_object ? 'edit_post' : 'edit_posts'; 740 if ( 741 current_user_can( $edit_post_cap, $post_id ) || 742 ( 743 empty( $post_object->post_password ) && 744 current_user_can( 'read_post', $post_id ) 745 ) 746 ) { 747 // The user has access to the post and thus can see comments 748 } else { 749 return false; 750 } 737 751 738 752 if ( ! $approved_comments && ! $pending_comments ) { -
branches/5.7/src/wp-admin/includes/dashboard.php
r50234 r56886 1053 1053 echo '<ul id="the-comment-list" data-wp-lists="list:comment">'; 1054 1054 foreach ( $comments as $comment ) { 1055 _wp_dashboard_recent_comments_row( $comment ); 1055 1056 $comment_post = get_post( $comment->comment_post_ID ); 1057 if ( 1058 current_user_can( 'edit_post', $comment->comment_post_ID ) || 1059 ( 1060 empty( $comment_post->post_password ) && 1061 current_user_can( 'read_post', $comment->comment_post_ID ) 1062 ) 1063 ) { 1064 _wp_dashboard_recent_comments_row( $comment ); 1065 } 1056 1066 } 1057 1067 echo '</ul>'; -
branches/5.7/src/wp-admin/includes/user.php
r49927 r56886 600 600 * 601 601 * @since 5.6.0 602 * @since 6.2.0 Allow insecure HTTP connections for the local environment. 603 * @since 6.3.2 Validates the success and reject URLs to prevent javascript pseudo protocol being executed. 602 604 * 603 605 * @param array $request { … … 615 617 $error = new WP_Error(); 616 618 617 if ( ! empty( $request['success_url'] ) ) { 618 $scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME ); 619 620 if ( 'http' === $scheme ) { 619 if ( isset( $request['success_url'] ) ) { 620 $validated_success_url = wp_is_authorize_application_redirect_url_valid( $request['success_url'] ); 621 if ( is_wp_error( $validated_success_url ) ) { 621 622 $error->add( 622 'invalid_redirect_scheme',623 __( 'The success url must be served over a secure connection.')623 $validated_success_url->get_error_code(), 624 $validated_success_url->get_error_message() 624 625 ); 625 626 } 626 627 } 627 628 628 if ( ! empty( $request['reject_url'] ) ) { 629 $scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME ); 630 631 if ( 'http' === $scheme ) { 629 if ( isset( $request['reject_url'] ) ) { 630 $validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] ); 631 if ( is_wp_error( $validated_reject_url ) ) { 632 632 $error->add( 633 'invalid_redirect_scheme',634 __( 'The rejection url must be served over a secure connection.')633 $validated_reject_url->get_error_code(), 634 $validated_reject_url->get_error_message() 635 635 ); 636 636 } … … 661 661 return true; 662 662 } 663 664 /** 665 * Validates the redirect URL protocol scheme. The protocol can be anything except http and javascript. 666 * 667 * @since 6.3.2 668 * 669 * @param string $url - The redirect URL to be validated. 670 * 671 * @return true|WP_Error True if the redirect URL is valid, a WP_Error object otherwise. 672 */ 673 function wp_is_authorize_application_redirect_url_valid( $url ) { 674 $bad_protocols = array( 'javascript', 'data' ); 675 if ( empty( $url ) ) { 676 return true; 677 } 678 679 // Based on https://www.rfc-editor.org/rfc/rfc2396#section-3.1 680 $valid_scheme_regex = '/^[a-zA-Z][a-zA-Z0-9+.-]*:/'; 681 if ( ! preg_match( $valid_scheme_regex, $url ) ) { 682 return new WP_Error( 683 'invalid_redirect_url_format', 684 __( 'Invalid URL format.' ) 685 ); 686 } 687 688 /** 689 * Filters the list of invalid protocols used in applications redirect URLs. 690 * 691 * @since 6.3.2 692 * 693 * @param string[] $bad_protocols Array of invalid protocols. 694 * @param string $url The redirect URL to be validated. 695 */ 696 $invalid_protocols = array_map( 'strtolower', apply_filters( 'wp_authorize_application_redirect_url_invalid_protocols', $bad_protocols, $url ) ); 697 698 $scheme = wp_parse_url( $url, PHP_URL_SCHEME ); 699 $host = wp_parse_url( $url, PHP_URL_HOST ); 700 $is_local = 'local' === wp_get_environment_type(); 701 702 // validates if the proper URI format is applied to the $url 703 if ( empty( $host ) || empty( $scheme ) || in_array( strtolower( $scheme ), $invalid_protocols, true ) ) { 704 return new WP_Error( 705 'invalid_redirect_url_format', 706 __( 'Invalid URL format.' ) 707 ); 708 } 709 710 if ( 'http' === $scheme && ! $is_local ) { 711 return new WP_Error( 712 'invalid_redirect_scheme', 713 __( 'The URL must be served over a secure connection.' ) 714 ); 715 } 716 717 return true; 718 } -
branches/5.7/src/wp-includes/Requests/Hooks.php
r46586 r56886 66 66 return true; 67 67 } 68 69 public function __wakeup() { 70 throw new \LogicException( __CLASS__ . ' should never be unserialized' ); 71 } 68 72 } -
branches/5.7/src/wp-includes/Requests/IRI.php
r46586 r56886 704 704 } 705 705 706 public function __wakeup() { 707 $class_props = get_class_vars( __CLASS__ ); 708 $string_props = array( 'scheme', 'iuserinfo', 'ihost', 'port', 'ipath', 'iquery', 'ifragment' ); 709 $array_props = array( 'normalization' ); 710 foreach ( $class_props as $prop => $default_value ) { 711 if ( in_array( $prop, $string_props, true ) && ! is_string( $this->$prop ) ) { 712 throw new UnexpectedValueException(); 713 } elseif ( in_array( $prop, $array_props, true ) && ! is_array( $this->$prop ) ) { 714 throw new UnexpectedValueException(); 715 } 716 $this->$prop = null; 717 } 718 } 719 706 720 /** 707 721 * Set the entire IRI. Returns true on success, false on failure (if there -
branches/5.7/src/wp-includes/Requests/Session.php
r46586 r56886 228 228 } 229 229 230 public function __wakeup() { 231 throw new \LogicException( __CLASS__ . ' should never be unserialized' ); 232 } 233 230 234 /** 231 235 * Merge a request's data with the default data -
branches/5.7/src/wp-includes/class-wp-block-patterns-registry.php
r50234 r56886 125 125 } 126 126 127 public function __wakeup() { 128 if ( ! $this->registered_patterns ) { 129 return; 130 } 131 if ( ! is_array( $this->registered_patterns ) ) { 132 throw new UnexpectedValueException(); 133 } 134 foreach ( $this->registered_patterns as $value ) { 135 if ( ! is_array( $value ) ) { 136 throw new UnexpectedValueException(); 137 } 138 } 139 $this->registered_patterns_outside_init = array(); 140 } 141 127 142 /** 128 143 * Utility method to retrieve the main instance of the class. -
branches/5.7/src/wp-includes/class-wp-block-type-registry.php
r50419 r56886 153 153 } 154 154 155 public function __wakeup() { 156 if ( ! $this->registered_block_types ) { 157 return; 158 } 159 if ( ! is_array( $this->registered_block_types ) ) { 160 throw new UnexpectedValueException(); 161 } 162 foreach ( $this->registered_block_types as $value ) { 163 if ( ! $value instanceof WP_Block_Type ) { 164 throw new UnexpectedValueException(); 165 } 166 } 167 } 168 155 169 /** 156 170 * Utility method to retrieve the main instance of the class. -
branches/5.7/src/wp-includes/class-wp-theme.php
r49946 r56886 677 677 678 678 /** 679 * Perform reinitialization tasks. 680 * 681 * Prevents a callback from being injected during unserialization of an object. 682 * 683 * @return void 684 */ 685 public function __wakeup() { 686 if ( $this->parent && ! $this->parent instanceof self ) { 687 throw new UnexpectedValueException(); 688 } 689 if ( $this->headers && ! is_array( $this->headers ) ) { 690 throw new UnexpectedValueException(); 691 } 692 foreach ( $this->headers as $value ) { 693 if ( ! is_string( $value ) ) { 694 throw new UnexpectedValueException(); 695 } 696 } 697 $this->headers_sanitized = array(); 698 } 699 700 /** 679 701 * Adds theme data to cache. 680 702 * … … 1660 1682 return strnatcasecmp( $a->name_translated, $b->name_translated ); 1661 1683 } 1684 1685 private static function _check_headers_property_has_correct_type( $headers ) { 1686 if ( ! is_array( $headers ) ) { 1687 return false; 1688 } 1689 foreach ( $headers as $key => $value ) { 1690 if ( ! is_string( $key ) || ! is_string( $value ) ) { 1691 return false; 1692 } 1693 } 1694 return true; 1695 } 1662 1696 } -
branches/5.7/src/wp-includes/media.php
r55778 r56886 2339 2339 } 2340 2340 } elseif ( ! empty( $atts['exclude'] ) ) { 2341 $post_parent_id = $id; 2341 2342 $attachments = get_children( 2342 2343 array( … … 2351 2352 ); 2352 2353 } else { 2354 $post_parent_id = $id; 2353 2355 $attachments = get_children( 2354 2356 array( … … 2361 2363 ) 2362 2364 ); 2365 } 2366 2367 if ( ! empty( $post_parent_id ) ) { 2368 $post_parent = get_post( $post_parent_id ); 2369 2370 // terminate the shortcode execution if user cannot read the post or password-protected 2371 if ( 2372 ( ! is_post_publicly_viewable( $post_parent->ID ) && ! current_user_can( 'read_post', $post_parent->ID ) ) 2373 || post_password_required( $post_parent ) ) { 2374 return ''; 2375 } 2363 2376 } 2364 2377 … … 2689 2702 } 2690 2703 2704 if ( ! empty( $args['post_parent'] ) ) { 2705 $post_parent = get_post( $id ); 2706 2707 // terminate the shortcode execution if user cannot read the post or password-protected 2708 if ( ! current_user_can( 'read_post', $post_parent->ID ) || post_password_required( $post_parent ) ) { 2709 return ''; 2710 } 2711 } 2712 2691 2713 if ( empty( $attachments ) ) { 2692 2714 return ''; -
branches/5.7/src/wp-includes/rest-api.php
r50656 r56886 1013 1013 1014 1014 if ( ! $result ) { 1015 add_filter( 'rest_send_nocache_headers', '__return_true', 20 ); 1015 1016 return new WP_Error( 'rest_cookie_invalid_nonce', __( 'Cookie nonce is invalid' ), array( 'status' => 403 ) ); 1016 1017 } -
branches/5.7/src/wp-includes/rest-api/class-wp-rest-server.php
r50150 r56886 318 318 319 319 /** 320 * Filters whether to send nocache headers on a REST API request.321 *322 * @since 4.4.0323 *324 * @param bool $rest_send_nocache_headers Whether to send no-cache headers.325 */326 $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );327 if ( $send_no_cache_headers ) {328 foreach ( wp_get_nocache_headers() as $header => $header_value ) {329 if ( empty( $header_value ) ) {330 $this->remove_header( $header );331 } else {332 $this->send_header( $header, $header_value );333 }334 }335 }336 337 /**338 320 * Filters whether the REST API is enabled. 339 321 * … … 401 383 * header. 402 384 */ 385 $method_overridden = false; 403 386 if ( isset( $_GET['_method'] ) ) { 404 387 $request->set_method( $_GET['_method'] ); 405 388 } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) { 406 389 $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ); 390 $method_overridden = true; 407 391 } 408 392 … … 462 446 */ 463 447 $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this ); 448 449 /** 450 * Filters whether to send nocache headers on a REST API request. 451 * 452 * @since 4.4.0 453 * @since 6.x.x Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php 454 * 455 * @param bool $rest_send_nocache_headers Whether to send no-cache headers. 456 */ 457 $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() ); 458 459 // send no cache headers if the $send_no_cache_headers is true 460 // OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4xx response code. 461 if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) { 462 foreach ( wp_get_nocache_headers() as $header => $header_value ) { 463 if ( empty( $header_value ) ) { 464 $this->remove_header( $header ); 465 } else { 466 $this->send_header( $header, $header_value ); 467 } 468 } 469 } 464 470 465 471 if ( ! $served ) { -
branches/5.7/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
r49955 r56886 303 303 304 304 if ( ! empty( $prepared_args['search'] ) ) { 305 if ( ! current_user_can( 'list_users' ) ) { 306 $prepared_args['search_columns'] = array( 'ID', 'user_login', 'user_nicename', 'display_name' ); 307 } 305 308 $prepared_args['search'] = '*' . $prepared_args['search'] . '*'; 306 309 } -
branches/5.7/src/wp-includes/shortcodes.php
r49963 r56886 161 161 162 162 /** 163 * Search content for shortcodes and filter shortcodes through their hooks. 163 * Returns a list of registered shortcode names found in the given content. 164 * 165 * Example usage: 166 * 167 * get_shortcode_tags_in_content( '[audio src="file.mp3"][/audio] [foo] [gallery ids="1,2,3"]' ); 168 * // array( 'audio', 'gallery' ) 169 * 170 * @since 6.3.2 171 * 172 * @param string $content The content to check. 173 * @return string[] An array of registered shortcode names found in the content. 174 */ 175 function get_shortcode_tags_in_content( $content ) { 176 if ( false === strpos( $content, '[' ) ) { 177 return array(); 178 } 179 180 preg_match_all( '/' . get_shortcode_regex() . '/', $content, $matches, PREG_SET_ORDER ); 181 if ( empty( $matches ) ) { 182 return array(); 183 } 184 185 $tags = array(); 186 foreach ( $matches as $shortcode ) { 187 $tags[] = $shortcode[2]; 188 189 if ( ! empty( $shortcode[5] ) ) { 190 $deep_tags = get_shortcode_tags_in_content( $shortcode[5] ); 191 if ( ! empty( $deep_tags ) ) { 192 $tags = array_merge( $tags, $deep_tags ); 193 } 194 } 195 } 196 197 return $tags; 198 } 199 200 /** 201 * Searches content for shortcodes and filter shortcodes through their hooks. 164 202 * 165 203 * This function is an alias for do_shortcode().
Note: See TracChangeset
for help on using the changeset viewer.