Make WordPress Core


Timestamp:
12/22/2023 02:10:18 AM (14 months ago)
Author:
isabel_brison
Message:

REST API: check parent and revision ids match before retrieving revision.

Adds a condition to check that parent id matches revision parent id in WP_REST_Revisions_Controller get_item method.

Props ramonopoly, adamsilverstein, danielbachhuber, spacedmonkey, andrewserong.
Fixes #59875.

File:
1 edited

  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php

    r56714 r57222  
    388388     *
    389389     * @since 4.7.0
     390     * @since 6.5.0 Added a condition to check that parent id matches revision parent id.
    390391     *
    391392     * @param WP_REST_Request $request Full details about the request.
     
    401402        if ( is_wp_error( $revision ) ) {
    402403            return $revision;
     404        }
     405
     406        if ( (int) $parent->ID !== (int) $revision->post_parent ) {
     407            return new WP_Error(
     408                'rest_revision_parent_id_mismatch',
     409                /* translators: %d: A post id. */
     410                sprintf( __( 'The revision does not belong to the specified parent with id of "%d"' ), $parent->ID ),
     411                array( 'status' => 404 )
     412            );
    403413        }
    404414
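Review bot: The new mismatch branch (new lines 406-412) ships without a test in this changeset, which edits only the controller file. Add a REST test that requests a revision through a different post's parent route and asserts a 404 response with the code `rest_revision_parent_id_mismatch`, plus one that confirms the matching parent still returns the revision. Casting both sides to `(int)` before the strict `!==` comparison is the right call, since either value may arrive as a numeric string, and placing the check after the `is_wp_error( $revision )` return means `$revision->post_parent` is only read on a valid object. Two smaller points: the message string has no terminating period and wraps the `%d` placeholder in double quotes although it is always an integer, and the commit message scopes the fix to `get_item`, so it is worth confirming that any other handler accepting both a parent and a revision id is covered by the same condition.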