
Changeset 56867

Timestamp:
10/12/2023 02:54:10 PM (9 months ago)
Author:
joemcgill
Message:

Grouped backports to the 6.1 branch.

  • REST API: Limit search_columns for users without list_users.
  • Comments: Prevent users who cannot see a post from seeing comments on it.
  • Application Passwords: Prevent the use of some pseudo protocols in application passwords.
  • Restrict media shortcode ajax to certain types
  • REST API: Ensure no-cache headers are sent when methods are overridden.
  • Prevent unintended behavior when certain objects are unserialized.

Merges [56833], [56834], [56835], [56836], [56837], and [56838] to the 6.1 branch.
Props xknown, jorbin, Vortfu, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, martinkrcho, paulkevan, dd32, antpb, rmccue.

Location:
branches/6.1
Files:
17 edited


  • branches/6.1/src/wp-admin/includes/ajax-actions.php

    r55771 r56867  
    38533853    $shortcode = wp_unslash( $_POST['shortcode'] );
    38543854
     3855
     3856
     3857
     3858
     3859
     3860
     3861
     3862
     3863
     3864
     3865
     3866
     3867
     3868
     3869
     3870
    38553871    if ( ! empty( $_POST['post_ID'] ) ) {
    38563872        $post = get_post( (int) $_POST['post_ID'] );
     
    38593875    // The embed shortcode requires a post.
    38603876    if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) {
    3861         if ( 'embed' === $shortcode ) {
     3877        if ( ) {
    38623878            wp_send_json_error();
    38633879        }
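Review bot: The condition at new line 3877 is blank in this rendering, so the replacement for `'embed' === $shortcode` cannot be checked here; the old test compared the whole submitted string, so confirm the new one still rejects an embed shortcode that carries attributes or is surrounded by other content when the user cannot edit the post. The new lines 3855-3870 are also not legible; whatever restriction they add on the shortcode types accepted for preview deserves a short why-comment such as `// Only media-related shortcodes may be previewed here; anything else is rejected before rendering.` The enclosing function starts outside the hunk.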
  • branches/6.1/src/wp-admin/includes/class-wp-comments-list-table.php

    r54378 r56867  
    637637
    638638        $this->user_can = current_user_can( 'edit_comment', $comment->comment_ID );
     639
     640
     641
     642
     643
     644
     645
     646
     647
     648
     649
     650
     651
    639652
    640653        echo "<tr id='comment-$comment->comment_ID' class='$the_comment_class'>";
  • branches/6.1/src/wp-admin/includes/class-wp-list-table.php

    r54378 r56867  
    812812            $pending_comments_number
    813813        );
     814
     815
     816
     817
     818
     819
     820
     821
     822
     823
     824
     825
     826
     827
    814828
    815829        if ( ! $approved_comments && ! $pending_comments ) {
  • branches/6.1/src/wp-admin/includes/dashboard.php

    r54638 r56867  
    10921092        echo '<ul id="the-comment-list" data-wp-lists="list:comment">';
    10931093        foreach ( $comments as $comment ) {
    1094             _wp_dashboard_recent_comments_row( $comment );
     1094
     1095            $comment_post = get_post( $comment->comment_post_ID );
     1096            if (
     1097                current_user_can( 'edit_post', $comment->comment_post_ID ) ||
     1098                (
     1099                    empty( $comment_post->post_password ) &&
     1100                    current_user_can( 'read_post', $comment->comment_post_ID )
     1101                )
     1102            ) {
     1103                _wp_dashboard_recent_comments_row( $comment );
     1104            }
    10951105        }
    10961106        echo '</ul>';
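Review bot: `get_post()` at new line 1095 returns null when the comment's post no longer exists; the `empty()` test at line 1099 tolerates that silently and the `read_post` check presumably denies access for a missing post, but the intent is not stated and should be, e.g. `// A comment whose post is gone is hidden: get_post() returns null and read_post is not granted for it.` Consider also whether `empty( $comment_post->post_password )` is the intended test rather than `post_password_required( $comment_post )` — the former hides comments on protected posts even for a viewer who has already unlocked them, which may be deliberate for the dashboard but is worth a comment. The same check appears to be added to class-wp-comments-list-table.php and class-wp-list-table.php (their added lines are not legible in this rendering), so a shared helper would keep the three in step. The enclosing function starts and ends outside the hunk.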
  • branches/6.1/src/wp-admin/includes/user.php

    r53458 r56867  
    607607 *
    608608 * @since 5.6.0
     609
     610
    609611 *
    610612 * @param array   $request {
     
    622624    $error = new WP_Error();
    623625
    624     if ( ! empty( $request['success_url'] ) ) {
    625         $scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
    626 
    627         if ( 'http' === $scheme ) {
     626    if ( isset( $request['success_url'] ) ) {
     627        $validated_success_url = wp_is_authorize_application_redirect_url_valid( $request['success_url'] );
     628        if ( is_wp_error( $validated_success_url ) ) {
    628629            $error->add(
    629                 'invalid_redirect_scheme',
    630                 __( 'The success URL must be served over a secure connection.' )
     630                ,
     631                )
    631632            );
    632633        }
    633634    }
    634635
    635     if ( ! empty( $request['reject_url'] ) ) {
    636         $scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );
    637 
    638         if ( 'http' === $scheme ) {
     636    if ( isset( $request['reject_url'] ) ) {
     637        $validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] );
     638        if ( is_wp_error( $validated_reject_url ) ) {
    639639            $error->add(
    640                 'invalid_redirect_scheme',
    641                 __( 'The rejection URL must be served over a secure connection.' )
     640                ,
     641                )
    642642            );
    643643        }
     
    668668    return true;
    669669}
     670
     671
     672
     673
     674
     675
     676
     677
     678
     679
     680
     681
     682
     683
     684
     685
     686
     687
     688
     689
     690
     691
     692
     693
     694
     695
     696
     697
     698
     699
     700
     701
     702
     703
     704
     705
     706
     707
     708
     709
     710
     711
     712
     713
     714
     715
     716
     717
     718
     719
     720
     721
     722
     723
     724
     725
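Review bot: Replacing `! empty( $request['success_url'] )` with `isset( $request['success_url'] )` at new lines 626 and 636 lets an empty string reach `wp_is_authorize_application_redirect_url_valid()`, which the old code skipped; whether an empty value is then rejected depends on the new function at lines 670-725, which is not legible here, so confirm it treats `''` as "no redirect" rather than as an invalid URL, or keep the `! empty()` guard. The arguments now passed to `$error->add()` at lines 630-631 are likewise not legible; if the validator's `WP_Error` is being forwarded, say so in a comment, e.g. `// Forward the validator's error code and message unchanged.` The `@since` lines added at 609-610 should record this behaviour change. The enclosing function starts outside the hunk.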
  • branches/6.1/src/wp-includes/Requests/Hooks.php

    r52328 r56867  
    6666        return true;
    6767    }
     68
     69
     70
     71
    6872}
  • branches/6.1/src/wp-includes/Requests/IRI.php

    r52328 r56867  
    706706    }
    707707
     708
     709
     710
     711
     712
     713
     714
     715
     716
     717
     718
     719
     720
     721
    708722    /**
    709723     * Set the entire IRI. Returns true on success, false on failure (if there
  • branches/6.1/src/wp-includes/Requests/Session.php

    r52328 r56867  
    230230    }
    231231
     232
     233
     234
     235
    232236    /**
    233237     * Merge a request's data with the default data
  • branches/6.1/src/wp-includes/class-wp-block-patterns-registry.php

    r54133 r56867  
    189189    }
    190190
     191
     192
     193
     194
     195
     196
     197
     198
     199
     200
     201
     202
     203
     204
     205
    191206    /**
    192207     * Utility method to retrieve the main instance of the class.
  • branches/6.1/src/wp-includes/class-wp-block-type-registry.php

    r54133 r56867  
    169169    }
    170170
     171
     172
     173
     174
     175
     176
     177
     178
     179
     180
     181
     182
     183
     184
    171185    /**
    172186     * Utility method to retrieve the main instance of the class.
  • branches/6.1/src/wp-includes/class-wp-theme.php

    r54236 r56867  
    719719
    720720    /**
     721
     722
     723
     724
     725
     726
     727
     728
     729
     730
     731
     732
     733
     734
     735
     736
     737
     738
     739
     740
     741
     742
    721743     * Adds theme data to cache.
    722744     *
     
    17791801        return strnatcasecmp( $a->name_translated, $b->name_translated );
    17801802    }
     1803
     1804
     1805
     1806
     1807
     1808
     1809
     1810
     1811
     1812
     1813
     1814
    17811815}
  • branches/6.1/src/wp-includes/media.php

    r55771 r56867  
    24542454        }
    24552455    } elseif ( ! empty( $atts['exclude'] ) ) {
     2456
    24562457        $attachments = get_children(
    24572458            array(
     
    24662467        );
    24672468    } else {
     2469
    24682470        $attachments = get_children(
    24692471            array(
     
    24762478            )
    24772479        );
     2480
     2481
     2482
     2483
     2484
     2485
     2486
     2487
     2488
     2489
     2490
    24782491    }
    24792492
     
    28042817    }
    28052818
     2819
     2820
     2821
     2822
     2823
     2824
     2825
     2826
     2827
    28062828    if ( empty( $attachments ) ) {
    28072829        return '';
  • branches/6.1/src/wp-includes/rest-api.php

    r54518 r56867  
    10691069
    10701070    if ( ! $result ) {
     1071
    10711072        return new WP_Error( 'rest_cookie_invalid_nonce', __( 'Cookie check failed' ), array( 'status' => 403 ) );
    10721073    }
  • branches/6.1/src/wp-includes/rest-api/class-wp-rest-server.php

    r54339 r56867  
    360360
    361361        /**
    362          * Filters whether to send nocache headers on a REST API request.
    363          *
    364          * @since 4.4.0
    365          *
    366          * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
    367          */
    368         $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
    369         if ( $send_no_cache_headers ) {
    370             foreach ( wp_get_nocache_headers() as $header => $header_value ) {
    371                 if ( empty( $header_value ) ) {
    372                     $this->remove_header( $header );
    373                 } else {
    374                     $this->send_header( $header, $header_value );
    375                 }
    376             }
    377         }
    378 
    379         /**
    380362         * Filters whether the REST API is enabled.
    381363         *
     
    431413         * header.
    432414         */
     415
    433416        if ( isset( $_GET['_method'] ) ) {
    434417            $request->set_method( $_GET['_method'] );
    435418        } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) {
    436419            $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] );
     420
    437421        }
    438422
     
    493477         */
    494478        $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this );
     479
     480
     481
     482
     483
     484
     485
     486
     487
     488
     489
     490
     491
     492
     493
     494
     495
     496
     497
     498
     499
     500
    495501
    496502        if ( ! $served ) {
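Review bot: The no-cache header block removed at old lines 362-378 is presumably re-added at new lines 479-500 (not legible here), i.e. after the `rest_pre_serve_request` filter has already run; if `send_header()` ends up calling `header()`, a filter callback that has already emitted output would cause those headers to fail, so consider emitting them before that filter is applied, provided that is still after authentication so that a `rest_send_nocache_headers` filter attached during `rest_cookie_check_errors()` (see the added line in rest-api.php at 1071) takes effect. The relocated block's docblock should also gain a `@since` line explaining the move, e.g. ` * @since 6.1.4 Moved after dispatch so filters added during authentication are honoured.` The enclosing method starts and ends outside the hunks.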
  • branches/6.1/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

    r54317 r56867  
    319319
    320320        if ( ! empty( $prepared_args['search'] ) ) {
     321
     322
     323
    321324            $prepared_args['search'] = '*' . $prepared_args['search'] . '*';
    322325        }
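Review bot: The three lines added at new lines 321-323 are not legible in this rendering; per the changeset message they restrict `search_columns` for users without `list_users`. Because they sit inside `if ( ! empty( $prepared_args['search'] ) )`, the restriction only applies when a search term is supplied, which should be stated in a comment above them, e.g. `// Only users with list_users may search arbitrary columns; restrict search_columns for everyone else.` The enclosing method starts and ends outside the hunk.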
  • branches/6.1/src/wp-includes/shortcodes.php

    r54319 r56867  
    167167    }
    168168    return false;
     169
     170
     171
     172
     173
     174
     175
     176
     177
     178
     179
     180
     181
     182
     183
     184
     185
     186
     187
     188
     189
     190
     191
     192
     193
     194
     195
     196
     197
     198
     199
     200
     201
     202
     203
     204
     205
     206
    169207}
    170208