From 1e6a12db3805774f3e4133a9f54ff982b38924ee Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Tue, 25 Oct 2016 21:54:31 +0000
Subject: [PATCH] Feeds: Don't attempt to generate RSS feeds for invalid feed URLs such as `wp-content/feed`.

Props stevenkword, JRGould, lyubomir_popov, johnbillion
Fixes #30210
Built from https://develop.svn.wordpress.org/trunk@38929

git-svn-id: http://core.svn.wordpress.org/trunk@38872 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/functions.php | 12 ++++++++++++
 wp-includes/version.php | 2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index 0d0bf3bec0..d28b792537 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -1213,6 +1213,18 @@ function bool_from_yn( $yn ) {
 function do_feed() {
 global $wp_query;

+ // Determine if we are looking at the main comment feed
+ $is_main_comments_feed = ( $wp_query->is_comment_feed() && ! $wp_query->is_singular() );
+
+ /*
+ * Check the queried object for the existence of posts if it is not a feed for an archive,
+ * search result, or main comments. By checking for the absense of posts we can prevent rendering the feed
+ * templates at invalid endpoints. e.g.) /wp-content/plugins/feed/
+ */
+ if ( ! $wp_query->have_posts() && ! ( $wp_query->is_archive() || $wp_query->is_search() || $is_main_comments_feed ) ) {
+ wp_die( __( 'ERROR: This is not a valid feed.' ), '', array( 'response' => 404 ) );
+ }
+
 $feed = get_query_var( 'feed' );

 // Remove the pad, if present.
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 10be9fd97d..edcf686c2e 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.7-alpha-38928';
+$wp_version = '4.7-alpha-38929';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
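Review bot: The new guard at the top of do_feed() treats "no posts in the query" as "invalid endpoint", so a valid feed that merely has nothing to list yet appears to be rejected as well: as far as the visible condition shows, the main posts feed of a site with no published posts is neither `is_archive()`, `is_search()` nor the main comments feed, and would now answer 404 through `wp_die()`. The same would seem to apply to a custom feed registered with `add_feed()` whose callback does not depend on the main query returning posts. Unless that is intended, the check should key on whether the request resolved to a real query rather than on `have_posts()` alone, and at minimum the comment should state the limitation, e.g. `// Note: an empty main posts feed also fails this check and returns 404; confirm this is intended.` The comment also misspells "absence" as "absense". The body of do_feed() continues past the end of the hunk.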