REST API: Prevent attachment ID/image source mismatch when editing an image.

Fixes #50565. Built from https://develop.svn.wordpress.org/trunk@48498 git-svn-id: http://core.svn.wordpress.org/trunk@48260 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-06-28 07:45:02 +02:00 · 2020-07-16 21:56:08 +00:00 · 2020-07-16 21:56:08 +00:00 · 2d728713ac
commit 2d728713ac
parent 4a237f2d48
2 changed files with 12 additions and 2 deletions
--- a/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
@ -421,7 +421,11 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 		$image_file = wp_get_original_image_path( $attachment_id );
 		$image_meta = wp_get_attachment_metadata( $attachment_id );

-		if ( ! $image_meta || ! $image_file ) {
+		if (
+			! $image_meta ||
+			! $image_file ||
+			! wp_image_file_matches_image_meta( $request['src'], $image_meta )
+		) {
 			return new WP_Error(
 				'rest_unknown_attachment',
 				__( 'Unable to get meta information for file.' ),
@ -1289,6 +1293,12 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 				'minimum'     => 0,
 				'maximum'     => 100,
 			),
+			'src'      => array(
+				'description' => __( 'URL to the edited image file.' ),
+				'type'        => 'string',
+				'format'      => 'uri',
+				'required'    => true,
+			),
 		);
 	}

--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -13,7 +13,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.5-beta2-48497';
+$wp_version = '5.5-beta2-48498';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.