Ensure that a user can publish_posts before making a post sticky.

Props: danielbachhuber, whyisjake, peterwilson, xknown.

Brings r46893 to the 4.8 branch.

Update `wp_kses_bad_protocol()` to recognize `:` on uri attributes,

`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 4.8 branch.

Props: xknown, nickdaugherty, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.8@46917


git-svn-id: http://core.svn.wordpress.org/branches/4.8@46717 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Sergey Biryukov 2019-12-12 18:54:21 +00:00
parent c359dde932
commit b12e78ee0b
2 changed files with 4 additions and 4 deletions

View File

@ -1385,7 +1385,7 @@ function wp_kses_html_error($string) {
*/ */
function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) { function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) {
$string = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string ); $string = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 ); $string2 = preg_split( '/:|&#0*58;|&#x0*3a;|:/i', $string, 2 );
if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) { if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {
$string = trim( $string2[1] ); $string = trim( $string2[1] );
$protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ); $protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );

View File

@ -501,7 +501,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to create posts as this user.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to create posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );
} }
if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) { if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
} }
@ -645,7 +645,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to update posts as this user.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to update posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );
} }
if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) { if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
} }
@ -938,7 +938,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
* @return stdClass|WP_Error Post object or WP_Error. * @return stdClass|WP_Error Post object or WP_Error.
*/ */
protected function prepare_item_for_database( $request ) { protected function prepare_item_for_database( $request ) {
$prepared_post = new stdClass; $prepared_post = new stdClass();
// Post ID. // Post ID.
if ( isset( $request['id'] ) ) { if ( isset( $request['id'] ) ) {