Admin: Re-add some validation from [44048] that was accidentally removed in [44165].

Props david.binda.
See #45037.


Built from https://develop.svn.wordpress.org/trunk@44726


git-svn-id: http://core.svn.wordpress.org/trunk@44557 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Gary Pendergast 2019-02-07 04:12:51 +00:00
parent 2d1d80f4c5
commit bbbf0ee62e
2 changed files with 8 additions and 2 deletions


@ -16,7 +16,9 @@ $submenu_file = 'edit.php';
wp_reset_vars( array( 'action' ) );
if ( isset( $_GET['post'] ) ) {
if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] ) {
wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
} elseif ( isset( $_GET['post'] ) ) {
$post_id = $post_ID = (int) $_GET['post'];
} elseif ( isset( $_POST['post_ID'] ) ) {
$post_id = $post_ID = (int) $_POST['post_ID'];
@ -40,6 +42,10 @@ if ( $post ) {
$post_type_object = get_post_type_object( $post_type );
}
if ( isset( $_POST['post_type'] ) && $post && $post_type !== $_POST['post_type'] ) {
wp_die( __( 'A post type mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
}
if ( isset( $_POST['deletepost'] ) ) {
$action = 'delete';
} elseif ( isset( $_POST['wp-preview'] ) && 'dopreview' == $_POST['wp-preview'] ) {
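Review bot: The two re-added `wp_die()` guards (the post ID mismatch check in the first hunk and the post type mismatch check in the second) carry no comment saying what they protect, and the commit message says they were already dropped once by accident in [44165]. A one-line comment above each, such as `// Bail if the post ID in the query string and in the form body disagree.` and `// Bail if the submitted post type differs from the type of the loaded post.`, plus a regression test for the two 400 responses, would make a later refactor less likely to remove them again. The post type check also runs only when `$post` is truthy, so a request with no loaded post passes `$_POST['post_type']` through this point unchecked. That is presumably dealt with further down, but both if/elseif chains continue outside these hunks, so it should be confirmed there.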


@ -13,7 +13,7 @@
*
* @global string $wp_version
*/
$wp_version = '5.1-beta3-44725';
$wp_version = '5.1-beta3-44726';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.