diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php index 6be4a87a13..7d9266d80f 100644 --- a/wp-admin/admin-ajax.php +++ b/wp-admin/admin-ajax.php @@ -105,6 +105,7 @@ $core_actions_post = array( 'send-link-to-editor', 'send-attachment-to-editor', 'save-attachment-order', + 'media-create-image-subsizes', 'heartbeat', 'get-revision-diffs', 'save-user-color-scheme', diff --git a/wp-admin/includes/ajax-actions.php b/wp-admin/includes/ajax-actions.php index 28db878ef5..d9b688851e 100644 --- a/wp-admin/includes/ajax-actions.php +++ b/wp-admin/includes/ajax-actions.php @@ -111,6 +111,7 @@ function wp_ajax_ajax_tag_search() { $taxonomy = sanitize_key( $_GET['tax'] ); $tax = get_taxonomy( $taxonomy ); + if ( ! $tax ) { wp_die( 0 ); } @@ -125,10 +126,12 @@ function wp_ajax_ajax_tag_search() { if ( ',' !== $comma ) { $s = str_replace( $comma, ',', $s ); } + if ( false !== strpos( $s, ',' ) ) { $s = explode( ',', $s ); $s = $s[ count( $s ) - 1 ]; } + $s = trim( $s ); /** @@ -193,6 +196,7 @@ function wp_ajax_wp_compression_test() { if ( ! isset( $_SERVER['HTTP_ACCEPT_ENCODING'] ) ) { wp_die( -1 ); } + if ( false !== stripos( $_SERVER['HTTP_ACCEPT_ENCODING'], 'deflate' ) && function_exists( 'gzdeflate' ) && ! $force_gzip ) { header( 'Content-Encoding: deflate' ); $out = gzdeflate( $test_str, 1 ); @@ -202,6 +206,7 @@ function wp_ajax_wp_compression_test() { } else { wp_die( -1 ); } + echo $out; wp_die(); } elseif ( 'no' == $_GET['test'] ) { @@ -230,6 +235,7 @@ function wp_ajax_imgedit_preview() { check_ajax_referer( "image_editor-$post_id" ); include_once( ABSPATH . 'wp-admin/includes/image-edit.php' ); + if ( ! stream_preview_image( $post_id ) ) { wp_die( -1 ); } @@ -295,6 +301,7 @@ function wp_ajax_autocomplete_user() { 'fields' => 'ID', ) ) : array() ); + $exclude_blog_users = ( $type == 'add' ? get_users( array( 'blog_id' => $id, @@ -481,14 +488,18 @@ function _wp_ajax_delete_comment_response( $comment_id, $delta = -1 ) { // What type of comment count are we looking for? $status = 'all'; $parsed = parse_url( $url ); + if ( isset( $parsed['query'] ) ) { parse_str( $parsed['query'], $query_vars ); + if ( ! empty( $query_vars['comment_status'] ) ) { $status = $query_vars['comment_status']; } + if ( ! empty( $query_vars['p'] ) ) { $post_id = (int) $query_vars['p']; } + if ( ! empty( $query_vars['comment_type'] ) ) { $type = $query_vars['comment_type']; } @@ -550,36 +561,45 @@ function _wp_ajax_add_hierarchical_term() { $action = $_POST['action']; $taxonomy = get_taxonomy( substr( $action, 4 ) ); check_ajax_referer( $action, '_ajax_nonce-add-' . $taxonomy->name ); + if ( ! current_user_can( $taxonomy->cap->edit_terms ) ) { wp_die( -1 ); } + $names = explode( ',', $_POST[ 'new' . $taxonomy->name ] ); $parent = isset( $_POST[ 'new' . $taxonomy->name . '_parent' ] ) ? (int) $_POST[ 'new' . $taxonomy->name . '_parent' ] : 0; + if ( 0 > $parent ) { $parent = 0; } + if ( $taxonomy->name == 'category' ) { $post_category = isset( $_POST['post_category'] ) ? (array) $_POST['post_category'] : array(); } else { $post_category = ( isset( $_POST['tax_input'] ) && isset( $_POST['tax_input'][ $taxonomy->name ] ) ) ? (array) $_POST['tax_input'][ $taxonomy->name ] : array(); } + $checked_categories = array_map( 'absint', (array) $post_category ); $popular_ids = wp_popular_terms_checklist( $taxonomy->name, 0, 10, false ); foreach ( $names as $cat_name ) { $cat_name = trim( $cat_name ); $category_nicename = sanitize_title( $cat_name ); + if ( '' === $category_nicename ) { continue; } $cat_id = wp_insert_term( $cat_name, $taxonomy->name, array( 'parent' => $parent ) ); + if ( ! $cat_id || is_wp_error( $cat_id ) ) { continue; } else { $cat_id = $cat_id['term_id']; } + $checked_categories[] = $cat_id; + if ( $parent ) { // Do these all at once in a second continue; } @@ -670,27 +690,32 @@ function wp_ajax_delete_comment() { $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0; $comment = get_comment( $id ); + if ( ! $comment ) { wp_die( time() ); } + if ( ! current_user_can( 'edit_comment', $comment->comment_ID ) ) { wp_die( -1 ); } check_ajax_referer( "delete-comment_$id" ); $status = wp_get_comment_status( $comment ); + $delta = -1; - $delta = -1; if ( isset( $_POST['trash'] ) && 1 == $_POST['trash'] ) { if ( 'trash' == $status ) { wp_die( time() ); } + $r = wp_trash_comment( $comment ); } elseif ( isset( $_POST['untrash'] ) && 1 == $_POST['untrash'] ) { if ( 'trash' != $status ) { wp_die( time() ); } + $r = wp_untrash_comment( $comment ); + if ( ! isset( $_POST['comment_status'] ) || $_POST['comment_status'] != 'trash' ) { // undo trash, not in trash $delta = 1; } @@ -698,12 +723,15 @@ function wp_ajax_delete_comment() { if ( 'spam' == $status ) { wp_die( time() ); } + $r = wp_spam_comment( $comment ); } elseif ( isset( $_POST['unspam'] ) && 1 == $_POST['unspam'] ) { if ( 'spam' != $status ) { wp_die( time() ); } + $r = wp_unspam_comment( $comment ); + if ( ! isset( $_POST['comment_status'] ) || $_POST['comment_status'] != 'spam' ) { // undo spam, not in spam $delta = 1; } @@ -716,6 +744,7 @@ function wp_ajax_delete_comment() { if ( $r ) { // Decide if we need to send back '1' or a more complicated response including page links and comment counts _wp_ajax_delete_comment_response( $comment->comment_ID, $delta ); } + wp_die( 0 ); } @@ -734,6 +763,7 @@ function wp_ajax_delete_tag() { $taxonomy = ! empty( $_POST['taxonomy'] ) ? $_POST['taxonomy'] : 'post_tag'; $tag = get_term( $tag_id, $taxonomy ); + if ( ! $tag || is_wp_error( $tag ) ) { wp_die( 1 ); } @@ -754,6 +784,7 @@ function wp_ajax_delete_link() { $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0; check_ajax_referer( "delete-bookmark_$id" ); + if ( ! current_user_can( 'manage_links' ) ) { wp_die( -1 ); } @@ -780,6 +811,7 @@ function wp_ajax_delete_meta() { check_ajax_referer( "delete-meta_$id" ); $meta = get_metadata_by_mid( 'post', $id ); + if ( ! $meta ) { wp_die( 1 ); } @@ -787,9 +819,11 @@ function wp_ajax_delete_meta() { if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'delete_post_meta', $meta->post_id, $meta->meta_key ) ) { wp_die( -1 ); } + if ( delete_meta( $meta->meta_id ) ) { wp_die( 1 ); } + wp_die( 0 ); } @@ -804,9 +838,10 @@ function wp_ajax_delete_post( $action ) { if ( empty( $action ) ) { $action = 'delete-post'; } - $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0; + $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0; check_ajax_referer( "{$action}_$id" ); + if ( ! current_user_can( 'delete_post', $id ) ) { wp_die( -1 ); } @@ -833,9 +868,10 @@ function wp_ajax_trash_post( $action ) { if ( empty( $action ) ) { $action = 'trash-post'; } - $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0; + $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0; check_ajax_referer( "{$action}_$id" ); + if ( ! current_user_can( 'delete_post', $id ) ) { wp_die( -1 ); } @@ -868,6 +904,7 @@ function wp_ajax_untrash_post( $action ) { if ( empty( $action ) ) { $action = 'untrash-post'; } + wp_ajax_trash_post( $action ); } @@ -882,9 +919,10 @@ function wp_ajax_delete_page( $action ) { if ( empty( $action ) ) { $action = 'delete-page'; } - $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0; + $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0; check_ajax_referer( "{$action}_$id" ); + if ( ! current_user_can( 'delete_page', $id ) ) { wp_die( -1 ); } @@ -906,9 +944,9 @@ function wp_ajax_delete_page( $action ) { * @since 3.1.0 */ function wp_ajax_dim_comment() { - $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0; - + $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0; $comment = get_comment( $id ); + if ( ! $comment ) { $x = new WP_Ajax_Response( array( @@ -928,11 +966,13 @@ function wp_ajax_dim_comment() { } $current = wp_get_comment_status( $comment ); + if ( isset( $_POST['new'] ) && $_POST['new'] == $current ) { wp_die( time() ); } check_ajax_referer( "approve-comment_$id" ); + if ( in_array( $current, array( 'unapproved', 'spam' ) ) ) { $result = wp_set_comment_status( $comment, 'approve', true ); } else { @@ -965,27 +1005,35 @@ function wp_ajax_add_link_category( $action ) { if ( empty( $action ) ) { $action = 'add-link-category'; } + check_ajax_referer( $action ); $tax = get_taxonomy( 'link_category' ); + if ( ! current_user_can( $tax->cap->manage_terms ) ) { wp_die( -1 ); } + $names = explode( ',', wp_unslash( $_POST['newcat'] ) ); $x = new WP_Ajax_Response(); + foreach ( $names as $cat_name ) { $cat_name = trim( $cat_name ); $slug = sanitize_title( $cat_name ); + if ( '' === $slug ) { continue; } $cat_id = wp_insert_term( $cat_name, 'link_category' ); + if ( ! $cat_id || is_wp_error( $cat_id ) ) { continue; } else { $cat_id = $cat_id['term_id']; } + $cat_name = esc_html( $cat_name ); + $x->add( array( 'what' => 'link-category', @@ -1022,6 +1070,7 @@ function wp_ajax_add_tag() { if ( ! $tag || is_wp_error( $tag ) ) { $message = __( 'An error has occurred. Please reload the page and try again.' ); + if ( is_wp_error( $tag ) && $tag->get_error_message() ) { $message = $tag->get_error_message(); } @@ -1057,6 +1106,7 @@ function wp_ajax_add_tag() { 'supplemental' => compact( 'parents', 'noparents' ), ) ); + $x->add( array( 'what' => 'term', @@ -1064,6 +1114,7 @@ function wp_ajax_add_tag() { 'supplemental' => (array) $tag, ) ); + $x->send(); } @@ -1079,6 +1130,7 @@ function wp_ajax_get_tagcloud() { $taxonomy = sanitize_key( $_POST['tax'] ); $tax = get_taxonomy( $taxonomy ); + if ( ! $tax ) { wp_die( 0 ); } @@ -1123,7 +1175,6 @@ function wp_ajax_get_tagcloud() { } echo $return; - wp_die(); } @@ -1138,9 +1189,11 @@ function wp_ajax_get_tagcloud() { */ function wp_ajax_get_comments( $action ) { global $post_id; + if ( empty( $action ) ) { $action = 'get-comments'; } + check_ajax_referer( $action ); if ( empty( $post_id ) && ! empty( $_REQUEST['p'] ) ) { @@ -1167,6 +1220,7 @@ function wp_ajax_get_comments( $action ) { } $x = new WP_Ajax_Response(); + ob_start(); foreach ( $wp_list_table->items as $comment ) { if ( ! current_user_can( 'edit_comment', $comment->comment_ID ) && 0 === $comment->comment_approved ) { @@ -1183,6 +1237,7 @@ function wp_ajax_get_comments( $action ) { 'data' => $comment_list_item, ) ); + $x->send(); } @@ -1202,6 +1257,7 @@ function wp_ajax_replyto_comment( $action ) { $comment_post_ID = (int) $_POST['comment_post_ID']; $post = get_post( $comment_post_ID ); + if ( ! $post ) { wp_die( -1 ); } @@ -1217,6 +1273,7 @@ function wp_ajax_replyto_comment( $action ) { } $user = wp_get_current_user(); + if ( $user->exists() ) { $user_ID = $user->ID; $comment_author = wp_slash( $user->display_name ); @@ -1224,6 +1281,7 @@ function wp_ajax_replyto_comment( $action ) { $comment_author_url = wp_slash( $user->user_url ); $comment_content = trim( $_POST['content'] ); $comment_type = isset( $_POST['comment_type'] ) ? trim( $_POST['comment_type'] ) : ''; + if ( current_user_can( 'unfiltered_html' ) ) { if ( ! isset( $_POST['_wp_unfiltered_html_comment'] ) ) { $_POST['_wp_unfiltered_html_comment'] = ''; @@ -1245,9 +1303,11 @@ function wp_ajax_replyto_comment( $action ) { } $comment_parent = 0; + if ( isset( $_POST['comment_ID'] ) ) { $comment_parent = absint( $_POST['comment_ID'] ); } + $comment_auto_approved = false; $commentdata = compact( 'comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type', 'comment_parent', 'user_ID' ); @@ -1273,6 +1333,7 @@ function wp_ajax_replyto_comment( $action ) { } $comment = get_comment( $comment_id ); + if ( ! $comment ) { wp_die( 1 ); } @@ -1334,6 +1395,7 @@ function wp_ajax_edit_comment() { check_ajax_referer( 'replyto-comment', '_ajax_nonce-replyto-comment' ); $comment_id = (int) $_POST['comment_ID']; + if ( ! current_user_can( 'edit_comment', $comment_id ) ) { wp_die( -1 ); } @@ -1352,6 +1414,7 @@ function wp_ajax_edit_comment() { $wp_list_table = _get_list_table( $checkbox ? 'WP_Comments_List_Table' : 'WP_Post_Comments_List_Table', array( 'screen' => 'edit-comments' ) ); $comment = get_comment( $comment_id ); + if ( empty( $comment->comment_ID ) ) { wp_die( -1 ); } @@ -1390,8 +1453,8 @@ function wp_ajax_add_menu_item() { // For performance reasons, we omit some object properties from the checklist. // The following is a hacky way to restore them when adding non-custom items. - $menu_items_data = array(); + foreach ( (array) $_POST['menu-item'] as $menu_item_data ) { if ( ! empty( $menu_item_data['menu-item-type'] ) && @@ -1431,6 +1494,7 @@ function wp_ajax_add_menu_item() { foreach ( (array) $item_ids as $menu_item_id ) { $menu_obj = get_post( $menu_item_id ); + if ( ! empty( $menu_obj->ID ) ) { $menu_obj = wp_setup_nav_menu_item( $menu_obj ); $menu_obj->title = empty( $menu_obj->title ) ? __( 'Menu Item' ) : $menu_obj->title; @@ -1454,8 +1518,10 @@ function wp_ajax_add_menu_item() { 'link_before' => '', 'walker' => new $walker_class_name, ); + echo walk_nav_menu_tree( $menu_items, 0, (object) $args ); } + wp_die(); } @@ -1474,6 +1540,7 @@ function wp_ajax_add_meta() { if ( ! current_user_can( 'edit_post', $pid ) ) { wp_die( -1 ); } + if ( isset( $_POST['metakeyselect'] ) && '#NONE#' == $_POST['metakeyselect'] && empty( $_POST['metakeyinput'] ) ) { wp_die( 1 ); } @@ -1490,6 +1557,7 @@ function wp_ajax_add_meta() { $post_data['post_title'] = sprintf( __( 'Draft created on %1$s at %2$s' ), gmdate( __( 'F j, Y' ), $now ), gmdate( __( 'g:i a' ), $now ) ); $pid = edit_post( $post_data ); + if ( $pid ) { if ( is_wp_error( $pid ) ) { $x = new WP_Ajax_Response( @@ -1518,7 +1586,8 @@ function wp_ajax_add_meta() { $meta = get_metadata_by_mid( 'post', $mid ); $pid = (int) $meta->post_id; $meta = get_object_vars( $meta ); - $x = new WP_Ajax_Response( + + $x = new WP_Ajax_Response( array( 'what' => 'meta', 'id' => $mid, @@ -1531,18 +1600,25 @@ function wp_ajax_add_meta() { $mid = (int) key( $_POST['meta'] ); $key = wp_unslash( $_POST['meta'][ $mid ]['key'] ); $value = wp_unslash( $_POST['meta'][ $mid ]['value'] ); + if ( '' == trim( $key ) ) { wp_die( __( 'Please provide a custom field name.' ) ); } + $meta = get_metadata_by_mid( 'post', $mid ); + if ( ! $meta ) { wp_die( 0 ); // if meta doesn't exist } - if ( is_protected_meta( $meta->meta_key, 'post' ) || is_protected_meta( $key, 'post' ) || + + if ( + is_protected_meta( $meta->meta_key, 'post' ) || is_protected_meta( $key, 'post' ) || ! current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) || - ! current_user_can( 'edit_post_meta', $meta->post_id, $key ) ) { + ! current_user_can( 'edit_post_meta', $meta->post_id, $key ) + ) { wp_die( -1 ); } + if ( $meta->meta_value != $value || $meta->meta_key != $key ) { $u = update_metadata_by_mid( 'post', $mid, $value, $key ); if ( ! $u ) { @@ -1584,10 +1660,13 @@ function wp_ajax_add_user( $action ) { } check_ajax_referer( $action ); + if ( ! current_user_can( 'create_users' ) ) { wp_die( -1 ); } + $user_id = edit_user(); + if ( ! $user_id ) { wp_die( 0 ); } elseif ( is_wp_error( $user_id ) ) { @@ -1599,8 +1678,8 @@ function wp_ajax_add_user( $action ) { ); $x->send(); } - $user_object = get_userdata( $user_id ); + $user_object = get_userdata( $user_id ); $wp_list_table = _get_list_table( 'WP_Users_List_Table' ); $role = current( $user_object->roles ); @@ -1799,10 +1878,13 @@ function wp_ajax_menu_locations_save() { if ( ! current_user_can( 'edit_theme_options' ) ) { wp_die( -1 ); } + check_ajax_referer( 'add-menu_item', 'menu-settings-column-nonce' ); + if ( ! isset( $_POST['menu-locations'] ) ) { wp_die( 0 ); } + set_theme_mod( 'nav_menu_locations', array_map( 'absint', $_POST['menu-locations'] ) ); wp_die( 1 ); } @@ -1957,6 +2039,7 @@ function wp_ajax_inline_save() { if ( empty( $data['comment_status'] ) ) { $data['comment_status'] = 'closed'; } + if ( empty( $data['ping_status'] ) ) { $data['ping_status'] = 'closed'; } @@ -2012,6 +2095,7 @@ function wp_ajax_inline_save_tax() { $taxonomy = sanitize_key( $_POST['taxonomy'] ); $tax = get_taxonomy( $taxonomy ); + if ( ! $tax ) { wp_die( 0 ); } @@ -2032,6 +2116,7 @@ function wp_ajax_inline_save_tax() { $_POST['description'] = $tag->description; $updated = wp_update_term( $id, $taxonomy, $_POST ); + if ( $updated && ! is_wp_error( $updated ) ) { $tag = get_term( $updated['term_id'], $taxonomy ); if ( ! $tag || is_wp_error( $tag ) ) { @@ -2046,13 +2131,16 @@ function wp_ajax_inline_save_tax() { } wp_die( __( 'Item not updated.' ) ); } + $level = 0; $parent = $tag->parent; + while ( $parent > 0 ) { $parent_tag = get_term( $parent, $taxonomy ); $parent = $parent_tag->parent; $level++; } + $wp_list_table->single_row( $tag, $level ); wp_die(); } @@ -2076,6 +2164,7 @@ function wp_ajax_find_posts() { 'post_status' => 'any', 'posts_per_page' => 50, ); + if ( '' !== $s ) { $args['s'] = $s; } @@ -2141,10 +2230,13 @@ function wp_ajax_widgets_order() { // Save widgets order for all sidebars. if ( is_array( $_POST['sidebars'] ) ) { $sidebars = array(); + foreach ( wp_unslash( $_POST['sidebars'] ) as $key => $val ) { $sb = array(); + if ( ! empty( $val ) ) { $val = explode( ',', $val ); + foreach ( $val as $k => $v ) { if ( strpos( $v, 'widget-' ) === false ) { continue; @@ -2155,6 +2247,7 @@ function wp_ajax_widgets_order() { } $sidebars[ $key ] = $sb; } + wp_set_sidebars_widgets( $sidebars ); wp_die( 1 ); } @@ -2320,6 +2413,82 @@ function wp_ajax_delete_inactive_widgets() { wp_die(); } +/** + * Ajax handler for creating missing image sub-sizes for just uploaded images. + * + * @since 5.3.0 + */ +function wp_ajax_media_create_image_subsizes() { + check_ajax_referer( 'media-form' ); + + if ( ! current_user_can( 'upload_files' ) ) { + wp_send_json_error( array( 'message' => __( 'Sorry, you are not allowed to upload files.' ) ) ); + } + + // Using Plupload `file.id` as ref. + if ( ! empty( $_POST['_wp_temp_image_ref'] ) ) { + $image_ref = preg_replace( '/[^a-zA-Z0-9_]/', '', $_POST['_wp_temp_image_ref'] ); + } else { + wp_send_json_error( array( 'message' => __( 'Invalid file reference.' ) ) ); + } + + // Uploading of images usually fails while creating the sub-sizes, either because of a timeout or out of memory. + // At this point the file has been uploaded and an attachment post created, but because of the PHP fatal error + // the cliend doesn't know the attachment ID yet. + // To be able to find the new attachment_id in these cases we temporarily store an upload reference sent by the client + // in the original upload request. It is used to save a transient with the attachment_id as value. + // That reference currently is Plupload's `file.id` but can be any sufficiently random alpha-numeric string. + $attachment_id = get_transient( '_wp_temp_image_ref:' . $image_ref ); + + if ( empty( $attachment_id ) ) { + wp_send_json_error( array( 'message' => __( 'Upload failed. Please reload and try again.' ) ) ); + } + + if ( ! empty( $_POST['_wp_upload_failed_cleanup'] ) ) { + // Upload failed. Cleanup. + if ( wp_attachment_is_image( $attachment_id ) ) { + $attachment = get_post( $attachment_id ); + + // Posted at most 10 min ago. + if ( $attachment && ( time() - strtotime( $attachment->post_date_gmt ) < 600 ) ) { + /** + * Runs when an image upload fails during the post-processing phase, + * and the newly created attachment post is about to be deleted. + * + * @since 5.3.0 + * + * @param int $attachment_id The attachment post ID. + */ + do_action( 'wp_upload_failed_cleanup', $attachment_id ); + + wp_delete_attachment( $attachment_id, true ); + wp_send_json_success(); + } + } + } + + // This can still be pretty slow and cause timeout or out of memory errors. + // The js that handles the response would need to also handle HTTP 500 errors. + wp_update_image_subsizes( $attachment_id ); + + if ( ! empty( $_POST['_legasy_support'] ) ) { + // The old (inline) uploader. Only needs the attachment_id. + $response = array( 'id' => $attachment_id ); + } else { + // Media modal and Media Library grid view. + $response = wp_prepare_attachment_for_js( $attachment_id ); + + if ( ! $response ) { + wp_send_json_error( array( 'message' => __( 'Upload failed.' ) ) ); + } + } + + // At this point the image has been uploaded successfully. + delete_transient( '_wp_temp_image_ref:' . $image_ref ); + + wp_send_json_success( $response ); +} + /** * Ajax handler for uploading attachments * @@ -2349,6 +2518,7 @@ function wp_ajax_upload_attachment() { if ( isset( $_REQUEST['post_id'] ) ) { $post_id = $_REQUEST['post_id']; + if ( ! current_user_can( 'edit_post', $post_id ) ) { echo wp_json_encode( array( @@ -2375,6 +2545,7 @@ function wp_ajax_upload_attachment() { // If the context is custom header or background, make sure the uploaded file is an image. if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) { $wp_filetype = wp_check_filetype_and_ext( $_FILES['async-upload']['tmp_name'], $_FILES['async-upload']['name'] ); + if ( ! wp_match_mime_types( 'image', $wp_filetype['type'] ) ) { echo wp_json_encode( array( @@ -2438,6 +2609,7 @@ function wp_ajax_upload_attachment() { */ function wp_ajax_image_editor() { $attachment_id = intval( $_POST['postid'] ); + if ( empty( $attachment_id ) || ! current_user_can( 'edit_post', $attachment_id ) ) { wp_die( -1 ); } @@ -2649,8 +2821,10 @@ function wp_ajax_wp_remove_post_lock() { if ( empty( $_POST['post_ID'] ) || empty( $_POST['active_post_lock'] ) ) { wp_die( 0 ); } + $post_id = (int) $_POST['post_ID']; $post = get_post( $post_id ); + if ( ! $post ) { wp_die( 0 ); } @@ -2662,6 +2836,7 @@ function wp_ajax_wp_remove_post_lock() { } $active_lock = array_map( 'absint', explode( ':', $_POST['active_post_lock'] ) ); + if ( $active_lock[1] != get_current_user_id() ) { wp_die( 0 ); } @@ -2686,6 +2861,7 @@ function wp_ajax_wp_remove_post_lock() { */ function wp_ajax_dismiss_wp_pointer() { $pointer = $_POST['pointer']; + if ( $pointer != sanitize_key( $pointer ) ) { wp_die( 0 ); } @@ -2766,6 +2942,7 @@ function wp_ajax_query_attachments() { 'year', 'monthnum', ); + foreach ( get_taxonomies_for_attachments( 'objects' ) as $t ) { if ( $t->query_var && isset( $query[ $t->query_var ] ) ) { $keys[] = $t->query_var; @@ -2774,9 +2951,12 @@ function wp_ajax_query_attachments() { $query = array_intersect_key( $query, array_flip( $keys ) ); $query['post_type'] = 'attachment'; - if ( MEDIA_TRASH - && ! empty( $_REQUEST['query']['post_status'] ) - && 'trash' === $_REQUEST['query']['post_status'] ) { + + if ( + MEDIA_TRASH && + ! empty( $_REQUEST['query']['post_status'] ) && + 'trash' === $_REQUEST['query']['post_status'] + ) { $query['post_status'] = 'trash'; } else { $query['post_status'] = 'inherit'; @@ -2869,10 +3049,12 @@ function wp_ajax_save_attachment() { if ( wp_attachment_is( 'audio', $post['ID'] ) ) { $changed = false; $id3data = wp_get_attachment_metadata( $post['ID'] ); + if ( ! is_array( $id3data ) ) { $changed = true; $id3data = array(); } + foreach ( wp_get_attachment_id3_keys( (object) $post, 'edit' ) as $key => $label ) { if ( isset( $changes[ $key ] ) ) { $changed = true; @@ -2912,6 +3094,7 @@ function wp_ajax_save_attachment_compat() { if ( empty( $_REQUEST['attachments'] ) || empty( $_REQUEST['attachments'][ $id ] ) ) { wp_send_json_error(); } + $attachment_data = $_REQUEST['attachments'][ $id ]; check_ajax_referer( 'update-post_' . $id, 'nonce' ); @@ -2943,6 +3126,7 @@ function wp_ajax_save_attachment_compat() { } $attachment = wp_prepare_attachment_for_js( $id ); + if ( ! $attachment ) { wp_send_json_error(); } @@ -2981,10 +3165,13 @@ function wp_ajax_save_attachment_order() { if ( ! current_user_can( 'edit_post', $attachment_id ) ) { continue; } + $attachment = get_post( $attachment_id ); + if ( ! $attachment ) { continue; } + if ( 'attachment' != $attachment->post_type ) { continue; } @@ -3028,6 +3215,7 @@ function wp_ajax_send_attachment_to_editor() { if ( current_user_can( 'edit_post', $id ) ) { // If this attachment is unattached, attach it. Primarily a back compat thing. $insert_into_post_id = intval( $_POST['post_id'] ); + if ( 0 == $post->post_parent && $insert_into_post_id ) { wp_update_post( array( @@ -3346,6 +3534,7 @@ function wp_ajax_query_themes() { } $update_php = network_admin_url( 'update.php?action=install-theme' ); + foreach ( $api->themes as &$theme ) { $theme->install_url = add_query_arg( array( @@ -3390,7 +3579,8 @@ function wp_ajax_query_themes() { $theme->author = wp_kses( $theme->author['display_name'], $themes_allowedtags ); $theme->version = wp_kses( $theme->version, $themes_allowedtags ); $theme->description = wp_kses( $theme->description, $themes_allowedtags ); - $theme->stars = wp_star_rating( + + $theme->stars = wp_star_rating( array( 'rating' => $theme->rating, 'type' => 'percent', @@ -3398,6 +3588,7 @@ function wp_ajax_query_themes() { 'echo' => false, ) ); + $theme->num_ratings = number_format_i18n( $theme->num_ratings ); $theme->preview_url = set_url_scheme( $theme->preview_url ); } @@ -3421,9 +3612,12 @@ function wp_ajax_parse_embed() { if ( empty( $_POST['shortcode'] ) ) { wp_send_json_error(); } + $post_id = isset( $_POST['post_ID'] ) ? intval( $_POST['post_ID'] ) : 0; + if ( $post_id > 0 ) { $post = get_post( $post_id ); + if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) { wp_send_json_error(); } @@ -3436,6 +3630,7 @@ function wp_ajax_parse_embed() { preg_match( '/' . get_shortcode_regex() . '/s', $shortcode, $matches ); $atts = shortcode_parse_atts( $matches[3] ); + if ( ! empty( $matches[5] ) ) { $url = $matches[5]; } elseif ( ! empty( $atts['src'] ) ) { @@ -3493,6 +3688,7 @@ function wp_ajax_parse_embed() { if ( has_shortcode( $parsed, 'audio' ) || has_shortcode( $parsed, 'video' ) ) { $styles = ''; $mce_styles = wpview_media_sandbox_styles(); + foreach ( $mce_styles as $style ) { $styles .= sprintf( '', $style ); } @@ -3500,9 +3696,11 @@ function wp_ajax_parse_embed() { $html = do_shortcode( $parsed ); global $wp_scripts; + if ( ! empty( $wp_scripts ) ) { $wp_scripts->done = array(); } + ob_start(); wp_print_scripts( array( 'mediaelement-vimeo', 'wp-mediaelement' ) ); $scripts = ob_get_clean(); @@ -3617,6 +3815,7 @@ function wp_ajax_parse_media_shortcode() { */ function wp_ajax_destroy_sessions() { $user = get_userdata( (int) $_POST['user_id'] ); + if ( $user ) { if ( ! current_user_can( 'edit_user', $user->ID ) ) { $user = false; @@ -3656,6 +3855,7 @@ function wp_ajax_crop_image() { $attachment_id = absint( $_POST['id'] ); check_ajax_referer( 'image_editor-' . $attachment_id, 'nonce' ); + if ( empty( $attachment_id ) || ! current_user_can( 'edit_post', $attachment_id ) ) { wp_send_json_error(); } @@ -4046,9 +4246,11 @@ function wp_ajax_delete_theme() { // Check filesystem credentials. `delete_theme()` will bail otherwise. $url = wp_nonce_url( 'themes.php?action=delete&stylesheet=' . urlencode( $stylesheet ), 'delete-theme_' . $stylesheet ); + ob_start(); $credentials = request_filesystem_credentials( $url ); ob_end_clean(); + if ( false === $credentials || ! WP_Filesystem( $credentials ) ) { global $wp_filesystem; @@ -4339,9 +4541,11 @@ function wp_ajax_delete_plugin() { // Check filesystem credentials. `delete_plugins()` will bail otherwise. $url = wp_nonce_url( 'plugins.php?action=delete-selected&verify-delete=1&checked[]=' . $plugin, 'bulk-plugins' ); + ob_start(); $credentials = request_filesystem_credentials( $url ); ob_end_clean(); + if ( false === $credentials || ! WP_Filesystem( $credentials ) ) { global $wp_filesystem; @@ -4481,6 +4685,7 @@ function wp_ajax_search_install_plugins() { */ function wp_ajax_edit_theme_plugin_file() { $r = wp_edit_theme_plugin_file( wp_unslash( $_POST ) ); // Validation of args is done in wp_edit_theme_plugin_file(). + if ( is_wp_error( $r ) ) { wp_send_json_error( array_merge( @@ -4510,6 +4715,7 @@ function wp_ajax_wp_privacy_export_personal_data() { if ( empty( $_POST['id'] ) ) { wp_send_json_error( __( 'Missing request ID.' ) ); } + $request_id = (int) $_POST['id']; if ( $request_id < 1 ) { @@ -4537,11 +4743,13 @@ function wp_ajax_wp_privacy_export_personal_data() { if ( ! isset( $_POST['exporter'] ) ) { wp_send_json_error( __( 'Missing exporter index.' ) ); } + $exporter_index = (int) $_POST['exporter']; if ( ! isset( $_POST['page'] ) ) { wp_send_json_error( __( 'Missing page index.' ) ); } + $page = (int) $_POST['page']; $send_as_email = isset( $_POST['sendAsEmail'] ) ? ( 'true' === $_POST['sendAsEmail'] ) : false; @@ -4595,6 +4803,7 @@ function wp_ajax_wp_privacy_export_personal_data() { sprintf( __( 'Expected an array describing the exporter at index %s.' ), $exporter_key ) ); } + if ( ! array_key_exists( 'exporter_friendly_name', $exporter ) ) { wp_send_json_error( /* translators: %s: Exporter array index. */ @@ -4610,6 +4819,7 @@ function wp_ajax_wp_privacy_export_personal_data() { sprintf( __( 'Exporter does not include a callback: %s.' ), esc_html( $exporter_friendly_name ) ) ); } + if ( ! is_callable( $exporter['callback'] ) ) { wp_send_json_error( /* translators: %s: Exporter friendly name. */ @@ -4630,18 +4840,21 @@ function wp_ajax_wp_privacy_export_personal_data() { sprintf( __( 'Expected response as an array from exporter: %s.' ), esc_html( $exporter_friendly_name ) ) ); } + if ( ! array_key_exists( 'data', $response ) ) { wp_send_json_error( /* translators: %s: Exporter friendly name. */ sprintf( __( 'Expected data in response array from exporter: %s.' ), esc_html( $exporter_friendly_name ) ) ); } + if ( ! is_array( $response['data'] ) ) { wp_send_json_error( /* translators: %s: Exporter friendly name. */ sprintf( __( 'Expected data array in response array from exporter: %s.' ), esc_html( $exporter_friendly_name ) ) ); } + if ( ! array_key_exists( 'done', $response ) ) { wp_send_json_error( /* translators: %s: Exporter friendly name. */ diff --git a/wp-admin/includes/image.php b/wp-admin/includes/image.php index 384fd8e9d0..1270a88c63 100644 --- a/wp-admin/includes/image.php +++ b/wp-admin/includes/image.php @@ -131,18 +131,29 @@ function wp_get_missing_image_subsizes( $attachment_id ) { * @since 5.3.0 * * @param int $attachment_id The image attachment post ID. - * @return array The updated image meta data array. + * @return array|WP_Error The updated image meta data array or WP_Error object + * if both the image meta and the attached file are missing. */ function wp_update_image_subsizes( $attachment_id ) { + $image_meta = wp_get_attachment_metadata( $attachment_id ); + $image_file = get_attached_file( $attachment_id ); + + if ( empty( $image_meta ) || ! is_array( $image_meta ) ) { + // Previously failed upload? + // If there is an uploaded file, make all sub-sizes and generate all of the attachment meta. + if ( ! empty( $image_file ) ) { + return wp_create_image_subsizes( $image_file, array(), $attachment_id ); + } else { + return new WP_Error( 'invalid_attachment', __( 'The attached file cannot be found.' ) ); + } + } + $missing_sizes = wp_get_missing_image_subsizes( $attachment_id ); - $image_meta = wp_get_attachment_metadata( $attachment_id ); if ( empty( $missing_sizes ) ) { return $image_meta; } - $image_file = get_attached_file( $attachment_id ); - // This also updates the image meta. return _wp_make_subsizes( $missing_sizes, $image_file, $image_meta, $attachment_id ); } diff --git a/wp-admin/includes/media.php b/wp-admin/includes/media.php index dcd3c42cad..956c31b25e 100644 --- a/wp-admin/includes/media.php +++ b/wp-admin/includes/media.php @@ -80,6 +80,7 @@ function the_media_upload_tabs() { if ( ! empty( $tabs ) ) { echo "
\n"; } } @@ -265,10 +267,10 @@ function _cleanup_image_add_caption( $matches ) { */ function media_send_to_editor( $html ) { ?> - + ); * @return int|WP_Error ID of the attachment or a WP_Error object on failure. */ function media_handle_upload( $file_id, $post_id, $post_data = array(), $overrides = array( 'test_form' => false ) ) { - $time = current_time( 'mysql' ); $post = get_post( $post_id ); + if ( $post ) { // The post date doesn't usually matter for pages, so don't backdate this upload. if ( 'page' !== $post->post_type && substr( $post->post_date, 0, 4 ) > 0 ) { @@ -306,12 +308,13 @@ function media_handle_upload( $file_id, $post_id, $post_data = array(), $overrid $ext = pathinfo( $name, PATHINFO_EXTENSION ); $name = wp_basename( $name, ".$ext" ); - $url = $file['url']; - $type = $file['type']; - $file = $file['file']; - $title = sanitize_text_field( $name ); - $content = ''; - $excerpt = ''; + $url = $file['url']; + $type = $file['type']; + $file = $file['file']; + $title = sanitize_text_field( $name ); + $content = ''; + $excerpt = ''; + $image_ref = false; if ( preg_match( '#^audio#', $type ) ) { $meta = wp_read_audio_metadata( $file ); @@ -356,6 +359,7 @@ function media_handle_upload( $file_id, $post_id, $post_data = array(), $overrid if ( ! empty( $meta['track_number'] ) ) { $track_number = explode( '/', $meta['track_number'] ); + if ( isset( $track_number[1] ) ) { /* translators: Audio file track information. 1: Audio track number, 2: Total audio tracks. */ $content .= ' ' . sprintf( __( 'Track %1$s of %2$s.' ), number_format_i18n( $track_number[0] ), number_format_i18n( $track_number[1] ) ); @@ -372,7 +376,13 @@ function media_handle_upload( $file_id, $post_id, $post_data = array(), $overrid // Use image exif/iptc data for title and caption defaults if possible. } elseif ( 0 === strpos( $type, 'image/' ) ) { + // Image file reference passed by the uploader. + if ( ! empty( $_POST['_wp_temp_image_ref'] ) ) { + $image_ref = preg_replace( '/[^a-zA-Z0-9_]/', '', $_POST['_wp_temp_image_ref'] ); + } + $image_meta = wp_read_image_metadata( $file ); + if ( $image_meta ) { if ( trim( $image_meta['title'] ) && ! is_numeric( sanitize_title( $image_meta['title'] ) ) ) { $title = $image_meta['title']; @@ -401,13 +411,26 @@ function media_handle_upload( $file_id, $post_id, $post_data = array(), $overrid unset( $attachment['ID'] ); // Save the data - $id = wp_insert_attachment( $attachment, $file, $post_id, true ); - if ( ! is_wp_error( $id ) ) { - wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $file ) ); + $attachment_id = wp_insert_attachment( $attachment, $file, $post_id, true ); + + if ( ! is_wp_error( $attachment_id ) ) { + // If an image, keep the upload reference until all image sub-sizes are created. + if ( $image_ref ) { + set_transient( '_wp_temp_image_ref:' . $image_ref, $attachment_id, HOUR_IN_SECONDS ); + } + + // The image sub-sizes are created during wp_generate_attachment_metadata(). + // This is generally slow and may cause timeouts or out of memory errors. + wp_update_attachment_metadata( $attachment_id, wp_generate_attachment_metadata( $attachment_id, $file ) ); + + // At this point the image is uploaded successfully even if there were specific errors or some sub-sizes were not created. + // The transient is not needed any more. + if ( $image_ref ) { + delete_transient( '_wp_temp_image_ref:' . $image_ref ); + } } - return $id; - + return $attachment_id; } /** @@ -426,6 +449,7 @@ function media_handle_sideload( $file_array, $post_id, $desc = null, $post_data $time = current_time( 'mysql' ); $post = get_post( $post_id ); + if ( $post ) { if ( substr( $post->post_date, 0, 4 ) > 0 ) { $time = $post->post_date; @@ -433,6 +457,7 @@ function media_handle_sideload( $file_array, $post_id, $desc = null, $post_data } $file = wp_handle_sideload( $file_array, $overrides, $time ); + if ( isset( $file['error'] ) ) { return new WP_Error( 'upload_error', $file['error'] ); } @@ -445,10 +470,12 @@ function media_handle_sideload( $file_array, $post_id, $desc = null, $post_data // Use image exif/iptc data for title and caption defaults if possible. $image_meta = wp_read_image_metadata( $file ); + if ( $image_meta ) { if ( trim( $image_meta['title'] ) && ! is_numeric( sanitize_title( $image_meta['title'] ) ) ) { $title = $image_meta['title']; } + if ( trim( $image_meta['caption'] ) ) { $content = $image_meta['caption']; } @@ -474,12 +501,13 @@ function media_handle_sideload( $file_array, $post_id, $desc = null, $post_data unset( $attachment['ID'] ); // Save the attachment metadata - $id = wp_insert_attachment( $attachment, $file, $post_id, true ); - if ( ! is_wp_error( $id ) ) { - wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $file ) ); + $attachment_id = wp_insert_attachment( $attachment, $file, $post_id, true ); + + if ( ! is_wp_error( $attachment_id ) ) { + wp_update_attachment_metadata( $attachment_id, wp_generate_attachment_metadata( $attachment_id, $file ) ); } - return $id; + return $attachment_id; } /** @@ -495,22 +523,25 @@ function media_handle_sideload( $file_array, $post_id, $desc = null, $post_data function wp_iframe( $content_func ) { _wp_admin_html_begin(); ?> -