From 062568e6b67b1d39926dc45da5e84d8d3e7de329 Mon Sep 17 00:00:00 2001
From: Rachel Baker
Date: Wed, 29 Aug 2018 03:23:25 +0000
Subject: [PATCH] REST API: Limit the scope of wp-admin files required in WP_REST_Attachments_Controller methods. Narrow the scope of the included wp-admin files loaded for `wp_generate_attachment_metadata()`, `wp_handle_upload()`, `wp_tempnam()`, and `wp_handle_sideload()`. Requires only wp-admin/includes/file.php and wp-admin/includes/image.php instead of wp-admin/includes/admin.php. Props lonelyvegan, soulseekah, pratikthink. Fixes #43757. Built from https://develop.svn.wordpress.org/trunk@43589 git-svn-id: http://core.svn.wordpress.org/trunk@43418 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 .../class-wp-rest-attachments-controller.php | 12 ++++++------
 wp-includes/version.php | 2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
index 90ab5185fd..813de1c013 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
@@ -169,8 +169,8 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 */
 do_action( 'rest_insert_attachment', $attachment, $request, true );
- // Include admin functions to get access to wp_generate_attachment_metadata().
- require_once ABSPATH . 'wp-admin/includes/admin.php';
+ // Include admin function to get access to wp_generate_attachment_metadata().
+ require_once ABSPATH . 'wp-admin/includes/image.php';
 wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $file ) );
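Review bot: Loading only `wp-admin/includes/image.php` before `wp_generate_attachment_metadata( $id, $file )` guarantees that function is defined, but not necessarily every helper it calls for non-image uploads. From what I recall of core, audio and video attachments are routed through metadata readers such as `wp_read_video_metadata()` that are not defined in image.php, so a REST upload of such a file could end in an undefined-function fatal after the `rest_insert_attachment` action has already fired; please confirm against the function body, which is not visible here. If that holds, require the file that defines those readers alongside image.php, record the dependency in the comment, e.g. `// Include image functions and the media metadata readers they call for wp_generate_attachment_metadata().`, and add a REST test that uploads an audio or video file. The enclosing method starts and ends outside the hunk.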
@@ -536,8 +536,8 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 // Get the content-type.
 $type = array_shift( $headers['content_type'] );
- /** Include admin functions to get access to wp_tempnam() and wp_handle_sideload() */
- require_once ABSPATH . 'wp-admin/includes/admin.php';
+ /** Include admin functions to get access to wp_tempnam() and wp_handle_sideload(). */
+ require_once ABSPATH . 'wp-admin/includes/file.php';
 // Save the file.
 $tmpfname = wp_tempnam( $filename );
@@ -736,8 +736,8 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 return $size_check;
 }
- /** Include admin functions to get access to wp_handle_upload() */
- require_once ABSPATH . 'wp-admin/includes/admin.php';
+ /** Include admin function to get access to wp_handle_upload(). */
+ require_once ABSPATH . 'wp-admin/includes/file.php';
 $file = wp_handle_upload( $files['file'], $overrides );
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 1a4d6ec01f..f3f7357592 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.0-alpha-43588';
+$wp_version = '5.0-alpha-43589';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
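Review bot: The added comment above `require_once ABSPATH . 'wp-admin/includes/file.php';` uses the `/** … */` DocBlock opener for what is an inline explanatory comment, and the hunk at line 736 does the same, while the hunk at line 169 of this commit uses `//`. DocBlock syntax is meant for documenting the element that follows it, and the wording still says "admin functions" although only the file-handling include is loaded now. I would write `// Include file functions to get access to wp_tempnam() and wp_handle_sideload().` here and `// Include file functions to get access to wp_handle_upload().` in the later hunk. Both enclosing methods start and end outside their hunks.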