From e88a48a066ab2200ce3091b131d43e2fab2460a4 Mon Sep 17 00:00:00 2001 From: Pascal Birchler Date: Tue, 16 May 2017 08:09:42 +0000 Subject: [PATCH] Whitelist post arguments in XML-RPC Built from https://develop.svn.wordpress.org/trunk@40677 git-svn-id: http://core.svn.wordpress.org/trunk@40540 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/class-wp-xmlrpc-server.php | 30 ++++++++++++++++++++------ wp-includes/version.php | 2 +- 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/wp-includes/class-wp-xmlrpc-server.php b/wp-includes/class-wp-xmlrpc-server.php index 5084da65cb..7bbde05c2b 100644 --- a/wp-includes/class-wp-xmlrpc-server.php +++ b/wp-includes/class-wp-xmlrpc-server.php @@ -1295,10 +1295,31 @@ class wp_xmlrpc_server extends IXR_Server { * @return IXR_Error|string */ protected function _insert_post( $user, $content_struct ) { - $defaults = array( 'post_status' => 'draft', 'post_type' => 'post', 'post_author' => 0, - 'post_password' => '', 'post_excerpt' => '', 'post_content' => '', 'post_title' => '' ); + $defaults = array( + 'post_status' => 'draft', + 'post_type' => 'post', + 'post_author' => null, + 'post_password' => null, + 'post_excerpt' => null, + 'post_content' => null, + 'post_title' => null, + 'post_date' => null, + 'post_date_gmt' => null, + 'post_format' => null, + 'post_name' => null, + 'post_thumbnail' => null, + 'post_parent' => null, + 'ping_status' => null, + 'comment_status' => null, + 'custom_fields' => null, + 'terms_names' => null, + 'terms' => null, + 'sticky' => null, + 'enclosure' => null, + 'ID' => null, + ); - $post_data = wp_parse_args( $content_struct, $defaults ); + $post_data = wp_parse_args( array_intersect_key( $content_struct, $defaults ), $defaults ); $post_type = get_post_type_object( $post_data['post_type'] ); if ( ! $post_type ) @@ -1488,9 +1509,6 @@ class wp_xmlrpc_server extends IXR_Server { $post_data['tax_input'] = $terms; unset( $post_data['terms'], $post_data['terms_names'] ); - } else { - // Do not allow direct submission of 'tax_input', clients must use 'terms' and/or 'terms_names'. - unset( $post_data['tax_input'], $post_data['post_category'], $post_data['tags_input'] ); } if ( isset( $post_data['post_format'] ) ) { diff --git a/wp-includes/version.php b/wp-includes/version.php index 2614f176c1..7cf6b4c2b0 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.8-beta1-40676'; +$wp_version = '4.8-beta1-40677'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.