Whitelist post arguments in XML-RPC

Built from https://develop.svn.wordpress.org/trunk@40677


git-svn-id: http://core.svn.wordpress.org/trunk@40540 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Pascal Birchler 2017-05-16 08:09:42 +00:00
parent d8f94986b2
commit e88a48a066
2 changed files with 25 additions and 7 deletions


@ -1295,10 +1295,31 @@ class wp_xmlrpc_server extends IXR_Server {
* @return IXR_Error|string * @return IXR_Error|string
*/ */
protected function _insert_post( $user, $content_struct ) { protected function _insert_post( $user, $content_struct ) {
$defaults = array( 'post_status' => 'draft', 'post_type' => 'post', 'post_author' => 0, $defaults = array(
'post_password' => '', 'post_excerpt' => '', 'post_content' => '', 'post_title' => '' ); 'post_status' => 'draft',
'post_type' => 'post',
'post_author' => null,
'post_password' => null,
'post_excerpt' => null,
'post_content' => null,
'post_title' => null,
'post_date' => null,
'post_date_gmt' => null,
'post_format' => null,
'post_name' => null,
'post_thumbnail' => null,
'post_parent' => null,
'ping_status' => null,
'comment_status' => null,
'custom_fields' => null,
'terms_names' => null,
'terms' => null,
'sticky' => null,
'enclosure' => null,
'ID' => null,
);
$post_data = wp_parse_args( $content_struct, $defaults ); $post_data = wp_parse_args( array_intersect_key( $content_struct, $defaults ), $defaults );
$post_type = get_post_type_object( $post_data['post_type'] ); $post_type = get_post_type_object( $post_data['post_type'] );
if ( ! $post_type ) if ( ! $post_type )
@ -1488,9 +1509,6 @@ class wp_xmlrpc_server extends IXR_Server {
$post_data['tax_input'] = $terms; $post_data['tax_input'] = $terms;
unset( $post_data['terms'], $post_data['terms_names'] ); unset( $post_data['terms'], $post_data['terms_names'] );
} else {
// Do not allow direct submission of 'tax_input', clients must use 'terms' and/or 'terms_names'.
unset( $post_data['tax_input'], $post_data['post_category'], $post_data['tags_input'] );
} }
if ( isset( $post_data['post_format'] ) ) { if ( isset( $post_data['post_format'] ) ) {
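Review bot: The new `array_intersect_key( $content_struct, $defaults )` in the `wp_parse_args` line assumes `$content_struct` is an array, and since `$defaults` is the first statement of `_insert_post`, a non-array struct arriving from the XML-RPC request (a string or integer parameter) reaches it unguarded and produces a PHP warning (a `TypeError` on PHP 8) rather than a clean fault; the old `wp_parse_args( $content_struct, ... )` tolerated a string. Unless every caller is already known to validate the parameter, which is not visible here, a guard at the top of the method such as `if ( ! is_array( $content_struct ) ) { return new IXR_Error( 400, __( 'Invalid post data.' ) ); }` would keep the whitelist from being the first thing to trip. The whitelist should also carry a comment explaining its purpose, because the removed `else` branch shows the previous approach was a deny-list of three keys, e.g. `// Only these keys may be supplied by the client; any other key (anything wp_insert_post() would otherwise honour directly) is dropped here.` The method body continues past the hunk, so whether switching the defaults from `''`/`0` to `null` changes any downstream `isset()`/`empty()` outcome cannot be confirmed from this view.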


@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.8-beta1-40676'; $wp_version = '4.8-beta1-40677';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.