From ed4e7b01d45ad04772af497a876ad6c6d4b4c544 Mon Sep 17 00:00:00 2001
From: Scott Taylor
Date: Sun, 11 Jan 2015 22:27:23 +0000
Subject: [PATCH] In `WP_oEmbed`, only allow `__call()` to run against a whitelist of methods, `$compat_methods`.
See #30891.
Built from https://develop.svn.wordpress.org/trunk@31148
git-svn-id: http://core.svn.wordpress.org/trunk@31129 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-oembed.php | 7 ++++++-
 wp-includes/version.php | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/wp-includes/class-oembed.php b/wp-includes/class-oembed.php
index a3b7e554cb..e5bc4a7627 100644
--- a/wp-includes/class-oembed.php
+++ b/wp-includes/class-oembed.php
@@ -21,6 +21,8 @@ class WP_oEmbed {
 public $providers = array();
 public static $early_providers = array();

+ private $compat_methods = array( '_fetch_with_format', '_parse_json', '_parse_xml', '_parse_body' );
+
 /**
 * Constructor
 *
@@ -170,7 +172,10 @@ class WP_oEmbed {
 * @return mixed|bool Return value of the callback, false otherwise.
 */
 public function __call( $name, $arguments ) {
- return call_user_func_array( array( $this, $name ), $arguments );
+ if ( in_array( $name, $this->compat_methods ) ) {
+ return call_user_func_array( array( $this, $name ), $arguments );
+ }
+ return false;
 }

 /**
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 0c2da5b9ee..8de4ca0146 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.2-alpha-31147';
+$wp_version = '4.2-alpha-31148';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
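Review bot: The new `$compat_methods` property in the first hunk of wp-includes/class-oembed.php is added without a docblock, although it now decides which method names `__call()` will dispatch to. I would add a short docblock above it, with `@var array`, saying that it is the allow-list consulted by `__call()` and that any name added to it becomes reachable through that magic method. Since it is a plain instance property, code inside the class can still change it at run time; if the list is meant to be fixed, the docblock should say so. The class body continues outside the hunk.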
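Review bot: The guard added to `__call()` in the second hunk of wp-includes/class-oembed.php checks list membership only, and with loose comparison. If a name in `$compat_methods` is ever not defined on the object (the four methods are not visible in this patch), `call_user_func_array( array( $this, $name ), $arguments )` would be routed back into `__call()` and recurse, so I would check existence as well: `if ( in_array( $name, $this->compat_methods, true ) && method_exists( $this, $name ) ) {`. The strict flag changes nothing for the current list, because `$name` is always a string and the entries are non-numeric, but it keeps the match exact if the list is edited later. A rejected name returns `false` silently, which a caller cannot tell apart from a listed helper that itself returned `false` (if any of them can); a one-line comment above `return false;` saying that unlisted names are refused on purpose would help the next reader.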