From f524de858c16b966686a0195fc60c8516f23627e Mon Sep 17 00:00:00 2001 From: Sergey Biryukov Date: Thu, 12 Dec 2019 18:57:27 +0000 Subject: [PATCH] Ensure that a user can publish_posts before making a post sticky. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Props: danielbachhuber, whyisjake, peterwilson, xknown. Brings r46893 to the 4.9 branch. Update `wp_kses_bad_protocol()` to recognize `:` on uri attributes, `wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function. Brings r46895 to the 4.9 branch. Props: xknown, nickdaugherty, peterwilsoncc. Built from https://develop.svn.wordpress.org/branches/4.9@46918 git-svn-id: http://core.svn.wordpress.org/branches/4.9@46718 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/kses.php | 2 +- .../rest-api/endpoints/class-wp-rest-posts-controller.php | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/wp-includes/kses.php b/wp-includes/kses.php index 185ebda867..4d12e3434b 100644 --- a/wp-includes/kses.php +++ b/wp-includes/kses.php @@ -1385,7 +1385,7 @@ function wp_kses_html_error($string) { */ function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) { $string = preg_replace( '/(�*58(?![;0-9])|�*3a(?![;a-f0-9]))/i', '$1;', $string ); - $string2 = preg_split( '/:|�*58;|�*3a;/i', $string, 2 ); + $string2 = preg_split( '/:|�*58;|�*3a;|:/i', $string, 2 ); if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) { $string = trim( $string2[1] ); $protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ); diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php index d48c03700c..0ece410435 100644 --- a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php +++ b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php @@ -491,7 +491,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to create posts as this user.' ), array( 'status' => rest_authorization_required_code() ) ); } - if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) { + if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) { return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) ); } @@ -633,7 +633,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to update posts as this user.' ), array( 'status' => rest_authorization_required_code() ) ); } - if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) { + if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) { return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) ); } @@ -922,7 +922,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { * @return stdClass|WP_Error Post object or WP_Error. */ protected function prepare_item_for_database( $request ) { - $prepared_post = new stdClass; + $prepared_post = new stdClass(); // Post ID. if ( isset( $request['id'] ) ) {