diff --git a/src/wp-admin/admin-header.php b/src/wp-admin/admin-header.php
index d5ceeccd61..b91dad9610 100644
--- a/src/wp-admin/admin-header.php
+++ b/src/wp-admin/admin-header.php
@@ -75,13 +75,13 @@ wp_enqueue_script( 'svg-painter' );
$admin_body_class = preg_replace('/[^a-z0-9_-]+/i', '-', $hook_suffix);
?>
diff --git a/src/wp-admin/custom-background.php b/src/wp-admin/custom-background.php
index 7326f7e83c..9b1ab048a4 100644
--- a/src/wp-admin/custom-background.php
+++ b/src/wp-admin/custom-background.php
@@ -541,6 +541,7 @@ if ( current_theme_supports( 'custom-background', 'default-color' ) )
* @deprecated 3.5.0
*/
public function wp_set_background_image() {
+ check_ajax_referer( 'custom-background' );
if ( ! current_user_can('edit_theme_options') || ! isset( $_POST['attachment_id'] ) ) exit;
$attachment_id = absint($_POST['attachment_id']);
/** This filter is documented in wp-admin/includes/media.php */
diff --git a/src/wp-admin/custom-header.php b/src/wp-admin/custom-header.php
index d345766afa..006012eeff 100644
--- a/src/wp-admin/custom-header.php
+++ b/src/wp-admin/custom-header.php
@@ -322,7 +322,7 @@ class Custom_Image_Header {
?>
addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
function tb_close(){var win=window.dialogArguments||opener||parent||top;win.tb_remove();}
-var ajaxurl = '',
- pagenow = 'id; ?>',
- typenow = 'post_type; ?>',
- adminpage = '',
- thousandsSeparator = 'number_format['thousands_sep'] ); ?>',
- decimalPoint = 'number_format['decimal_point'] ); ?>',
+var ajaxurl = '',
+ pagenow = 'id ); ?>',
+ typenow = 'post_type ); ?>',
+ adminpage = '',
+ thousandsSeparator = 'number_format['thousands_sep'] ); ?>',
+ decimalPoint = 'number_format['decimal_point'] ); ?>',
isRtl = ;
-
+
diff --git a/src/wp-admin/network/site-users.php b/src/wp-admin/network/site-users.php
index 42f71b5acf..93a20dc2df 100644
--- a/src/wp-admin/network/site-users.php
+++ b/src/wp-admin/network/site-users.php
@@ -211,7 +211,7 @@ if ( ! wp_is_large_network( 'users' ) && apply_filters( 'show_network_site_users
require( ABSPATH . 'wp-admin/admin-header.php' ); ?>
diff --git a/src/wp-includes/Requests/Utility/FilteredIterator.php b/src/wp-includes/Requests/Utility/FilteredIterator.php
index 76a29e7228..b90cbcd76a 100644
--- a/src/wp-includes/Requests/Utility/FilteredIterator.php
+++ b/src/wp-includes/Requests/Utility/FilteredIterator.php
@@ -42,4 +42,5 @@ class Requests_Utility_FilteredIterator extends ArrayIterator {
$value = call_user_func($this->callback, $value);
return $value;
}
+
}
diff --git a/src/wp-includes/class-wp-xmlrpc-server.php b/src/wp-includes/class-wp-xmlrpc-server.php
index 826f2efdfe..ef9298d8b1 100644
--- a/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/src/wp-includes/class-wp-xmlrpc-server.php
@@ -3638,6 +3638,21 @@ class wp_xmlrpc_server extends IXR_Server {
return new IXR_Error( 403, __( 'Comment is required.' ) );
}
+ if (
+ 'publish' === get_post_status( $post_id ) &&
+ ! current_user_can( 'edit_post', $post_id ) &&
+ post_password_required( $post_id )
+ ) {
+ return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+ }
+
+ if (
+ 'private' === get_post_status( $post_id ) &&
+ ! current_user_can( 'read_post', $post_id )
+ ) {
+ return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+ }
+
$comment = array(
'comment_post_ID' => $post_id,
'comment_content' => $content_struct['content'],
@@ -4023,8 +4038,10 @@ class wp_xmlrpc_server extends IXR_Server {
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.getMediaItem' );
- if ( ! $attachment = get_post($attachment_id) )
+ $attachment = get_post( $attachment_id );
+ if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
return new IXR_Error( 404, __( 'Invalid attachment ID.' ) );
+ }
return $this->_prepare_media_item( $attachment );
}
diff --git a/src/wp-includes/embed.php b/src/wp-includes/embed.php
index 176988057b..e10c95687a 100644
--- a/src/wp-includes/embed.php
+++ b/src/wp-includes/embed.php
@@ -1094,7 +1094,12 @@ function wp_filter_pre_oembed_result( $result, $url, $args ) {
$sites = get_sites( $qv );
$site = reset( $sites );
- if ( $site && (int) $site->blog_id !== get_current_blog_id() ) {
+ // Do not allow embeds for deleted/archived/spam sites.
+ if ( ! empty( $site->deleted ) || ! empty( $site->spam ) || ! empty( $site->archived ) ) {
+ return false;
+ }
+
+ if ( $site && get_current_blog_id() !== (int) $site->blog_id ) {
switch_to_blog( $site->blog_id );
$switched_blog = true;
}
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
index 5ed80f0c80..a8a25d3449 100644
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@@ -1090,9 +1090,9 @@ function wp_check_invalid_utf8( $string, $strip = false ) {
* @return string String with Unicode encoded for URI.
*/
function utf8_uri_encode( $utf8_string, $length = 0 ) {
- $unicode = '';
- $values = array();
- $num_octets = 1;
+ $unicode = '';
+ $values = array();
+ $num_octets = 1;
$unicode_length = 0;
mbstring_binary_safe_encoding();
@@ -1104,9 +1104,10 @@ function utf8_uri_encode( $utf8_string, $length = 0 ) {
$value = ord( $utf8_string[ $i ] );
if ( $value < 128 ) {
- if ( $length && ( $unicode_length >= $length ) )
+ if ( $length && ( $unicode_length >= $length ) ) {
break;
- $unicode .= chr($value);
+ }
+ $unicode .= chr( $value );
$unicode_length++;
} else {
if ( count( $values ) == 0 ) {
@@ -2007,7 +2008,7 @@ function sanitize_title_with_dashes( $title, $raw_title = '', $context = 'displa
if (function_exists('mb_strtolower')) {
$title = mb_strtolower($title, 'UTF-8');
}
- $title = utf8_uri_encode($title, 200);
+ $title = utf8_uri_encode( $title, 200 );
}
$title = strtolower($title);
diff --git a/src/wp-includes/meta.php b/src/wp-includes/meta.php
index 73dadb498f..cd88d99f1d 100644
--- a/src/wp-includes/meta.php
+++ b/src/wp-includes/meta.php
@@ -923,8 +923,9 @@ function _get_meta_table($type) {
* term, or user).
* @return bool True if the key is protected, false otherwise.
*/
-function is_protected_meta( $meta_key, $meta_type = null ) {
- $protected = ( '_' == $meta_key[0] );
+function is_protected_meta( $meta_key, $meta_type = '' ) {
+ $sanitized_key = preg_replace( "/[^\x20-\x7E\p{L}]/", '', $meta_key );
+ $protected = strlen( $sanitized_key ) > 0 && ( '_' === $sanitized_key[0] );
/**
* Filters whether a meta key is protected.
diff --git a/tests/phpunit/tests/formatting/Utf8UriEncode.php b/tests/phpunit/tests/formatting/Utf8UriEncode.php
index 2389c9a345..e5724441f8 100644
--- a/tests/phpunit/tests/formatting/Utf8UriEncode.php
+++ b/tests/phpunit/tests/formatting/Utf8UriEncode.php
@@ -12,7 +12,7 @@ class Tests_Formatting_Utf8UriEncode extends WP_UnitTestCase {
* @dataProvider data
*/
function test_percent_encodes_non_reserved_characters( $utf8, $urlencoded ) {
- $this->assertEquals($urlencoded, utf8_uri_encode( $utf8 ) );
+ $this->assertEquals( $urlencoded, utf8_uri_encode( $utf8 ) );
}
/**
diff --git a/tests/phpunit/tests/meta/isProtectedMeta.php b/tests/phpunit/tests/meta/isProtectedMeta.php
new file mode 100644
index 0000000000..c204d381f5
--- /dev/null
+++ b/tests/phpunit/tests/meta/isProtectedMeta.php
@@ -0,0 +1,55 @@
+assertTrue( is_protected_meta( $key ) );
+ }
+
+ public function protected_data() {
+ $protected_keys = array(
+ array( '_wp_attachment' ),
+ );
+ for ( $i = 0, $max = 31; $i < $max; $i ++ ) {
+ $protected_keys[] = array( chr( $i ) . '_wp_attachment' );
+ }
+ for ( $i = 127, $max = 159; $i <= $max; $i ++ ) {
+ $protected_keys[] = array( chr( $i ) . '_wp_attachment' );
+ }
+ $protected_keys[] = array( chr( 95 ) . '_wp_attachment' );
+
+ return $protected_keys;
+ }
+
+ /**
+ * @dataProvider unprotected_data
+ */
+ public function test_unprotected( $key ) {
+ $this->assertFalse( is_protected_meta( $key ) );
+ }
+
+ public function unprotected_data() {
+ $unprotected_keys = array(
+ array( 'singleword' ),
+ array( 'two_words' ),
+ array( 'ąŌ_not_so_protected_meta' ),
+ );
+
+ for ( $i = 32, $max = 94; $i <= $max; $i ++ ) {
+ $unprotected_keys[] = array( chr( $i ) . '_wp_attachment' );
+ }
+ for ( $i = 96, $max = 126; $i <= $max; $i ++ ) {
+ $unprotected_keys[] = array( chr( $i ) . '_wp_attachment' );
+ }
+
+ return $unprotected_keys;
+ }
+
+}
diff --git a/tests/phpunit/tests/multisite/site.php b/tests/phpunit/tests/multisite/site.php
index d0b460b752..9beb6a566d 100644
--- a/tests/phpunit/tests/multisite/site.php
+++ b/tests/phpunit/tests/multisite/site.php
@@ -445,6 +445,36 @@ class Tests_Multisite_Site extends WP_UnitTestCase {
remove_action( 'make_ham_blog', array( $this, '_action_counter_cb' ), 10 );
}
+ function test_content_from_spam_blog_is_not_available() {
+ $spam_blog_id = self::factory()->blog->create();
+ switch_to_blog( $spam_blog_id );
+ $post_data = array(
+ 'post_title' => 'Hello World!',
+ 'post_content' => 'Hello world content',
+ );
+ $post_id = self::factory()->post->create( $post_data );
+ $post = get_post( $post_id );
+ $spam_permalink = site_url() . '/?p=' . $post->ID;
+ $spam_embed_url = get_post_embed_url( $post_id );
+
+ restore_current_blog();
+ $this->assertNotEmpty( $spam_permalink );
+ $this->assertEquals( $post_data['post_title'], $post->post_title );
+
+ update_blog_status( $spam_blog_id, 'spam', 1 );
+
+ $post_id = self::factory()->post->create(
+ array(
+ 'post_content' => "\n $spam_permalink \n",
+ )
+ );
+ $post = get_post( $post_id );
+ $content = apply_filters( 'the_content', $post->post_content );
+
+ $this->assertNotContains( $post_data['post_title'], $content );
+ $this->assertNotContains( "src=\"{$spam_embed_url}#?", $content );
+ }
+
function test_update_blog_status_make_spam_blog_action() {
global $test_action_counter;
$test_action_counter = 0;