Changeset 55780

Timestamp:

05/16/2023 03:39:32 PM (15 months ago)

Author:

SergeyBiryukov

Message:

Grouped backports to the 4.5 branch.

• Media: Prevent CSRF setting attachment thumbnails.
• Embeds: Add protocol validation for WordPress Embed code.

Merges [55763] and [55764] to the 4.5 branch.
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.

Location:

branches/4.5

Files:

• package-lock.json (modified) (1 diff)
• package.json (modified) (1 diff)
• src/wp-admin/about.php (modified) (1 diff)
• src/wp-admin/includes/ajax-actions.php (modified) (1 diff)
• src/wp-includes/js/media/views/frame/video-details.js (modified) (1 diff)
• src/wp-includes/js/wp-embed.js (modified) (2 diffs)
• src/wp-includes/media.php (modified) (1 diff)
• src/wp-includes/version.php (modified) (1 diff)
• tests/phpunit/tests/ajax/Attachments.php (modified) (1 diff)

branches/4.5/package-lock.json

@@ -1 +1 @@
 {
     "name": "WordPress",
-    "version": "4.5.28",
+    "version": "4.5.2",
     "lockfileVersion": 1,
     "requires": true,

branches/4.5/package.json

@@ -1 +1 @@
 {
     "name": "WordPress",
-    "version": "4.5.28",
+    "version": "4.5.2",
     "description": "WordPress is web software you can use to create a beautiful website or blog.",
     "repository": {

branches/4.5/src/wp-admin/about.php

@@ -41 +41 @@
         <div class="changelog point-releases">
             <h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
             <p>
                 <?php

branches/4.5/src/wp-admin/includes/ajax-actions.php

@@ -2169 +2169 @@
     }
 
+
+
+
+
     $post_ids = array();
     // For each URL, try to find its corresponding post ID.

branches/4.5/src/wp-includes/js/media/views/frame/video-details.js

@@ -105 +105 @@
             wp.ajax.send( 'set-attachment-thumbnail', {
                 data : {
+
                     urls: urls,
                     thumbnail_id: attachment.get( 'id' )

branches/4.5/src/wp-includes/js/wp-embed.js

@@ -38 +38 @@
         var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
             blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
+
             i, source, height, sourceURL, targetURL;
 
@@ -72 +73 @@
                 sourceURL.href = source.getAttribute( 'src' );
                 targetURL.href = data.value;
+
+
+
+
+
 
                 /* Only continue if link hostname matches iframe's hostname. */

branches/4.5/src/wp-includes/media.php

@@ -3287 +3287 @@
         'captions'  => ! apply_filters( 'disable_captions', '' ),
         'nonce'     => array(
-            'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
+            'sendToEditor'           => wp_create_nonce( 'media-send-to-editor' ),
+            'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ),
         ),
         'post'    => array(

branches/4.5/src/wp-includes/version.php

@@ -5 +5 @@
  * @global string $wp_version
  */
-$wp_version = '4.5.28-src';
+$wp_version = '4.5.2-src';
 
 /**

branches/4.5/tests/phpunit/tests/ajax/Attachments.php

@@ -110 +110 @@
         $this->assertEquals( $expected, $response['data'] );
     }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 }