WordPress/wp-includes/rest-api/endpoints
K. Adam White c418ba0205 REST API: Only check password value in query parameters while checking post permissions.
The `password` property which gets sent as part of a request POST body while setting a post's password should not be checked when calculating post visibility permissions.

That value in the request body is intended to update the post, not to authenticate, and may be malformed or an invalid non-string type which would cause a fatal when checking against the hashed post password value.

Query parameter `?password=` values are the correct interface to check, and are also guaranteed to be strings.

Props mlf20, devansh016, antonvlasenko, TimothyBlynJacobs, kadamwhite.
Fixes #61837.


Built from https://develop.svn.wordpress.org/trunk@59036


git-svn-id: http://core.svn.wordpress.org/trunk@58432 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-09-17 22:19:14 +00:00
class-wp-rest-application-passwords-controller.php
class-wp-rest-attachments-controller.php Docs: Correct alignment for rest_insert_attachment action DocBlock. 2024-08-08 02:27:18 +00:00
class-wp-rest-autosaves-controller.php REST API: Fix issue with Template and Template Part Revision/Autosave REST API controllers. 2023-10-10 14:05:21 +00:00
class-wp-rest-block-directory-controller.php
class-wp-rest-block-pattern-categories-controller.php Docs: Correct @return values for a few REST API class methods. 2024-07-10 11:12:16 +00:00
class-wp-rest-block-patterns-controller.php Coding Standards: Apply changes after running composer format. 2024-06-13 15:06:07 +00:00
class-wp-rest-block-renderer-controller.php
class-wp-rest-block-types-controller.php REST API: Remove a few unused variables in foreach loops. 2024-07-09 13:53:16 +00:00
class-wp-rest-blocks-controller.php Coding Standards: Remove extra space in a comment in WP_REST_Blocks_Controller. 2023-10-31 14:23:21 +00:00
class-wp-rest-comments-controller.php General: Consistently cast return value to int in functions that use ceil(). 2024-02-17 15:24:08 +00:00
class-wp-rest-controller.php Coding Standards: Include one space after function keyword for closures. 2023-09-12 15:23:18 +00:00
class-wp-rest-edit-site-export-controller.php Docs: Correct @return values for a few REST API class methods. 2024-07-10 11:12:16 +00:00
class-wp-rest-font-collections-controller.php Editor: Ensure font collection metadata can be properly localized. 2024-02-21 19:27:14 +00:00
class-wp-rest-font-faces-controller.php Editor (Font Library): Store font subdirectory in post meta. 2024-06-05 23:19:17 +00:00
class-wp-rest-font-families-controller.php Editor: Add theme.json v3 migrations. 2024-06-04 11:55:14 +00:00
class-wp-rest-global-styles-controller.php Docs: Various docblock improvements and corrections. 2024-09-11 12:08:19 +00:00
class-wp-rest-global-styles-revisions-controller.php Block Themes: Add support for relative URLs in top-level theme.json styles 2024-05-31 01:19:14 +00:00
class-wp-rest-menu-items-controller.php Docs: Various docblock improvements and corrections. 2024-09-11 12:08:19 +00:00
class-wp-rest-menu-locations-controller.php Docs: Correct @return values for a few REST API class methods. 2024-07-10 11:12:16 +00:00
class-wp-rest-menus-controller.php REST API: Correct the docblocks for various permission related methods. 2023-08-18 17:46:18 +00:00
class-wp-rest-navigation-fallback-controller.php General: Remove discouraged @return void annotations. 2023-10-16 15:17:23 +00:00
class-wp-rest-pattern-directory-controller.php General: Introduce wp_get_wp_version() to get unmodified version. 2024-07-27 00:27:16 +00:00
class-wp-rest-plugins-controller.php Plugins: Correct the item schema for the plugins REST API endpoint. 2024-09-17 21:33:14 +00:00
class-wp-rest-post-statuses-controller.php REST API: Remove a few unused variables in foreach loops. 2024-07-09 13:53:16 +00:00
class-wp-rest-post-types-controller.php REST API: Add template and template_lock to post types endpoint. 2024-06-21 13:06:12 +00:00
class-wp-rest-posts-controller.php REST API: Only check password value in query parameters while checking post permissions. 2024-09-17 22:19:14 +00:00
class-wp-rest-revisions-controller.php General: Consistently cast return value to int in functions that use ceil(). 2024-02-17 15:24:08 +00:00
class-wp-rest-search-controller.php REST API: Prevent error when passing invalid type parameter to search endpoint. 2024-03-15 11:25:06 +00:00
class-wp-rest-settings-controller.php Options: Add 'label' argument to register_setting. 2024-05-29 08:53:09 +00:00
class-wp-rest-sidebars-controller.php Coding Standards: Restore more descriptive variable names in a few class methods. 2023-09-14 12:46:20 +00:00
class-wp-rest-site-health-controller.php Coding Standards: Include one space after function keyword for closures. 2023-09-12 15:23:18 +00:00
class-wp-rest-taxonomies-controller.php Docs: Correct @return values for a few REST API class methods. 2024-07-10 11:12:16 +00:00
class-wp-rest-template-autosaves-controller.php REST API: Fix issue with Template and Template Part Revision/Autosave REST API controllers. 2023-10-10 14:05:21 +00:00
class-wp-rest-template-revisions-controller.php Docs: Improve docblock for WP_REST_Template_Revisions_Controller::get_parent(). 2024-05-15 11:18:12 +00:00
class-wp-rest-templates-controller.php Docs: Fix multi-line inline comments in WP_REST_Templates_Controller. 2024-07-11 13:40:15 +00:00
class-wp-rest-terms-controller.php Docs: Fix typos in various REST API DocBlocks and comments. 2024-07-11 06:24:17 +00:00
class-wp-rest-themes-controller.php REST API: Remove a few unused variables in foreach loops. 2024-07-09 13:53:16 +00:00
class-wp-rest-url-details-controller.php Docs: Fix typos in various REST API DocBlocks and comments. 2024-07-11 06:24:17 +00:00
class-wp-rest-users-controller.php Coding Standards: Apply changes after running composer format. 2024-06-13 15:06:07 +00:00
class-wp-rest-widget-types-controller.php Coding Standards: Restore more descriptive variable names in a few class methods. 2023-09-14 12:46:20 +00:00
class-wp-rest-widgets-controller.php Docs: Correct @return values for a few REST API class methods. 2024-07-10 11:12:16 +00:00