From 17a022e3d0807ef5422a41ff998653e0b5a3be57 Mon Sep 17 00:00:00 2001
From: Gary Pendergast
Date: Thu, 7 Feb 2019 04:11:23 +0000
Subject: [PATCH] Admin: Re-add some validation from [44048] that was accidentally removed in [44165].

Props david.binda.
See #45037.

git-svn-id: https://develop.svn.wordpress.org/trunk@44726 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/post.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/wp-admin/post.php b/src/wp-admin/post.php
index c932d72e18..22624dfce2 100644
--- a/src/wp-admin/post.php
+++ b/src/wp-admin/post.php
@@ -16,7 +16,9 @@ $submenu_file = 'edit.php';
 
 wp_reset_vars( array( 'action' ) );
 
-if ( isset( $_GET['post'] ) ) {
+if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] ) {
+	wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
+} elseif ( isset( $_GET['post'] ) ) {
 	$post_id = $post_ID = (int) $_GET['post'];
 } elseif ( isset( $_POST['post_ID'] ) ) {
 	$post_id = $post_ID = (int) $_POST['post_ID'];
@@ -40,6 +42,10 @@ if ( $post ) {
 	$post_type_object = get_post_type_object( $post_type );
 }
 
+if ( isset( $_POST['post_type'] ) && $post && $post_type !== $_POST['post_type'] ) {
+	wp_die( __( 'A post type mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
+}
+
 if ( isset( $_POST['deletepost'] ) ) {
 	$action = 'delete';
 } elseif ( isset( $_POST['wp-preview'] ) && 'dopreview' == $_POST['wp-preview'] ) {
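Review bot: The re-added post ID mismatch guard compares the two request values only after an `(int)` cast, so inputs that differ textually but share an integer prefix (a constructed `5abc` in the query string against `5` in the form body) pass the check and then both reduce to the same `$post_id` on the following lines; that is consistent with the existing cast, but the intent should be stated in a comment above the `if`, for example `// Reject requests whose query-string post ID disagrees with the form's post_ID; both are compared as integers, matching the casts below.`. The condition also repeats `isset( $_GET['post'] )` in the first two branches, which could be hoisted into a local so the guard and the assignment read from the same value. The `elseif` chain continues past the end of this hunk.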
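Review bot: The post type mismatch guard depends on `$post_type` having been assigned inside the `if ( $post )` block whose opening line is the hunk's header context and whose body is outside this hunk; the `$post &&` operand short-circuits when no post was loaded, so the guard does not read an unset variable, but that coupling is worth a one-line comment such as `// $post_type is derived from $post above; only compare when a post was actually loaded.`. Because the comparison is strict (`!==`), a non-string `post_type` value (an array submitted as `post_type[]`) is also rejected with the 400 response, which fails closed and should be noted so a future loosening to `!=` is not made casually.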