diff -r 34716fd837a4 -r be944660c56a wp/wp-includes/class-wp-xmlrpc-server.php --- a/wp/wp-includes/class-wp-xmlrpc-server.php Tue Dec 15 15:52:01 2020 +0100 +++ b/wp/wp-includes/class-wp-xmlrpc-server.php Wed Sep 21 18:19:35 2022 +0200 @@ -14,7 +14,7 @@ * options, etc. * * As of WordPress 3.5.0, XML-RPC is enabled by default. It can be disabled - * via the {@see 'xmlrpc_enabled'} filter found in wp_xmlrpc_server::login(). + * via the {@see 'xmlrpc_enabled'} filter found in wp_xmlrpc_server::set_is_enabled(). * * @since 1.5.0 * @@ -50,6 +50,13 @@ protected $auth_failed = false; /** + * Flags that XML-RPC is enabled + * + * @var bool + */ + private $is_enabled; + + /** * Registers all of the XMLRPC methods that XMLRPC server understands. * * Sets up server and method property. Passes XMLRPC 
@@ -164,6 +171,51 @@ * @param string[] $methods An array of XML-RPC methods, keyed by their methodName. */ $this->methods = apply_filters( 'xmlrpc_methods', $this->methods ); + + $this->set_is_enabled(); + } + + /** + * Set wp_xmlrpc_server::$is_enabled property. + * + * Determine whether the xmlrpc server is enabled on this WordPress install + * and set the is_enabled property accordingly. + * + * @since 5.7.3 + */ + private function set_is_enabled() { + /* + * Respect old get_option() filters left for back-compat when the 'enable_xmlrpc' + * option was deprecated in 3.5.0. Use the 'xmlrpc_enabled' hook instead. + */ + $is_enabled = apply_filters( 'pre_option_enable_xmlrpc', false ); + if ( false === $is_enabled ) { + $is_enabled = apply_filters( 'option_enable_xmlrpc', true ); + } + + /** + * Filters whether XML-RPC methods requiring authentication are enabled. + * + * Contrary to the way it's named, this filter does not control whether XML-RPC is *fully* + * enabled, rather, it only controls whether XML-RPC methods requiring authentication - such + * as for publishing purposes - are enabled. + * + * Further, the filter does not control whether pingbacks or other custom endpoints that don't + * require authentication are enabled. This behavior is expected, and due to how parity was matched + * with the `enable_xmlrpc` UI option the filter replaced when it was introduced in 3.5. + * + * To disable XML-RPC methods that require authentication, use: + * + * add_filter( 'xmlrpc_enabled', '__return_false' ); + * + * For more granular control over all XML-RPC methods and requests, see the {@see 'xmlrpc_methods'} + * and {@see 'xmlrpc_element_limit'} hooks. + * + * @since 3.5.0 + * + * @param bool $is_enabled Whether XML-RPC is enabled. Default true. + */ + $this->is_enabled = apply_filters( 'xmlrpc_enabled', $is_enabled ); } /** 
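Review bot: `set_is_enabled()` is called at the end of the constructor, so the `pre_option_enable_xmlrpc`, `option_enable_xmlrpc` and `xmlrpc_enabled` filters are now evaluated once per server instance instead of on every `login()` call, and the new docblock does not say so. A callback attached after the server object is built can no longer switch the authenticated methods off, so the method docblock should carry a sentence such as `Evaluated once, when the server is constructed; filters must be registered before then.` The filtered value is also stored exactly as returned, so a non-boolean from a callback ends up in a property documented as `@var bool`. Writing `$this->is_enabled = (bool) apply_filters( 'xmlrpc_enabled', $is_enabled );` keeps the type honest without changing how `login()` or `error()` read it.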
@@ -228,43 +280,10 @@ * * @param string $username User's username. * @param string $password User's password. - * @return WP_User|bool WP_User object if authentication passed, false otherwise + * @return WP_User|false WP_User object if authentication passed, false otherwise */ public function login( $username, $password ) { - /* - * Respect old get_option() filters left for back-compat when the 'enable_xmlrpc' - * option was deprecated in 3.5.0. Use the 'xmlrpc_enabled' hook instead. - */ - $enabled = apply_filters( 'pre_option_enable_xmlrpc', false ); - if ( false === $enabled ) { - $enabled = apply_filters( 'option_enable_xmlrpc', true ); - } - - /** - * Filters whether XML-RPC methods requiring authentication are enabled. - * - * Contrary to the way it's named, this filter does not control whether XML-RPC is *fully* - * enabled, rather, it only controls whether XML-RPC methods requiring authentication - such - * as for publishing purposes - are enabled. - * - * Further, the filter does not control whether pingbacks or other custom endpoints that don't - * require authentication are enabled. This behavior is expected, and due to how parity was matched - * with the `enable_xmlrpc` UI option the filter replaced when it was introduced in 3.5. - * - * To disable XML-RPC methods that require authentication, use: - * - * add_filter( 'xmlrpc_enabled', '__return_false' ); - * - * For more granular control over all XML-RPC methods and requests, see the {@see 'xmlrpc_methods'} - * and {@see 'xmlrpc_element_limit'} hooks. - * - * @since 3.5.0 - * - * @param bool $enabled Whether XML-RPC is enabled. Default true. - */ - $enabled = apply_filters( 'xmlrpc_enabled', $enabled ); - - if ( ! $enabled ) { + if ( ! $this->is_enabled ) { $this->error = new IXR_Error( 405, sprintf( __( 'XML-RPC services are disabled on this site.' ) ) ); return false; } 
@@ -286,8 +305,8 @@ * * @since 3.5.0 * - * @param string $error The XML-RPC error message. - * @param WP_Error $user WP_Error object. + * @param IXR_Error $error The XML-RPC error message. + * @param WP_Error $user WP_Error object. */ $this->error = apply_filters( 'xmlrpc_login_error', $this->error, $user ); return false; @@ -336,6 +355,30 @@ } /** + * Send error response to client. + * + * Send an XML error response to the client. If the endpoint is enabled + * an HTTP 200 response is always sent per the XML-RPC specification. + * + * @since 5.7.3 + * + * @param IXR_Error|string $error Error code or an error object. + * @param false $message Error message. Optional. + */ + public function error( $error, $message = false ) { + // Accepts either an error object or an error code and message + if ( $message && ! is_object( $error ) ) { + $error = new IXR_Error( $error, $message ); + } + + if ( ! $this->is_enabled ) { + status_header( $error->code ); + } + + $this->output( $error->getXml() ); + } + + /** * Retrieve custom fields for post. * * @since 2.5.0 @@ -681,10 +724,13 @@ * equal to the method's name, e.g., wp.getUsersBlogs, wp.newPost, etc. * * @since 2.5.0 + * @since 5.7.0 Added the `$args` and `$server` parameters. * - * @param string $name The method name. + * @param string $name The method name. + * @param array|string $args The escaped arguments passed to the method. + * @param wp_xmlrpc_server $server The XML-RPC server instance. */ - do_action( 'xmlrpc_call', 'wp.getUsersBlogs' ); + do_action( 'xmlrpc_call', 'wp.getUsersBlogs', $args, $this ); $blogs = (array) get_blogs_of_user( $user->ID ); $struct = array(); 
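Review bot: `error()` only builds an `IXR_Error` when `$message` is truthy, so a call that passes a bare code with no message (or an empty one) reaches `$error->code` and `$error->getXml()` on a non-object. Guarding on the type alone, `if ( ! is_object( $error ) ) { $error = new IXR_Error( $error, $message ); }`, closes that path. `@param false $message` documents only the default; `@param string|false $message` describes what callers pass. When the endpoint is disabled the fault code goes straight into `status_header()`, which fits the 405 set in `login()` but presumably assumes every error raised in that state carries a valid HTTP status, so a one-line comment stating that assumption would help.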
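Review bot: Passing `$args` to every `xmlrpc_call` listener hands hook callbacks the full request arguments, which for the authenticated methods presumably include the username and password the client sent. The new `@param array|string $args` line should say so, for example `The escaped arguments passed to the method; may contain credentials and must not be logged or stored verbatim.` The same call shape is repeated in the later hunks for the other `wp.*`, `blogger.*`, `metaWeblog.*` and `mt.*` methods, all of which point back to this docblock. The enclosing method starts and ends outside the hunk.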
@@ -743,8 +789,8 @@ /** * Prepares taxonomy data for return in an XML-RPC object. * - * @param object $taxonomy The unprepared taxonomy data. - * @param array $fields The subset of taxonomy fields to return. + * @param WP_Taxonomy $taxonomy The unprepared taxonomy data. + * @param array $fields The subset of taxonomy fields to return. * @return array The prepared taxonomy data. */ protected function _prepare_taxonomy( $taxonomy, $fields ) { @@ -766,7 +812,7 @@ } if ( in_array( 'menu', $fields, true ) ) { - $_taxonomy['show_in_menu'] = (bool) $_taxonomy->show_in_menu; + $_taxonomy['show_in_menu'] = (bool) $taxonomy->show_in_menu; } if ( in_array( 'object_type', $fields, true ) ) { @@ -798,13 +844,13 @@ } // For integers which may be larger than XML-RPC supports ensure we return strings. - $_term['term_id'] = strval( $_term['term_id'] ); - $_term['term_group'] = strval( $_term['term_group'] ); - $_term['term_taxonomy_id'] = strval( $_term['term_taxonomy_id'] ); - $_term['parent'] = strval( $_term['parent'] ); + $_term['term_id'] = (string) $_term['term_id']; + $_term['term_group'] = (string) $_term['term_group']; + $_term['term_taxonomy_id'] = (string) $_term['term_taxonomy_id']; + $_term['parent'] = (string) $_term['parent']; // Count we are happy to return as an integer because people really shouldn't use terms that much. - $_term['count'] = intval( $_term['count'] ); + $_term['count'] = (int) $_term['count']; // Get term meta. $_term['custom_fields'] = $this->get_term_custom_fields( $_term['term_id'] ); @@ -856,7 +902,7 @@ */ protected function _prepare_post( $post, $fields ) { // Holds the data for this post. built up based on $fields. - $_post = array( 'post_id' => strval( $post['ID'] ) ); + $_post = array( 'post_id' => (string) $post['ID'] ); // Prepare common post fields. $post_fields = array( 
@@ -872,11 +918,11 @@ 'post_password' => $post['post_password'], 'post_excerpt' => $post['post_excerpt'], 'post_content' => $post['post_content'], - 'post_parent' => strval( $post['post_parent'] ), + 'post_parent' => (string) $post['post_parent'], 'post_mime_type' => $post['post_mime_type'], 'link' => get_permalink( $post['ID'] ), 'guid' => $post['guid'], - 'menu_order' => intval( $post['menu_order'] ), + 'menu_order' => (int) $post['menu_order'], 'comment_status' => $post['comment_status'], 'ping_status' => $post['ping_status'], 'sticky' => ( 'post' === $post['post_type'] && is_sticky( $post['ID'] ) ), @@ -1003,13 +1049,13 @@ /** * Prepares media item data for return in an XML-RPC object. * - * @param object $media_item The unprepared media item data. - * @param string $thumbnail_size The image size to use for the thumbnail URL. + * @param WP_Post $media_item The unprepared media item data. + * @param string $thumbnail_size The image size to use for the thumbnail URL. * @return array The prepared media item data. */ protected function _prepare_media_item( $media_item, $thumbnail_size = 'thumbnail' ) { $_media_item = array( - 'attachment_id' => strval( $media_item->ID ), + 'attachment_id' => (string) $media_item->ID, 'date_created_gmt' => $this->_convert_date_gmt( $media_item->post_date_gmt, $media_item->post_date ), 'parent' => $media_item->post_parent, 'link' => wp_get_attachment_url( $media_item->ID ), @@ -1032,9 +1078,9 @@ * * @since 3.4.0 * - * @param array $_media_item An array of media item data. - * @param object $media_item Media item object. - * @param string $thumbnail_size Image size. + * @param array $_media_item An array of media item data. + * @param WP_Post $media_item Media item object. + * @param string $thumbnail_size Image size. */ return apply_filters( 'xmlrpc_prepare_media_item', $_media_item, $media_item, $thumbnail_size ); } 
@@ -1042,7 +1088,7 @@ /** * Prepares page data for return in an XML-RPC object. * - * @param object $page The unprepared page data. + * @param WP_Post $page The unprepared page data. * @return array The prepared page data. */ protected function _prepare_page( $page ) { @@ -1122,7 +1168,7 @@ /** * Prepares comment data for return in an XML-RPC object. * - * @param object $comment The unprepared comment data. + * @param WP_Comment $comment The unprepared comment data. * @return array The prepared comment data. */ protected function _prepare_comment( $comment ) { @@ -1174,7 +1220,7 @@ * @return array The prepared user data. */ protected function _prepare_user( $user, $fields ) { - $_user = array( 'user_id' => strval( $user->ID ) ); + $_user = array( 'user_id' => (string) $user->ID ); $user_fields = array( 'username' => $user->user_login, @@ -1294,7 +1340,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.newPost' ); + do_action( 'xmlrpc_call', 'wp.newPost', $args, $this ); unset( $content_struct['ID'] ); @@ -1307,6 +1353,7 @@ * @since 3.4.0 * * @param int $count Number to compare to one. + * @return bool True if the number is greater than one, false otherwise. */ private function _is_greater_than_one( $count ) { return $count > 1; @@ -1646,7 +1693,7 @@ } } - return strval( $post_ID ); + return (string) $post_ID; } /** @@ -1686,7 +1733,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.editPost' ); + do_action( 'xmlrpc_call', 'wp.editPost', $args, $this ); $post = get_post( $post_id, ARRAY_A ); @@ -1769,7 +1816,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.deletePost' ); + do_action( 'xmlrpc_call', 'wp.deletePost', $args, $this ); $post = get_post( $post_id, ARRAY_A ); if ( empty( $post['ID'] ) ) { 
@@ -1869,7 +1916,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getPost' ); + do_action( 'xmlrpc_call', 'wp.getPost', $args, $this ); $post = get_post( $post_id, ARRAY_A ); @@ -1930,7 +1977,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getPosts' ); + do_action( 'xmlrpc_call', 'wp.getPosts', $args, $this ); $query = array(); @@ -2029,7 +2076,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.newTerm' ); + do_action( 'xmlrpc_call', 'wp.newTerm', $args, $this ); if ( ! taxonomy_exists( $content_struct['taxonomy'] ) ) { return new IXR_Error( 403, __( 'Invalid taxonomy.' ) ); @@ -2093,7 +2140,7 @@ $this->set_term_custom_fields( $term['term_id'], $content_struct['custom_fields'] ); } - return strval( $term['term_id'] ); + return (string) $term['term_id']; } /** @@ -2134,7 +2181,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.editTerm' ); + do_action( 'xmlrpc_call', 'wp.editTerm', $args, $this ); if ( ! taxonomy_exists( $content_struct['taxonomy'] ) ) { return new IXR_Error( 403, __( 'Invalid taxonomy.' ) ); @@ -2230,7 +2277,7 @@ * @type string $taxnomy_name Taxonomy name. * @type int $term_id Term ID. * } - * @return bool|IXR_Error True on success, IXR_Error instance on failure. + * @return true|IXR_Error True on success, IXR_Error instance on failure. */ public function wp_deleteTerm( $args ) { if ( ! $this->minimum_args( $args, 5 ) ) { @@ -2250,7 +2297,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.deleteTerm' ); + do_action( 'xmlrpc_call', 'wp.deleteTerm', $args, $this ); if ( ! taxonomy_exists( $taxonomy ) ) { return new IXR_Error( 403, __( 'Invalid taxonomy.' ) ); 
@@ -2329,7 +2376,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getTerm' ); + do_action( 'xmlrpc_call', 'wp.getTerm', $args, $this ); if ( ! taxonomy_exists( $taxonomy ) ) { return new IXR_Error( 403, __( 'Invalid taxonomy.' ) ); @@ -2394,7 +2441,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getTerms' ); + do_action( 'xmlrpc_call', 'wp.getTerms', $args, $this ); if ( ! taxonomy_exists( $taxonomy ) ) { return new IXR_Error( 403, __( 'Invalid taxonomy.' ) ); @@ -2500,7 +2547,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getTaxonomy' ); + do_action( 'xmlrpc_call', 'wp.getTaxonomy', $args, $this ); if ( ! taxonomy_exists( $taxonomy ) ) { return new IXR_Error( 403, __( 'Invalid taxonomy.' ) ); @@ -2558,7 +2605,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getTaxonomies' ); + do_action( 'xmlrpc_call', 'wp.getTaxonomies', $args, $this ); $taxonomies = get_taxonomies( $filter, 'objects' ); @@ -2644,7 +2691,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getUser' ); + do_action( 'xmlrpc_call', 'wp.getUser', $args, $this ); if ( ! current_user_can( 'edit_user', $user_id ) ) { return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this user.' ) ); @@ -2707,7 +2754,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getUsers' ); + do_action( 'xmlrpc_call', 'wp.getUsers', $args, $this ); if ( ! current_user_can( 'list_users' ) ) { return new IXR_Error( 401, __( 'Sorry, you are not allowed to list users.' ) ); 
@@ -2787,7 +2834,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getProfile' ); + do_action( 'xmlrpc_call', 'wp.getProfile', $args, $this ); if ( ! current_user_can( 'edit_user', $user->ID ) ) { return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit your profile.' ) ); @@ -2837,7 +2884,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.editProfile' ); + do_action( 'xmlrpc_call', 'wp.editProfile', $args, $this ); if ( ! current_user_can( 'edit_user', $user->ID ) ) { return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit your profile.' ) ); @@ -2926,7 +2973,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getPage' ); + do_action( 'xmlrpc_call', 'wp.getPage', $args, $this ); // If we found the page then format the data. if ( $page->ID && ( 'page' === $page->post_type ) ) { @@ -2969,7 +3016,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getPages' ); + do_action( 'xmlrpc_call', 'wp.getPages', $args, $this ); $pages = get_posts( array( @@ -3024,7 +3071,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.newPage' ); + do_action( 'xmlrpc_call', 'wp.newPage', $args, $this ); // Mark this as content for a page. $args[3]['post_type'] = 'page'; @@ -3061,7 +3108,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.deletePage' ); + do_action( 'xmlrpc_call', 'wp.deletePage', $args, $this ); // Get the current page based on the 'page_id' and // make sure it is a page and not a post. 
@@ -3128,7 +3175,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.editPage' ); + do_action( 'xmlrpc_call', 'wp.editPage', $args, $this ); // Get the page data and make sure it is a page. $actual_page = get_post( $page_id, ARRAY_A ); @@ -3191,7 +3238,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getPageList' ); + do_action( 'xmlrpc_call', 'wp.getPageList', $args, $this ); // Get list of page IDs and titles. $page_list = $wpdb->get_results( @@ -3252,7 +3299,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getAuthors' ); + do_action( 'xmlrpc_call', 'wp.getAuthors', $args, $this ); $authors = array(); foreach ( get_users( array( 'fields' => array( 'ID', 'user_login', 'display_name' ) ) ) as $user ) { @@ -3296,7 +3343,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getKeywords' ); + do_action( 'xmlrpc_call', 'wp.getKeywords', $args, $this ); $tags = array(); @@ -3346,7 +3393,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.newCategory' ); + do_action( 'xmlrpc_call', 'wp.newCategory', $args, $this ); // Make sure the user is allowed to add a category. if ( ! current_user_can( 'manage_categories' ) ) { @@ -3429,7 +3476,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.deleteCategory' ); + do_action( 'xmlrpc_call', 'wp.deleteCategory', $args, $this ); if ( ! current_user_can( 'delete_term', $category_id ) ) { return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete this category.' ) ); 
@@ -3486,7 +3533,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.suggestCategories' ); + do_action( 'xmlrpc_call', 'wp.suggestCategories', $args, $this ); $category_suggestions = array(); $args = array( @@ -3532,7 +3579,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getComment' ); + do_action( 'xmlrpc_call', 'wp.getComment', $args, $this ); $comment = get_comment( $comment_id ); if ( ! $comment ) { @@ -3585,7 +3632,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getComments' ); + do_action( 'xmlrpc_call', 'wp.getComments', $args, $this ); if ( isset( $struct['status'] ) ) { $status = $struct['status']; @@ -3680,7 +3727,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.deleteComment' ); + do_action( 'xmlrpc_call', 'wp.deleteComment', $args, $this ); $status = wp_delete_comment( $comment_ID ); @@ -3748,7 +3795,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.editComment' ); + do_action( 'xmlrpc_call', 'wp.editComment', $args, $this ); $comment = array( 'comment_ID' => $comment_ID, ); 
@@ -3875,13 +3922,24 @@ return new IXR_Error( 403, __( 'Sorry, comments are closed for this item.' ) ); } - if ( empty( $content_struct['content'] ) ) { - return new IXR_Error( 403, __( 'Comment is required.' ) ); + if ( + 'publish' === get_post_status( $post_id ) && + ! current_user_can( 'edit_post', $post_id ) && + post_password_required( $post_id ) + ) { + return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) ); + } + + if ( + 'private' === get_post_status( $post_id ) && + ! current_user_can( 'read_post', $post_id ) + ) { + return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) ); } $comment = array( 'comment_post_ID' => $post_id, - 'comment_content' => $content_struct['content'], + 'comment_content' => trim( $content_struct['content'] ), ); if ( $logged_in ) { @@ -3912,7 +3970,7 @@ $comment['user_ID'] = 0; if ( get_option( 'require_name_email' ) ) { - if ( strlen( $comment['comment_author_email'] < 6 ) || '' === $comment['comment_author'] ) { + if ( strlen( $comment['comment_author_email'] ) < 6 || '' === $comment['comment_author'] ) { return new IXR_Error( 403, __( 'Comment author name and email are required.' ) ); } elseif ( ! is_email( $comment['comment_author_email'] ) ) { return new IXR_Error( 403, __( 'A valid email address is required.' ) ); 
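Review bot: `trim( $content_struct['content'] )` now runs on the request value with no existence check, because the `empty( $content_struct['content'] )` guard that used to precede it is removed in this hunk. A request without a `content` member reaches `trim()` directly; `'comment_content' => isset( $content_struct['content'] ) ? trim( $content_struct['content'] ) : '',` keeps the later `allow_empty_comment` check working on a string, and a non-string member would still need its own type check. Separately, the two new status checks cover only `publish` and `private`. If other statuses are rejected earlier in the method, which starts outside this hunk, a short comment saying so would help the next reader.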
@@ -3922,8 +3980,15 @@ $comment['comment_parent'] = isset( $content_struct['comment_parent'] ) ? absint( $content_struct['comment_parent'] ) : 0; + /** This filter is documented in wp-includes/comment.php */ + $allow_empty = apply_filters( 'allow_empty_comment', false, $comment ); + + if ( ! $allow_empty && '' === $comment['comment_content'] ) { + return new IXR_Error( 403, __( 'Comment is required.' ) ); + } + /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.newComment' ); + do_action( 'xmlrpc_call', 'wp.newComment', $args, $this ); $comment_ID = wp_new_comment( $comment, true ); if ( is_wp_error( $comment_ID ) ) { @@ -3977,7 +4042,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getCommentStatusList' ); + do_action( 'xmlrpc_call', 'wp.getCommentStatusList', $args, $this ); return get_comment_statuses(); } @@ -4019,7 +4084,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getCommentCount' ); + do_action( 'xmlrpc_call', 'wp.getCommentCount', $args, $this ); $count = wp_count_comments( $post_id ); @@ -4061,7 +4126,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getPostStatusList' ); + do_action( 'xmlrpc_call', 'wp.getPostStatusList', $args, $this ); return get_post_statuses(); } @@ -4096,7 +4161,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getPageStatusList' ); + do_action( 'xmlrpc_call', 'wp.getPageStatusList', $args, $this ); return get_page_statuses(); } 
@@ -4289,10 +4354,10 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getMediaItem' ); + do_action( 'xmlrpc_call', 'wp.getMediaItem', $args, $this ); $attachment = get_post( $attachment_id ); - if ( ! $attachment ) { + if ( ! $attachment || 'attachment' !== $attachment->post_type ) { return new IXR_Error( 404, __( 'Invalid attachment ID.' ) ); } @@ -4342,7 +4407,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getMediaLibrary' ); + do_action( 'xmlrpc_call', 'wp.getMediaLibrary', $args, $this ); $parent_id = ( isset( $struct['parent_id'] ) ) ? absint( $struct['parent_id'] ) : ''; $mime_type = ( isset( $struct['mime_type'] ) ) ? $struct['mime_type'] : ''; @@ -4398,7 +4463,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getPostFormats' ); + do_action( 'xmlrpc_call', 'wp.getPostFormats', $args, $this ); $formats = get_post_format_strings(); @@ -4478,7 +4543,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getPostType' ); + do_action( 'xmlrpc_call', 'wp.getPostType', $args, $this ); if ( ! post_type_exists( $post_type_name ) ) { return new IXR_Error( 403, __( 'Invalid post type.' ) ); @@ -4535,7 +4600,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getPostTypes' ); + do_action( 'xmlrpc_call', 'wp.getPostTypes', $args, $this ); $post_types = get_post_types( $filter, 'objects' ); @@ -4605,7 +4670,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.getRevisions' ); + do_action( 'xmlrpc_call', 'wp.getRevisions', $args, $this ); $post = get_post( $post_id ); if ( ! $post ) { 
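Review bot: The added `'attachment' !== $attachment->post_type` test carries no comment, although it is the security-relevant part of this hunk: without it the method would presumably go on to prepare and return whatever post the supplied ID resolves to. A one-line comment above the condition, e.g. `// Only attachments may be returned; any other post type is treated as an invalid ID.`, would keep the check from being dropped as redundant later. The enclosing method starts and ends outside the hunk.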
@@ -4679,7 +4744,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'wp.restoreRevision' ); + do_action( 'xmlrpc_call', 'wp.restoreRevision', $args, $this ); $revision = wp_get_post_revision( $revision_id ); if ( ! $revision ) { @@ -4750,7 +4815,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'blogger.getUsersBlogs' ); + do_action( 'xmlrpc_call', 'blogger.getUsersBlogs', $args, $this ); $is_admin = current_user_can( 'manage_options' ); @@ -4836,7 +4901,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'blogger.getUserInfo' ); + do_action( 'xmlrpc_call', 'blogger.getUserInfo', $args, $this ); $struct = array( 'nickname' => $user->nickname, @@ -4886,7 +4951,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'blogger.getPost' ); + do_action( 'xmlrpc_call', 'blogger.getPost', $args, $this ); $categories = implode( ',', wp_get_post_categories( $post_ID ) ); @@ -4943,7 +5008,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'blogger.getRecentPosts' ); + do_action( 'xmlrpc_call', 'blogger.getRecentPosts', $args, $this ); $posts_list = wp_get_recent_posts( $query ); @@ -5033,7 +5098,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'blogger.newPost' ); + do_action( 'xmlrpc_call', 'blogger.newPost', $args, $this ); $cap = ( $publish ) ? 'publish_posts' : 'edit_posts'; if ( ! current_user_can( get_post_type_object( 'post' )->cap->create_posts ) || ! current_user_can( $cap ) ) { 
@@ -5110,7 +5175,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'blogger.editPost' ); + do_action( 'xmlrpc_call', 'blogger.editPost', $args, $this ); $actual_post = get_post( $post_ID, ARRAY_A ); @@ -5184,7 +5249,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'blogger.deletePost' ); + do_action( 'xmlrpc_call', 'blogger.deletePost', $args, $this ); $actual_post = get_post( $post_ID, ARRAY_A ); @@ -5272,7 +5337,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'metaWeblog.newPost' ); + do_action( 'xmlrpc_call', 'metaWeblog.newPost', $args, $this ); $page_template = ''; if ( ! empty( $content_struct['post_type'] ) ) { @@ -5565,7 +5630,7 @@ */ do_action( 'xmlrpc_call_success_mw_newPost', $post_ID, $args ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.NotLowercase - return strval( $post_ID ); + return (string) $post_ID; } /** @@ -5573,8 +5638,8 @@ * * @since 2.8.0 * - * @param integer $post_ID Post ID. - * @param array $enclosure Enclosure data. + * @param int $post_ID Post ID. + * @param array $enclosure Enclosure data. */ public function add_enclosure_if_new( $post_ID, $enclosure ) { if ( is_array( $enclosure ) && isset( $enclosure['url'] ) && isset( $enclosure['length'] ) && isset( $enclosure['type'] ) ) { @@ -5634,7 +5699,7 @@ * @type array $content_struct * @type int $publish * } - * @return bool|IXR_Error True on success. + * @return true|IXR_Error True on success. */ public function mw_editPost( $args ) { $this->escape( $args ); @@ -5651,7 +5716,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'metaWeblog.editPost' ); + do_action( 'xmlrpc_call', 'metaWeblog.editPost', $args, $this ); $postdata = get_post( $post_ID, ARRAY_A ); 
@@ -5989,7 +6054,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'metaWeblog.getPost' ); + do_action( 'xmlrpc_call', 'metaWeblog.getPost', $args, $this ); if ( '' !== $postdata['post_date'] ) { $post_date = $this->_convert_date( $postdata['post_date'] ); @@ -6130,7 +6195,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'metaWeblog.getRecentPosts' ); + do_action( 'xmlrpc_call', 'metaWeblog.getRecentPosts', $args, $this ); $posts_list = wp_get_recent_posts( $query ); @@ -6251,7 +6316,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'metaWeblog.getCategories' ); + do_action( 'xmlrpc_call', 'metaWeblog.getCategories', $args, $this ); $categories_struct = array(); @@ -6312,7 +6377,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'metaWeblog.newMediaObject' ); + do_action( 'xmlrpc_call', 'metaWeblog.newMediaObject', $args, $this ); if ( ! current_user_can( 'upload_files' ) ) { $this->error = new IXR_Error( 401, __( 'Sorry, you are not allowed to upload files.' ) ); @@ -6431,7 +6496,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'mt.getRecentPostTitles' ); + do_action( 'xmlrpc_call', 'mt.getRecentPostTitles', $args, $this ); $posts_list = wp_get_recent_posts( $query ); @@ -6493,7 +6558,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'mt.getCategoryList' ); + do_action( 'xmlrpc_call', 'mt.getCategoryList', $args, $this ); $categories_struct = array(); 
@@ -6551,10 +6616,10 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'mt.getPostCategories' ); + do_action( 'xmlrpc_call', 'mt.getPostCategories', $args, $this ); $categories = array(); - $catids = wp_get_post_categories( intval( $post_ID ) ); + $catids = wp_get_post_categories( (int) $post_ID ); // First listed category will be the primary category. $isPrimary = true; foreach ( $catids as $catid ) { @@ -6598,7 +6663,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'mt.setPostCategories' ); + do_action( 'xmlrpc_call', 'mt.setPostCategories', $args, $this ); if ( ! get_post( $post_ID ) ) { return new IXR_Error( 404, __( 'Invalid post ID.' ) ); @@ -6627,7 +6692,7 @@ */ public function mt_supportedMethods() { /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'mt.supportedMethods' ); + do_action( 'xmlrpc_call', 'mt.supportedMethods', array(), $this ); return array_keys( $this->methods ); } @@ -6639,7 +6704,7 @@ */ public function mt_supportedTextFilters() { /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'mt.supportedTextFilters' ); + do_action( 'xmlrpc_call', 'mt.supportedTextFilters', array(), $this ); /** * Filters the MoveableType text filters list for XML-RPC. @@ -6665,7 +6730,7 @@ global $wpdb; /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'mt.getTrackbackPings' ); + do_action( 'xmlrpc_call', 'mt.getTrackbackPings', $post_ID, $this ); $actual_post = get_post( $post_ID, ARRAY_A ); @@ -6722,7 +6787,7 @@ } /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'mt.publishPost' ); + do_action( 'xmlrpc_call', 'mt.publishPost', $args, $this ); $postdata = get_post( $post_ID, ARRAY_A ); if ( ! $postdata ) { 
@@ -6764,7 +6829,7 @@ global $wpdb; /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'pingback.ping' ); + do_action( 'xmlrpc_call', 'pingback.ping', $args, $this ); $this->escape( $args ); @@ -6811,7 +6876,7 @@ $post_ID = (int) $blah[1]; } elseif ( isset( $urltest['fragment'] ) ) { // An #anchor is there, it's either... - if ( intval( $urltest['fragment'] ) ) { + if ( (int) $urltest['fragment'] ) { // ...an integer #XXXX (simplest case), $post_ID = (int) $urltest['fragment']; } elseif ( preg_match( '/post-[0-9]+/', $urltest['fragment'] ) ) { @@ -7003,7 +7068,7 @@ global $wpdb; /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ - do_action( 'xmlrpc_call', 'pingback.extensions.getPingbacks' ); + do_action( 'xmlrpc_call', 'pingback.extensions.getPingbacks', $url, $this ); $url = $this->escape( $url );
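Review bot: `pingback.ping` fires `xmlrpc_call` with `$args` one statement before `$this->escape( $args )` runs, so listeners receive the raw request values although the hook's docblock describes `$args` as the escaped arguments. The `pingback.extensions.getPingbacks` hunk at the end of this line does the same with `$url`, and the `mt.getTrackbackPings` hunk passes a bare `$post_ID` where the docblock promises `array|string`. Since the `xmlrpc_enabled` docblock on this page says pingbacks do not require authentication, these values come from any remote caller. Either move the `do_action()` below the escape call or mark the exception at each site, e.g. `// Note: passed to listeners unescaped.` Both pingback methods continue outside their hunks.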