From 5709654d4be1b61df0fbaf398060b520309dcd6f Mon Sep 17 00:00:00 2001 From: Ryan Boren Date: Wed, 26 Dec 2007 19:50:26 +0000 Subject: [PATCH] Limit post_password exposure. Props josephscott for the patch and xknown for the find. fixes #5535 for 2.4 git-svn-id: https://develop.svn.wordpress.org/trunk@6496 602fd350-edb4-49c9-b593-d223f7449a82 --- xmlrpc.php | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/xmlrpc.php b/xmlrpc.php index 731f98be41..b30b8cc153 100644 --- a/xmlrpc.php +++ b/xmlrpc.php @@ -1535,7 +1535,15 @@ class wp_xmlrpc_server extends IXR_Server { return $this->error; } + $this_user = set_current_user( 0, $user_login ); + foreach ($posts_list as $entry) { + if ( + !empty( $entry['post_password'] ) + && !current_user_can( 'edit_post', $entry['ID'] ) + ) { + unset( $entry['post_password'] ); + } $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); $post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']);