From cd3fde69bb2739279f28c20733e4579e88441c97 Mon Sep 17 00:00:00 2001 From: Scott Taylor Date: Sun, 11 Jan 2015 22:26:55 +0000 Subject: [PATCH] In `WP_oEmbed`, only allow `__call()` to run against a whitelist of methods, `$compat_methods`. See #30891. git-svn-id: https://develop.svn.wordpress.org/trunk@31148 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/class-oembed.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/wp-includes/class-oembed.php b/src/wp-includes/class-oembed.php
index a3b7e554cb..e5bc4a7627 100644
--- a/src/wp-includes/class-oembed.php
+++ b/src/wp-includes/class-oembed.php
@@ -21,6 +21,8 @@ class WP_oEmbed {
 public $providers = array();
 public static $early_providers = array();
+ private $compat_methods = array( '_fetch_with_format', '_parse_json', '_parse_xml', '_parse_body' );
+
 /**
 * Constructor
 *
@@ -170,7 +172,10 @@ class WP_oEmbed {
 * @return mixed|bool Return value of the callback, false otherwise.
 */
 public function __call( $name, $arguments ) {
- return call_user_func_array( array( $this, $name ), $arguments );
+ if ( in_array( $name, $this->compat_methods ) ) {
+ return call_user_func_array( array( $this, $name ), $arguments );
+ }
+ return false;
 }
 /**
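Review bot: The new `$compat_methods` property has no docblock, although it is the one place that decides which private methods stay callable from outside the class through `__call()`. A comment such as `/** Private methods that __call() may forward to for back-compat; adding a name here exposes that method to external callers. */` would make that consequence visible to whoever edits the list next. The class body continues outside the hunk, so the four entries could not be checked against the method definitions here.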
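Review bot: The allowlisted branch of `__call()` still dispatches through `call_user_func_array( array( $this, $name ), $arguments )` without confirming that the method is defined. Because the class itself defines `__call()`, an allowlisted name with no matching method would presumably re-enter `__call()` and recurse until the request runs out of stack or memory. The definitions of the four listed names are not visible in this diff, so each should be confirmed against the class. Guarding the condition removes that dependency and makes the membership test strict: `if ( in_array( $name, $this->compat_methods, true ) && method_exists( $this, $name ) ) {`. The silent `return false;` for a refused name is also indistinguishable from a legitimate `false` result, so a one-line comment saying that unlisted names are refused on purpose would help the next reader.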