From f57be206f76748cdb226dfacc2687480d7a9b0f4 Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Wed, 12 Jul 2017 22:50:57 +0000
Subject: [PATCH] REST API: Remove `_wpnonce` value from being used in hashed oEmbed proxy cache key. Amends [40628]. Props r-a-y, westonruter. See #40450. Fixes #41048.
git-svn-id: https://develop.svn.wordpress.org/trunk@41035 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/class-wp-oembed-controller.php | 1 +
 tests/phpunit/tests/oembed/controller.php | 15 ++++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/wp-includes/class-wp-oembed-controller.php b/src/wp-includes/class-wp-oembed-controller.php
index d825c415d2..e6dae0670d 100644
--- a/src/wp-includes/class-wp-oembed-controller.php
+++ b/src/wp-includes/class-wp-oembed-controller.php
@@ -159,6 +159,7 @@ final class WP_oEmbed_Controller {
 $args = $request->get_params();
 // Serve oEmbed data from cache if set.
+ unset( $args['_wpnonce'] );
 $cache_key = 'oembed_' . md5( serialize( $args ) );
 $data = get_transient( $cache_key );
 if ( ! empty( $data ) ) {
diff --git a/tests/phpunit/tests/oembed/controller.php b/tests/phpunit/tests/oembed/controller.php
index a23c799e41..ef6b42edd0 100644
--- a/tests/phpunit/tests/oembed/controller.php
+++ b/tests/phpunit/tests/oembed/controller.php
@@ -10,6 +10,7 @@ class Test_oEmbed_Controller extends WP_UnitTestCase {
 */
 protected $server;
 protected static $editor;
+ protected static $administrator;
 protected static $subscriber;
 const YOUTUBE_VIDEO_ID = 'OQSNhk5ICTI';
 const INVALID_OEMBED_URL = 'https://www.notreallyanoembedprovider.com/watch?v=awesome-cat-video';
@@ -22,6 +23,10 @@ class Test_oEmbed_Controller extends WP_UnitTestCase {
 'role' => 'editor',
 'user_email' => 'editor@example.com',
 ) );
+ self::$administrator = $factory->user->create( array(
+ 'role' => 'administrator',
+ 'user_email' => 'administrator@example.com',
+ ) );
 }
 public static function wpTearDownAfterClass() {
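Review bot: In the `class-wp-oembed-controller.php` hunk the cache key is still `md5( serialize( $args ) )` over everything `$request->get_params()` returns, so `unset( $args['_wpnonce'] )` is a one-key denylist: any other parameter a client appends, and possibly the same parameters in a different order, still produces a separate transient and presumably a separate outbound provider request. Dropping the per-user nonce from the key is right, and the same reasoning argues for keying only on the parameters that shape the response. I would hash a filtered, sorted copy, e.g. `$key_args = array_intersect_key( $args, $allowed );` followed by `ksort( $key_args );`, where `$allowed` is a placeholder for the route's registered arguments, and add a comment above the `unset()` such as `// The nonce is per-user and must not fragment the shared cache.`. The enclosing method starts and ends outside this hunk, so where the nonce is verified and how `$args` is used after the cache lookup should be confirmed before narrowing `$args` itself rather than a copy.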
@@ -477,14 +482,22 @@ class Test_oEmbed_Controller extends WP_UnitTestCase {
 public function test_proxy_with_valid_oembed_provider() {
 wp_set_current_user( self::$editor );
-
 $request = new WP_REST_Request( 'GET', '/oembed/1.0/proxy' );
 $request->set_param( 'url', 'https://www.youtube.com/watch?v=' . self::YOUTUBE_VIDEO_ID );
+ $request->set_param( '_wpnonce', wp_create_nonce( 'wp_rest' ) );
 $response = $this->server->dispatch( $request );
 $this->assertEquals( 200, $response->get_status() );
 $this->assertEquals( 1, $this->request_count );
 // Subsequent request is cached and so it should not cause a request.
+ $this->server->dispatch( $request );
+ $this->assertEquals( 1, $this->request_count );
+
+ // Rest with another user should also be cached.
+ wp_set_current_user( self::$administrator );
+ $request = new WP_REST_Request( 'GET', '/oembed/1.0/proxy' );
+ $request->set_param( 'url', 'https://www.youtube.com/watch?v=' . self::YOUTUBE_VIDEO_ID );
+ $request->set_param( '_wpnonce', wp_create_nonce( 'wp_rest' ) );
 $response = $this->server->dispatch( $request );
 $this->assertEquals( 1, $this->request_count );