diff --git a/wp-includes/class-wp-block-patterns-registry.php b/wp-includes/class-wp-block-patterns-registry.php
index fe85160bac..5a12515dd5 100644
--- a/wp-includes/class-wp-block-patterns-registry.php
+++ b/wp-includes/class-wp-block-patterns-registry.php
@@ -173,12 +173,21 @@ final class WP_Block_Patterns_Registry {
 } else {
 $patterns = &$this->registered_patterns;
 }
- if ( ! isset( $patterns[ $pattern_name ]['content'] ) && isset( $patterns[ $pattern_name ]['filePath'] ) ) {
+
+ $pattern_path = realpath( $patterns[ $pattern_name ]['filePath'] ?? '' );
+ if (
+ ! isset( $patterns[ $pattern_name ]['content'] ) &&
+ is_string( $pattern_path ) &&
+ ( str_ends_with( $pattern_path, '.php' ) || str_ends_with( $pattern_path, '.html' ) ) &&
+ is_file( $pattern_path ) &&
+ is_readable( $pattern_path )
+ ) {
 ob_start();
 include $patterns[ $pattern_name ]['filePath'];
 $patterns[ $pattern_name ]['content'] = ob_get_clean();
 unset( $patterns[ $pattern_name ]['filePath'] );
 }
+
 return $patterns[ $pattern_name ]['content'];
 }
diff --git a/wp-includes/class-wp-http-ixr-client.php b/wp-includes/class-wp-http-ixr-client.php
index d4f7936cca..f8b0b144f8 100644
--- a/wp-includes/class-wp-http-ixr-client.php
+++ b/wp-includes/class-wp-http-ixr-client.php
@@ -89,7 +89,7 @@ class WP_HTTP_IXR_Client extends IXR_Client {
 echo '
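Review bot: The new condition validates the canonical `$pattern_path`, but the unchanged `include $patterns[ $pattern_name ]['filePath'];` inside the branch still loads the raw, unresolved value, so the path that was checked is not necessarily the path that runs. `realpath()` resolves a relative value against the working directory while `include` also consults `include_path`, and a symlink can change between the check and the include. Including the checked value closes that gap: `include $pattern_path;`. Separately, when the check rejects the path and no `content` is set, the final `return` reads an undefined key, so a `?? ''` fallback may be wanted there. The enclosing method begins above the hunk.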
' . htmlspecialchars( $xml ) . "\n\n\n";
 }
- $response = wp_safe_remote_post( $url, $args );
+ $response = wp_remote_post( $url, $args );
 if ( is_wp_error( $response ) ) {
 $errno = $response->get_error_code();
diff --git a/wp-includes/html-api/class-wp-html-tag-processor.php b/wp-includes/html-api/class-wp-html-tag-processor.php
index 9289d5d27f..733f44cc01 100644
--- a/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -5061,4 +5061,13 @@ class WP_HTML_Tag_Processor {
 * @since 6.7.0
 */
 const TEXT_IS_WHITESPACE = 'TEXT_IS_WHITESPACE';
+
+ /**
+ * Wakeup magic method.
+ *
+ * @since 6.9.2
+ */
+ public function __wakeup() {
+ throw new \LogicException( __CLASS__ . ' should never be unserialized' );
+ }
 }
diff --git a/wp-includes/template-loader.php b/wp-includes/template-loader.php
index ffd2567524..d08e461a88 100644
--- a/wp-includes/template-loader.php
+++ b/wp-includes/template-loader.php
@@ -112,7 +112,13 @@ if ( wp_using_themes() ) {
 * @param string $template The path of the template to include.
 */
 $template = apply_filters( 'template_include', $template );
- if ( $template ) {
+ $template = is_string( $template ) ? realpath( $template ) : null;
+ if (
+ is_string( $template ) &&
+ ( str_ends_with( $template, '.php' ) || str_ends_with( $template, '.html' ) ) &&
+ is_file( $template ) &&
+ is_readable( $template )
+ ) {
 /**
 * Fires immediately before including the template.
 *
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 83abed4505..c41e2898f9 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '7.0-beta3-61879';
+$wp_version = '7.0-beta3-61880';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
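Review bot: Switching the request to `wp_remote_post()` drops the `reject_unsafe_urls` filtering that `wp_safe_remote_post()` applies, and nothing in the hunk records why or what replaces it. `$url` and `$args` are built above the hunk, so it cannot be confirmed from here whether any caller passes a URL derived from remote input; if one does, loopback and private-network destinations are no longer rejected at this layer. If the relaxation is intentional, a comment at the call would fix the contract, e.g. `// Deliberately not wp_safe_remote_post(): callers must validate $url with wp_http_validate_url() first.`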
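Review bot: The docblock on the added `__wakeup()` says only "Wakeup magic method.", which does not tell a maintainer that the method exists to keep the class from being used in unserialized payloads. I would replace the summary with `Rejects unserialization so the class cannot be instantiated from untrusted serialized data.` and add `@throws LogicException Always.` The class is not `final`, and on PHP 7.4+ a subclass that defines `__unserialize()` takes precedence over `__wakeup()`, so the guard holds only while no subclass adds one. Declaring the method `final` or adding a matching `__unserialize()` that throws would make that explicit.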
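Review bot: A filtered value that fails the new condition is now discarded with no diagnostic, so a plugin returning an unexpected path (another extension, a stream wrapper, a missing file) leaves no trace for whoever debugs or monitors the site. What runs in that case is below the hunk, where the `if` body continues. Keeping the pre-`realpath()` value and reporting a rejected non-empty one, for example through `_doing_it_wrong()`, would make the event visible. The `template_include` docblock in the context lines still promises only "The path of the template to include." and should state the constraint, e.g. `Must resolve to a readable local .php or .html file.` The same four-part check is repeated in class-wp-block-patterns-registry.php in this commit, so a shared helper would keep the two allowlists from drifting.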