authorSergey Biryukov <sergeybiryukov@git.wordpress.org>2023-05-16 15:17:59 +0000
committerSergey Biryukov <sergeybiryukov@git.wordpress.org>2023-05-16 15:17:59 +0000
commitb152eda0d9d932741efe9a0bd4d2782be11eccf1 (patch)
treece131a46c5a42ee4834364bc8b2b98145d7352a5
parent620c9f7468e9b33673db45fa1dcd26952a03ec94 (diff)
downloadwordpress-b152eda0d9d932741efe9a0bd4d2782be11eccf1.tar.gz
wordpress-b152eda0d9d932741efe9a0bd4d2782be11eccf1.zip
Grouped backports to the 4.1 branch.
- Media: Prevent CSRF setting attachment thumbnails. Merges [55764] to the 4.1 branch. Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad. git-svn-id: https://develop.svn.wordpress.org/branches/4.1@55772 602fd350-edb4-49c9-b593-d223f7449a82
-rw-r--r--package-lock.json2
-rw-r--r--package.json2
-rw-r--r--src/wp-admin/about.php22
-rw-r--r--src/wp-admin/includes/ajax-actions.php4
-rw-r--r--src/wp-includes/js/media-audiovideo.js1
-rw-r--r--src/wp-includes/media.php3
-rw-r--r--src/wp-includes/version.php2
7 files changed, 31 insertions, 5 deletions
diff --git a/package-lock.json b/package-lock.json
index ae07038c25..9a89b66d34 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
{
"name": "WordPress",
- "version": "4.1.37",
+ "version": "4.1.38",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
diff --git a/package.json b/package.json
index 6359a9db97..69441d65cb 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "WordPress",
- "version": "4.1.37",
+ "version": "4.1.38",
"description": "WordPress is web software you can use to create a beautiful website or blog.",
"repository": {
"type": "svn",
diff --git a/src/wp-admin/about.php b/src/wp-admin/about.php
index 8ad181f2b8..039e8474b4 100644
--- a/src/wp-admin/about.php
+++ b/src/wp-admin/about.php
@@ -42,7 +42,27 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
</h2>
<div class="changelog point-releases">
- <h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 37 ); ?></h3>
+ <h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 38 ); ?></h3>
+ <p>
+ <?php
+ printf(
+ /* translators: %s: WordPress version number */
+ __( '<strong>Version %s</strong> addressed one security issue.' ),
+ '4.1.38'
+ );
+ ?>
+ <?php
+ printf(
+ /* translators: %s: HelpHub URL */
+ __( 'For more information, see <a href="%s">the release notes</a>.' ),
+ sprintf(
+ /* translators: %s: WordPress version */
+ esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+ sanitize_title( '4.1.38' )
+ )
+ );
+ ?>
+ </p>
<p>
<?php
printf(
diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index 21dc7f3524..ac889a0fba 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -2011,6 +2011,10 @@ function wp_ajax_set_attachment_thumbnail() {
wp_send_json_error();
}
+ if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
+ wp_send_json_error();
+ }
+
$post_ids = array();
// For each URL, try to find its corresponding post ID.
foreach ( $_POST['urls'] as $url ) {
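Review bot: The new nonce check passes `$die = false` to `check_ajax_referer()` so that a failed verification falls through to `wp_send_json_error()` instead of the default `-1` die output, but nothing in the hunk says why, and the next maintainer may "simplify" it to the default die mode and break the JSON error path the media view expects; a one-line comment such as `// Verify the nonce ourselves so a failure is reported as JSON rather than a bare -1 response.` above the `if` would pin that intent. The check also sits after earlier `$_POST` validation (the head of `wp_ajax_set_attachment_thumbnail()` is above the hunk); this is harmless here because those branches only emit the same error, but a reviewer would normally place the referer check first so that no untrusted input is inspected before the request is authenticated. Whether per-post capability checks follow inside the `foreach` cannot be confirmed from the hunk, as the body continues below it.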
diff --git a/src/wp-includes/js/media-audiovideo.js b/src/wp-includes/js/media-audiovideo.js
index 6119ad9d76..e90299447f 100644
--- a/src/wp-includes/js/media-audiovideo.js
+++ b/src/wp-includes/js/media-audiovideo.js
@@ -588,6 +588,7 @@
wp.ajax.send( 'set-attachment-thumbnail', {
data : {
+ _ajax_nonce: wp.media.view.settings.nonce.setAttachmentThumbnail,
urls: urls,
thumbnail_id: attachment.get( 'id' )
}
diff --git a/src/wp-includes/media.php b/src/wp-includes/media.php
index 252765fafc..81e2f59b35 100644
--- a/src/wp-includes/media.php
+++ b/src/wp-includes/media.php
@@ -2862,7 +2862,8 @@ function wp_enqueue_media( $args = array() ) {
/** This filter is documented in wp-admin/includes/media.php */
'captions' => ! apply_filters( 'disable_captions', '' ),
'nonce' => array(
- 'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
+ 'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
+ 'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ),
),
'post' => array(
'id' => 0,
diff --git a/src/wp-includes/version.php b/src/wp-includes/version.php
index 8cdd5dd781..27c670e612 100644
--- a/src/wp-includes/version.php
+++ b/src/wp-includes/version.php
@@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
-$wp_version = '4.1.37-src';
+$wp_version = '4.1.38-src';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.