Description: Heartbeat: Ensure post locks are released.
 Prevent an attacker from locking a post so that it cannot be edited
 CVE-2015-5731
Author: ocean90@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/33542
Applied-Upstream: changeset 33542
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2015-08-05
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/wp-admin/includes/post.php
+++ b/wp-admin/includes/post.php
@@ -1317,7 +1317,7 @@
 		// Allow plugins to prevent some users overriding the post lock
 		if ( $override ) {
 			?>
-			<a class="button button-primary wp-tab-last" href="<?php echo esc_url( add_query_arg( 'get-post-lock', '1', get_edit_post_link( $post->ID, 'url' ) ) ); ?>"><?php _e('Take over'); ?></a>
+			<a class="button button-primary wp-tab-last" href="<?php echo esc_url( add_query_arg( 'get-post-lock', '1', wp_nonce_url( get_edit_post_link( $post->ID, 'url' ), 'lock-post_' . $post->ID ) ) ); ?>"><?php _e('Take over'); ?></a>
 			<?php
 		}
 
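Review bot: The nonce action `'lock-post_' . $post->ID` on the new anchor line is a bare string that must stay byte-identical to the action checked in wp-admin/post.php; nothing in the template marks that coupling, so a comment above the link would help: `// Nonce action must match the check_admin_referer() call in wp-admin/post.php (get-post-lock handler).` The line is also long enough that building the URL before the `?>` — `$take_over_url = esc_url( add_query_arg( 'get-post-lock', '1', wp_nonce_url( get_edit_post_link( $post->ID, 'url' ), 'lock-post_' . $post->ID ) ) );` — and echoing `$take_over_url` in the `href` would make the nesting readable. The enclosing function starts and ends outside the hunk.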
--- a/wp-admin/post.php
+++ b/wp-admin/post.php
@@ -146,6 +146,7 @@
 		wp_die( __( 'You can&#8217;t edit this item because it is in the Trash. Please restore it and try again.' ) );
 
 	if ( ! empty( $_GET['get-post-lock'] ) ) {
+		check_admin_referer( 'lock-post_' . $post_id );
 		wp_set_post_lock( $post_id );
 		wp_redirect( get_edit_post_link( $post_id, 'url' ) );
 		exit();
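Review bot: The added `check_admin_referer()` verifies intent only, not authorization; the capability check that the current user may edit this post (`current_user_can( 'edit_post', $post_id )`) is presumably done earlier in this action, outside the hunk, and should be confirmed since the nonce alone does not establish it. A short comment above the call would document the pairing: `// Verifies the nonce added to the 'Take over' link in wp-admin/includes/post.php.` The guard `! empty( $_GET['get-post-lock'] )` accepts any truthy value rather than the `'1'` the link sends, which is existing behaviour but worth noting. The enclosing block starts outside the hunk.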
