Description: CVE-2015-5623 check perms on auto-draft
 Capabilities: When creating an auto-draft, ensure that the current user
 still has permission to do so.
Author: pento@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/33357
Applied-Upstream: 4.2.3
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2015-07-28
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/wp-admin/includes/dashboard.php
+++ b/wp-admin/includes/dashboard.php
@@ -416,6 +416,10 @@
 function wp_dashboard_quick_press( $error_msg = false ) {
 	global $post_ID;
 
+	if ( ! current_user_can( 'edit_posts' ) ) {
+		return;
+	}
+
 	/* Check if a new auto-draft (= no new post_ID) is needed or if the old can be used */
 	$last_post_id = (int) get_user_option( 'dashboard_quick_press_last_post_id' ); // Get the last post_ID
 	if ( $last_post_id ) {
--- a/wp-admin/post.php
+++ b/wp-admin/post.php
@@ -113,8 +113,9 @@
 	if ( ! wp_verify_nonce( $nonce, 'add-post' ) )
 		$error_msg = __( 'Unable to submit this form, please refresh and try again.' );
 
-	if ( ! current_user_can( 'edit_posts' ) )
-		$error_msg = __( 'Oops, you don&#8217;t have access to add new drafts.' );
+	if ( ! current_user_can( 'edit_posts' ) ) {
+		exit;
+	}
 
 	if ( $error_msg )
 		return wp_dashboard_quick_press( $error_msg );
--- a/wp-includes/capabilities.php
+++ b/wp-includes/capabilities.php
@@ -1117,8 +1117,10 @@
 	case 'edit_post':
 	case 'edit_page':
 		$post = get_post( $args[0] );
-		if ( empty( $post ) )
+		if ( empty( $post ) ) {
+			$caps[] = 'do_not_allow';
 			break;
+		}
 
 		if ( 'revision' == $post->post_type ) {
 			$post = get_post( $post->post_parent );
