From 08b6aa116e6c74a92fe033269efb82f7f4f4b447 Mon Sep 17 00:00:00 2001
From: ryan
Date: Mon, 27 Jun 2011 20:47:04 +0000
Subject: [PATCH] Sanitize sort_column and sort_order in get_pages(). Escape search_term in WP_User_Search. Cast blog_id to int in get_blog_prefix(). Props duck_

git-svn-id: http://svn.automattic.com/wordpress/trunk@18350 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/deprecated.php | 6 +++---
 wp-includes/post.php | 37 ++++++++++++++++++++++++++++++++
 wp-includes/wp-db.php | 1 +
 3 files changed, 41 insertions(+), 3 deletions(-)
diff --git a/wp-admin/includes/deprecated.php b/wp-admin/includes/deprecated.php
index 412629f162..3e02dbc2e9 100644
--- a/wp-admin/includes/deprecated.php
+++ b/wp-admin/includes/deprecated.php
@@ -454,7 +454,7 @@ class WP_User_Search {
 function WP_User_Search ($search_term = '', $page = '', $role = '') {
 _deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' );
 
- $this->search_term = $search_term;
+ $this->search_term = stripslashes( $search_term );
 $this->raw_page = ( '' == $page ) ? false : (int) $page;
 $this->page = (int) ( '' == $page ) ? 1 : $page;
 $this->role = $role;
@@ -485,7 +485,7 @@ class WP_User_Search {
 $searches = array();
 $search_sql = 'AND (';
 foreach ( array('user_login', 'user_nicename', 'user_email', 'user_url', 'display_name') as $col )
- $searches[] = $col . " LIKE '%$this->search_term%'";
+ $searches[] = $wpdb->prepare( $col . ' LIKE %s', '%' . like_escape($this->search_term) . '%' );
 $search_sql .= implode(' OR ', $searches);
 $search_sql .= ')';
 }
@@ -700,4 +700,4 @@ function get_others_pending($user_id) {
 function wp_dashboard_quick_press_output() {
 _deprecated_function( __FUNCTION__, '3.2', 'wp_dashboard_quick_press()' );
 wp_dashboard_quick_press();
-}
\ No newline at end of file
+}
diff --git a/wp-includes/post.php b/wp-includes/post.php
index 8d82cc6bb6..2525724e8e 100644
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
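Review bot: The context line `$this->page = (int) ( '' == $page ) ? 1 : $page;` casts the comparison result rather than `$page`, so when a page number is supplied `$this->page` keeps the raw, uncast value while `$this->raw_page` on the line above is cast; the intended form is `$this->page = ( '' == $page ) ? 1 : (int) $page;`. The constructor's body continues outside the hunk, so I cannot see where `$this->page` is consumed; if it ends up in a query, the cast matters as much as the added handling of `search_term`. Since the commit is already hardening this class, this one-line fix belongs with it.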
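Review bot: The new `$wpdb->prepare(...)` line introduces a dependency on `$wpdb` that the removed string-built LIKE did not have, and the hunk does not show a `global $wpdb;` in the enclosing method, whose start is outside the hunk; please confirm it is in scope, since a missing global would fail at runtime rather than fall back to the old behaviour. The escaping itself is sound: the `%` wildcards are appended outside `like_escape()`, so only the user's own `%`/`_` are neutralised, and `prepare()` quotes and escapes the whole literal. A comment such as `// like_escape() neutralises user-supplied %/_ wildcards; prepare() quotes the literal. $col is safe to concatenate only because it comes from the fixed list above.` would record both the intent and the reason the column name may be concatenated.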
@@ -3448,6 +3448,43 @@ function &get_pages($args = '') {
 $where_post_type = $wpdb->prepare( "post_type = %s AND post_status IN ('$post_status')", $post_type );
 }
 
+ $orderby_array = array();
+ $allowed_keys = array('author', 'post_author', 'date', 'post_date', 'title', 'post_title', 'modified',
+ 'post_modified', 'modified_gmt', 'post_modified_gmt', 'menu_order', 'parent', 'post_parent',
+ 'ID', 'rand', 'comment_count');
+ foreach ( explode( ',', $sort_column ) as $orderby ) {
+ $orderby = trim( $orderby );
+ if ( !in_array( $orderby, $allowed_keys ) )
+ continue;
+
+ switch ( $orderby ) {
+ case 'menu_order':
+ break;
+ case 'ID':
+ $orderby = "$wpdb->posts.ID";
+ break;
+ case 'rand':
+ $orderby = 'RAND()';
+ break;
+ case 'comment_count':
+ $orderby = "$wpdb->posts.comment_count";
+ break;
+ default:
+ if ( 0 === strpos( $orderby, 'post_' ) )
+ $orderby = "$wpdb->posts." . $orderby;
+ else
+ $orderby = "$wpdb->posts.post_" . $orderby;
+ }
+
+ $orderby_array[] = $orderby;
+
+ }
+ $sort_column = ! empty( $orderby_array ) ? implode( ',', $orderby_array ) : "$wpdb->posts.post_title";
+
+ $sort_order = strtoupper( $sort_order );
+ if ( '' !== $sort_order && !in_array( $sort_order, array( 'ASC', 'DESC' ) ) )
+ $sort_order = 'ASC';
+
 $query = "SELECT * FROM $wpdb->posts $join WHERE ($where_post_type) $where ";
 $query .= $author_query;
 $query .= " ORDER BY " . $sort_column . " " . $sort_order ;
diff --git a/wp-includes/wp-db.php b/wp-includes/wp-db.php
index bc9dc9b81c..0cae3e638e 100644
--- a/wp-includes/wp-db.php
+++ b/wp-includes/wp-db.php
@@ -626,6 +626,7 @@ class wpdb {
 if ( is_multisite() ) {
 if ( null === $blog_id )
 $blog_id = $this->blogid;
+ $blog_id = (int) $blog_id;
 if ( defined( 'MULTISITE' ) && ( 0 == $blog_id || 1 == $blog_id ) )
 return $this->base_prefix;
 else
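Review bot: Both new allow-list checks use loose `in_array()`; `if ( !in_array( $orderby, $allowed_keys, true ) )` and `if ( '' !== $sort_order && !in_array( $sort_order, array( 'ASC', 'DESC' ), true ) )` compare by identity, so the allow-list does not depend on PHP's loose string comparison should the upstream handling of `$sort_column` and `$sort_order` (outside the hunk) ever hand in something other than a plain string. The fallback behaviour is also undocumented: unknown or differently-cased keys such as `id` are dropped silently by the `continue`, and a fully rejected list falls back to `post_title`, so a comment above the `foreach` along the lines of `// Only allow-listed sort keys reach ORDER BY; anything else is dropped, and post_title is used if nothing remains.` would explain to callers why a sort was ignored. With several columns, `$sort_order` is appended once after the joined list and therefore applies only to the last column; that is pre-existing, but the same comment is the place to say it. get_pages() begins and ends outside this hunk.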
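Review bot: The added `$blog_id = (int) $blog_id;` sits inside the `is_multisite()` branch after the `null` default, so only that path is guaranteed an integer; if the code below the hunk also uses `$blog_id` on the non-multisite path (the rest of the method is outside my view), moving the same line to just before `if ( is_multisite() ) {` covers every path at no extra cost. Now that the value is an int, the loose comparison on the next line can be `if ( defined( 'MULTISITE' ) && ( 0 === $blog_id || 1 === $blog_id ) )`. A short comment such as `// Force int: the id presumably becomes part of a table prefix, so it must never carry arbitrary characters` would record why the cast exists, since at present only the commit message says so.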