Sanitize "cat" query var and cast to int before looking for a category template

git-svn-id: http://svn.automattic.com/wordpress/trunk@7586 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-04-02 13:15:21 +00:00 · 2008-04-02 13:15:21 +00:00 · 29a551d786
parent 8ca58c943e
commit 29a551d786
2 changed files with 3 additions and 2 deletions
--- a/wp-includes/query.php
+++ b/wp-includes/query.php
@ -519,6 +519,7 @@ class WP_Query {
 		$qv['day'] = (int) $qv['day'];
 		$qv['w'] = (int) $qv['w'];
 		$qv['m'] =  (int) $qv['m'];
+		$qv['cat'] = preg_replace( '|[^0-9,-]|', '', $qv['cat'] ); // comma separated list of positive or negative integers
 		if ( '' !== $qv['hour'] ) $qv['hour'] = (int) $qv['hour'];
 		if ( '' !== $qv['minute'] ) $qv['minute'] = (int) $qv['minute'];
 		if ( '' !== $qv['second'] ) $qv['second'] = (int) $qv['second'];
--- a/wp-includes/theme.php
+++ b/wp-includes/theme.php
@ -363,8 +363,8 @@ function get_author_template() {

 function get_category_template() {
 	$template = '';
-	if ( file_exists(TEMPLATEPATH . "/category-" . get_query_var('cat') . '.php') )
-		$template = TEMPLATEPATH . "/category-" . get_query_var('cat') . '.php';
+	if ( file_exists(TEMPLATEPATH . "/category-" . absint( get_query_var('cat') ) . '.php') )
+		$template = TEMPLATEPATH . "/category-" . absint( get_query_var('cat') ) . '.php';
 	elseif ( file_exists(TEMPLATEPATH . "/category.php") )
 		$template = TEMPLATEPATH . "/category.php";