Sanitize guid on save and display. Sanitize mime type on save. Don't allow changing mime type via edit form handlers. Protect hidden meta.
git-svn-id: http://svn.automattic.com/wordpress/branches/3.1@18018 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
9428fe6b04
commit
4c0827af14
|
@ -396,7 +396,7 @@ case 'delete-meta' :
|
|||
if ( !$meta = get_post_meta_by_id( $id ) )
|
||||
die('1');
|
||||
|
||||
if ( !current_user_can( 'edit_post', $meta->post_id ) )
|
||||
if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )
|
||||
die('-1');
|
||||
if ( delete_meta( $meta->meta_id ) )
|
||||
die('1');
|
||||
|
@ -855,6 +855,8 @@ case 'add-meta' :
|
|||
die('0'); // if meta doesn't exist
|
||||
if ( !current_user_can( 'edit_post', $meta->post_id ) )
|
||||
die('-1');
|
||||
if ( is_protected_meta( $meta->meta_key ) )
|
||||
die('-1');
|
||||
if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
|
||||
if ( !$u = update_meta( $mid, $key, $value ) )
|
||||
die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems).
|
||||
|
|
|
@ -1192,7 +1192,7 @@ function get_media_item( $attachment_id, $args = null ) {
|
|||
$toggle_on = __( 'Show' );
|
||||
$toggle_off = __( 'Hide' );
|
||||
|
||||
$filename = basename( $post->guid );
|
||||
$filename = esc_html( basename( $post->guid ) );
|
||||
$title = esc_attr( $post->post_title );
|
||||
|
||||
if ( $_tags = get_the_tags( $attachment_id ) ) {
|
||||
|
|
|
@ -138,6 +138,7 @@ function edit_post( $post_data = null ) {
|
|||
$post_ID = (int) $post_data['post_ID'];
|
||||
$post = get_post( $post_ID );
|
||||
$post_data['post_type'] = $post->post_type;
|
||||
$post_data['post_mime_type'] = $post->post_mime_type;
|
||||
|
||||
$ptype = get_post_type_object($post_data['post_type']);
|
||||
if ( !current_user_can( $ptype->cap->edit_post, $post_ID ) ) {
|
||||
|
@ -199,6 +200,8 @@ function edit_post( $post_data = null ) {
|
|||
continue;
|
||||
if ( $meta->post_id != $post_ID )
|
||||
continue;
|
||||
if ( is_protected_meta( $key ) )
|
||||
continue;
|
||||
update_meta( $key, $value['key'], $value['value'] );
|
||||
}
|
||||
}
|
||||
|
@ -209,6 +212,8 @@ function edit_post( $post_data = null ) {
|
|||
continue;
|
||||
if ( $meta->post_id != $post_ID )
|
||||
continue;
|
||||
if ( is_protected_meta( $key ) )
|
||||
continue;
|
||||
delete_meta( $key );
|
||||
}
|
||||
}
|
||||
|
@ -527,6 +532,8 @@ function wp_write_post() {
|
|||
return new WP_Error( 'edit_posts', __( 'You are not allowed to create posts or drafts on this site.' ) );
|
||||
}
|
||||
|
||||
$_POST['post_mime_type'] = '';
|
||||
|
||||
// Check for autosave collisions
|
||||
// Does this need to be updated? ~ Mark
|
||||
$temp_id = false;
|
||||
|
@ -632,8 +639,6 @@ function add_meta( $post_ID ) {
|
|||
global $wpdb;
|
||||
$post_ID = (int) $post_ID;
|
||||
|
||||
$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
|
||||
|
||||
$metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
|
||||
$metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
|
||||
$metavalue = isset($_POST['metavalue']) ? maybe_serialize( stripslashes_deep( $_POST['metavalue'] ) ) : '';
|
||||
|
@ -650,7 +655,7 @@ function add_meta( $post_ID ) {
|
|||
if ( $metakeyinput)
|
||||
$metakey = $metakeyinput; // default
|
||||
|
||||
if ( in_array($metakey, $protected) )
|
||||
if ( is_protected_meta( $metakey ) )
|
||||
return false;
|
||||
|
||||
wp_cache_delete($post_ID, 'post_meta');
|
||||
|
@ -756,11 +761,9 @@ function has_meta( $postid ) {
|
|||
function update_meta( $meta_id, $meta_key, $meta_value ) {
|
||||
global $wpdb;
|
||||
|
||||
$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
|
||||
|
||||
$meta_key = stripslashes($meta_key);
|
||||
|
||||
if ( in_array($meta_key, $protected) )
|
||||
if ( is_protected_meta( $meta_key ) )
|
||||
return false;
|
||||
|
||||
if ( '' === trim( $meta_value ) )
|
||||
|
|
|
@ -465,6 +465,10 @@ function list_meta( $meta ) {
|
|||
*/
|
||||
function _list_meta_row( $entry, &$count ) {
|
||||
static $update_nonce = false;
|
||||
|
||||
if ( is_protected_meta( $entry['meta_key'] ) )
|
||||
return;
|
||||
|
||||
if ( !$update_nonce )
|
||||
$update_nonce = wp_create_nonce( 'add-meta' );
|
||||
|
||||
|
|
|
@ -58,14 +58,14 @@ foreach ( array( 'comment_author_email', 'user_email' ) as $filter ) {
|
|||
|
||||
// Save URL
|
||||
foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
|
||||
'pre_link_rss' ) as $filter ) {
|
||||
'pre_link_rss', 'pre_post_guid' ) as $filter ) {
|
||||
add_filter( $filter, 'wp_strip_all_tags' );
|
||||
add_filter( $filter, 'esc_url_raw' );
|
||||
add_filter( $filter, 'wp_filter_kses' );
|
||||
}
|
||||
|
||||
// Display URL
|
||||
foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url' ) as $filter ) {
|
||||
foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) {
|
||||
if ( is_admin() )
|
||||
add_filter( $filter, 'wp_strip_all_tags' );
|
||||
add_filter( $filter, 'esc_url' );
|
||||
|
@ -86,6 +86,10 @@ foreach ( array( 'pre_post_status', 'pre_post_comment_status', 'pre_post_ping_st
|
|||
add_filter( $filter, 'sanitize_key' );
|
||||
}
|
||||
|
||||
// Mime types
|
||||
add_filter( 'pre_post_mime_type', 'sanitize_mime_type' );
|
||||
add_filter( 'post_mime_type', 'sanitize_mime_type' );
|
||||
|
||||
// Places to balance tags on input
|
||||
foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content' ) as $filter ) {
|
||||
add_filter( $filter, 'balanceTags', 50 );
|
||||
|
|
|
@ -2903,4 +2903,17 @@ function capital_P_dangit( $text ) {
|
|||
|
||||
}
|
||||
|
||||
/**
|
||||
* Sanitize a mime type
|
||||
*
|
||||
* @since 3.2.0
|
||||
*
|
||||
* @param string $mime_type Mime type
|
||||
* @return string Sanitized mime type
|
||||
*/
|
||||
function sanitize_mime_type( $mime_type ) {
|
||||
$sani_mime_type = preg_replace( '/[^-*.a-zA-Z0-9\/]/', '', $mime_type );
|
||||
return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
|
||||
}
|
||||
|
||||
?>
|
||||
|
|
|
@ -45,6 +45,7 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
|
|||
// expected_slashed ($meta_key)
|
||||
$meta_key = stripslashes($meta_key);
|
||||
$meta_value = stripslashes_deep($meta_value);
|
||||
$meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
|
||||
|
||||
$check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
|
||||
if ( null !== $check )
|
||||
|
@ -113,6 +114,7 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v
|
|||
// expected_slashed ($meta_key)
|
||||
$meta_key = stripslashes($meta_key);
|
||||
$meta_value = stripslashes_deep($meta_value);
|
||||
$meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
|
||||
|
||||
$check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
|
||||
if ( null !== $check )
|
||||
|
@ -488,4 +490,33 @@ function _get_meta_table($type) {
|
|||
|
||||
return $wpdb->$table_name;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether a meta key is protected
|
||||
*
|
||||
* @since 3.2.0
|
||||
*
|
||||
* @param string $meta_key Meta key
|
||||
* @return bool True if the key is protected, false otherwise.
|
||||
*/
|
||||
function is_protected_meta( $meta_key, $meta_type = null ) {
|
||||
$protected = ( '_' == $meta_key[0] );
|
||||
|
||||
return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
|
||||
}
|
||||
|
||||
/**
|
||||
* Sanitize meta value
|
||||
*
|
||||
* @since 3.2.0
|
||||
*
|
||||
* @param string $meta_key Meta key
|
||||
* @param mixed $meta_value Meta value to sanitize
|
||||
* @param string $meta_type Type of meta
|
||||
* @return mixed Sanitized $meta_value
|
||||
*/
|
||||
function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) {
|
||||
return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );
|
||||
}
|
||||
|
||||
?>
|
||||
|
|
|
@ -1435,7 +1435,7 @@ function get_header_image() {
|
|||
else
|
||||
$url = str_replace( 'https://', 'http://', $url );
|
||||
|
||||
return $url;
|
||||
return esc_url_raw( $url );
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
Loading…
Reference in New Issue