diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php index d2a8d4d20c..a7e0b48dd0 100644 --- a/wp-admin/admin-ajax.php +++ b/wp-admin/admin-ajax.php @@ -396,7 +396,7 @@ case 'delete-meta' : if ( !$meta = get_post_meta_by_id( $id ) ) die('1'); - if ( !current_user_can( 'edit_post', $meta->post_id ) ) + if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) ) die('-1'); if ( delete_meta( $meta->meta_id ) ) die('1'); @@ -855,6 +855,8 @@ case 'add-meta' : die('0'); // if meta doesn't exist if ( !current_user_can( 'edit_post', $meta->post_id ) ) die('-1'); + if ( is_protected_meta( $meta->meta_key ) ) + die('-1'); if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) { if ( !$u = update_meta( $mid, $key, $value ) ) die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems). diff --git a/wp-admin/includes/media.php b/wp-admin/includes/media.php index c9d603ea8f..7e27ded133 100644 --- a/wp-admin/includes/media.php +++ b/wp-admin/includes/media.php @@ -1192,7 +1192,7 @@ function get_media_item( $attachment_id, $args = null ) { $toggle_on = __( 'Show' ); $toggle_off = __( 'Hide' ); - $filename = basename( $post->guid ); + $filename = esc_html( basename( $post->guid ) ); $title = esc_attr( $post->post_title ); if ( $_tags = get_the_tags( $attachment_id ) ) { diff --git a/wp-admin/includes/post.php b/wp-admin/includes/post.php index 12cbaa0f92..93606fa5d8 100644 --- a/wp-admin/includes/post.php +++ b/wp-admin/includes/post.php @@ -138,6 +138,7 @@ function edit_post( $post_data = null ) { $post_ID = (int) $post_data['post_ID']; $post = get_post( $post_ID ); $post_data['post_type'] = $post->post_type; + $post_data['post_mime_type'] = $post->post_mime_type; $ptype = get_post_type_object($post_data['post_type']); if ( !current_user_can( $ptype->cap->edit_post, $post_ID ) ) { @@ -199,6 +200,8 @@ function edit_post( $post_data = null ) { continue; if ( $meta->post_id != $post_ID ) continue; + if ( is_protected_meta( $key ) ) + continue; update_meta( $key, $value['key'], $value['value'] ); } } @@ -209,6 +212,8 @@ function edit_post( $post_data = null ) { continue; if ( $meta->post_id != $post_ID ) continue; + if ( is_protected_meta( $key ) ) + continue; delete_meta( $key ); } } @@ -527,6 +532,8 @@ function wp_write_post() { return new WP_Error( 'edit_posts', __( 'You are not allowed to create posts or drafts on this site.' ) ); } + $_POST['post_mime_type'] = ''; + // Check for autosave collisions // Does this need to be updated? ~ Mark $temp_id = false; @@ -632,8 +639,6 @@ function add_meta( $post_ID ) { global $wpdb; $post_ID = (int) $post_ID; - $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' ); - $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : ''; $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : ''; $metavalue = isset($_POST['metavalue']) ? maybe_serialize( stripslashes_deep( $_POST['metavalue'] ) ) : ''; @@ -650,7 +655,7 @@ function add_meta( $post_ID ) { if ( $metakeyinput) $metakey = $metakeyinput; // default - if ( in_array($metakey, $protected) ) + if ( is_protected_meta( $metakey ) ) return false; wp_cache_delete($post_ID, 'post_meta'); @@ -756,11 +761,9 @@ function has_meta( $postid ) { function update_meta( $meta_id, $meta_key, $meta_value ) { global $wpdb; - $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' ); - $meta_key = stripslashes($meta_key); - if ( in_array($meta_key, $protected) ) + if ( is_protected_meta( $meta_key ) ) return false; if ( '' === trim( $meta_value ) ) diff --git a/wp-admin/includes/template.php b/wp-admin/includes/template.php index b345c36b76..2f16b3c125 100644 --- a/wp-admin/includes/template.php +++ b/wp-admin/includes/template.php @@ -465,6 +465,10 @@ function list_meta( $meta ) { */ function _list_meta_row( $entry, &$count ) { static $update_nonce = false; + + if ( is_protected_meta( $entry['meta_key'] ) ) + return; + if ( !$update_nonce ) $update_nonce = wp_create_nonce( 'add-meta' ); diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php index e3e5dfba12..30c145b320 100644 --- a/wp-includes/default-filters.php +++ b/wp-includes/default-filters.php @@ -58,14 +58,14 @@ foreach ( array( 'comment_author_email', 'user_email' ) as $filter ) { // Save URL foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image', - 'pre_link_rss' ) as $filter ) { + 'pre_link_rss', 'pre_post_guid' ) as $filter ) { add_filter( $filter, 'wp_strip_all_tags' ); add_filter( $filter, 'esc_url_raw' ); add_filter( $filter, 'wp_filter_kses' ); } // Display URL -foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url' ) as $filter ) { +foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) { if ( is_admin() ) add_filter( $filter, 'wp_strip_all_tags' ); add_filter( $filter, 'esc_url' ); @@ -86,6 +86,10 @@ foreach ( array( 'pre_post_status', 'pre_post_comment_status', 'pre_post_ping_st add_filter( $filter, 'sanitize_key' ); } +// Mime types +add_filter( 'pre_post_mime_type', 'sanitize_mime_type' ); +add_filter( 'post_mime_type', 'sanitize_mime_type' ); + // Places to balance tags on input foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content' ) as $filter ) { add_filter( $filter, 'balanceTags', 50 ); diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php index 1aad3b79fa..d0a0e3c8da 100644 --- a/wp-includes/formatting.php +++ b/wp-includes/formatting.php @@ -2903,4 +2903,17 @@ function capital_P_dangit( $text ) { } +/** + * Sanitize a mime type + * + * @since 3.2.0 + * + * @param string $mime_type Mime type + * @return string Sanitized mime type + */ +function sanitize_mime_type( $mime_type ) { + $sani_mime_type = preg_replace( '/[^-*.a-zA-Z0-9\/]/', '', $mime_type ); + return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type ); +} + ?> diff --git a/wp-includes/meta.php b/wp-includes/meta.php index 27a1288187..6c10cb6b81 100644 --- a/wp-includes/meta.php +++ b/wp-includes/meta.php @@ -45,6 +45,7 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique = // expected_slashed ($meta_key) $meta_key = stripslashes($meta_key); $meta_value = stripslashes_deep($meta_value); + $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type ); $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique ); if ( null !== $check ) @@ -113,6 +114,7 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v // expected_slashed ($meta_key) $meta_key = stripslashes($meta_key); $meta_value = stripslashes_deep($meta_value); + $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type ); $check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value ); if ( null !== $check ) @@ -488,4 +490,33 @@ function _get_meta_table($type) { return $wpdb->$table_name; } + +/** + * Determine whether a meta key is protected + * + * @since 3.2.0 + * + * @param string $meta_key Meta key + * @return bool True if the key is protected, false otherwise. + */ +function is_protected_meta( $meta_key, $meta_type = null ) { + $protected = ( '_' == $meta_key[0] ); + + return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type ); +} + +/** + * Sanitize meta value + * + * @since 3.2.0 + * + * @param string $meta_key Meta key + * @param mixed $meta_value Meta value to sanitize + * @param string $meta_type Type of meta + * @return mixed Sanitized $meta_value + */ +function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) { + return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type ); +} + ?> diff --git a/wp-includes/theme.php b/wp-includes/theme.php index c2960557db..14176ac712 100644 --- a/wp-includes/theme.php +++ b/wp-includes/theme.php @@ -1435,7 +1435,7 @@ function get_header_image() { else $url = str_replace( 'https://', 'http://', $url ); - return $url; + return esc_url_raw( $url ); } /**