Sanitize guid on save and display. Sanitize mime type on save. Don't allow changing mime type via edit form handlers. Protect hidden meta.

git-svn-id: http://svn.automattic.com/wordpress/branches/3.1@18018 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
ryan 2011-05-24 15:53:22 +00:00
parent 9428fe6b04
commit 4c0827af14
8 changed files with 68 additions and 11 deletions

View File

@ -396,7 +396,7 @@ case 'delete-meta' :
if ( !$meta = get_post_meta_by_id( $id ) )
die('1');
if ( !current_user_can( 'edit_post', $meta->post_id ) )
if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )
die('-1');
if ( delete_meta( $meta->meta_id ) )
die('1');
@ -855,6 +855,8 @@ case 'add-meta' :
die('0'); // if meta doesn't exist
if ( !current_user_can( 'edit_post', $meta->post_id ) )
die('-1');
if ( is_protected_meta( $meta->meta_key ) )
die('-1');
if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
if ( !$u = update_meta( $mid, $key, $value ) )
die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems).

View File

@ -1192,7 +1192,7 @@ function get_media_item( $attachment_id, $args = null ) {
$toggle_on = __( 'Show' );
$toggle_off = __( 'Hide' );
$filename = basename( $post->guid );
$filename = esc_html( basename( $post->guid ) );
$title = esc_attr( $post->post_title );
if ( $_tags = get_the_tags( $attachment_id ) ) {

View File

@ -138,6 +138,7 @@ function edit_post( $post_data = null ) {
$post_ID = (int) $post_data['post_ID'];
$post = get_post( $post_ID );
$post_data['post_type'] = $post->post_type;
$post_data['post_mime_type'] = $post->post_mime_type;
$ptype = get_post_type_object($post_data['post_type']);
if ( !current_user_can( $ptype->cap->edit_post, $post_ID ) ) {
@ -199,6 +200,8 @@ function edit_post( $post_data = null ) {
continue;
if ( $meta->post_id != $post_ID )
continue;
if ( is_protected_meta( $key ) )
continue;
update_meta( $key, $value['key'], $value['value'] );
}
}
@ -209,6 +212,8 @@ function edit_post( $post_data = null ) {
continue;
if ( $meta->post_id != $post_ID )
continue;
if ( is_protected_meta( $key ) )
continue;
delete_meta( $key );
}
}
@ -527,6 +532,8 @@ function wp_write_post() {
return new WP_Error( 'edit_posts', __( 'You are not allowed to create posts or drafts on this site.' ) );
}
$_POST['post_mime_type'] = '';
// Check for autosave collisions
// Does this need to be updated? ~ Mark
$temp_id = false;
@ -632,8 +639,6 @@ function add_meta( $post_ID ) {
global $wpdb;
$post_ID = (int) $post_ID;
$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
$metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
$metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
$metavalue = isset($_POST['metavalue']) ? maybe_serialize( stripslashes_deep( $_POST['metavalue'] ) ) : '';
@ -650,7 +655,7 @@ function add_meta( $post_ID ) {
if ( $metakeyinput)
$metakey = $metakeyinput; // default
if ( in_array($metakey, $protected) )
if ( is_protected_meta( $metakey ) )
return false;
wp_cache_delete($post_ID, 'post_meta');
@ -756,11 +761,9 @@ function has_meta( $postid ) {
function update_meta( $meta_id, $meta_key, $meta_value ) {
global $wpdb;
$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
$meta_key = stripslashes($meta_key);
if ( in_array($meta_key, $protected) )
if ( is_protected_meta( $meta_key ) )
return false;
if ( '' === trim( $meta_value ) )

View File

@ -465,6 +465,10 @@ function list_meta( $meta ) {
*/
function _list_meta_row( $entry, &$count ) {
static $update_nonce = false;
if ( is_protected_meta( $entry['meta_key'] ) )
return;
if ( !$update_nonce )
$update_nonce = wp_create_nonce( 'add-meta' );

View File

@ -58,14 +58,14 @@ foreach ( array( 'comment_author_email', 'user_email' ) as $filter ) {
// Save URL
foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
'pre_link_rss' ) as $filter ) {
'pre_link_rss', 'pre_post_guid' ) as $filter ) {
add_filter( $filter, 'wp_strip_all_tags' );
add_filter( $filter, 'esc_url_raw' );
add_filter( $filter, 'wp_filter_kses' );
}
// Display URL
foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url' ) as $filter ) {
foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) {
if ( is_admin() )
add_filter( $filter, 'wp_strip_all_tags' );
add_filter( $filter, 'esc_url' );
@ -86,6 +86,10 @@ foreach ( array( 'pre_post_status', 'pre_post_comment_status', 'pre_post_ping_st
add_filter( $filter, 'sanitize_key' );
}
// Mime types
add_filter( 'pre_post_mime_type', 'sanitize_mime_type' );
add_filter( 'post_mime_type', 'sanitize_mime_type' );
// Places to balance tags on input
foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content' ) as $filter ) {
add_filter( $filter, 'balanceTags', 50 );

View File

@ -2903,4 +2903,17 @@ function capital_P_dangit( $text ) {
}
/**
* Sanitize a mime type
*
* @since 3.2.0
*
* @param string $mime_type Mime type
* @return string Sanitized mime type
*/
function sanitize_mime_type( $mime_type ) {
$sani_mime_type = preg_replace( '/[^-*.a-zA-Z0-9\/]/', '', $mime_type );
return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
}
?>

View File

@ -45,6 +45,7 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
// expected_slashed ($meta_key)
$meta_key = stripslashes($meta_key);
$meta_value = stripslashes_deep($meta_value);
$meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
$check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
if ( null !== $check )
@ -113,6 +114,7 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v
// expected_slashed ($meta_key)
$meta_key = stripslashes($meta_key);
$meta_value = stripslashes_deep($meta_value);
$meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
$check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
if ( null !== $check )
@ -488,4 +490,33 @@ function _get_meta_table($type) {
return $wpdb->$table_name;
}
/**
* Determine whether a meta key is protected
*
* @since 3.2.0
*
* @param string $meta_key Meta key
* @return bool True if the key is protected, false otherwise.
*/
function is_protected_meta( $meta_key, $meta_type = null ) {
$protected = ( '_' == $meta_key[0] );
return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
}
/**
* Sanitize meta value
*
* @since 3.2.0
*
* @param string $meta_key Meta key
* @param mixed $meta_value Meta value to sanitize
* @param string $meta_type Type of meta
* @return mixed Sanitized $meta_value
*/
function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) {
return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );
}
?>

View File

@ -1435,7 +1435,7 @@ function get_header_image() {
else
$url = str_replace( 'https://', 'http://', $url );
return $url;
return esc_url_raw( $url );
}
/**