Check caps for both old and new meta keys when changing the key for a mid. Properly handle slashes when checking meta caps. Props xknown. see #17850

git-svn-id: http://svn.automattic.com/wordpress/trunk@18449 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
ryan 2011-07-21 19:32:12 +00:00
parent 62f427a096
commit 4e538ea9c8
2 changed files with 11 additions and 7 deletions

View File

@ -869,7 +869,9 @@ case 'add-meta' :
die(__('Please provide a custom field value.')); die(__('Please provide a custom field value.'));
if ( !$meta = get_post_meta_by_id( $mid ) ) if ( !$meta = get_post_meta_by_id( $mid ) )
die('0'); // if meta doesn't exist die('0'); // if meta doesn't exist
if ( is_protected_meta( $meta->meta_key, 'post' ) || !current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) ) if ( is_protected_meta( $meta->meta_key, 'post' ) || is_protected_meta( $key, 'post' ) ||
! current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) ||
! current_user_can( 'edit_post_meta', $meta->post_id, $key ) )
die('-1'); die('-1');
if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) { if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
if ( !$u = update_meta( $mid, $key, $value ) ) if ( !$u = update_meta( $mid, $key, $value ) )

View File

@ -667,7 +667,7 @@ function add_meta( $post_ID ) {
$metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : ''; $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
$metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : ''; $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
$metavalue = isset($_POST['metavalue']) ? maybe_serialize( stripslashes_deep( $_POST['metavalue'] ) ) : ''; $metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : '';
if ( is_string( $metavalue ) ) if ( is_string( $metavalue ) )
$metavalue = trim( $metavalue ); $metavalue = trim( $metavalue );
@ -684,6 +684,8 @@ function add_meta( $post_ID ) {
if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) ) if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) )
return false; return false;
$metakey = esc_sql( $metakey );
return add_post_meta( $post_ID, $metakey, $metavalue ); return add_post_meta( $post_ID, $metakey, $metavalue );
} }