Sanitize guid on save and display. Sanitize mime type on save. Don't allow changing mime type via edit form handlers. Protect hidden meta.

git-svn-id: http://svn.automattic.com/wordpress/trunk@17994 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
ryan 2011-05-22 23:19:42 +00:00
parent 117d081812
commit 81a5f821fb
8 changed files with 69 additions and 12 deletions

View File

@ -396,7 +396,7 @@ case 'delete-meta' :
if ( !$meta = get_post_meta_by_id( $id ) ) if ( !$meta = get_post_meta_by_id( $id ) )
die('1'); die('1');
if ( !current_user_can( 'edit_post', $meta->post_id ) ) if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )
die('-1'); die('-1');
if ( delete_meta( $meta->meta_id ) ) if ( delete_meta( $meta->meta_id ) )
die('1'); die('1');
@ -865,6 +865,8 @@ case 'add-meta' :
die('0'); // if meta doesn't exist die('0'); // if meta doesn't exist
if ( !current_user_can( 'edit_post', $meta->post_id ) ) if ( !current_user_can( 'edit_post', $meta->post_id ) )
die('-1'); die('-1');
if ( is_protected_meta( $meta->meta_key ) )
die('-1');
if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) { if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
if ( !$u = update_meta( $mid, $key, $value ) ) if ( !$u = update_meta( $mid, $key, $value ) )
die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems). die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems).

View File

@ -1201,7 +1201,7 @@ function get_media_item( $attachment_id, $args = null ) {
$toggle_on = __( 'Show' ); $toggle_on = __( 'Show' );
$toggle_off = __( 'Hide' ); $toggle_off = __( 'Hide' );
$filename = basename( $post->guid ); $filename = esc_html( basename( $post->guid ) );
$title = esc_attr( $post->post_title ); $title = esc_attr( $post->post_title );
if ( $_tags = get_the_tags( $attachment_id ) ) { if ( $_tags = get_the_tags( $attachment_id ) ) {

View File

@ -138,6 +138,7 @@ function edit_post( $post_data = null ) {
$post_ID = (int) $post_data['post_ID']; $post_ID = (int) $post_data['post_ID'];
$post = get_post( $post_ID ); $post = get_post( $post_ID );
$post_data['post_type'] = $post->post_type; $post_data['post_type'] = $post->post_type;
$post_data['post_mime_type'] = $post->post_mime_type;
$ptype = get_post_type_object($post_data['post_type']); $ptype = get_post_type_object($post_data['post_type']);
if ( !current_user_can( $ptype->cap->edit_post, $post_ID ) ) { if ( !current_user_can( $ptype->cap->edit_post, $post_ID ) ) {
@ -199,6 +200,8 @@ function edit_post( $post_data = null ) {
continue; continue;
if ( $meta->post_id != $post_ID ) if ( $meta->post_id != $post_ID )
continue; continue;
if ( is_protected_meta( $key ) )
continue;
update_meta( $key, $value['key'], $value['value'] ); update_meta( $key, $value['key'], $value['value'] );
} }
} }
@ -209,6 +212,8 @@ function edit_post( $post_data = null ) {
continue; continue;
if ( $meta->post_id != $post_ID ) if ( $meta->post_id != $post_ID )
continue; continue;
if ( is_protected_meta( $key ) )
continue;
delete_meta( $key ); delete_meta( $key );
} }
} }
@ -527,6 +532,8 @@ function wp_write_post() {
return new WP_Error( 'edit_posts', __( 'You are not allowed to create posts or drafts on this site.' ) ); return new WP_Error( 'edit_posts', __( 'You are not allowed to create posts or drafts on this site.' ) );
} }
$_POST['post_mime_type'] = '';
// Check for autosave collisions // Check for autosave collisions
// Does this need to be updated? ~ Mark // Does this need to be updated? ~ Mark
$temp_id = false; $temp_id = false;
@ -632,8 +639,6 @@ function add_meta( $post_ID ) {
global $wpdb; global $wpdb;
$post_ID = (int) $post_ID; $post_ID = (int) $post_ID;
$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
$metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : ''; $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
$metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : ''; $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
$metavalue = isset($_POST['metavalue']) ? maybe_serialize( stripslashes_deep( $_POST['metavalue'] ) ) : ''; $metavalue = isset($_POST['metavalue']) ? maybe_serialize( stripslashes_deep( $_POST['metavalue'] ) ) : '';
@ -650,7 +655,7 @@ function add_meta( $post_ID ) {
if ( $metakeyinput) if ( $metakeyinput)
$metakey = $metakeyinput; // default $metakey = $metakeyinput; // default
if ( in_array($metakey, $protected) ) if ( is_protected_meta( $metakey ) )
return false; return false;
wp_cache_delete($post_ID, 'post_meta'); wp_cache_delete($post_ID, 'post_meta');
@ -756,11 +761,9 @@ function has_meta( $postid ) {
function update_meta( $meta_id, $meta_key, $meta_value ) { function update_meta( $meta_id, $meta_key, $meta_value ) {
global $wpdb; global $wpdb;
$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
$meta_key = stripslashes($meta_key); $meta_key = stripslashes($meta_key);
if ( in_array($meta_key, $protected) ) if ( is_protected_meta( $meta_key ) )
return false; return false;
if ( '' === trim( $meta_value ) ) if ( '' === trim( $meta_value ) )

View File

@ -465,6 +465,10 @@ function list_meta( $meta ) {
*/ */
function _list_meta_row( $entry, &$count ) { function _list_meta_row( $entry, &$count ) {
static $update_nonce = false; static $update_nonce = false;
if ( is_protected_meta( $entry['meta_key'] ) )
return;
if ( !$update_nonce ) if ( !$update_nonce )
$update_nonce = wp_create_nonce( 'add-meta' ); $update_nonce = wp_create_nonce( 'add-meta' );

View File

@ -58,14 +58,14 @@ foreach ( array( 'comment_author_email', 'user_email' ) as $filter ) {
// Save URL // Save URL
foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image', foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
'pre_link_rss' ) as $filter ) { 'pre_link_rss', 'pre_post_guid' ) as $filter ) {
add_filter( $filter, 'wp_strip_all_tags' ); add_filter( $filter, 'wp_strip_all_tags' );
add_filter( $filter, 'esc_url_raw' ); add_filter( $filter, 'esc_url_raw' );
add_filter( $filter, 'wp_filter_kses' ); add_filter( $filter, 'wp_filter_kses' );
} }
// Display URL // Display URL
foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url' ) as $filter ) { foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) {
if ( is_admin() ) if ( is_admin() )
add_filter( $filter, 'wp_strip_all_tags' ); add_filter( $filter, 'wp_strip_all_tags' );
add_filter( $filter, 'esc_url' ); add_filter( $filter, 'esc_url' );
@ -86,6 +86,10 @@ foreach ( array( 'pre_post_status', 'pre_post_comment_status', 'pre_post_ping_st
add_filter( $filter, 'sanitize_key' ); add_filter( $filter, 'sanitize_key' );
} }
// Mime types
add_filter( 'pre_post_mime_type', 'sanitize_mime_type' );
add_filter( 'post_mime_type', 'sanitize_mime_type' );
// Places to balance tags on input // Places to balance tags on input
foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content' ) as $filter ) { foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content' ) as $filter ) {
add_filter( $filter, 'balanceTags', 50 ); add_filter( $filter, 'balanceTags', 50 );

View File

@ -2889,4 +2889,17 @@ function capital_P_dangit( $text ) {
} }
/**
* Sanitize a mime type
*
* @since 3.2.0
*
* @param string $mime_type Mime type
* @return string Sanitized mime type
*/
function sanitize_mime_type( $mime_type ) {
$sani_mime_type = preg_replace( '/[^-*.a-zA-Z0-9\/]/', '', $mime_type );
return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
}
?> ?>

View File

@ -45,6 +45,7 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
// expected_slashed ($meta_key) // expected_slashed ($meta_key)
$meta_key = stripslashes($meta_key); $meta_key = stripslashes($meta_key);
$meta_value = stripslashes_deep($meta_value); $meta_value = stripslashes_deep($meta_value);
$meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
$check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique ); $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
if ( null !== $check ) if ( null !== $check )
@ -113,6 +114,7 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v
// expected_slashed ($meta_key) // expected_slashed ($meta_key)
$meta_key = stripslashes($meta_key); $meta_key = stripslashes($meta_key);
$meta_value = stripslashes_deep($meta_value); $meta_value = stripslashes_deep($meta_value);
$meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
$check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value ); $check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
if ( null !== $check ) if ( null !== $check )
@ -576,4 +578,33 @@ function _get_meta_table($type) {
return $wpdb->$table_name; return $wpdb->$table_name;
} }
/**
* Determine whether a meta key is protected
*
* @since 3.2.0
*
* @param string $meta_key Meta key
* @return bool True if the key is protected, false otherwise.
*/
function is_protected_meta( $meta_key, $meta_type = null ) {
$protected = ( '_' == $meta_key[0] );
return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
}
/**
* Sanitize meta value
*
* @since 3.2.0
*
* @param string $meta_key Meta key
* @param mixed $meta_value Meta value to sanitize
* @param string $meta_type Type of meta
* @return mixed Sanitized $meta_value
*/
function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) {
return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );
}
?> ?>

View File

@ -1440,7 +1440,7 @@ function get_header_image() {
else else
$url = str_replace( 'https://', 'http://', $url ); $url = str_replace( 'https://', 'http://', $url );
return $url; return esc_url_raw( $url );
} }
/** /**
@ -1525,7 +1525,7 @@ function get_uploaded_header_images() {
return array(); return array();
foreach ( (array) $headers as $header ) { foreach ( (array) $headers as $header ) {
$url = $header->guid; $url = esc_url_raw( $header->guid );
$header = basename($url); $header = basename($url);
$header_images[$header] = array(); $header_images[$header] = array();
$header_images[$header]['url'] = $url; $header_images[$header]['url'] = $url;