Sanitize guid on save and display. Sanitize mime type on save. Don't allow changing mime type via edit form handlers. Protect hidden meta.
git-svn-id: http://svn.automattic.com/wordpress/trunk@17994 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
117d081812
commit
81a5f821fb
|
@ -396,7 +396,7 @@ case 'delete-meta' :
|
||||||
if ( !$meta = get_post_meta_by_id( $id ) )
|
if ( !$meta = get_post_meta_by_id( $id ) )
|
||||||
die('1');
|
die('1');
|
||||||
|
|
||||||
if ( !current_user_can( 'edit_post', $meta->post_id ) )
|
if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )
|
||||||
die('-1');
|
die('-1');
|
||||||
if ( delete_meta( $meta->meta_id ) )
|
if ( delete_meta( $meta->meta_id ) )
|
||||||
die('1');
|
die('1');
|
||||||
|
@ -865,6 +865,8 @@ case 'add-meta' :
|
||||||
die('0'); // if meta doesn't exist
|
die('0'); // if meta doesn't exist
|
||||||
if ( !current_user_can( 'edit_post', $meta->post_id ) )
|
if ( !current_user_can( 'edit_post', $meta->post_id ) )
|
||||||
die('-1');
|
die('-1');
|
||||||
|
if ( is_protected_meta( $meta->meta_key ) )
|
||||||
|
die('-1');
|
||||||
if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
|
if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
|
||||||
if ( !$u = update_meta( $mid, $key, $value ) )
|
if ( !$u = update_meta( $mid, $key, $value ) )
|
||||||
die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems).
|
die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems).
|
||||||
|
|
|
@ -1201,7 +1201,7 @@ function get_media_item( $attachment_id, $args = null ) {
|
||||||
$toggle_on = __( 'Show' );
|
$toggle_on = __( 'Show' );
|
||||||
$toggle_off = __( 'Hide' );
|
$toggle_off = __( 'Hide' );
|
||||||
|
|
||||||
$filename = basename( $post->guid );
|
$filename = esc_html( basename( $post->guid ) );
|
||||||
$title = esc_attr( $post->post_title );
|
$title = esc_attr( $post->post_title );
|
||||||
|
|
||||||
if ( $_tags = get_the_tags( $attachment_id ) ) {
|
if ( $_tags = get_the_tags( $attachment_id ) ) {
|
||||||
|
|
|
@ -138,6 +138,7 @@ function edit_post( $post_data = null ) {
|
||||||
$post_ID = (int) $post_data['post_ID'];
|
$post_ID = (int) $post_data['post_ID'];
|
||||||
$post = get_post( $post_ID );
|
$post = get_post( $post_ID );
|
||||||
$post_data['post_type'] = $post->post_type;
|
$post_data['post_type'] = $post->post_type;
|
||||||
|
$post_data['post_mime_type'] = $post->post_mime_type;
|
||||||
|
|
||||||
$ptype = get_post_type_object($post_data['post_type']);
|
$ptype = get_post_type_object($post_data['post_type']);
|
||||||
if ( !current_user_can( $ptype->cap->edit_post, $post_ID ) ) {
|
if ( !current_user_can( $ptype->cap->edit_post, $post_ID ) ) {
|
||||||
|
@ -199,6 +200,8 @@ function edit_post( $post_data = null ) {
|
||||||
continue;
|
continue;
|
||||||
if ( $meta->post_id != $post_ID )
|
if ( $meta->post_id != $post_ID )
|
||||||
continue;
|
continue;
|
||||||
|
if ( is_protected_meta( $key ) )
|
||||||
|
continue;
|
||||||
update_meta( $key, $value['key'], $value['value'] );
|
update_meta( $key, $value['key'], $value['value'] );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -209,6 +212,8 @@ function edit_post( $post_data = null ) {
|
||||||
continue;
|
continue;
|
||||||
if ( $meta->post_id != $post_ID )
|
if ( $meta->post_id != $post_ID )
|
||||||
continue;
|
continue;
|
||||||
|
if ( is_protected_meta( $key ) )
|
||||||
|
continue;
|
||||||
delete_meta( $key );
|
delete_meta( $key );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -527,6 +532,8 @@ function wp_write_post() {
|
||||||
return new WP_Error( 'edit_posts', __( 'You are not allowed to create posts or drafts on this site.' ) );
|
return new WP_Error( 'edit_posts', __( 'You are not allowed to create posts or drafts on this site.' ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$_POST['post_mime_type'] = '';
|
||||||
|
|
||||||
// Check for autosave collisions
|
// Check for autosave collisions
|
||||||
// Does this need to be updated? ~ Mark
|
// Does this need to be updated? ~ Mark
|
||||||
$temp_id = false;
|
$temp_id = false;
|
||||||
|
@ -632,8 +639,6 @@ function add_meta( $post_ID ) {
|
||||||
global $wpdb;
|
global $wpdb;
|
||||||
$post_ID = (int) $post_ID;
|
$post_ID = (int) $post_ID;
|
||||||
|
|
||||||
$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
|
|
||||||
|
|
||||||
$metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
|
$metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
|
||||||
$metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
|
$metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
|
||||||
$metavalue = isset($_POST['metavalue']) ? maybe_serialize( stripslashes_deep( $_POST['metavalue'] ) ) : '';
|
$metavalue = isset($_POST['metavalue']) ? maybe_serialize( stripslashes_deep( $_POST['metavalue'] ) ) : '';
|
||||||
|
@ -650,7 +655,7 @@ function add_meta( $post_ID ) {
|
||||||
if ( $metakeyinput)
|
if ( $metakeyinput)
|
||||||
$metakey = $metakeyinput; // default
|
$metakey = $metakeyinput; // default
|
||||||
|
|
||||||
if ( in_array($metakey, $protected) )
|
if ( is_protected_meta( $metakey ) )
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
wp_cache_delete($post_ID, 'post_meta');
|
wp_cache_delete($post_ID, 'post_meta');
|
||||||
|
@ -756,11 +761,9 @@ function has_meta( $postid ) {
|
||||||
function update_meta( $meta_id, $meta_key, $meta_value ) {
|
function update_meta( $meta_id, $meta_key, $meta_value ) {
|
||||||
global $wpdb;
|
global $wpdb;
|
||||||
|
|
||||||
$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
|
|
||||||
|
|
||||||
$meta_key = stripslashes($meta_key);
|
$meta_key = stripslashes($meta_key);
|
||||||
|
|
||||||
if ( in_array($meta_key, $protected) )
|
if ( is_protected_meta( $meta_key ) )
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if ( '' === trim( $meta_value ) )
|
if ( '' === trim( $meta_value ) )
|
||||||
|
|
|
@ -465,6 +465,10 @@ function list_meta( $meta ) {
|
||||||
*/
|
*/
|
||||||
function _list_meta_row( $entry, &$count ) {
|
function _list_meta_row( $entry, &$count ) {
|
||||||
static $update_nonce = false;
|
static $update_nonce = false;
|
||||||
|
|
||||||
|
if ( is_protected_meta( $entry['meta_key'] ) )
|
||||||
|
return;
|
||||||
|
|
||||||
if ( !$update_nonce )
|
if ( !$update_nonce )
|
||||||
$update_nonce = wp_create_nonce( 'add-meta' );
|
$update_nonce = wp_create_nonce( 'add-meta' );
|
||||||
|
|
||||||
|
|
|
@ -58,14 +58,14 @@ foreach ( array( 'comment_author_email', 'user_email' ) as $filter ) {
|
||||||
|
|
||||||
// Save URL
|
// Save URL
|
||||||
foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
|
foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
|
||||||
'pre_link_rss' ) as $filter ) {
|
'pre_link_rss', 'pre_post_guid' ) as $filter ) {
|
||||||
add_filter( $filter, 'wp_strip_all_tags' );
|
add_filter( $filter, 'wp_strip_all_tags' );
|
||||||
add_filter( $filter, 'esc_url_raw' );
|
add_filter( $filter, 'esc_url_raw' );
|
||||||
add_filter( $filter, 'wp_filter_kses' );
|
add_filter( $filter, 'wp_filter_kses' );
|
||||||
}
|
}
|
||||||
|
|
||||||
// Display URL
|
// Display URL
|
||||||
foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url' ) as $filter ) {
|
foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) {
|
||||||
if ( is_admin() )
|
if ( is_admin() )
|
||||||
add_filter( $filter, 'wp_strip_all_tags' );
|
add_filter( $filter, 'wp_strip_all_tags' );
|
||||||
add_filter( $filter, 'esc_url' );
|
add_filter( $filter, 'esc_url' );
|
||||||
|
@ -86,6 +86,10 @@ foreach ( array( 'pre_post_status', 'pre_post_comment_status', 'pre_post_ping_st
|
||||||
add_filter( $filter, 'sanitize_key' );
|
add_filter( $filter, 'sanitize_key' );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Mime types
|
||||||
|
add_filter( 'pre_post_mime_type', 'sanitize_mime_type' );
|
||||||
|
add_filter( 'post_mime_type', 'sanitize_mime_type' );
|
||||||
|
|
||||||
// Places to balance tags on input
|
// Places to balance tags on input
|
||||||
foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content' ) as $filter ) {
|
foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content' ) as $filter ) {
|
||||||
add_filter( $filter, 'balanceTags', 50 );
|
add_filter( $filter, 'balanceTags', 50 );
|
||||||
|
|
|
@ -2889,4 +2889,17 @@ function capital_P_dangit( $text ) {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sanitize a mime type
|
||||||
|
*
|
||||||
|
* @since 3.2.0
|
||||||
|
*
|
||||||
|
* @param string $mime_type Mime type
|
||||||
|
* @return string Sanitized mime type
|
||||||
|
*/
|
||||||
|
function sanitize_mime_type( $mime_type ) {
|
||||||
|
$sani_mime_type = preg_replace( '/[^-*.a-zA-Z0-9\/]/', '', $mime_type );
|
||||||
|
return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
|
||||||
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
|
|
@ -45,6 +45,7 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
|
||||||
// expected_slashed ($meta_key)
|
// expected_slashed ($meta_key)
|
||||||
$meta_key = stripslashes($meta_key);
|
$meta_key = stripslashes($meta_key);
|
||||||
$meta_value = stripslashes_deep($meta_value);
|
$meta_value = stripslashes_deep($meta_value);
|
||||||
|
$meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
|
||||||
|
|
||||||
$check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
|
$check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
|
||||||
if ( null !== $check )
|
if ( null !== $check )
|
||||||
|
@ -113,6 +114,7 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v
|
||||||
// expected_slashed ($meta_key)
|
// expected_slashed ($meta_key)
|
||||||
$meta_key = stripslashes($meta_key);
|
$meta_key = stripslashes($meta_key);
|
||||||
$meta_value = stripslashes_deep($meta_value);
|
$meta_value = stripslashes_deep($meta_value);
|
||||||
|
$meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
|
||||||
|
|
||||||
$check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
|
$check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
|
||||||
if ( null !== $check )
|
if ( null !== $check )
|
||||||
|
@ -576,4 +578,33 @@ function _get_meta_table($type) {
|
||||||
|
|
||||||
return $wpdb->$table_name;
|
return $wpdb->$table_name;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determine whether a meta key is protected
|
||||||
|
*
|
||||||
|
* @since 3.2.0
|
||||||
|
*
|
||||||
|
* @param string $meta_key Meta key
|
||||||
|
* @return bool True if the key is protected, false otherwise.
|
||||||
|
*/
|
||||||
|
function is_protected_meta( $meta_key, $meta_type = null ) {
|
||||||
|
$protected = ( '_' == $meta_key[0] );
|
||||||
|
|
||||||
|
return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sanitize meta value
|
||||||
|
*
|
||||||
|
* @since 3.2.0
|
||||||
|
*
|
||||||
|
* @param string $meta_key Meta key
|
||||||
|
* @param mixed $meta_value Meta value to sanitize
|
||||||
|
* @param string $meta_type Type of meta
|
||||||
|
* @return mixed Sanitized $meta_value
|
||||||
|
*/
|
||||||
|
function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) {
|
||||||
|
return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );
|
||||||
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
|
|
@ -1440,7 +1440,7 @@ function get_header_image() {
|
||||||
else
|
else
|
||||||
$url = str_replace( 'https://', 'http://', $url );
|
$url = str_replace( 'https://', 'http://', $url );
|
||||||
|
|
||||||
return $url;
|
return esc_url_raw( $url );
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -1525,7 +1525,7 @@ function get_uploaded_header_images() {
|
||||||
return array();
|
return array();
|
||||||
|
|
||||||
foreach ( (array) $headers as $header ) {
|
foreach ( (array) $headers as $header ) {
|
||||||
$url = $header->guid;
|
$url = esc_url_raw( $header->guid );
|
||||||
$header = basename($url);
|
$header = basename($url);
|
||||||
$header_images[$header] = array();
|
$header_images[$header] = array();
|
||||||
$header_images[$header]['url'] = $url;
|
$header_images[$header]['url'] = $url;
|
||||||
|
|
Loading…
Reference in New Issue