Escape XMLRPC args.

git-svn-id: http://svn.automattic.com/wordpress/trunk@2668 1a063a9b-81f0-0310-95a4-ce76da25c4cd
ryan 2005-06-28 22:16:27 +00:00
parent bec4057356
commit 9c9ba0aef8
1 changed files with 59 additions and 1 deletions


@ -127,8 +127,17 @@ class wp_xmlrpc_server extends IXR_Server {
return true; return true;
} }
function escape(&$array) {
global $wpdb;
foreach ($array as $k => $v) {
if (is_array($v)) {
$this->escape($array[$k]);
} else {
$array[$k] = $wpdb->escape($v);
}
}
}
/* Blogger API functions /* Blogger API functions
* specs on http://plant.blogger.com/api and http://groups.yahoo.com/group/bloggerDev/ * specs on http://plant.blogger.com/api and http://groups.yahoo.com/group/bloggerDev/
@ -138,6 +147,8 @@ class wp_xmlrpc_server extends IXR_Server {
/* blogger.getUsersBlogs will make more sense once we support multiple blogs */ /* blogger.getUsersBlogs will make more sense once we support multiple blogs */
function blogger_getUsersBlogs($args) { function blogger_getUsersBlogs($args) {
$this->escape($args);
$user_login = $args[1]; $user_login = $args[1];
$user_pass = $args[2]; $user_pass = $args[2];
@ -162,6 +173,8 @@ class wp_xmlrpc_server extends IXR_Server {
/* blogger.getUsersInfo gives your client some info about you, so you don't have to */ /* blogger.getUsersInfo gives your client some info about you, so you don't have to */
function blogger_getUserInfo($args) { function blogger_getUserInfo($args) {
$this->escape($args);
$user_login = $args[1]; $user_login = $args[1];
$user_pass = $args[2]; $user_pass = $args[2];
@ -187,6 +200,8 @@ class wp_xmlrpc_server extends IXR_Server {
/* blogger.getPost ...gets a post */ /* blogger.getPost ...gets a post */
function blogger_getPost($args) { function blogger_getPost($args) {
$this->escape($args);
$post_ID = $args[1]; $post_ID = $args[1];
$user_login = $args[2]; $user_login = $args[2];
$user_pass = $args[3]; $user_pass = $args[3];
@ -220,6 +235,8 @@ class wp_xmlrpc_server extends IXR_Server {
global $wpdb; global $wpdb;
$this->escape($args);
$blog_ID = $args[1]; /* though we don't use it yet */ $blog_ID = $args[1]; /* though we don't use it yet */
$user_login = $args[2]; $user_login = $args[2];
$user_pass = $args[3]; $user_pass = $args[3];
@ -266,6 +283,8 @@ class wp_xmlrpc_server extends IXR_Server {
/* blogger.getTemplate returns your blog_filename */ /* blogger.getTemplate returns your blog_filename */
function blogger_getTemplate($args) { function blogger_getTemplate($args) {
$this->escape($args);
$blog_ID = $args[1]; $blog_ID = $args[1];
$user_login = $args[2]; $user_login = $args[2];
$user_pass = $args[3]; $user_pass = $args[3];
@ -299,6 +318,8 @@ class wp_xmlrpc_server extends IXR_Server {
/* blogger.setTemplate updates the content of blog_filename */ /* blogger.setTemplate updates the content of blog_filename */
function blogger_setTemplate($args) { function blogger_setTemplate($args) {
$this->escape($args);
$blog_ID = $args[1]; $blog_ID = $args[1];
$user_login = $args[2]; $user_login = $args[2];
$user_pass = $args[3]; $user_pass = $args[3];
@ -335,6 +356,8 @@ class wp_xmlrpc_server extends IXR_Server {
global $wpdb; global $wpdb;
$this->escape($args);
$blog_ID = $args[1]; /* though we don't use it yet */ $blog_ID = $args[1]; /* though we don't use it yet */
$user_login = $args[2]; $user_login = $args[2];
$user_pass = $args[3]; $user_pass = $args[3];
@ -382,6 +405,8 @@ class wp_xmlrpc_server extends IXR_Server {
global $wpdb; global $wpdb;
$this->escape($args);
$post_ID = $args[1]; $post_ID = $args[1];
$user_login = $args[2]; $user_login = $args[2];
$user_pass = $args[3]; $user_pass = $args[3];
@ -398,6 +423,8 @@ class wp_xmlrpc_server extends IXR_Server {
return new IXR_Error(404, 'Sorry, no such post.'); return new IXR_Error(404, 'Sorry, no such post.');
} }
$this->escape($actual_post);
$post_author_data = get_userdata($actual_post['post_author']); $post_author_data = get_userdata($actual_post['post_author']);
$user_data = get_userdatabylogin($user_login); $user_data = get_userdatabylogin($user_login);
@ -406,6 +433,7 @@ class wp_xmlrpc_server extends IXR_Server {
} }
extract($actual_post); extract($actual_post);
$content = $newcontent; $content = $newcontent;
$post_title = xmlrpc_getposttitle($content); $post_title = xmlrpc_getposttitle($content);
@ -431,6 +459,8 @@ class wp_xmlrpc_server extends IXR_Server {
global $wpdb; global $wpdb;
$this->escape($args);
$post_ID = $args[1]; $post_ID = $args[1];
$user_login = $args[2]; $user_login = $args[2];
$user_pass = $args[3]; $user_pass = $args[3];
@ -472,6 +502,8 @@ class wp_xmlrpc_server extends IXR_Server {
global $wpdb, $post_default_category; global $wpdb, $post_default_category;
$this->escape($args);
$blog_ID = $args[0]; // we will support this in the near future $blog_ID = $args[0]; // we will support this in the near future
$user_login = $args[1]; $user_login = $args[1];
$user_pass = $args[2]; $user_pass = $args[2];
@ -553,6 +585,8 @@ class wp_xmlrpc_server extends IXR_Server {
global $wpdb, $post_default_category; global $wpdb, $post_default_category;
$this->escape($args);
$post_ID = $args[0]; $post_ID = $args[0];
$user_login = $args[1]; $user_login = $args[1];
$user_pass = $args[2]; $user_pass = $args[2];
@ -570,6 +604,7 @@ class wp_xmlrpc_server extends IXR_Server {
$postdata = wp_get_single_post($post_ID, ARRAY_A); $postdata = wp_get_single_post($post_ID, ARRAY_A);
extract($postdata); extract($postdata);
$this->escape($postdata);
$post_title = $content_struct['title']; $post_title = $content_struct['title'];
$post_content = apply_filters( 'content_save_pre', $content_struct['description'] ); $post_content = apply_filters( 'content_save_pre', $content_struct['description'] );
@ -631,6 +666,8 @@ class wp_xmlrpc_server extends IXR_Server {
global $wpdb; global $wpdb;
$this->escape($args);
$post_ID = $args[0]; $post_ID = $args[0];
$user_login = $args[1]; $user_login = $args[1];
$user_pass = $args[2]; $user_pass = $args[2];
@ -684,6 +721,8 @@ class wp_xmlrpc_server extends IXR_Server {
/* metaweblog.getRecentPosts ...returns recent posts */ /* metaweblog.getRecentPosts ...returns recent posts */
function mw_getRecentPosts($args) { function mw_getRecentPosts($args) {
$this->escape($args);
$blog_ID = $args[0]; $blog_ID = $args[0];
$user_login = $args[1]; $user_login = $args[1];
$user_pass = $args[2]; $user_pass = $args[2];
@ -748,6 +787,8 @@ class wp_xmlrpc_server extends IXR_Server {
global $wpdb; global $wpdb;
$this->escape($args);
$blog_ID = $args[0]; $blog_ID = $args[0];
$user_login = $args[1]; $user_login = $args[1];
$user_pass = $args[2]; $user_pass = $args[2];
@ -780,6 +821,8 @@ class wp_xmlrpc_server extends IXR_Server {
// adapted from a patch by Johann Richard // adapted from a patch by Johann Richard
// http://mycvs.org/archives/2004/06/30/file-upload-to-wordpress-in-ecto/ // http://mycvs.org/archives/2004/06/30/file-upload-to-wordpress-in-ecto/
$this->escape($args);
$blog_ID = $args[0]; $blog_ID = $args[0];
$user_login = $args[1]; $user_login = $args[1];
$user_pass = $args[2]; $user_pass = $args[2];
@ -859,6 +902,8 @@ class wp_xmlrpc_server extends IXR_Server {
/* mt.getRecentPostTitles ...returns recent posts' titles */ /* mt.getRecentPostTitles ...returns recent posts' titles */
function mt_getRecentPostTitles($args) { function mt_getRecentPostTitles($args) {
$this->escape($args);
$blog_ID = $args[0]; $blog_ID = $args[0];
$user_login = $args[1]; $user_login = $args[1];
$user_pass = $args[2]; $user_pass = $args[2];
@ -902,6 +947,8 @@ class wp_xmlrpc_server extends IXR_Server {
global $wpdb; global $wpdb;
$this->escape($args);
$blog_ID = $args[0]; $blog_ID = $args[0];
$user_login = $args[1]; $user_login = $args[1];
$user_pass = $args[2]; $user_pass = $args[2];
@ -929,6 +976,8 @@ class wp_xmlrpc_server extends IXR_Server {
/* mt.getPostCategories ...returns a post's categories */ /* mt.getPostCategories ...returns a post's categories */
function mt_getPostCategories($args) { function mt_getPostCategories($args) {
$this->escape($args);
$post_ID = $args[0]; $post_ID = $args[0];
$user_login = $args[1]; $user_login = $args[1];
$user_pass = $args[2]; $user_pass = $args[2];
@ -957,6 +1006,8 @@ class wp_xmlrpc_server extends IXR_Server {
/* mt.setPostCategories ...sets a post's categories */ /* mt.setPostCategories ...sets a post's categories */
function mt_setPostCategories($args) { function mt_setPostCategories($args) {
$this->escape($args);
$post_ID = $args[0]; $post_ID = $args[0];
$user_login = $args[1]; $user_login = $args[1];
$user_pass = $args[2]; $user_pass = $args[2];
@ -1039,6 +1090,8 @@ class wp_xmlrpc_server extends IXR_Server {
/* mt.publishPost ...sets a post's publish status to 'publish' */ /* mt.publishPost ...sets a post's publish status to 'publish' */
function mt_publishPost($args) { function mt_publishPost($args) {
$this->escape($args);
$post_ID = $args[0]; $post_ID = $args[0];
$user_login = $args[1]; $user_login = $args[1];
$user_pass = $args[2]; $user_pass = $args[2];
@ -1059,6 +1112,7 @@ class wp_xmlrpc_server extends IXR_Server {
// retain old cats // retain old cats
$cats = wp_get_post_cats('',$post_ID); $cats = wp_get_post_cats('',$post_ID);
$postdata['post_category'] = $cats; $postdata['post_category'] = $cats;
$this->escape($postdata);
$result = wp_update_post($postdata); $result = wp_update_post($postdata);
@ -1075,6 +1129,8 @@ class wp_xmlrpc_server extends IXR_Server {
function pingback_ping($args) { function pingback_ping($args) {
global $wpdb, $wp_version; global $wpdb, $wp_version;
$this->escape($args);
$pagelinkedfrom = $args[0]; $pagelinkedfrom = $args[0];
$pagelinkedto = $args[1]; $pagelinkedto = $args[1];
@ -1219,6 +1275,8 @@ class wp_xmlrpc_server extends IXR_Server {
global $wpdb; global $wpdb;
$this->escape($args);
$url = $args; $url = $args;
$post_ID = url_to_postid($url); $post_ID = url_to_postid($url);
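Review bot: The new `escape()` (first hunk) only walks arrays, so the call `$this->escape($args);` added before `$url = $args;` in this last hunk is a no-op when `$args` is a bare string: `foreach` over a non-array emits a warning and leaves the value untouched, and `$url` reaches `url_to_postid()` unescaped. The helper should handle the scalar case explicitly, e.g. at the top of `escape()`: `if (!is_array($array)) { $array = $wpdb->escape($array); return; }`. Escaping every argument at entry also means values that are not destined for SQL — the `$user_pass` arguments read in the other hunks, and the pingback URLs — carry backslashes into whatever consumes them; that is presumably relied on by the existing `$wpdb` query sites, but a comment on `escape()` such as `// Slashes every arg for direct use in $wpdb queries; callers must stripslashes() before non-SQL use` would make that contract visible. The enclosing function of this hunk starts and ends outside the hunk.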