Editor: Remove unwanted fields before saving posts.

The `meta_input`, `file`, and `guid` fields are not intended to be updated through user input.

Merges [44047] to the 4.5 branch.


Built from https://develop.svn.wordpress.org/branches/4.5@44060


git-svn-id: http://core.svn.wordpress.org/branches/4.5@43890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Gary Pendergast 2018-12-13 01:45:20 +00:00
parent baa754b110
commit ab40c9608a
3 changed files with 41 additions and 15 deletions

View File

@ -2026,7 +2026,11 @@ function wp_ajax_upload_attachment() {
$post_id = null; $post_id = null;
} }
$post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array(); $post_data = ! empty( $_REQUEST['post_data'] ) ? _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) ) : array();
if ( is_wp_error( $post_data ) ) {
wp_die( $post_data->get_error_message() );
}
// If the context is custom header or background, make sure the uploaded file is an image. // If the context is custom header or background, make sure the uploaded file is an image.
if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) { if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) {

View File

@ -175,6 +175,27 @@ function _wp_translate_postdata( $update = false, $post_data = null ) {
return $post_data; return $post_data;
} }
/**
* Returns only allowed post data fields
*
* @since 4.9.9
*
* @param array $post_data Array of post data. Defaults to the contents of $_POST.
* @return object|bool WP_Error on failure, true on success.
*/
function _wp_get_allowed_postdata( $post_data = null ) {
if ( empty( $post_data ) ) {
$post_data = $_POST;
}
// Pass through errors
if ( is_wp_error( $post_data ) ) {
return $post_data;
}
return array_diff_key( $post_data, array_flip( array( 'meta_input', 'file', 'guid' ) ) );
}
/** /**
* Update an existing post with values provided in $_POST. * Update an existing post with values provided in $_POST.
* *
@ -243,6 +264,7 @@ function edit_post( $post_data = null ) {
$post_data = _wp_translate_postdata( true, $post_data ); $post_data = _wp_translate_postdata( true, $post_data );
if ( is_wp_error($post_data) ) if ( is_wp_error($post_data) )
wp_die( $post_data->get_error_message() ); wp_die( $post_data->get_error_message() );
$translated = _wp_get_allowed_postdata( $post_data );
// Post Formats // Post Formats
if ( isset( $post_data['post_format'] ) ) if ( isset( $post_data['post_format'] ) )
@ -320,7 +342,7 @@ function edit_post( $post_data = null ) {
$attachment_data = isset( $post_data['attachments'][ $post_ID ] ) ? $post_data['attachments'][ $post_ID ] : array(); $attachment_data = isset( $post_data['attachments'][ $post_ID ] ) ? $post_data['attachments'][ $post_ID ] : array();
/** This filter is documented in wp-admin/includes/media.php */ /** This filter is documented in wp-admin/includes/media.php */
$post_data = apply_filters( 'attachment_fields_to_save', $post_data, $attachment_data ); $translated = apply_filters( 'attachment_fields_to_save', $translated, $attachment_data );
} }
// Convert taxonomy input to term IDs, to avoid ambiguity. // Convert taxonomy input to term IDs, to avoid ambiguity.
@ -365,7 +387,7 @@ function edit_post( $post_data = null ) {
} }
} }
$post_data['tax_input'][ $taxonomy ] = $clean_terms; $translated['tax_input'][ $taxonomy ] = $clean_terms;
} }
} }
@ -373,18 +395,18 @@ function edit_post( $post_data = null ) {
update_post_meta( $post_ID, '_edit_last', get_current_user_id() ); update_post_meta( $post_ID, '_edit_last', get_current_user_id() );
$success = wp_update_post( $post_data ); $success = wp_update_post( $translated );
// If the save failed, see if we can sanity check the main fields and try again // If the save failed, see if we can sanity check the main fields and try again
if ( ! $success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) { if ( ! $success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) {
$fields = array( 'post_title', 'post_content', 'post_excerpt' ); $fields = array( 'post_title', 'post_content', 'post_excerpt' );
foreach ( $fields as $field ) { foreach ( $fields as $field ) {
if ( isset( $post_data[ $field ] ) ) { if ( isset( $translated[ $field ] ) ) {
$post_data[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $post_data[ $field ] ); $translated[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $translated[ $field ] );
} }
} }
wp_update_post( $post_data ); wp_update_post( $translated );
} }
// Now that we have an ID we can fix any attachment anchor hrefs // Now that we have an ID we can fix any attachment anchor hrefs
@ -544,9 +566,9 @@ function bulk_edit_posts( $post_data = null ) {
unset( $post_data['tax_input']['category'] ); unset( $post_data['tax_input']['category'] );
} }
$post_data['post_ID'] = $post_ID;
$post_data['post_type'] = $post->post_type; $post_data['post_type'] = $post->post_type;
$post_data['post_mime_type'] = $post->post_mime_type; $post_data['post_mime_type'] = $post->post_mime_type;
$post_data['guid'] = $post->guid;
foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) { foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) {
if ( ! isset( $post_data[ $field ] ) ) { if ( ! isset( $post_data[ $field ] ) ) {
@ -554,14 +576,12 @@ function bulk_edit_posts( $post_data = null ) {
} }
} }
$post_data['ID'] = $post_ID;
$post_data['post_ID'] = $post_ID;
$post_data = _wp_translate_postdata( true, $post_data ); $post_data = _wp_translate_postdata( true, $post_data );
if ( is_wp_error( $post_data ) ) { if ( is_wp_error( $post_data ) ) {
$skipped[] = $post_ID; $skipped[] = $post_ID;
continue; continue;
} }
$post_data = _wp_get_allowed_postdata( $post_data );
$updated[] = wp_update_post( $post_data ); $updated[] = wp_update_post( $post_data );
@ -572,8 +592,8 @@ function bulk_edit_posts( $post_data = null ) {
unstick_post( $post_ID ); unstick_post( $post_ID );
} }
if ( isset( $post_data['post_format'] ) ) if ( isset( $shared_post_data['post_format'] ) )
set_post_format( $post_ID, $post_data['post_format'] ); set_post_format( $post_ID, $shared_post_data['post_format'] );
} }
return array( 'updated' => $updated, 'skipped' => $skipped, 'locked' => $locked ); return array( 'updated' => $updated, 'skipped' => $skipped, 'locked' => $locked );
@ -754,9 +774,10 @@ function wp_write_post() {
$translated = _wp_translate_postdata( false ); $translated = _wp_translate_postdata( false );
if ( is_wp_error($translated) ) if ( is_wp_error($translated) )
return $translated; return $translated;
$translated = _wp_get_allowed_postdata( $translated );
// Create the post. // Create the post.
$post_ID = wp_insert_post( $_POST ); $post_ID = wp_insert_post( $translated );
if ( is_wp_error( $post_ID ) ) if ( is_wp_error( $post_ID ) )
return $post_ID; return $post_ID;
@ -1664,6 +1685,7 @@ function wp_create_post_autosave( $post_data ) {
$post_data = _wp_translate_postdata( true, $post_data ); $post_data = _wp_translate_postdata( true, $post_data );
if ( is_wp_error( $post_data ) ) if ( is_wp_error( $post_data ) )
return $post_data; return $post_data;
$post_data = _wp_get_allowed_postdata( $post_data );
$post_author = get_current_user_id(); $post_author = get_current_user_id();

View File

@ -189,7 +189,7 @@ case 'editattachment':
// Update the thumbnail filename // Update the thumbnail filename
$newmeta = wp_get_attachment_metadata( $post_id, true ); $newmeta = wp_get_attachment_metadata( $post_id, true );
$newmeta['thumb'] = $_POST['thumb']; $newmeta['thumb'] = wp_basename( $_POST['thumb'] );
wp_update_attachment_metadata( $post_id, $newmeta ); wp_update_attachment_metadata( $post_id, $newmeta );