Grouped backports to the 4.2 branch.

- Query: Improve sanitization within `WP_Tax_Query`.
- Query: Improve sanitization within `WP_Meta_Query`.
- Upgrade/Install: Avoid using `unserialize()` unnecessarily.
- Formatting: Correctly encode ASCII characters in post slugs.

Merges [52454-52457] to the 4.2 branch.
Props vortfu, dd32, ehtis, zieladam, whyisjake, xknown, peterwilsoncc, desrosj, iandunn.
Built from https://develop.svn.wordpress.org/branches/4.2@52481


git-svn-id: http://core.svn.wordpress.org/branches/4.2@52073 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
desrosj 2022-01-06 18:20:40 +00:00
parent 23f87c7bc2
commit be121a35d7
5 changed files with 20 additions and 10 deletions

View File

@ -1163,8 +1163,8 @@ function upgrade_280() {
$start = 0;
while( $rows = $wpdb->get_results( "SELECT option_name, option_value FROM $wpdb->options ORDER BY option_id LIMIT $start, 20" ) ) {
foreach( $rows as $row ) {
$value = $row->option_value;
if ( !@unserialize( $value ) )
$value = maybe_unserialize( $row->option_value );
if ( $value === $row->option_value )
$value = stripslashes( $value );
if ( $value !== $row->option_value ) {
update_option( $row->option_name, $value );

View File

@ -908,12 +908,14 @@ function wp_check_invalid_utf8( $string, $strip = false ) {
* Encode the Unicode values to be used in the URI.
*
* @since 1.5.0
* @since 5.8.3 Added the `encode_ascii_characters` parameter.
*
* @param string $utf8_string
* @param int $length Max length of the string
* @param bool $encode_ascii_characters Whether to encode ascii characters such as < " '
* @return string String with Unicode encoded for URI.
*/
function utf8_uri_encode( $utf8_string, $length = 0 ) {
function utf8_uri_encode( $utf8_string, $length = 0, $encode_ascii_characters = false ) {
$unicode = '';
$values = array();
$num_octets = 1;
@ -928,10 +930,14 @@ function utf8_uri_encode( $utf8_string, $length = 0 ) {
$value = ord( $utf8_string[ $i ] );
if ( $value < 128 ) {
if ( $length && ( $unicode_length >= $length ) )
$char = chr( $value );
$encoded_char = $encode_ascii_characters ? rawurlencode( $char ) : $char;
$encoded_char_length = strlen( $encoded_char );
if ( $length && ( $unicode_length + $encoded_char_length ) > $length ) {
break;
$unicode .= chr($value);
$unicode_length++;
}
$unicode .= $encoded_char;
$unicode_length += $encoded_char_length;
} else {
if ( count( $values ) == 0 ) {
if ( $value < 224 ) {

View File

@ -1548,7 +1548,7 @@ class WP_Meta_Query {
$clause_compare = strtoupper( $clause['compare'] );
$sibling_compare = strtoupper( $sibling['compare'] );
if ( in_array( $clause_compare, $compatible_compares ) && in_array( $sibling_compare, $compatible_compares ) ) {
$alias = $sibling['alias'];
$alias = preg_replace( '/\W/', '_', $sibling['alias'] );
break;
}
}

View File

@ -3825,7 +3825,7 @@ function _truncate_post_slug( $slug, $length = 200 ) {
if ( $decoded_slug === $slug )
$slug = substr( $slug, 0, $length );
else
$slug = utf8_uri_encode( $decoded_slug, $length );
$slug = utf8_uri_encode( $decoded_slug, $length, true );
}
return rtrim( $slug, '-' );

View File

@ -1155,7 +1155,7 @@ class WP_Tax_Query {
// The sibling must both have compatible operator to share its alias.
if ( in_array( strtoupper( $sibling['operator'] ), $compatible_operators ) ) {
$alias = $sibling['alias'];
$alias = preg_replace( '/\W/', '_', $sibling['alias'] );
break;
}
}
@ -1185,7 +1185,11 @@ class WP_Tax_Query {
return;
}
if ( 'slug' === $query['field'] || 'name' === $query['field'] ) {
$query['terms'] = array_unique( (array) $query['terms'] );
} else {
$query['terms'] = wp_parse_id_list( $query['terms'] );
}
if ( is_taxonomy_hierarchical( $query['taxonomy'] ) && $query['include_children'] ) {
$this->transform_query( $query, 'term_id' );