From cce06454da454b7ea9cf9246fab1c75d92072fbb Mon Sep 17 00:00:00 2001 From: westi Date: Sat, 20 Jun 2009 17:49:50 +0000 Subject: [PATCH] Introduce _deep_replace() and use it to improve the stripping of percent encoded values from urls. Fixes #10226 for 2.8.1 git-svn-id: http://svn.automattic.com/wordpress/branches/2.8@11616 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/theme-editor.php | 4 ++-- wp-includes/formatting.php | 33 +++++++++++++++++++++++++++++++-- wp-includes/pluggable.php | 13 ++----------- 3 files changed, 35 insertions(+), 15 deletions(-) diff --git a/wp-admin/theme-editor.php b/wp-admin/theme-editor.php index db79d786ea..15d418359e 100644 --- a/wp-admin/theme-editor.php +++ b/wp-admin/theme-editor.php @@ -65,8 +65,8 @@ case 'update': } $location = wp_kses_no_null($location); - $strip = array('%0d', '%0a'); - $location = str_replace($strip, '', $location); + $strip = array('%0d', '%0a', '%0D', '%0A'); + $location = _deep_replace($strip, $location); header("Location: $location"); exit(); diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php index 26bfc694e0..7c42bbf210 100644 --- a/wp-includes/formatting.php +++ b/wp-includes/formatting.php @@ -2042,8 +2042,8 @@ function clean_url( $url, $protocols = null, $context = 'display' ) { if ('' == $url) return $url; $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url); - $strip = array('%0d', '%0a'); - $url = str_replace($strip, '', $url); + $strip = array('%0d', '%0a', '%0D', '%0A'); + $url = _deep_replace($strip, $url); $url = str_replace(';//', '://', $url); /* If the URL doesn't appear to contain a scheme, we * presume it needs http:// appended (unless a relative @@ -2067,6 +2067,35 @@ function clean_url( $url, $protocols = null, $context = 'display' ) { return apply_filters('clean_url', $url, $original_url, $context); } +/** + * Perform a deep string replace operation to ensure the values in $search are no longer present + * + * Repeats the replacement operation until it no longer replaces anything so as to remove "nested" values + * e.g. $subject = '%0%0%0DDD', $search ='%0D', $result ='' rather than the '%0%0DD' that + * str_replace would return + * + * @since 2.8.1 + * @access private + * + * @param string|array $search + * @param string $subject + * @return string The processed string + */ +function _deep_replace($search, $subject){ + $found = true; + while($found) { + $found = false; + foreach( (array) $search as $val ) { + while(strpos($subject, $val) !== false) { + $found = true; + $subject = str_replace($val, '', $subject); + } + } + } + + return $subject; +} + /** * Escapes data for use in a MySQL query * diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php index 4132cc90ab..128d2dca75 100644 --- a/wp-includes/pluggable.php +++ b/wp-includes/pluggable.php @@ -880,17 +880,8 @@ function wp_sanitize_redirect($location) { $location = wp_kses_no_null($location); // remove %0d and %0a from location - $strip = array('%0d', '%0a'); - $found = true; - while($found) { - $found = false; - foreach( (array) $strip as $val ) { - while(strpos($location, $val) !== false) { - $found = true; - $location = str_replace($val, '', $location); - } - } - } + $strip = array('%0d', '%0a', '%0D', '%0A'); + $location = _deep_replace($strip, $location); return $location; } endif;