Grouped backports to the 5.3 branch.

- Query: Improve sanitization within `WP_Tax_Query`.
- Query: Improve sanitization within `WP_Meta_Query`.
- Upgrade/Install: Avoid using `unserialize()` unnecessarily.
- Formatting: Correctly encode ASCII characters in post slugs.

Merges [52454-52457] to the 5.3 branch.
Props vortfu, dd32, ehtis, zieladam, whyisjake, xknown, peterwilsoncc, desrosj, iandunn.
Built from https://develop.svn.wordpress.org/branches/5.3@52470


git-svn-id: http://core.svn.wordpress.org/branches/5.3@52062 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
desrosj 2022-01-06 18:12:51 +00:00
parent e4fd5ef24d
commit fa48c2f4e6
5 changed files with 21 additions and 12 deletions

View File

@ -1595,8 +1595,8 @@ function upgrade_280() {
$start = 0; $start = 0;
while ( $rows = $wpdb->get_results( "SELECT option_name, option_value FROM $wpdb->options ORDER BY option_id LIMIT $start, 20" ) ) { while ( $rows = $wpdb->get_results( "SELECT option_name, option_value FROM $wpdb->options ORDER BY option_id LIMIT $start, 20" ) ) {
foreach ( $rows as $row ) { foreach ( $rows as $row ) {
$value = $row->option_value; $value = maybe_unserialize( $row->option_value );
if ( ! @unserialize( $value ) ) { if ( $value === $row->option_value ) {
$value = stripslashes( $value ); $value = stripslashes( $value );
} }
if ( $value !== $row->option_value ) { if ( $value !== $row->option_value ) {

View File

@ -812,7 +812,7 @@ class WP_Meta_Query {
$clause_compare = strtoupper( $clause['compare'] ); $clause_compare = strtoupper( $clause['compare'] );
$sibling_compare = strtoupper( $sibling['compare'] ); $sibling_compare = strtoupper( $sibling['compare'] );
if ( in_array( $clause_compare, $compatible_compares ) && in_array( $sibling_compare, $compatible_compares ) ) { if ( in_array( $clause_compare, $compatible_compares ) && in_array( $sibling_compare, $compatible_compares ) ) {
$alias = $sibling['alias']; $alias = preg_replace( '/\W/', '_', $sibling['alias'] );
break; break;
} }
} }

View File

@ -527,7 +527,7 @@ class WP_Tax_Query {
// The sibling must both have compatible operator to share its alias. // The sibling must both have compatible operator to share its alias.
if ( in_array( strtoupper( $sibling['operator'] ), $compatible_operators ) ) { if ( in_array( strtoupper( $sibling['operator'] ), $compatible_operators ) ) {
$alias = $sibling['alias']; $alias = preg_replace( '/\W/', '_', $sibling['alias'] );
break; break;
} }
} }
@ -556,7 +556,11 @@ class WP_Tax_Query {
return; return;
} }
$query['terms'] = array_unique( (array) $query['terms'] ); if ( 'slug' === $query['field'] || 'name' === $query['field'] ) {
$query['terms'] = array_unique( (array) $query['terms'] );
} else {
$query['terms'] = wp_parse_id_list( $query['terms'] );
}
if ( is_taxonomy_hierarchical( $query['taxonomy'] ) && $query['include_children'] ) { if ( is_taxonomy_hierarchical( $query['taxonomy'] ) && $query['include_children'] ) {
$this->transform_query( $query, 'term_id' ); $this->transform_query( $query, 'term_id' );

View File

@ -1155,12 +1155,14 @@ function wp_check_invalid_utf8( $string, $strip = false ) {
* Encode the Unicode values to be used in the URI. * Encode the Unicode values to be used in the URI.
* *
* @since 1.5.0 * @since 1.5.0
* @since 5.8.3 Added the `encode_ascii_characters` parameter.
* *
* @param string $utf8_string * @param string $utf8_string String to encode.
* @param int $length Max length of the string * @param int $length Max length of the string
* @param bool $encode_ascii_characters Whether to encode ascii characters such as < " '
* @return string String with Unicode encoded for URI. * @return string String with Unicode encoded for URI.
*/ */
function utf8_uri_encode( $utf8_string, $length = 0 ) { function utf8_uri_encode( $utf8_string, $length = 0, $encode_ascii_characters = false ) {
$unicode = ''; $unicode = '';
$values = array(); $values = array();
$num_octets = 1; $num_octets = 1;
@ -1175,11 +1177,14 @@ function utf8_uri_encode( $utf8_string, $length = 0 ) {
$value = ord( $utf8_string[ $i ] ); $value = ord( $utf8_string[ $i ] );
if ( $value < 128 ) { if ( $value < 128 ) {
if ( $length && ( $unicode_length >= $length ) ) { $char = chr( $value );
$encoded_char = $encode_ascii_characters ? rawurlencode( $char ) : $char;
$encoded_char_length = strlen( $encoded_char );
if ( $length && ( $unicode_length + $encoded_char_length ) > $length ) {
break; break;
} }
$unicode .= chr( $value ); $unicode .= $encoded_char;
$unicode_length++; $unicode_length += $encoded_char_length;
} else { } else {
if ( count( $values ) == 0 ) { if ( count( $values ) == 0 ) {
if ( $value < 224 ) { if ( $value < 224 ) {

View File

@ -4471,7 +4471,7 @@ function _truncate_post_slug( $slug, $length = 200 ) {
if ( $decoded_slug === $slug ) { if ( $decoded_slug === $slug ) {
$slug = substr( $slug, 0, $length ); $slug = substr( $slug, 0, $length );
} else { } else {
$slug = utf8_uri_encode( $decoded_slug, $length ); $slug = utf8_uri_encode( $decoded_slug, $length, true );
} }
} }