Ticket #12416: 12416.diff
| File 12416.diff, 13.5 KB (added by Denis-de-Bernardy, 3 years ago) |
|---|
-
wp-includes/theme.php
1200 1200 function get_theme_mod($name, $default = false) { 1201 1201 $theme = get_current_theme(); 1202 1202 1203 $mods = get_option( esc_sql( "mods_$theme" ));1203 $mods = get_option( "mods_$theme" ); 1204 1204 1205 1205 if ( isset($mods[$name]) ) 1206 1206 return apply_filters( "theme_mod_$name", $mods[$name] ); -
wp-includes/functions.php
307 307 * @uses apply_filters() Calls 'option_$option', after checking the option, with 308 308 * the option value. 309 309 * 310 * @param string $option Name of option to retrieve. Should already be SQL-escaped310 * @param string $option Name of option to retrieve. Expected to not be SQL-escaped. 311 311 * @return mixed Value set for the option. 312 312 */ 313 313 function get_option( $option, $default = false ) { … … 339 339 if ( false === $value ) { 340 340 if ( defined( 'WP_INSTALLING' ) ) 341 341 $suppress = $wpdb->suppress_errors(); 342 // expected_slashed ($option) 343 $row = $wpdb->get_row( "SELECT option_value FROM $wpdb->options WHERE option_name = '$option' LIMIT 1" ); 342 $row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = '%s' LIMIT 1", $option ) ); 344 343 if ( defined( 'WP_INSTALLING' ) ) 345 344 $wpdb->suppress_errors( $suppress ); 346 345 … … 482 481 * @uses do_action() Calls 'update_option' hook before updating the option. 483 482 * @uses do_action() Calls 'update_option_$option' and 'updated_option' hooks on success. 484 483 * 485 * @param string $option Option name. Expected to not be SQL-escaped 486 * @param mixed $newvalue Option value. 484 * @param string $option Option name. Expected to not be SQL-escaped. 485 * @param mixed $newvalue Option value. Expected to not be SQL-escaped. 487 486 * @return bool False if value was not updated and true if value was updated. 488 487 */ 489 488 function update_option( $option, $newvalue ) { … … 491 490 492 491 wp_protect_special_option( $option ); 493 492 494 $safe_option = esc_sql( $option );495 493 $newvalue = sanitize_option( $option, $newvalue ); 496 $oldvalue = get_option( $ safe_option );494 $oldvalue = get_option( $option ); 497 495 $newvalue = apply_filters( 'pre_update_option_' . $option, $newvalue, $oldvalue ); 498 496 499 497 // If the new and old values are the same, no need to update. … … 516 514 if ( ! defined( 'WP_INSTALLING' ) ) { 517 515 $alloptions = wp_load_alloptions(); 518 516 if ( isset( $alloptions[$option] ) ) { 519 $alloptions[$option] = $ newvalue;520 wp_cache_set( 'alloptions', $ alloptions, 'options' );517 $alloptions[$option] = $_newvalue; 518 wp_cache_set( 'alloptions', $_alloptions, 'options' ); 521 519 } else { 522 wp_cache_set( $option, $ newvalue, 'options' );520 wp_cache_set( $option, $_newvalue, 'options' ); 523 521 } 524 522 } 525 523 … … 554 552 * @uses do_action() Calls 'add_option' hook before adding the option. 555 553 * @uses do_action() Calls 'add_option_$option' and 'added_option' hooks on success. 556 554 * 557 * @param string $option Name of option to add. Expect s to NOT be SQLescaped.558 * @param mixed $value Optional. Option value, can be anything. 555 * @param string $option Name of option to add. Expected to not be SQL-escaped. 556 * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped. 559 557 * @param mixed $deprecated Optional. Description. Not used anymore. 560 558 * @param bool $autoload Optional. Default is enabled. Whether to load the option when WordPress starts up. 561 559 * @return null returns when finished. … … 567 565 global $wpdb; 568 566 569 567 wp_protect_special_option( $option ); 570 $safe_option = esc_sql( $option );571 568 $value = sanitize_option( $option, $value ); 572 569 573 570 // Make sure the option doesn't already exist. We can check the 'notoptions' cache before we ask for a db query 574 571 $notoptions = wp_cache_get( 'notoptions', 'options' ); 575 572 if ( !is_array( $notoptions ) || !isset( $notoptions[$option] ) ) 576 if ( false !== get_option( $ safe_option ) )573 if ( false !== get_option( $option ) ) 577 574 return; 578 575 579 576 $_value = $value; 580 577 $value = maybe_serialize( $value ); 581 578 $autoload = ( 'no' === $autoload ) ? 'no' : 'yes'; 582 do_action( 'add_option', $option, $value ); 579 do_action( 'add_option', $option, $value ); // potentially serialized 583 580 if ( ! defined( 'WP_INSTALLING' ) ) { 584 581 if ( 'yes' == $autoload ) { 585 582 $alloptions = wp_load_alloptions(); … … 617 614 * @uses do_action() Calls 'delete_option' hook before option is deleted. 618 615 * @uses do_action() Calls 'deleted_option' and 'delete_option_$option' hooks on success. 619 616 * 620 * @param string $option Name of option to remove. 617 * @param string $option Name of option to remove. Expected to not be SQL-escaped. 621 618 * @return bool True, if option is successfully deleted. False on failure. 622 619 */ 623 620 function delete_option( $option ) { … … 626 623 wp_protect_special_option( $option ); 627 624 628 625 // Get the ID, if no ID then return 629 // expected_slashed ($option) 630 $row = $wpdb->get_row( "SELECT autoload FROM $wpdb->options WHERE option_name = '$option'" ); 626 $row = $wpdb->get_row( $wpdb->prepare( "SELECT autoload FROM $wpdb->options WHERE option_name = '%s'", $option ) ); 631 627 if ( is_null( $row ) ) 632 628 return false; 633 629 do_action( 'delete_option', $option ); 634 // expected_slashed ($option) 635 $result = $wpdb->query( "DELETE FROM $wpdb->options WHERE option_name = '$option'" ); 630 $result = $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->options WHERE option_name = '%s'", $option) ); 636 631 if ( ! defined( 'WP_INSTALLING' ) ) { 637 632 if ( 'yes' == $row->autoload ) { 638 633 $alloptions = wp_load_alloptions(); … … 662 657 * @uses do_action() Calls 'delete_transient_$transient' hook before transient is deleted. 663 658 * @uses do_action() Calls 'deleted_transient' hook on success. 664 659 * 665 * @param string $transient Transient name. Expected to not be SQL-escaped 660 * @param string $transient Transient name. Expected to not be SQL-escaped. 666 661 * @return bool true if successful, false otherwise 667 662 */ 668 663 function delete_transient( $transient ) { … … 673 668 if ( $_wp_using_ext_object_cache ) { 674 669 $result = wp_cache_delete( $transient, 'transient' ); 675 670 } else { 676 $option = '_transient_' . esc_sql( $transient );671 $option = '_transient_' . $transient; 677 672 $result = delete_option( $option ); 678 673 } 679 674 … … 711 706 if ( $_wp_using_ext_object_cache ) { 712 707 $value = wp_cache_get( $transient, 'transient' ); 713 708 } else { 714 $safe_transient = esc_sql( $transient ); 715 $transient_option = '_transient_' . $safe_transient; 709 $transient_option = '_transient_' . $transient; 716 710 if ( ! defined( 'WP_INSTALLING' ) ) { 717 711 // If option is not in alloptions, it is not autoloaded and thus has a timeout 718 712 $alloptions = wp_load_alloptions(); 719 713 if ( !isset( $alloptions[$transient_option] ) ) { 720 $transient_timeout = '_transient_timeout_' . $ safe_transient;714 $transient_timeout = '_transient_timeout_' . $transient; 721 715 if ( get_option( $transient_timeout ) < time() ) { 722 716 delete_option( $transient_option ); 723 717 delete_option( $transient_timeout ); … … 746 740 * transient value to be stored. 747 741 * @uses do_action() Calls 'set_transient_$transient' and 'setted_transient' hooks on success. 748 742 * 749 * @param string $transient Transient name. Expected to not be SQL-escaped 750 * @param mixed $value Transient value. 743 * @param string $transient Transient name. Expected to not be SQL-escaped. 744 * @param mixed $value Transient value. Expected to not be SQL-escaped. 751 745 * @param int $expiration Time until expiration in seconds, default 0 752 746 * @return bool False if value was not set and true if value was set. 753 747 */ … … 761 755 } else { 762 756 $transient_timeout = '_transient_timeout_' . $transient; 763 757 $transient = '_transient_' . $transient; 764 $safe_transient = esc_sql( $transient ); 765 if ( false === get_option( $safe_transient ) ) { 758 if ( false === get_option( $transient ) ) { 766 759 $autoload = 'yes'; 767 760 if ( $expiration ) { 768 761 $autoload = 'no'; … … 1000 993 * @return mixed A scalar data 1001 994 */ 1002 995 function maybe_serialize( $data ) { 1003 if ( is_array( $data ) || is_object( $data ) )996 if ( !is_scalar( $data ) ) 1004 997 return serialize( $data ); 1005 998 1006 if ( is_serialized( $data ) )1007 return serialize( $data );1008 1009 999 return $data; 1010 1000 } 1011 1001 … … 3378 3368 * @uses apply_filters() Calls 'site_option_$option', after checking the option, with 3379 3369 * the option value. 3380 3370 * 3381 * @param string $option Name of option to retrieve. Should already be SQL-escaped3371 * @param string $option Name of option to retrieve. Expected to not be SQL-escaped. 3382 3372 * @param mixed $default Optional value to return if option doesn't exist. Default false. 3383 3373 * @param bool $use_cache Whether to use cache. Multisite only. Default true. 3384 3374 * @return mixed Value set for the option. … … 3425 3415 * option value to be stored. 3426 3416 * @uses do_action() Calls 'add_site_option_$option' and 'add_site_option' hooks on success. 3427 3417 * 3428 * @param string $option Name of option to add. Expect s to not be SQLescaped.3429 * @param mixed $value Optional. Option value, can be anything. 3418 * @param string $option Name of option to add. Expected to not be SQL-escaped. 3419 * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped. 3430 3420 * @return bool False if option was not added and true if option was added. 3431 3421 */ 3432 3422 function add_site_option( $option, $value ) { … … 3469 3459 * @uses do_action() Calls 'delete_site_option' and 'delete_site_option_$option' 3470 3460 * hooks on success. 3471 3461 * 3472 * @param string $option Name of option to remove. Expected to be SQL-escaped.3462 * @param string $option Name of option to remove. Expected to not be SQL-escaped. 3473 3463 * @return bool True, if succeed. False, if failure. 3474 3464 */ 3475 3465 function delete_site_option( $option ) { … … 3511 3501 * option value to be stored. 3512 3502 * @uses do_action() Calls 'update_site_option_$option' and 'update_site_option' hooks on success. 3513 3503 * 3514 * @param string $option Name of option. Expected to not be SQL-escaped 3515 * @param mixed $value Option value. 3504 * @param string $option Name of option. Expected to not be SQL-escaped. 3505 * @param mixed $value Option value. Expected to not be SQL-escaped. 3516 3506 * @return bool False if value was not updated and true if value was updated. 3517 3507 */ 3518 3508 function update_site_option( $option, $value ) { … … 3558 3548 * @uses do_action() Calls 'delete_site_transient_$transient' hook before transient is deleted. 3559 3549 * @uses do_action() Calls 'deleted_site_transient' hook on success. 3560 3550 * 3561 * @param string $transient Transient name. Expected to not be SQL-escaped 3551 * @param string $transient Transient name. Expected to not be SQL-escaped. 3562 3552 * @return bool True if successful, false otherwise 3563 3553 */ 3564 3554 function delete_site_transient( $transient ) { … … 3568 3558 if ( $_wp_using_ext_object_cache ) { 3569 3559 $result = wp_cache_delete( $transient, 'site-transient' ); 3570 3560 } else { 3571 $option = '_site_transient_' . esc_sql( $transient );3561 $option = '_site_transient_' . $transient; 3572 3562 $result = delete_site_option( $option ); 3573 3563 } 3574 3564 if ( $result ) … … 3593 3583 * @uses apply_filters() Calls 'site_transient_$option' hook, after checking the transient, with 3594 3584 * the transient value. 3595 3585 * 3596 * @param string $transient Transient name. Expected to not be SQL-escaped 3586 * @param string $transient Transient name. Expected to not be SQL-escaped. 3597 3587 * @return mixed Value of transient 3598 3588 */ 3599 3589 function get_site_transient( $transient ) { … … 3608 3598 } else { 3609 3599 // Core transients that do not have a timeout. Listed here so querying timeouts can be avoided. 3610 3600 $no_timeout = array('update_core', 'update_plugins', 'update_themes'); 3611 $transient_option = '_site_transient_' . esc_sql( $transient );3601 $transient_option = '_site_transient_' . $transient; 3612 3602 if ( ! in_array( $transient, $no_timeout ) ) { 3613 $transient_timeout = '_site_transient_timeout_' . esc_sql( $transient );3603 $transient_timeout = '_site_transient_timeout_' . $transient; 3614 3604 $timeout = get_site_option( $transient_timeout ); 3615 3605 if ( false !== $timeout && $timeout < time() ) { 3616 3606 delete_site_option( $transient_option ); … … 3640 3630 * transient value to be stored. 3641 3631 * @uses do_action() Calls 'set_site_transient_$transient' and 'setted_site_transient' hooks on success. 3642 3632 * 3643 * @param string $transient Transient name. Expected to not be SQL-escaped 3644 * @param mixed $value Transient value. 3633 * @param string $transient Transient name. Expected to not be SQL-escaped. 3634 * @param mixed $value Transient value. Expected to not be SQL-escaped. 3645 3635 * @param int $expiration Time until expiration in seconds, default 0 3646 3636 * @return bool False if value was not set and true if value was set. 3647 3637 */ … … 3655 3645 } else { 3656 3646 $transient_timeout = '_site_transient_timeout_' . $transient; 3657 3647 $transient = '_site_transient_' . $transient; 3658 $safe_transient = esc_sql( $transient ); 3659 if ( false === get_site_option( $safe_transient ) ) { 3648 if ( false === get_site_option( $transient ) ) { 3660 3649 if ( $expiration ) 3661 3650 add_site_option( $transient_timeout, time() + $expiration ); 3662 3651 $result = add_site_option( $transient, $value ); -
wp-includes/formatting.php
2441 2441 2442 2442 case 'siteurl': 2443 2443 case 'home': 2444 $value = stripslashes($value); 2445 $value = esc_url($value); 2444 $value = esc_url_raw($value); 2446 2445 break; 2447 2446 default : 2448 2447 $value = apply_filters("sanitize_option_{$option}", $value, $option);
