Ticket #2591: TAKE_5.diff
File TAKE_5.diff, 9.3 KB (added by , 18 years ago) |
---|
-
wp-includes/post.php
229 229 } 230 230 } 231 231 232 $original = $value; 233 if ( is_array($value) || is_object($value) ) 234 $value = $wpdb->escape(serialize($value)); 232 $post_meta_cache[$post_id][$key][] = $value; 235 233 234 $value = prepare_data($value); 235 $value = $wpdb->escape($value); 236 236 237 $wpdb->query("INSERT INTO $wpdb->postmeta (post_id,meta_key,meta_value) VALUES ('$post_id','$key','$value')"); 237 238 238 $post_meta_cache[$post_id][$key][] = $original;239 240 239 return true; 241 240 } 242 241 … … 311 310 $post_id = (int) $post_id; 312 311 313 312 $original_value = $value; 314 if ( is_array($value) || is_object($value) )315 $value = $wpdb->escape(serialize($value));313 $value = prepare_data($value); 314 $value = $wpdb->escape($value); 316 315 317 316 $original_prev = $prev_value; 318 if ( is_array($prev_value) || is_object($prev_value) )319 $prev_value = $wpdb->escape(serialize($prev_value));317 $prev_value = prepare_data($prev_value); 318 $prev_value = $wpdb->escape($prev_value); 320 319 321 320 if (! $wpdb->get_var("SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = '$key' AND post_id = '$post_id'") ) { 322 321 return false; -
wp-includes/pluggable.php
78 78 79 79 if ($metavalues) { 80 80 foreach ( $metavalues as $meta ) { 81 @ $value = unserialize($meta->meta_value); 82 if ($value === FALSE) 83 $value = $meta->meta_value; 81 $value = maybe_unserialize($meta->meta_value); 84 82 $user->{$meta->meta_key} = $value; 85 83 86 84 // We need to set user_level from meta, not row … … 131 129 132 130 if ($metavalues) { 133 131 foreach ( $metavalues as $meta ) { 134 @ $value = unserialize($meta->meta_value); 135 if ($value === FALSE) 136 $value = $meta->meta_value; 132 $value = maybe_unserialize($meta->meta_value); 137 133 $user->{$meta->meta_key} = $value; 138 134 139 135 // We need to set user_level from meta, not row -
wp-includes/functions.php
156 156 } 157 157 158 158 function maybe_unserialize($original) { 159 if ( false !== $gm = @ unserialize($original) )160 return $gm;161 else162 159 if ( is_serialized($original) ) // don't attempt to unserialize data that wasn't serialized going in 160 if ( false !== $gm = @ unserialize($original) ) 161 return $gm; 162 return $original; 163 163 } 164 164 165 function is_serialized($data) { 166 if ( !is_string($data) ) // if it isn't a string, it isn't serialized 167 return false; 168 $data = trim($data); 169 if ( preg_match("/^[adobis]:[0-9]+:.*[;}]/si",$data) ) // this should fetch all legitimately serialized data 170 return true; 171 return false; 172 } 173 174 function is_serialized_string($data) { 175 if ( !is_string($data) ) // if it isn't a string, it isn't a serialized string 176 return false; 177 $data = trim($data); 178 if ( preg_match("/^s:[0-9]+:.*[;}]/si",$data) ) // this should fetch all serialized strings 179 return true; 180 return false; 181 } 182 165 183 /* Options functions */ 166 184 167 185 function get_option($setting) { … … 239 257 } 240 258 241 259 $_newvalue = $newvalue; 242 if ( is_array($newvalue) || is_object($newvalue) ) 243 $newvalue = serialize($newvalue); 260 $newvalue = prepare_data($newvalue); 244 261 245 262 wp_cache_set($option_name, $newvalue, 'options'); 246 263 … … 262 279 if ( false !== get_option($name) ) 263 280 return; 264 281 265 if ( is_array($value) || is_object($value) ) 266 $value = serialize($value); 282 $value = prepare_data($value); 267 283 268 284 wp_cache_set($name, $value, 'options'); 269 285 … … 285 301 return true; 286 302 } 287 303 304 function prepare_data($data) { 305 if ( is_string($data) ) 306 $data = trim($data); 307 elseif ( is_array($data) || is_object($data) ) 308 return serialize($data); 309 if ( is_serialized($data) ) 310 return serialize($data); 311 return $data; 312 } 313 288 314 function gzip_compression() { 289 315 if ( !get_option('gzipcompression') ) return false; 290 316 -
wp-includes/user.php
114 114 return false; 115 115 $meta_key = preg_replace('|[^a-z0-9_]|i', '', $meta_key); 116 116 117 if ( is_array($meta_value) || is_object($meta_value) ) 118 $meta_value = serialize($meta_value); 119 $meta_value = trim( $meta_value ); 117 // FIXME: usermeta data is assumed to be already escaped 118 $meta_value = stripslashes($meta_value); 119 $meta_value = prepare_data($meta_value); 120 $meta_value = $wpdb->escape($meta_value); 120 121 121 122 if (empty($meta_value)) { 122 123 return delete_usermeta($user_id, $meta_key); -
wp-admin/wp-admin.css
445 445 width: 250px; 446 446 } 447 447 448 input.disabled, textarea.disabled { 449 background: #ccc; 450 } 451 448 452 #adminmenu { 449 453 background: #83B4D8; 450 454 border-top: 3px solid #448abd; -
wp-admin/admin-functions.php
981 981 $style = ''; 982 982 if ('_' == $entry['meta_key'] { 0 }) 983 983 $style .= ' hidden'; 984 985 if ( is_serialized($entry['meta_value']) ) { 986 if ( 's' == $entry['meta_value']{0} ) { 987 // this is a serialized string, so we should display it 988 $entry['meta_value'] = maybe_unserialize($entry['meta_value']); 989 } else { 990 // this is a serialized array/object so we should NOT display it 991 --$count; 992 continue; 993 } 994 } 995 984 996 $key_js = js_escape($entry['meta_key']); 985 997 $entry['meta_key'] = wp_specialchars( $entry['meta_key'], true ); 986 998 $entry['meta_value'] = wp_specialchars( $entry['meta_value'], true ); … … 1056 1068 1057 1069 $metakeyselect = $wpdb->escape(stripslashes(trim($_POST['metakeyselect']))); 1058 1070 $metakeyinput = $wpdb->escape(stripslashes(trim($_POST['metakeyinput']))); 1059 $metavalue = $wpdb->escape(stripslashes(trim($_POST['metavalue']))); 1071 $metavalue = prepare_data(stripslashes((trim($_POST['metavalue'])))); 1072 $metavalue = $wpdb->escape($metavalue); 1060 1073 1061 1074 if ( ('0' === $metavalue || !empty ($metavalue)) && ((('#NONE#' != $metakeyselect) && !empty ($metakeyselect)) || !empty ($metakeyinput)) ) { 1062 1075 // We have a key/value pair. If both the select and the … … 1087 1100 1088 1101 function update_meta($mid, $mkey, $mvalue) { 1089 1102 global $wpdb; 1103 if ( is_serialized(stripslashes($mvalue)) ) // $mvalue looks to be already serialized, so we should serialize it again to prevent the data from coming out in a different form than it came in 1104 $mvalue = serialize($mvalue); 1090 1105 $mid = (int) $mid; 1091 1092 1106 return $wpdb->query("UPDATE $wpdb->postmeta SET meta_key = '$mkey', meta_value = '$mvalue' WHERE meta_id = '$mid'"); 1093 1107 } 1094 1108 -
wp-admin/options.php
124 124 <table width="98%"> 125 125 <?php 126 126 $options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name"); 127 foreach ( (array) $options as $option )128 $options_to_update[] = $option->option_name;129 $options_to_update = implode(',', $options_to_update);130 ?>131 127 132 <input type="hidden" name="page_options" value="<?php echo $options_to_update; ?>" />133 134 <?php135 128 foreach ( (array) $options as $option) : 136 $value = wp_specialchars($option->option_value, 'single'); 129 $disabled = ''; 130 if ( is_serialized($option->option_value) ) { 131 if ( 's' == $option->option_value{0} ) { 132 // this is a serialized string, so we should display it 133 $value = wp_specialchars(maybe_unserialize($option->option_value), 'single'); 134 $options_to_update[] = $option->option_name; 135 $class = 'all-options'; 136 } else { 137 $value = 'SERIALIZED DATA'; 138 $disabled = ' disabled="disabled"'; 139 $class = 'all-options disabled'; 140 } 141 } else { 142 $value = wp_specialchars($option->option_value, 'single'); 143 $options_to_update[] = $option->option_name; 144 $class = 'all-options'; 145 } 137 146 echo " 138 147 <tr> 139 148 <th scope='row'><label for='$option->option_name'>$option->option_name</label></th> 140 149 <td>"; 141 150 142 if (stristr($value, "\n")) echo "<textarea class=' all-options' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>$value</textarea>";143 else echo "<input class=' all-options' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . $value . "'/>";151 if (stristr($value, "\n")) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>$value</textarea>"; 152 else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . $value . "'$disabled />"; 144 153 145 154 echo "</td> 146 155 <td>$option->option_description</td> … … 148 157 endforeach; 149 158 ?> 150 159 </table> 151 <p class="submit"><input type="submit" name="Update" value="<?php _e('Update Options »') ?>" /></p> 160 <?php $options_to_update = implode(',', $options_to_update); ?> 161 <p class="submit"><input type="hidden" name="page_options" value="<?php echo wp_specialchars($options_to_update, true); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options »') ?>" /></p> 152 162 </form> 153 163 </div> 154 164