Ticket #6476: gallery-orderby-sanitized-r7585.patch

wp-includes/post.php

@@ -460 +460 @@
         if (!empty($exclusions))
                 $exclusions .= ')';
 
+        // orderby
+        if ( preg_match( '/.+ (ASC|DESC)/i', $orderby ) )
+                $order = ''; // orderby has its own order, so we'll use that
+
         $query  = "SELECT DISTINCT * FROM $wpdb->posts ";
         $query .= empty( $category ) ? '' : ", $wpdb->term_relationships, $wpdb->term_taxonomy  ";
         $query .= empty( $meta_key ) ? '' : ", $wpdb->postmeta ";

wp-includes/media.php

@@ -339 +339 @@
         $output = apply_filters('post_gallery', '', $attr);
         if ( $output != '' )
                 return $output;
-                
+
         extract(shortcode_atts(array(
-                'orderby'    => 'menu_order ASC, ID ASC',
+                'orderby'    => '',
                 'id'         => $post->ID,
                 'itemtag'    => 'dl',
                 'icontag'    => 'dt',
@@ -351 +351 @@
         ), $attr));
 
         $id = intval($id);
-        $orderby = addslashes($orderby);
-        $attachments = get_children("post_parent=$id&post_type=attachment&post_mime_type=image&orderby=\"{$orderby}\"");
+        
+        $order_cols = array(
+                'id' => 'ID',
+                'menu_order' => 'menu_order',
+                'name' => 'post_name',
+                'date' => 'post_date',
+                'title' => 'post_title',
+                'caption' => 'post_excerpt',
+                'random' => 'rand()',
+        );
+        $orderby = sanitize_orderby($orderby, $order_cols);
+        if ( !$orderby )
+                $orderby = 'menu_order ASC, ID ASC';
+                
+        $attachments = get_children("post_parent=$id&post_type=attachment&post_mime_type=image&orderby={$orderby}");
 
         if ( empty($attachments) )
                 return '';
@@ -426 +439 @@
 function adjacent_image_link($prev = true) {
         global $post;
         $post = get_post($post);
-        $attachments = array_values(get_children("post_parent=$post->post_parent&post_type=attachment&post_mime_type=image&orderby=\"menu_order ASC, ID ASC\""));
+        $attachments = array_values(get_children("post_parent=$post->post_parent&post_type=attachment&post_mime_type=image&orderby=menu_order ASC, ID ASC"));
 
         foreach ( $attachments as $k => $attachment )
                 if ( $attachment->ID == $post->ID )

wp-includes/formatting.php

@@ -366 +366 @@
         return $title;
 }
 
+// take a user-provided orderby string like 'foo, -bar' and turn it into a valid SQL ORDER BY clause
+function sanitize_orderby($orderby, $column_names) {
+        $out = array();
+        $items = explode(',', $orderby);
+        foreach ($items as $item) {
+                // items might look like 'foo', '+foo' or '-foo'
+                if ( preg_match('/^([-+]?)\s*(\w+)$/', trim($item), $m) ) {
+                        $direction = ( $m[1] == '-' ? 'DESC' : 'ASC' );
+                        $column = strtolower($m[2]);
+                        if ( isset( $column_names[$column] ) )
+                                $out[] = "{$column_names[$column]} {$direction}";
+                }
+        }
+
+        return join(', ', $out);
+}
+
 function convert_chars($content, $deprecated = '') {
         // Translation of invalid Unicode references range to valid range
         $wp_htmltranswinuni = array(