
Changeset 17994


Timestamp:
05/22/11 23:19:42 (4 years ago)
Author:
ryan
Message:

Sanitize guid on save and display. Sanitize mime type on save. Don't allow changing mime type via edit form handlers. Protect hidden meta.

Location:
trunk
Files:
8 edited

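--- a/trunk/wp-admin/admin-ajax.php
+++ b/trunk/wp-admin/admin-ajax.php
@@ -397,5 +397,5 @@
         die('1');
 
-    if ( !current_user_can( 'edit_post', $meta->post_id ) )
+    if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )
         die('-1');
     if ( delete_meta( $meta->meta_id ) )
@@ -866,4 +866,6 @@
         if ( !current_user_can( 'edit_post', $meta->post_id ) )
             die('-1');
+        if ( is_protected_meta( $meta->meta_key ) )
+            die('-1');
         if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
             if ( !$u = update_meta( $mid, $key, $value ) )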
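Review bot: The guard added at new line 868 tests only the stored key, `$meta->meta_key`, while the very next line lets the request replace that key with `$key`; a request that renames an ordinary key to a protected one appears to be rejected only because the wp-admin/includes/post.php hunk in this changeset makes the update helper refuse a protected new key. Making that explicit here keeps the handler safe if the helper changes: `if ( is_protected_meta( $meta->meta_key ) || is_protected_meta( stripslashes( $key ) ) )`. The delete-meta hunk at 399 needs no such change since it never takes a new key. The enclosing case bodies start and end outside both hunks.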
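--- a/trunk/wp-admin/includes/media.php
+++ b/trunk/wp-admin/includes/media.php
@@ -1202,5 +1202,5 @@
     $toggle_off = __( 'Hide' );
 
-    $filename = basename( $post->guid );
+    $filename = esc_html( basename( $post->guid ) );
     $title = esc_attr( $post->post_title );
 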
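Review bot: `esc_html()` at new line 1204 is the right escape only if `$filename` is printed as element content; the neighbouring `$title` is escaped with `esc_attr()` because it goes into an attribute, so if `$filename` is also placed into an attribute or a JavaScript string further down (outside this hunk) that site needs its own context-specific escape rather than relying on this one. Escaping at assignment time also means any later string handling of `$filename` sees the entity-encoded form, which is worth a glance. The enclosing function starts and ends outside the hunk.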
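--- a/trunk/wp-admin/includes/post.php
+++ b/trunk/wp-admin/includes/post.php
@@ -139,4 +139,5 @@
     $post = get_post( $post_ID );
     $post_data['post_type'] = $post->post_type;
+    $post_data['post_mime_type'] = $post->post_mime_type;
 
     $ptype = get_post_type_object($post_data['post_type']);
@@ -200,4 +201,6 @@
             if ( $meta->post_id != $post_ID )
                 continue;
+            if ( is_protected_meta( $key ) )
+                continue;
             update_meta( $key, $value['key'], $value['value'] );
         }
@@ -209,4 +212,6 @@
                 continue;
             if ( $meta->post_id != $post_ID )
+                continue;
+            if ( is_protected_meta( $key ) )
                 continue;
             delete_meta( $key );
@@ -528,4 +533,6 @@
     }
 
+    $_POST['post_mime_type'] = '';
+
     // Check for autosave collisions
     // Does this need to be updated? ~ Mark
@@ -633,6 +640,4 @@
     $post_ID = (int) $post_ID;
 
-    $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
-
     $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
     $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
@@ -651,5 +656,5 @@
             $metakey = $metakeyinput; // default
 
-        if ( in_array($metakey, $protected) )
+        if ( is_protected_meta( $metakey ) )
             return false;
 
@@ -757,9 +762,7 @@
     global $wpdb;
 
-    $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
-
     $meta_key = stripslashes($meta_key);
 
-    if ( in_array($meta_key, $protected) )
+    if ( is_protected_meta( $meta_key ) )
         return false;
 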
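Review bot: The checks added at new lines 203 and 215 pass `$key` to is_protected_meta(), but from the surrounding lines `$key` appears to be the meta row id rather than the key name — it is what `delete_meta( $key )` receives and the first argument of `update_meta( $key, ... )`, and `$meta` has already been loaded from it. is_protected_meta() inspects the first character of its argument, so a numeric id is never treated as protected and both guards are effectively no-ops; the delete path then has no other protection, since `delete_meta()` takes only an id. The key to test is the loaded row's, as the admin-ajax hunk in this changeset already does: `if ( is_protected_meta( $meta->meta_key ) )` at both sites. The `$_POST['post_mime_type'] = '';` at 535 would read better with a one-line reason, e.g. `// The edit form must not be able to set the mime type.`, and the enclosing functions start and end outside these hunks.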
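--- a/trunk/wp-admin/includes/template.php
+++ b/trunk/wp-admin/includes/template.php
@@ -466,4 +466,8 @@
 function _list_meta_row( $entry, &$count ) {
     static $update_nonce = false;
+
+    if ( is_protected_meta( $entry['meta_key'] ) )
+        return;
+
     if ( !$update_nonce )
         $update_nonce = wp_create_nonce( 'add-meta' );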
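Review bot: The early return at new line 469 hides protected rows from the Custom Fields box but is a display decision only; the save handlers still have to reject protected keys on their own, so a one-line comment would stop a future reader from treating this as the access check: `// Display filter only: the save handlers must refuse protected keys independently.` Note that `$count` is not advanced for a skipped row, which is presumably intended because the hidden row occupies no table position — worth confirming against how the caller uses it. `_list_meta_row()` continues past the end of the hunk.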
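--- a/trunk/wp-includes/default-filters.php
+++ b/trunk/wp-includes/default-filters.php
@@ -59,5 +59,5 @@
 // Save URL
 foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
-    'pre_link_rss' ) as $filter ) {
+    'pre_link_rss', 'pre_post_guid' ) as $filter ) {
     add_filter( $filter, 'wp_strip_all_tags' );
     add_filter( $filter, 'esc_url_raw'       );
@@ -66,5 +66,5 @@
 
 // Display URL
-foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url' ) as $filter ) {
+foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) {
     if ( is_admin() )
         add_filter( $filter, 'wp_strip_all_tags' );
@@ -86,4 +86,8 @@
     add_filter( $filter, 'sanitize_key' );
 }
+
+// Mime types
+add_filter( 'pre_post_mime_type', 'sanitize_mime_type' );
+add_filter( 'post_mime_type', 'sanitize_mime_type' );
 
 // Places to balance tags on input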
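Review bot: The `post_guid` display filter at new line 68 only runs where the guid is read through the display-context field sanitizer; if the guid is also printed through a path with its own filter name (the `get_the_guid` helper, if present in this tree) that path would not pick it up, which is worth confirming because feeds emit the guid directly. The new `// Mime types` block at 89–91 registers both the save hook (`pre_post_mime_type`) and the display hook (`post_mime_type`) under a single heading whereas the surrounding blocks separate "Save" from "Display"; `// Mime types (save and display)` would match that convention. The `foreach` loops in the first two hunks continue outside the hunks.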
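--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -2890,3 +2890,16 @@
 }
 
+/**
+ * Sanitize a mime type
+ *
+ * @since 3.2.0
+ *
+ * @param string $mime_type Mime type
+ * @return string Sanitized mime type
+ */
+function sanitize_mime_type( $mime_type ) {
+    $sani_mime_type = preg_replace( '/[^-*.a-zA-Z0-9\/]/', '', $mime_type );
+    return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
+}
+
 ?>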
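Review bot: The character class in `preg_replace( '/[^-*.a-zA-Z0-9\/]/', '', $mime_type )` at new line 2901 drops `+`, so a valid type such as `image/svg+xml` or `application/xhtml+xml` becomes `image/svgxml` instead of being preserved or rejected, and any later comparison against the stored type fails silently. RFC 2045 tokens also allow `_`, `!`, `#`, `$`, `&`, `^` and `~`, but `+` is the one in common use; adding it gives `'/[^-+*.a-zA-Z0-9\/]/'`. Because stripping alters a value rather than refusing it, the docblock should say so: `@return string Sanitized mime type; disallowed characters are removed, not rejected.` preg_replace() returns null on a PCRE error, which would be passed through the filter unchanged — acceptable here but worth knowing.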
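--- a/trunk/wp-includes/meta.php
+++ b/trunk/wp-includes/meta.php
@@ -46,4 +46,5 @@
     $meta_key = stripslashes($meta_key);
     $meta_value = stripslashes_deep($meta_value);
+    $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 
     $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
@@ -114,4 +115,5 @@
     $meta_key = stripslashes($meta_key);
     $meta_value = stripslashes_deep($meta_value);
+    $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 
     $check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
@@ -577,3 +579,32 @@
     return $wpdb->$table_name;
 }
+
+/**
+ * Determine whether a meta key is protected
+ *
+ * @since 3.2.0
+ *
+ * @param string $meta_key Meta key
+ * @return bool True if the key is protected, false otherwise.
+ */
+function is_protected_meta( $meta_key, $meta_type = null ) {
+    $protected = (  '_' == $meta_key[0] );
+
+    return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
+}
+
+/**
+ * Sanitize meta value
+ *
+ * @since 3.2.0
+ *
+ * @param string $meta_key Meta key
+ * @param mixed $meta_value Meta value to sanitize
+ * @param string $meta_type Type of meta
+ * @return mixed Sanitized $meta_value
+ */
+function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) {
+    return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );
+}
+
 ?>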
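Review bot: `'_' == $meta_key[0]` at new line 591 reads an offset without checking its argument: an empty string raises a PHP notice and is reported unprotected, and a non-string (an integer id, which the post.php hunks in this changeset pass) yields null and is likewise unprotected, so the function silently answers false for exactly the inputs a caller got wrong. A form that tolerates both and compares strictly is `$protected = ( '_' === substr( (string) $meta_key, 0, 1 ) );`. `$meta_type` is accepted and forwarded to the `is_protected_meta` filter, but no call site in this changeset passes it, so filter callbacks always receive null; either pass the type at the call sites or document it as optional, and in any case the docblock is missing it: `@param string $meta_type Optional. Type of object the key belongs to (e.g. 'post'); passed through to the filter.`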
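--- a/trunk/wp-includes/theme.php
+++ b/trunk/wp-includes/theme.php
@@ -1441,5 +1441,5 @@
         $url = str_replace( 'https://', 'http://', $url );
 
-    return $url;
+    return esc_url_raw( $url );
 }
 
@@ -1526,5 +1526,5 @@
 
     foreach ( (array) $headers as $header ) {
-        $url = $header->guid;
+        $url = esc_url_raw( $header->guid );
         $header = basename($url);
         $header_images[$header] = array();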
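Review bot: The `esc_url_raw()` calls at new lines 1443 and 1528 are read-side escapes of values that the `pre_post_guid` filter added in this changeset will sanitize on save; guids stored before that filter existed are not re-sanitized, so the read-side call is what covers them, and a comment would keep someone from removing it as redundant later: `// guid may predate the pre_post_guid save filter; sanitize on read as well`. In the second hunk `basename()` is applied to the escaped URL, so if a guid carries a query string or encoded characters the resulting `$header` key changes shape — fine for an array key, but worth confirming against how `$header_images` is consumed. Both enclosing functions start and end outside the hunks.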