
Changeset 17994


Timestamp:
05/22/2011 11:19:42 PM (14 years ago)
Author:
ryan
Message:

Sanitize guid on save and display. Sanitize mime type on save. Don't allow changing mime type via edit form handlers. Protect hidden meta.

Location:
trunk
Files:
8 edited

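--- a/trunk/wp-admin/admin-ajax.php
+++ b/trunk/wp-admin/admin-ajax.php
@@ -397,5 +397,5 @@
         die('1');
 
-    if ( !current_user_can( 'edit_post', $meta->post_id ) )
+    if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )
         die('-1');
     if ( delete_meta( $meta->meta_id ) )
@@ -866,4 +868,6 @@
         if ( !current_user_can( 'edit_post', $meta->post_id ) )
             die('-1');
+        if ( is_protected_meta( $meta->meta_key ) )
+            die('-1');
         if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
             if ( !$u = update_meta( $mid, $key, $value ) )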
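Review bot: The guard added at new line 868 checks only the meta row's current key, while the update on new lines 870-871 may also rename the row to the submitted `$key`; rejection of a protected replacement key is left to update_meta(), which this changeset does make check the new key in wp-admin/includes/post.php, so the dependency deserves a comment here, e.g. `// The replacement key is checked inside update_meta(); only the existing row is guarded here.` The two separate die('-1') statements could also be folded into the existing permission check for consistency with the first hunk: `if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )`. Both enclosing handlers start and end outside the hunks.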
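--- a/trunk/wp-admin/includes/media.php
+++ b/trunk/wp-admin/includes/media.php
@@ -1202,5 +1202,5 @@
     $toggle_off = __( 'Hide' );
 
-    $filename = basename( $post->guid );
+    $filename = esc_html( basename( $post->guid ) );
     $title = esc_attr( $post->post_title );
 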
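Review bot: Escaping at assignment (new line 1204) rather than at the point of output makes `$filename` an HTML-escaped string for the rest of the function; if it is later placed in an attribute through esc_attr() or used for anything other than HTML body text it will be double-escaped or wrong. The uses below the hunk are not visible here, so if every use is plain HTML output this is fine, but a comment such as `// Already HTML-escaped: echo directly, do not pass through esc_attr()` would stop a later maintainer from re-escaping it. The raw `$post->guid` property is read here, so the new `post_guid` display filter from default-filters.php is not necessarily applied to this value; the explicit escape is what protects it.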
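--- a/trunk/wp-admin/includes/post.php
+++ b/trunk/wp-admin/includes/post.php
@@ -139,4 +139,5 @@
     $post = get_post( $post_ID );
     $post_data['post_type'] = $post->post_type;
+    $post_data['post_mime_type'] = $post->post_mime_type;
 
     $ptype = get_post_type_object($post_data['post_type']);
@@ -200,4 +201,6 @@
             if ( $meta->post_id != $post_ID )
                 continue;
+            if ( is_protected_meta( $key ) )
+                continue;
             update_meta( $key, $value['key'], $value['value'] );
         }
@@ -209,4 +212,6 @@
                 continue;
             if ( $meta->post_id != $post_ID )
+                continue;
+            if ( is_protected_meta( $key ) )
                 continue;
             delete_meta( $key );
@@ -528,4 +533,6 @@
     }
 
+    $_POST['post_mime_type'] = '';
+
     // Check for autosave collisions
     // Does this need to be updated? ~ Mark
@@ -633,6 +640,4 @@
     $post_ID = (int) $post_ID;
 
-    $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
-
     $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
     $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
@@ -651,5 +656,5 @@
             $metakey = $metakeyinput; // default
 
-        if ( in_array($metakey, $protected) )
+        if ( is_protected_meta( $metakey ) )
             return false;
 
@@ -757,9 +762,7 @@
     global $wpdb;
 
-    $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
-
     $meta_key = stripslashes($meta_key);
 
-    if ( in_array($meta_key, $protected) )
+    if ( is_protected_meta( $meta_key ) )
         return false;
 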
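Review bot: The `is_protected_meta( $key )` checks added at new lines 203 and 214 test the wrong value: in both loops `$key` is the meta row ID, as shown by `delete_meta( $key )` on the next line receiving the same argument that admin-ajax.php passes as `$meta->meta_id` and by `update_meta( $key, $value['key'], $value['value'] )` taking the real key as its second argument, so a numeric ID never starts with `_` and the guard never fires. The value to check is the row's stored key, `if ( is_protected_meta( $meta->meta_key ) )` in both places; as written the edit form can still update or delete a `_`-prefixed row. For the update loop the replacement key `$value['key']` is separately rejected by the update_meta() change at new line 766, but that does not cover the existing row. The enclosing functions start and end outside the hunks.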
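--- a/trunk/wp-admin/includes/template.php
+++ b/trunk/wp-admin/includes/template.php
@@ -466,4 +466,8 @@
 function _list_meta_row( $entry, &$count ) {
     static $update_nonce = false;
+
+    if ( is_protected_meta( $entry['meta_key'] ) )
+        return;
+
     if ( !$update_nonce )
         $update_nonce = wp_create_nonce( 'add-meta' );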
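Review bot: The early return at new lines 469-470 only hides protected rows from the custom-fields table; nothing in this function enforces protection, and since `$count` is passed by reference and left untouched on this path the caller's row numbering presumably skips these rows (the rest of the function is outside the hunk, so that is inferred). A why-comment would keep later readers from treating this as the access check, e.g. `// Hide protected (_-prefixed) meta from the UI; writes are rejected in the meta handlers.`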
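--- a/trunk/wp-includes/default-filters.php
+++ b/trunk/wp-includes/default-filters.php
@@ -59,5 +59,5 @@
 // Save URL
 foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
-    'pre_link_rss' ) as $filter ) {
+    'pre_link_rss', 'pre_post_guid' ) as $filter ) {
     add_filter( $filter, 'wp_strip_all_tags' );
     add_filter( $filter, 'esc_url_raw'       );
@@ -66,5 +66,5 @@
 
 // Display URL
-foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url' ) as $filter ) {
+foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) {
     if ( is_admin() )
         add_filter( $filter, 'wp_strip_all_tags' );
@@ -86,4 +86,8 @@
     add_filter( $filter, 'sanitize_key' );
 }
+
+// Mime types
+add_filter( 'pre_post_mime_type', 'sanitize_mime_type' );
+add_filter( 'post_mime_type', 'sanitize_mime_type' );
 
 // Places to balance tags on input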
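Review bot: The new `post_guid` display filter (line 68) and `post_mime_type` filter (line 91) only take effect for values that are passed through post-field sanitisation with a display context; code that reads `$post->guid` or `$post->post_mime_type` directly still sees the stored value, which is why media.php and theme.php in this same changeset escape explicitly. A short comment on the `// Mime types` block recording that `pre_post_mime_type` is the save-side guard while edit_post() and wp_write_post() additionally discard form-supplied mime types would tie the three pieces together. Note that on the display side `wp_strip_all_tags` is only registered under `is_admin()` (line 69), so front-end output of `post_guid` relies on whatever filter follows in the loop, which is outside the hunk.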
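--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -2890,3 +2890,16 @@
 }
 
+/**
+ * Sanitize a mime type
+ *
+ * @since 3.2.0
+ *
+ * @param string $mime_type Mime type
+ * @return string Sanitized mime type
+ */
+function sanitize_mime_type( $mime_type ) {
+    $sani_mime_type = preg_replace( '/[^-*.a-zA-Z0-9\/]/', '', $mime_type );
+    return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
+}
+
 ?>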
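Review bot: The character class on new line 2901 does not allow `+`, which is a legal MIME token character and appears in common subtypes (`image/svg+xml`, `application/atom+xml`, `application/rss+xml`), so those are stored as `image/svgxml` and will no longer match type comparisons; the class should be `preg_replace( '/[^-+*.a-zA-Z0-9\/]/', '', $mime_type )`. The function is a character filter, not a structural check: it keeps `.` and `/`, so a value such as `a/b/c` or one with no slash at all passes through unchanged, and callers that need a well-formed `type/subtype` must validate separately. The docblock should state which characters survive rather than just "Sanitized mime type", so callers do not read it as a validity guarantee.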
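--- a/trunk/wp-includes/meta.php
+++ b/trunk/wp-includes/meta.php
@@ -46,4 +46,5 @@
     $meta_key = stripslashes($meta_key);
     $meta_value = stripslashes_deep($meta_value);
+    $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 
     $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
@@ -114,4 +115,5 @@
     $meta_key = stripslashes($meta_key);
     $meta_value = stripslashes_deep($meta_value);
+    $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 
     $check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
@@ -577,3 +579,32 @@
     return $wpdb->$table_name;
 }
+
+/**
+ * Determine whether a meta key is protected
+ *
+ * @since 3.2.0
+ *
+ * @param string $meta_key Meta key
+ * @return bool True if the key is protected, false otherwise.
+ */
+function is_protected_meta( $meta_key, $meta_type = null ) {
+    $protected = (  '_' == $meta_key[0] );
+
+    return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
+}
+
+/**
+ * Sanitize meta value
+ *
+ * @since 3.2.0
+ *
+ * @param string $meta_key Meta key
+ * @param mixed $meta_value Meta value to sanitize
+ * @param string $meta_type Type of meta
+ * @return mixed Sanitized $meta_value
+ */
+function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) {
+    return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );
+}
+
 ?>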
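Review bot: `$meta_key[0]` on new line 591 raises an "Uninitialized string offset" notice when `$meta_key` is an empty string, and the admin handlers in this changeset pass user-supplied keys that can be empty; a safer form is `$protected = ( '_' == substr( $meta_key, 0, 1 ) );`. The docblock on lines 582-589 omits the `$meta_type` parameter and the `is_protected_meta` filter, which lets a plugin return false and re-expose a `_`-prefixed key; both should be documented, e.g. `@param string $meta_type Optional. Type of object the key belongs to; passed through to the filter only.` Note that sanitize_meta() (new lines 48 and 117) runs inside the core metadata API while is_protected_meta() is only consulted by the admin form handlers, so add_metadata()/update_metadata() themselves still write protected keys; stating that in the is_protected_meta() docblock would prevent callers from expecting the core API to enforce it.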
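--- a/trunk/wp-includes/theme.php
+++ b/trunk/wp-includes/theme.php
@@ -1441,5 +1441,5 @@
         $url = str_replace( 'https://', 'http://', $url );
 
-    return $url;
+    return esc_url_raw( $url );
 }
 
@@ -1526,5 +1526,5 @@
 
     foreach ( (array) $headers as $header ) {
-        $url = $header->guid;
+        $url = esc_url_raw( $header->guid );
         $header = basename($url);
         $header_images[$header] = array();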
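Review bot: Passing the guid through esc_url_raw() before basename() on new line 1528 can change the derived `$header` key: esc_url_raw() percent-encodes spaces and drops characters it does not accept, so an attachment whose filename contains such characters now gets a different `$header_images` key than the raw basename used before, and any code that looks a header up by the stored filename would miss it (those lookups, if any, are outside the hunk, so this is inferred). If the key only needs to be stable within this function that is harmless, but a comment such as `// Sanitised guid; basename() of this may differ from the stored attachment filename.` would record the trade-off. At new line 1443 esc_url_raw() is the right choice only if callers escape again for HTML output, since it does not entity-encode `&`; the function's callers are outside the hunk.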