WordPress.org

Make WordPress Core

Changeset 18018


Ignore:
Timestamp:
05/24/2011 03:53:22 PM (8 years ago)
Author:
ryan
Message:

Sanitize guid on save and display. Sanitize mime type on save. Don't allow changing mime type via edit form handlers. Protect hidden meta.

Location:
branches/3.1
Files:
9 edited

Legend:

Unmodified
Added
Removed
  • branches/3.1

  • branches/3.1/wp-admin/admin-ajax.php

    r17354 r18018  
    397397        die('1');
    398398
    399     if ( !current_user_can( 'edit_post', $meta->post_id ) )
     399    if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )
    400400        die('-1');
    401401    if ( delete_meta( $meta->meta_id ) )
     
    856856        if ( !current_user_can( 'edit_post', $meta->post_id ) )
    857857            die('-1');
     858        if ( is_protected_meta( $meta->meta_key ) )
     859            die('-1');
    858860        if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
    859861            if ( !$u = update_meta( $mid, $key, $value ) )
  • branches/3.1/wp-admin/includes/media.php

    r17569 r18018  
    11931193    $toggle_off = __( 'Hide' );
    11941194
    1195     $filename = basename( $post->guid );
     1195    $filename = esc_html( basename( $post->guid ) );
    11961196    $title = esc_attr( $post->post_title );
    11971197
  • branches/3.1/wp-admin/includes/post.php

    r17458 r18018  
    139139    $post = get_post( $post_ID );
    140140    $post_data['post_type'] = $post->post_type;
     141    $post_data['post_mime_type'] = $post->post_mime_type;
    141142
    142143    $ptype = get_post_type_object($post_data['post_type']);
     
    200201            if ( $meta->post_id != $post_ID )
    201202                continue;
     203            if ( is_protected_meta( $key ) )
     204                continue;
    202205            update_meta( $key, $value['key'], $value['value'] );
    203206        }
     
    209212                continue;
    210213            if ( $meta->post_id != $post_ID )
     214                continue;
     215            if ( is_protected_meta( $key ) )
    211216                continue;
    212217            delete_meta( $key );
     
    528533    }
    529534
     535    $_POST['post_mime_type'] = '';
     536
    530537    // Check for autosave collisions
    531538    // Does this need to be updated? ~ Mark
     
    633640    $post_ID = (int) $post_ID;
    634641
    635     $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
    636 
    637642    $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
    638643    $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
     
    651656            $metakey = $metakeyinput; // default
    652657
    653         if ( in_array($metakey, $protected) )
     658        if ( is_protected_meta( $metakey ) )
    654659            return false;
    655660
     
    757762    global $wpdb;
    758763
    759     $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
    760 
    761764    $meta_key = stripslashes($meta_key);
    762765
    763     if ( in_array($meta_key, $protected) )
     766    if ( is_protected_meta( $meta_key ) )
    764767        return false;
    765768
  • branches/3.1/wp-admin/includes/template.php

    r17411 r18018  
    466466function _list_meta_row( $entry, &$count ) {
    467467    static $update_nonce = false;
     468
     469    if ( is_protected_meta( $entry['meta_key'] ) )
     470        return;
     471
    468472    if ( !$update_nonce )
    469473        $update_nonce = wp_create_nonce( 'add-meta' );
  • branches/3.1/wp-includes/default-filters.php

    r18013 r18018  
    5959// Save URL
    6060foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
    61     'pre_link_rss' ) as $filter ) {
     61    'pre_link_rss', 'pre_post_guid' ) as $filter ) {
    6262    add_filter( $filter, 'wp_strip_all_tags' );
    6363    add_filter( $filter, 'esc_url_raw'       );
     
    6666
    6767// Display URL
    68 foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url' ) as $filter ) {
     68foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) {
    6969    if ( is_admin() )
    7070        add_filter( $filter, 'wp_strip_all_tags' );
     
    8686    add_filter( $filter, 'sanitize_key' );
    8787}
     88
     89// Mime types
     90add_filter( 'pre_post_mime_type', 'sanitize_mime_type' );
     91add_filter( 'post_mime_type', 'sanitize_mime_type' );
    8892
    8993// Places to balance tags on input
  • branches/3.1/wp-includes/formatting.php

    r18014 r18018  
    29042904}
    29052905
     2906/**
     2907 * Sanitize a mime type
     2908 *
     2909 * @since 3.2.0
     2910 *
     2911 * @param string $mime_type Mime type
     2912 * @return string Sanitized mime type
     2913 */
     2914function sanitize_mime_type( $mime_type ) {
     2915    $sani_mime_type = preg_replace( '/[^-*.a-zA-Z0-9\/]/', '', $mime_type );
     2916    return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
     2917}
     2918
    29062919?>
  • branches/3.1/wp-includes/meta.php

    r17531 r18018  
    4646    $meta_key = stripslashes($meta_key);
    4747    $meta_value = stripslashes_deep($meta_value);
     48    $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
    4849
    4950    $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
     
    114115    $meta_key = stripslashes($meta_key);
    115116    $meta_value = stripslashes_deep($meta_value);
     117    $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
    116118
    117119    $check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
     
    489491    return $wpdb->$table_name;
    490492}
     493
     494/**
     495 * Determine whether a meta key is protected
     496 *
     497 * @since 3.2.0
     498 *
     499 * @param string $meta_key Meta key
     500 * @return bool True if the key is protected, false otherwise.
     501 */
     502function is_protected_meta( $meta_key, $meta_type = null ) {
     503    $protected = (  '_' == $meta_key[0] );
     504
     505    return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
     506}
     507
     508/**
     509 * Sanitize meta value
     510 *
     511 * @since 3.2.0
     512 *
     513 * @param string $meta_key Meta key
     514 * @param mixed $meta_value Meta value to sanitize
     515 * @param string $meta_type Type of meta
     516 * @return mixed Sanitized $meta_value
     517 */
     518function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) {
     519    return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );
     520}
     521
    491522?>
  • branches/3.1/wp-includes/theme.php

    r17316 r18018  
    14361436        $url = str_replace( 'https://', 'http://', $url );
    14371437
    1438     return $url;
     1438    return esc_url_raw( $url );
    14391439}
    14401440
Note: See TracChangeset for help on using the changeset viewer.