Changeset 18018

Timestamp:

05/24/2011 03:53:22 PM (14 years ago)

Author:

ryan

Message:

Sanitize guid on save and display. Sanitize mime type on save. Don't allow changing mime type via edit form handlers. Protect hidden meta.

Location:

branches/3.1

Files:

• . (modified) (1 prop)
• wp-admin/admin-ajax.php (modified) (2 diffs)
• wp-admin/includes/media.php (modified) (1 diff)
• wp-admin/includes/post.php (modified) (7 diffs)
• wp-admin/includes/template.php (modified) (1 diff)
• wp-includes/default-filters.php (modified) (3 diffs)
• wp-includes/formatting.php (modified) (1 diff)
• wp-includes/meta.php (modified) (3 diffs)
• wp-includes/theme.php (modified) (1 diff)

branches/3.1/wp-admin/admin-ajax.php

@@ -397 +397 @@
         die('1');
 
-    if ( !current_user_can( 'edit_post', $meta->post_id ) )
+    if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )
         die('-1');
     if ( delete_meta( $meta->meta_id ) )
@@ -856 +856 @@
         if ( !current_user_can( 'edit_post', $meta->post_id ) )
             die('-1');
+        if ( is_protected_meta( $meta->meta_key ) )
+            die('-1');
         if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
             if ( !$u = update_meta( $mid, $key, $value ) )

branches/3.1/wp-admin/includes/media.php

@@ -1193 +1193 @@
     $toggle_off = __( 'Hide' );
 
-    $filename = basename( $post->guid );
+    $filename = esc_html( basename( $post->guid ) );
     $title = esc_attr( $post->post_title );
 

branches/3.1/wp-admin/includes/post.php

@@ -139 +139 @@
     $post = get_post( $post_ID );
     $post_data['post_type'] = $post->post_type;
+    $post_data['post_mime_type'] = $post->post_mime_type;
 
     $ptype = get_post_type_object($post_data['post_type']);
@@ -200 +201 @@
             if ( $meta->post_id != $post_ID )
                 continue;
+            if ( is_protected_meta( $key ) )
+                continue;
             update_meta( $key, $value['key'], $value['value'] );
         }
@@ -209 +212 @@
                 continue;
             if ( $meta->post_id != $post_ID )
+                continue;
+            if ( is_protected_meta( $key ) )
                 continue;
             delete_meta( $key );
@@ -528 +533 @@
     }
 
+    $_POST['post_mime_type'] = '';
+
     // Check for autosave collisions
     // Does this need to be updated? ~ Mark
@@ -633 +640 @@
     $post_ID = (int) $post_ID;
 
-    $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
-
     $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
     $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
@@ -651 +656 @@
             $metakey = $metakeyinput; // default
 
-        if ( in_array($metakey, $protected) )
+        if ( is_protected_meta( $metakey ) )
             return false;
 
@@ -757 +762 @@
     global $wpdb;
 
-    $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
-
     $meta_key = stripslashes($meta_key);
 
-    if ( in_array($meta_key, $protected) )
+    if ( is_protected_meta( $meta_key ) )
         return false;
 

branches/3.1/wp-admin/includes/template.php

@@ -466 +466 @@
 function _list_meta_row( $entry, &$count ) {
     static $update_nonce = false;
+
+    if ( is_protected_meta( $entry['meta_key'] ) )
+        return;
+
     if ( !$update_nonce )
         $update_nonce = wp_create_nonce( 'add-meta' );

branches/3.1/wp-includes/default-filters.php

@@ -59 +59 @@
 // Save URL
 foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
-    'pre_link_rss' ) as $filter ) {
+    'pre_link_rss', 'pre_post_guid' ) as $filter ) {
     add_filter( $filter, 'wp_strip_all_tags' );
     add_filter( $filter, 'esc_url_raw'       );
@@ -66 +66 @@
 
 // Display URL
-foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url' ) as $filter ) {
+foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) {
     if ( is_admin() )
         add_filter( $filter, 'wp_strip_all_tags' );
@@ -86 +86 @@
     add_filter( $filter, 'sanitize_key' );
 }
+
+// Mime types
+add_filter( 'pre_post_mime_type', 'sanitize_mime_type' );
+add_filter( 'post_mime_type', 'sanitize_mime_type' );
 
 // Places to balance tags on input

branches/3.1/wp-includes/formatting.php

@@ -2904 +2904 @@
 }
 
+/**
+ * Sanitize a mime type
+ *
+ * @since 3.2.0
+ *
+ * @param string $mime_type Mime type
+ * @return string Sanitized mime type
+ */
+function sanitize_mime_type( $mime_type ) {
+    $sani_mime_type = preg_replace( '/[^-*.a-zA-Z0-9\/]/', '', $mime_type );
+    return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
+}
+
 ?>

branches/3.1/wp-includes/meta.php

@@ -46 +46 @@
     $meta_key = stripslashes($meta_key);
     $meta_value = stripslashes_deep($meta_value);
+    $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 
     $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
@@ -114 +115 @@
     $meta_key = stripslashes($meta_key);
     $meta_value = stripslashes_deep($meta_value);
+    $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 
     $check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
@@ -489 +491 @@
     return $wpdb->$table_name;
 }
+
+/**
+ * Determine whether a meta key is protected
+ *
+ * @since 3.2.0
+ *
+ * @param string $meta_key Meta key
+ * @return bool True if the key is protected, false otherwise.
+ */
+function is_protected_meta( $meta_key, $meta_type = null ) {
+    $protected = (  '_' == $meta_key[0] );
+
+    return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
+}
+
+/**
+ * Sanitize meta value
+ *
+ * @since 3.2.0
+ *
+ * @param string $meta_key Meta key
+ * @param mixed $meta_value Meta value to sanitize
+ * @param string $meta_type Type of meta
+ * @return mixed Sanitized $meta_value
+ */
+function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) {
+    return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );
+}
+
 ?>

branches/3.1/wp-includes/theme.php

@@ -1436 +1436 @@
         $url = str_replace( 'https://', 'http://', $url );
 
-    return $url;
+    return esc_url_raw( $url );
 }