Changeset 2667


Timestamp:
06/28/2005 10:16:08 PM (16 years ago)
Author:
ryan
Message:

Escape XMLRPC args.

Location:
branches/1.5
Files:
2 edited

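--- a/branches/1.5/wp-includes/functions-post.php
+++ b/branches/1.5/wp-includes/functions-post.php
@@ -12,9 +12,5 @@
     extract($postarr);
 
-    // Do some escapes for safety
-    $post_title = $wpdb->escape($post_title);
     $post_name = sanitize_title($post_title);
-    $post_excerpt = $wpdb->escape($post_excerpt);
-    $post_content = $wpdb->escape($post_content);
     $post_author = (int) $post_author;
 
@@ -116,9 +112,4 @@
     if ( 0 == count($post_category) || !is_array($post_category) )
         $post_category = array($post_default_category);
-
-    // Do some escapes for safety
-    $post_title   = $wpdb->escape($post_title);
-    $post_excerpt = $wpdb->escape($post_excerpt);
-    $post_content = $wpdb->escape($post_content);
 
     $post_modified = current_time('mysql');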
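Review bot: With the `$wpdb->escape` calls gone from both hunks, `$post_title`, `$post_excerpt` and `$post_content` are now written exactly as the caller supplied them, so the contract that callers must pre-escape belongs at the top of each function; the enclosing functions (the first apparently wp_insert_post) start outside the hunks. I'd add `// $postarr values must already be SQL-escaped by the caller (see xmlrpc.php escape()); only $post_author is coerced here` next to `extract($postarr)`. The surviving `(int) $post_author` cast means the function still sanitizes one field itself, which is easy to misread as it escaping everything. `sanitize_title($post_title)` now receives the raw title rather than the escaped one; whether that changes the generated slug for titles containing quotes or backslashes can't be told from here and is worth checking.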
  • branches/1.5/xmlrpc.php

    r2606 r2667  
    128128    }
    129129
    130 
    131 
     130    function escape(&$array) {
     131        global $wpdb;
     132
     133        foreach ($array as $k => $v) {
     134            if (is_array($v)) {
     135                $this->escape($array[$k]);
     136            } else {
     137                $array[$k] = $wpdb->escape($v);
     138            }
     139        }
     140    }
    132141
    133142    /* Blogger API functions
     
    138147    /* blogger.getUsersBlogs will make more sense once we support multiple blogs */
    139148    function blogger_getUsersBlogs($args) {
     149
     150        $this->escape($args);
    140151
    141152      $user_login = $args[1];
     
    163174    function blogger_getUserInfo($args) {
    164175
     176        $this->escape($args);
     177
    165178      $user_login = $args[1];
    166179      $user_pass  = $args[2];
     
    173186
    174187      $struct = array(
    175         'nickname'  => $user_data->user_nickname,
     188        'nickname'  => $user_data->nickname,
    176189        'userid'    => $user_data->ID,
    177190        'url'       => $user_data->user_url,
    178191        'email'     => $user_data->user_email,
    179         'lastname'  => $user_data->user_lastname,
    180         'firstname' => $user_data->user_firstname
     192        'lastname'  => $user_data->last_name,
     193        'firstname' => $user_data->first_name
    181194      );
    182195
     
    187200    /* blogger.getPost ...gets a post */
    188201    function blogger_getPost($args) {
     202
     203        $this->escape($args);
    189204
    190205      $post_ID    = $args[1];
     
    221236      global $wpdb;
    222237
     238        $this->escape($args);
     239
    223240      $blog_ID    = $args[1]; /* though we don't use it yet */
    224241      $user_login = $args[2];
     
    267284    function blogger_getTemplate($args) {
    268285
     286        $this->escape($args);
     287
    269288      $blog_ID    = $args[1];
    270289      $user_login = $args[2];
     
    299318    /* blogger.setTemplate updates the content of blog_filename */
    300319    function blogger_setTemplate($args) {
     320
     321        $this->escape($args);
    301322
    302323      $blog_ID    = $args[1];
     
    336357      global $wpdb;
    337358
     359        $this->escape($args);
     360
    338361      $blog_ID    = $args[1]; /* though we don't use it yet */
    339362      $user_login = $args[2];
     
    383406      global $wpdb;
    384407
     408        $this->escape($args);
     409
    385410      $post_ID     = $args[1];
    386411      $user_login  = $args[2];
     
    399424      }
    400425
     426        $this->escape($actual_post);
     427
    401428      $post_author_data = get_userdata($actual_post['post_author']);
    402429      $user_data = get_userdatabylogin($user_login);
     
    407434
    408435      extract($actual_post);
     436
    409437      $content = $newcontent;
    410438
     
    431459
    432460      global $wpdb;
     461
     462        $this->escape($args);
    433463
    434464      $post_ID     = $args[1];
     
    471501    function mw_newPost($args) {
    472502
    473       global $wpdb;
     503      global $wpdb, $post_default_category;
     504
     505        $this->escape($args);
    474506
    475507      $blog_ID     = $args[0]; // we will support this in the near future
     
    508540        $post_content = $post_content . "\n<!--more-->\n" . $post_more;
    509541      }
    510        
     542
     543        $to_ping = $content_struct['mt_tb_ping_urls'];
     544
    511545      // Do some timestamp voodoo
    512546      $dateCreatedd = $content_struct['dateCreated'];
     
    529563        }
    530564      } else {
    531         $post_category[] = 1;
     565        $post_category[] = $post_default_category;
    532566      }
    533567       
    534568      // We've got all the data -- post it:
    535       $postdata = compact('post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_title', 'post_category', 'post_status', 'post_excerpt', 'comment_status', 'ping_status');
     569      $postdata = compact('post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_title', 'post_category', 'post_status', 'post_excerpt', 'comment_status', 'ping_status', 'to_ping');
    536570
    537571      $post_ID = wp_insert_post($postdata);
     
    543577      logIO('O', "Posted ! ID: $post_ID");
    544578
    545       // FIXME: do we pingback always? pingback($content, $post_ID);
    546       trackback_url_list($content_struct['mt_tb_ping_urls'],$post_ID);
    547 
    548579      return strval($post_ID);
    549580    }
     
    553584    function mw_editPost($args) {
    554585
    555       global $wpdb;
     586      global $wpdb, $post_default_category;
     587
     588        $this->escape($args);
    556589
    557590      $post_ID     = $args[0];
     
    572605      $postdata = wp_get_single_post($post_ID, ARRAY_A);
    573606      extract($postdata);
     607        $this->escape($postdata);
    574608
    575609      $post_title = $content_struct['title'];
     
    582616        }
    583617      } else {
    584         $post_category[] = 1;
     618        $post_category[] = $post_default_category;
    585619      }
    586620
     
    592626        $post_content = $post_content . "\n<!--more-->\n" . $post_more;
    593627      }
     628
     629        $to_ping = $content_struct['mt_tb_ping_urls'];
    594630
    595631      $comment_status = (empty($content_struct['mt_allow_comments'])) ?
     
    613649
    614650      // We've got all the data -- post it:
    615       $newpost = compact('ID', 'post_content', 'post_title', 'post_category', 'post_status', 'post_excerpt', 'comment_status', 'ping_status', 'post_date', 'post_date_gmt');
    616 
    617       $post_ID = wp_update_post($newpost);
    618       if (!$post_ID) {
     651      $newpost = compact('ID', 'post_content', 'post_title', 'post_category', 'post_status', 'post_excerpt', 'comment_status', 'ping_status', 'post_date', 'post_date_gmt', 'to_ping');
     652
     653      $result = wp_update_post($newpost);
     654      if (!$result) {
    619655        return new IXR_Error(500, 'Sorry, your entry could not be edited. Something wrong happened.');
    620656      }
    621657
    622658      logIO('O',"(MW) Edited ! ID: $post_ID");
    623 
    624       // FIXME: do we pingback always? pingback($content, $post_ID);
    625       trackback_url_list($content_struct['mt_tb_ping_urls'], $post_ID);
    626659
    627660      return true;
     
    633666
    634667      global $wpdb;
     668
     669        $this->escape($args);
    635670
    636671      $post_ID     = $args[0];
     
    687722    function mw_getRecentPosts($args) {
    688723
     724        $this->escape($args);
     725
    689726      $blog_ID     = $args[0];
    690727      $user_login  = $args[1];
     
    751788      global $wpdb;
    752789
     790        $this->escape($args);
     791
    753792      $blog_ID     = $args[0];
    754793      $user_login  = $args[1];
     
    783822      // http://mycvs.org/archives/2004/06/30/file-upload-to-wordpress-in-ecto/
    784823
     824        $this->escape($args);
     825
    785826      $blog_ID     = $args[0];
    786827      $user_login  = $args[1];
     
    862903    function mt_getRecentPostTitles($args) {
    863904
     905        $this->escape($args);
     906
    864907      $blog_ID     = $args[0];
    865908      $user_login  = $args[1];
     
    905948      global $wpdb;
    906949
     950        $this->escape($args);
     951
    907952      $blog_ID     = $args[0];
    908953      $user_login  = $args[1];
     
    931976    /* mt.getPostCategories ...returns a post's categories */
    932977    function mt_getPostCategories($args) {
     978
     979        $this->escape($args);
    933980
    934981      $post_ID     = $args[0];
     
    9601007    function mt_setPostCategories($args) {
    9611008
     1009        $this->escape($args);
     1010
    9621011      $post_ID     = $args[0];
    9631012      $user_login  = $args[1];
     
    10421091    function mt_publishPost($args) {
    10431092
     1093        $this->escape($args);
     1094
    10441095      $post_ID     = $args[0];
    10451096      $user_login  = $args[1];
     
    10621113      $cats = wp_get_post_cats('',$post_ID);
    10631114      $postdata['post_category'] = $cats;
     1115        $this->escape($postdata);
    10641116
    10651117      $result = wp_update_post($postdata);
     
    10761128    /* pingback.ping gets a pingback and registers it */
    10771129    function pingback_ping($args) {
    1078         // original code by Mort (http://mort.mine.nu:8080 -- site seems dead)
    1079         // refactored to return error codes and avoid deep ifififif headaches
    10801130        global $wpdb, $wp_version;
     1131
     1132        $this->escape($args);
    10811133
    10821134        $pagelinkedfrom = $args[0];
     
    10921144        // Check if the page linked to is in our site
    10931145        $pos1 = strpos($pagelinkedto, str_replace('http://', '', str_replace('www.', '', get_settings('home'))));
    1094         if(!$pos1) {
    1095             return new IXR_Error(0, '');
    1096         }
    1097 
     1146        if( !$pos1 )
     1147            return new IXR_Error(0, 'Is there no link to us?');
    10981148
    10991149        // let's find which post is linked to
     
    11251175            } elseif (is_string($urltest['fragment'])) {
    11261176                // ...or a string #title, a little more complicated
    1127                 $title = preg_replace('/[^a-zA-Z0-9]/', '.', $urltest['fragment']);
     1177                $title = preg_replace('/[^a-z0-9]/i', '.', $urltest['fragment']);
    11281178                $sql = "SELECT ID FROM $wpdb->posts WHERE post_title RLIKE '$title'";
    11291179                if (! ($post_ID = $wpdb->get_var($sql)) ) {
     
    11371187            return new IXR_Error(33, 'The specified target URI cannot be used as a target. It either doesn\'t exist, or it is not a pingback-enabled resource.');
    11381188        }
     1189        $post_ID = (int) $post_ID;
    11391190
    11401191
    11411192        logIO("O","(PB) URI='$pagelinkedto' ID='$post_ID' Found='$way'");
    11421193
    1143         $sql = 'SELECT post_author FROM '.$wpdb->posts.' WHERE ID = '.$post_ID;
    1144         $result = $wpdb->get_results($sql);
    1145 
    1146         if (!$wpdb->num_rows) {
    1147             // Post_ID not found
     1194        $post = $wpdb->get_row("SELECT post_author FROM $wpdb->posts WHERE ID = '$post_ID'");
     1195
     1196        if ( !$post ) // Post_ID not found
    11481197            return new IXR_Error(33, 'The specified target URI cannot be used as a target. It either doesn\'t exist, or it is not a pingback-enabled resource.');
    1149         }
    1150 
     1198
     1199        // Check if pings are on
     1200        if ( 'closed' == $post->ping_status )
     1201            return new IXR_Error(33, 'The specified target URI cannot be used as a target. It either doesn\'t exist, or it is not a pingback-enabled resource.');
    11511202
    11521203        // Let's check that the remote site didn't already pingback this entry
    11531204        $result = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post_ID' AND comment_author_url = '$pagelinkedfrom'");
    11541205
    1155         if ($wpdb->num_rows) {
    1156             // We already have a Pingback from this URL
     1206        if ( $wpdb->num_rows ) // We already have a Pingback from this URL
    11571207            return new IXR_Error(48, 'The pingback has already been registered.');
    1158         }
    1159 
    11601208
    11611209        // very stupid, but gives time to the 'from' server to publish !
     
    11681216
    11691217        // Work around bug in strip_tags():
    1170         $linea = str_replace('<!DOCTYPE','<DOCTYPE',$linea);
    1171         $linea = strip_tags($linea, '<title><a>');
    1172         $linea = strip_all_but_one_link($linea, $pagelinkedto);
    1173         // I don't think we need this? -- emc3
    1174         //$linea = preg_replace('#&([^amp\;])#is', '&amp;$1', $linea);
    1175         if ( empty($matchtitle) ) {
    1176             preg_match('|<title>([^<]*?)</title>|is', $linea, $matchtitle);
     1218        $linea = str_replace('<!DOC', '<DOC', $linea);
     1219        $linea = preg_replace( '/[\s\r\n\t]+/', ' ', $linea ); // normalize spaces
     1220        $linea = preg_replace( "/ <(h1|h2|h3|h4|h5|h6|p|th|td|li|dt|dd|pre|caption|input|textarea|button|body)[^>]*>/", "\n\n", $linea );
     1221
     1222        preg_match('|<title>([^<]*?)</title>|is', $linea, $matchtitle);
     1223        $title = $matchtitle[1];
     1224        if ( empty( $title ) )
     1225            return new IXR_Error(32, 'We cannot find a title on that page.');
     1226
     1227        $linea = strip_tags( $linea, '<a>' ); // just keep the tag we need
     1228
     1229        $p = explode( "\n\n", $linea );
     1230       
     1231        $sem_regexp_pb = "/(\\/|\\\|\*|\?|\+|\.|\^|\\$|\(|\)|\[|\]|\||\{|\})/";
     1232        $sem_regexp_fix = "\\\\$1";
     1233        $link = preg_replace( $sem_regexp_pb, $sem_regexp_fix, $pagelinkedfrom );
     1234       
     1235        $finished = false;
     1236        foreach ( $p as $para ) {
     1237            if ( $finished )
     1238                continue;
     1239            if ( strstr( $para, $pagelinkedto ) ) {
     1240                $context = preg_replace( "/.*<a[^>]+".$link."[^>]*>([^>]+)<\/a>.*/", "$1", $para );
     1241                $excerpt = strip_tags( $para );
     1242                $excerpt = trim( $excerpt );
     1243                $use     = preg_quote( $context );
     1244                $excerpt = preg_replace("|.*?\s(.{0,100}$use.{0,100})\s|s", "$1", $excerpt);
     1245                $finished = true;
     1246            }
    11771247        }
    1178         $pos2 = strpos($linea, $pagelinkedto);
    1179         $pos3 = strpos($linea, str_replace('http://www.', 'http://', $pagelinkedto));
    1180         if (is_integer($pos2) || is_integer($pos3)) {
    1181             // The page really links to us :)
    1182             $pos4 = (is_integer($pos2)) ? $pos2 : $pos3;
    1183             $start = $pos4-100;
    1184             $context = substr($linea, $start, 250);
    1185             $context = str_replace("\n", ' ', $context);
    1186             $context = str_replace('&amp;', '&', $context);
    1187         }
    1188 
    1189         if (empty($context)) {
    1190             // URL pattern not found
    1191             return new IXR_Error(17, 'The source URI does not contain a link to the target URI, and so cannot be used as a source.');
    1192         }
    1193 
    1194 
    1195         // Check if pings are on
    1196         $pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts WHERE ID = $post_ID");
    1197         if ('closed' == $pingstatus) {
    1198             return new IXR_Error(33, 'The specified target URI cannot be used as a target. It either doesn\'t exist, or it is not a pingback-enabled resource.');
    1199         }
    1200 
    12011248
    12021249        $pagelinkedfrom = preg_replace('#&([^amp\;])#is', '&amp;$1', $pagelinkedfrom);
    1203         $title = (!strlen($matchtitle[1])) ? $pagelinkedfrom : $matchtitle[1];
    1204         $original_context = strip_tags($context);
    1205         $context = '[...] ';
    1206         $context .= wp_specialchars($original_context);
    1207         $context .= ' [...]';
     1250
     1251        $context = '[...] ' . wp_specialchars( $excerpt ) . ' [...]';
    12081252        $original_pagelinkedfrom = $pagelinkedfrom;
    1209         $pagelinkedfrom = addslashes($pagelinkedfrom);
     1253        $pagelinkedfrom = addslashes( $pagelinkedfrom );
    12101254        $original_title = $title;
    12111255
     
    12161260        $comment_type = 'pingback';
    12171261
    1218         $pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts WHERE ID = $post_ID");
    1219    
    1220         if ('open' != $pingstatus)
    1221             die('Sorry, pingbacks are closed for this item.');
    1222 
    12231262        $commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_url', 'comment_content', 'comment_type');
    12241263
     
    12361275
    12371276        global $wpdb;
     1277
     1278        $this->escape($args);
    12381279
    12391280        $url = $args;
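Review bot: In pingback_ping the rewritten excerpt loop (new lines 1235–1247) drops the old error-17 return for the case where no paragraph links back to the target, so when `$finished` stays false `$excerpt` is, unless it is set in the unseen lines above, undefined and the pingback is still registered with an empty `[...]  [...]` context; a guard after the loop, `if ( !$finished ) return new IXR_Error(17, 'The source URI does not contain a link to the target URI, and so cannot be used as a source.');`, restores the check. In mw_editPost (new lines 606–607) `extract($postdata)` runs before `$this->escape($postdata)`, so the extracted `$post_date`, `$post_date_gmt` and the other fields reach `compact()` and wp_update_post unescaped while the escaped array itself is never used — swapping the two lines fixes that. The hand-rolled `$sem_regexp_pb` / `$sem_regexp_fix` pair (new lines 1231–1233) duplicates `preg_quote($pagelinkedfrom, '/')`, which the same loop already uses for `$context` at new line 1243. pingback_ping and mw_editPost both open inside their hunks but their bodies continue past them.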