

Changeset 44047


Timestamp:
12/13/2018 01:24:11 AM (9 months ago)
Author:
pento
Message:

Editor: Remove unwanted fields before saving posts.

The meta_input, file, and guid fields are not intended to be updated through user input.

Location:
branches/5.0/src/wp-admin
Files:
3 edited

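--- a/branches/5.0/src/wp-admin/includes/ajax-actions.php
+++ b/branches/5.0/src/wp-admin/includes/ajax-actions.php
@@ -2091,5 +2091,9 @@
     }
 
-    $post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
+    $post_data = ! empty( $_REQUEST['post_data'] ) ? _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) ) : array();
+
+    if ( is_wp_error( $post_data ) ) {
+        wp_die( $post_data->get_error_message() );
+    }
 
     // If the context is custom header or background, make sure the uploaded file is an image.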
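Review bot: The new line 2093 packs the `! empty()` test, the `(array)` cast, `_wp_translate_postdata()` and `_wp_get_allowed_postdata()` into a single ternary of roughly 150 characters, which makes the fall-back to `array()` easy to miss and the line awkward to diff the next time one of those calls changes. An `if` block with the same behaviour reads more clearly. Note also that the value is still taken from `$_REQUEST` rather than `$_POST`, which predates this commit, so the post data for this save can arrive on the query string as well as in the body; a short comment would make it clear whether that is intended. The enclosing function starts and ends outside this hunk.
```php
    $post_data = array();
    if ( ! empty( $_REQUEST['post_data'] ) ) {
        $post_data = _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) );
    }
    // … unchanged: is_wp_error() check and wp_die() …
```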
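--- a/branches/5.0/src/wp-admin/includes/post.php
+++ b/branches/5.0/src/wp-admin/includes/post.php
@@ -176,4 +176,25 @@
 
 /**
+ * Returns only allowed post data fields
+ *
+ * @since 4.9.9
+ *
+ * @param array $post_data Array of post data. Defaults to the contents of $_POST.
+ * @return object|bool WP_Error on failure, true on success.
+ */
+function _wp_get_allowed_postdata( $post_data = null ) {
+    if ( empty( $post_data ) ) {
+        $post_data = $_POST;
+    }
+
+    // Pass through errors
+    if ( is_wp_error( $post_data ) ) {
+        return $post_data;
+    }
+
+    return array_diff_key( $post_data, array_flip( array( 'meta_input', 'file', 'guid' ) ) );
+}
+
+/**
  * Update an existing post with values provided in $_POST.
  *
@@ -243,4 +264,5 @@
     if ( is_wp_error($post_data) )
         wp_die( $post_data->get_error_message() );
+    $translated = _wp_get_allowed_postdata( $post_data );
 
     // Post Formats
@@ -322,5 +344,5 @@
 
         /** This filter is documented in wp-admin/includes/media.php */
-        $post_data = apply_filters( 'attachment_fields_to_save', $post_data, $attachment_data );
+        $translated = apply_filters( 'attachment_fields_to_save', $translated, $attachment_data );
     }
 
@@ -367,5 +389,5 @@
             }
 
-            $post_data['tax_input'][ $taxonomy ] = $clean_terms;
+            $translated['tax_input'][ $taxonomy ] = $clean_terms;
         }
     }
@@ -375,5 +397,5 @@
     update_post_meta( $post_ID, '_edit_last', get_current_user_id() );
 
-    $success = wp_update_post( $post_data );
+    $success = wp_update_post( $translated );
     // If the save failed, see if we can sanity check the main fields and try again
     if ( ! $success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) {
@@ -381,10 +403,10 @@
 
         foreach ( $fields as $field ) {
-            if ( isset( $post_data[ $field ] ) ) {
-                $post_data[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $post_data[ $field ] );
+            if ( isset( $translated[ $field ] ) ) {
+                $translated[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $translated[ $field ] );
             }
         }
 
-        wp_update_post( $post_data );
+        wp_update_post( $translated );
     }
 
@@ -546,7 +568,7 @@
         }
 
+        $post_data['post_ID']        = $post_ID;
         $post_data['post_type'] = $post->post_type;
         $post_data['post_mime_type'] = $post->post_mime_type;
-        $post_data['guid'] = $post->guid;
 
         foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) {
@@ -556,7 +578,4 @@
         }
 
-        $post_data['ID'] = $post_ID;
-        $post_data['post_ID'] = $post_ID;
-
         $post_data = _wp_translate_postdata( true, $post_data );
         if ( is_wp_error( $post_data ) ) {
@@ -564,7 +583,8 @@
             continue;
         }
-
-        if ( isset( $post_data['post_format'] ) ) {
-            set_post_format( $post_ID, $post_data['post_format'] );
+        $post_data = _wp_get_allowed_postdata( $post_data );
+
+        if ( isset( $shared_post_data['post_format'] ) ) {
+            set_post_format( $post_ID, $shared_post_data['post_format'] );
             unset( $post_data['tax_input']['post_format'] );
         }
@@ -758,7 +778,8 @@
     if ( is_wp_error($translated) )
         return $translated;
+    $translated = _wp_get_allowed_postdata( $translated );
 
     // Create the post.
-    $post_ID = wp_insert_post( $_POST );
+    $post_ID = wp_insert_post( $translated );
     if ( is_wp_error( $post_ID ) )
         return $post_ID;
@@ -1686,4 +1707,5 @@
     if ( is_wp_error( $post_data ) )
         return $post_data;
+    $post_data = _wp_get_allowed_postdata( $post_data );
 
     $post_author = get_current_user_id();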
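Review bot: The `@return` tag on the new `_wp_get_allowed_postdata()` docblock (line 183) says `object|bool WP_Error on failure, true on success`, but the function never returns a boolean: it returns the `array_diff_key()` result or the `WP_Error` it was handed, so the tag should read ` * @return array|WP_Error Post data with the disallowed keys removed, or the WP_Error passed in.`. Separately, `empty( $post_data )` on line 186 replaces an explicit empty array with the whole `$_POST` instead of filtering the array as given; the substituted data still goes through `array_diff_key()`, so the three keys are stripped either way, but `null === $post_data` would match the documented default more precisely and avoid surprising callers such as the ajax-actions.php hunk, which feeds it the output of `_wp_translate_postdata()`. A one-line comment above the `array_diff_key()` call stating why `meta_input`, `file` and `guid` are removed (they are set by core rather than taken from request input, per the commit message) would help keep the list current as fields are added.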
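--- a/branches/5.0/src/wp-admin/post.php
+++ b/branches/5.0/src/wp-admin/post.php
@@ -190,5 +190,5 @@
     // Update the thumbnail filename
     $newmeta = wp_get_attachment_metadata( $post_id, true );
-    $newmeta['thumb'] = $_POST['thumb'];
+    $newmeta['thumb'] = wp_basename( $_POST['thumb'] );
 
     wp_update_attachment_metadata( $post_id, $newmeta );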
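Review bot: `$_POST['thumb']` on line 192 is still read without an `isset()` check, so a request that omits the field raises an undefined-index notice and `wp_basename()` receives `null`; the commit narrows the value to a basename but leaves that guard missing. Wrapping the assignment, `if ( isset( $_POST['thumb'] ) ) { $newmeta['thumb'] = wp_basename( $_POST['thumb'] ); }`, avoids overwriting the stored thumbnail name with an empty value when nothing was posted. `wp_basename()` strips directory components but does not confirm the name is one of the attachment's generated sizes; if that list is available in this function, comparing the basename against it would be a tighter check than basename alone. The enclosing function starts and ends outside this hunk.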