
Changeset 44056


Timestamp:
12/13/2018 01:40:40 AM (5 years ago)
Author:
pento
Message:

Editor: Remove unwanted fields before saving posts.

The meta_input, file, and guid fields are not intended to be updated through user input.

Merges [44047] to the 4.7 branch.

Location:
branches/4.7
Files:
4 edited

  • branches/4.7

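--- a/branches/4.7/src/wp-admin/includes/ajax-actions.php
+++ b/branches/4.7/src/wp-admin/includes/ajax-actions.php
@@ -2031,5 +2031,9 @@
     }
 
-    $post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
+    $post_data = ! empty( $_REQUEST['post_data'] ) ? _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) ) : array();
+
+    if ( is_wp_error( $post_data ) ) {
+        wp_die( $post_data->get_error_message() );
+    }
 
     // If the context is custom header or background, make sure the uploaded file is an image.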
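Review bot: The new `$post_data =` ternary folds the `(array)` cast, `_wp_translate_postdata()` and `_wp_get_allowed_postdata()` into one line with nothing saying why the request data is being filtered, which a reader of this upload handler will not guess from the function names alone. A one-line comment above it, `// Translate the submitted post data and drop fields that must never come from the request (meta_input, file, guid).`, would document the intent at the point of use. The enclosing function starts and ends outside this hunk, so whether `$post_data` is used after the context check cannot be confirmed from here.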
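--- a/branches/4.7/src/wp-admin/includes/post.php
+++ b/branches/4.7/src/wp-admin/includes/post.php
@@ -177,4 +177,25 @@
 
 /**
+ * Returns only allowed post data fields
+ *
+ * @since 4.9.9
+ *
+ * @param array $post_data Array of post data. Defaults to the contents of $_POST.
+ * @return object|bool WP_Error on failure, true on success.
+ */
+function _wp_get_allowed_postdata( $post_data = null ) {
+    if ( empty( $post_data ) ) {
+        $post_data = $_POST;
+    }
+
+    // Pass through errors
+    if ( is_wp_error( $post_data ) ) {
+        return $post_data;
+    }
+
+    return array_diff_key( $post_data, array_flip( array( 'meta_input', 'file', 'guid' ) ) );
+}
+
+/**
  * Update an existing post with values provided in $_POST.
  *
@@ -244,4 +265,5 @@
     if ( is_wp_error($post_data) )
         wp_die( $post_data->get_error_message() );
+    $translated = _wp_get_allowed_postdata( $post_data );
 
     // Post Formats
@@ -323,5 +345,5 @@
 
         /** This filter is documented in wp-admin/includes/media.php */
-        $post_data = apply_filters( 'attachment_fields_to_save', $post_data, $attachment_data );
+        $translated = apply_filters( 'attachment_fields_to_save', $translated, $attachment_data );
     }
 
@@ -368,5 +390,5 @@
             }
 
-            $post_data['tax_input'][ $taxonomy ] = $clean_terms;
+            $translated['tax_input'][ $taxonomy ] = $clean_terms;
         }
     }
@@ -376,5 +398,5 @@
     update_post_meta( $post_ID, '_edit_last', get_current_user_id() );
 
-    $success = wp_update_post( $post_data );
+    $success = wp_update_post( $translated );
     // If the save failed, see if we can sanity check the main fields and try again
     if ( ! $success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) {
@@ -382,10 +404,10 @@
 
         foreach ( $fields as $field ) {
-            if ( isset( $post_data[ $field ] ) ) {
-                $post_data[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $post_data[ $field ] );
+            if ( isset( $translated[ $field ] ) ) {
+                $translated[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $translated[ $field ] );
             }
         }
 
-        wp_update_post( $post_data );
+        wp_update_post( $translated );
     }
 
@@ -547,7 +569,7 @@
         }
 
+        $post_data['post_ID']        = $post_ID;
         $post_data['post_type'] = $post->post_type;
         $post_data['post_mime_type'] = $post->post_mime_type;
-        $post_data['guid'] = $post->guid;
 
         foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) {
@@ -557,7 +579,4 @@
         }
 
-        $post_data['ID'] = $post_ID;
-        $post_data['post_ID'] = $post_ID;
-
         $post_data = _wp_translate_postdata( true, $post_data );
         if ( is_wp_error( $post_data ) ) {
@@ -565,4 +584,5 @@
             continue;
         }
+        $post_data = _wp_get_allowed_postdata( $post_data );
 
         $updated[] = wp_update_post( $post_data );
@@ -575,6 +595,6 @@
         }
 
-        if ( isset( $post_data['post_format'] ) )
-            set_post_format( $post_ID, $post_data['post_format'] );
+        if ( isset( $shared_post_data['post_format'] ) )
+            set_post_format( $post_ID, $shared_post_data['post_format'] );
     }
 
@@ -757,7 +777,8 @@
     if ( is_wp_error($translated) )
         return $translated;
+    $translated = _wp_get_allowed_postdata( $translated );
 
     // Create the post.
-    $post_ID = wp_insert_post( $_POST );
+    $post_ID = wp_insert_post( $translated );
     if ( is_wp_error( $post_ID ) )
         return $post_ID;
@@ -1665,4 +1686,5 @@
     if ( is_wp_error( $post_data ) )
         return $post_data;
+    $post_data = _wp_get_allowed_postdata( $post_data );
 
     $post_author = get_current_user_id();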
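Review bot: The `@return` tag on the new `_wp_get_allowed_postdata()` in the first hunk does not describe what the body returns: it returns the filtered array from `array_diff_key()`, or the `WP_Error` passed in, and never `true`. Replace it with `@return array|WP_Error The post data with the meta_input, file and guid keys removed, or the WP_Error that was passed in.`, and it would help to state in the description that these three keys are stripped because they must not be set from user input. The `empty( $post_data )` fallback also means an intentionally empty array is silently replaced by the raw `$_POST`; the callers shown in this changeset pass the output of `_wp_translate_postdata()`, but a comment such as `// An empty or missing array falls back to $_POST; callers must pass already-translated data.` would make that contract explicit. In the bulk-edit hunks the renaming to `$translated` and the switch to `$shared_post_data['post_format']` rely on variables whose definitions are outside the visible hunks, so whether every later use of `$post_data` in `edit_post()` was updated cannot be confirmed from here.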
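--- a/branches/4.7/src/wp-admin/post.php
+++ b/branches/4.7/src/wp-admin/post.php
@@ -190,5 +190,5 @@
     // Update the thumbnail filename
     $newmeta = wp_get_attachment_metadata( $post_id, true );
-    $newmeta['thumb'] = $_POST['thumb'];
+    $newmeta['thumb'] = wp_basename( $_POST['thumb'] );
 
     wp_update_attachment_metadata( $post_id, $newmeta );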
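Review bot: `$_POST['thumb']` is still read without an `isset()` guard on the changed line, so a request without that field raises an undefined-index notice and stores the basename of an empty value in the attachment metadata. Unless a check earlier in this branch (outside the hunk) guarantees the key is present, `$newmeta['thumb'] = isset( $_POST['thumb'] ) ? wp_basename( $_POST['thumb'] ) : '';` would keep the new basename restriction while handling the missing case; a short comment, `// Only a bare filename is accepted here; any directory component from the request is discarded.`, would document why `wp_basename()` is applied. The enclosing code starts and ends outside the hunk.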