
Changeset 44076


Timestamp:
12/13/2018 02:04:05 AM (6 years ago)
Author:
pento
Message:

Editor: Remove unwanted fields before saving posts.

The meta_input, file, and guid fields are not intended to be updated through user input.

Merges [44047] to the 3.7 branch.

Location:
branches/3.7
Files:
5 edited

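--- a/branches/3.7/src/wp-admin/includes/ajax-actions.php
+++ b/branches/3.7/src/wp-admin/includes/ajax-actions.php
@@ -1660,5 +1660,9 @@
     }
 
-    $post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
+    $post_data = ! empty( $_REQUEST['post_data'] ) ? _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) ) : array();
+
+    if ( is_wp_error( $post_data ) ) {
+        wp_die( $post_data->get_error_message() );
+    }
 
     // If the context is custom header or background, make sure the uploaded file is an image.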
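Review bot: The new assignment packs a ternary, an array cast and two nested helper calls into a single line, which hides that a WP_Error returned by `_wp_translate_postdata()` is being handed through `_wp_get_allowed_postdata()` to the `is_wp_error()` check that follows. Splitting the translation and the allow-list filtering into separate statements preserves the behavior and makes that error path visible to the next reader. The enclosing function starts and ends outside the hunk.
```php
    $post_data = array();
    if ( ! empty( $_REQUEST['post_data'] ) ) {
        $post_data = _wp_translate_postdata( false, (array) $_REQUEST['post_data'] );
        $post_data = _wp_get_allowed_postdata( $post_data );
    }
    // … unchanged: is_wp_error() check and wp_die() …
```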
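--- a/branches/3.7/src/wp-admin/includes/post.php
+++ b/branches/3.7/src/wp-admin/includes/post.php
@@ -166,4 +166,25 @@
 
 /**
+ * Returns only allowed post data fields
+ *
+ * @since 4.9.9
+ *
+ * @param array $post_data Array of post data. Defaults to the contents of $_POST.
+ * @return object|bool WP_Error on failure, true on success.
+ */
+function _wp_get_allowed_postdata( $post_data = null ) {
+    if ( empty( $post_data ) ) {
+        $post_data = $_POST;
+    }
+
+    // Pass through errors
+    if ( is_wp_error( $post_data ) ) {
+        return $post_data;
+    }
+
+    return array_diff_key( $post_data, array_flip( array( 'meta_input', 'file', 'guid' ) ) );
+}
+
+/**
  * Update an existing post with values provided in $_POST.
  *
@@ -231,4 +252,5 @@
     if ( is_wp_error($post_data) )
         wp_die( $post_data->get_error_message() );
+    $translated = _wp_get_allowed_postdata( $post_data );
 
     if ( ( empty( $post_data['action'] ) || 'autosave' != $post_data['action'] ) && 'auto-draft' == $post_data['post_status'] ) {
@@ -297,5 +319,5 @@
         $attachment_data = isset( $post_data['attachments'][ $post_ID ] ) ? $post_data['attachments'][ $post_ID ] : array();
         /** This filter is documented in wp-admin/includes/media.php */
-        $post_data = apply_filters( 'attachment_fields_to_save', $post_data, $attachment_data );
+        $translated = apply_filters( 'attachment_fields_to_save', $translated, $attachment_data );
     }
 
@@ -304,5 +326,5 @@
     update_post_meta( $post_ID, '_edit_last', get_current_user_id() );
 
-    $success = wp_update_post( $post_data );
+    $success = wp_update_post( $translated );
     // If the save failed, see if we can sanity check the main fields and try again
     if ( ! $success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) {
@@ -310,10 +332,10 @@
 
         foreach( $fields as $field ) {
-            if ( isset( $post_data[ $field ] ) ) {
-                $post_data[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $post_data[ $field ] );
+            if ( isset( $translated[ $field ] ) ) {
+                $translated[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $translated[ $field ] );
             }
         }
 
-        wp_update_post( $post_data );
+        wp_update_post( $translated );
     }
 
@@ -473,7 +495,7 @@
         }
 
+        $post_data['post_ID']        = $post_ID;
         $post_data['post_type'] = $post->post_type;
         $post_data['post_mime_type'] = $post->post_mime_type;
-        $post_data['guid'] = $post->guid;
 
         foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) {
@@ -483,7 +505,4 @@
         }
 
-        $post_data['ID'] = $post_ID;
-        $post_data['post_ID'] = $post_ID;
-
         $post_data = _wp_translate_postdata( true, $post_data );
         if ( is_wp_error( $post_data ) ) {
@@ -491,4 +510,5 @@
             continue;
         }
+        $post_data = _wp_get_allowed_postdata( $post_data );
 
         $updated[] = wp_update_post( $post_data );
@@ -501,6 +521,6 @@
         }
 
-        if ( isset( $post_data['post_format'] ) )
-            set_post_format( $post_ID, $post_data['post_format'] );
+        if ( isset( $shared_post_data['post_format'] ) )
+            set_post_format( $post_ID, $shared_post_data['post_format'] );
     }
 
@@ -654,7 +674,8 @@
     if ( is_wp_error($translated) )
         return $translated;
+    $translated = _wp_get_allowed_postdata( $translated );
 
     // Create the post.
-    $post_ID = wp_insert_post( $_POST );
+    $post_ID = wp_insert_post( $translated );
     if ( is_wp_error( $post_ID ) )
         return $post_ID;
@@ -1407,4 +1428,5 @@
     if ( is_wp_error( $translated ) )
         return $translated;
+    $translated = _wp_get_allowed_postdata( $translated );
 
     $post_author = get_current_user_id();
@@ -1412,5 +1434,5 @@
     // Store one autosave per author. If there is already an autosave, overwrite it.
     if ( $old_autosave = wp_get_post_autosave( $post_id, $post_author ) ) {
-        $new_autosave = _wp_post_revision_fields( $_POST, true );
+        $new_autosave = _wp_post_revision_fields( $translated, true );
         $new_autosave['ID'] = $old_autosave->ID;
         $new_autosave['post_author'] = $post_author;
@@ -1435,5 +1457,5 @@
 
     // _wp_put_post_revision() expects unescaped.
-    $post_data = wp_unslash( $_POST );
+    $post_data = wp_unslash( $translated );
 
     // Otherwise create the new autosave as a special post revision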
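Review bot: The docblock added for `_wp_get_allowed_postdata()` in the first hunk says `@return object|bool WP_Error on failure, true on success.`, but the function returns the result of `array_diff_key()` or the WP_Error it was handed, never `true`; it should read `@return array|WP_Error Post data with the meta_input, file and guid keys removed, or the WP_Error passed in.` The `empty( $post_data )` guard also treats an explicitly passed empty array the same as no argument and substitutes the raw `$_POST`, so the later callers that pass an already-translated array (the hunks at old lines 491, 654 and 1407) would silently lose the translation if that array were ever empty; testing `null === $post_data` instead keeps the default while honoring an empty input. The functions those later hunks modify start and end outside the shown hunks.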
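--- a/branches/3.7/src/wp-admin/post.php
+++ b/branches/3.7/src/wp-admin/post.php
@@ -216,5 +216,5 @@
     // Update the thumbnail filename
     $newmeta = wp_get_attachment_metadata( $post_id, true );
-    $newmeta['thumb'] = $_POST['thumb'];
+    $newmeta['thumb'] = wp_basename( $_POST['thumb'] );
 
     wp_update_attachment_metadata( $post_id, $newmeta );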
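Review bot: `$_POST['thumb']` is still read without an `isset()` check on the changed line, so a request that omits the field raises a notice and overwrites the stored thumb with an empty string; keeping the existing value in that case, `if ( isset( $_POST['thumb'] ) ) { $newmeta['thumb'] = wp_basename( $_POST['thumb'] ); }`, avoids both. `wp_basename()` removes any directory component, which is the right fix for the path-traversal concern, but the resulting name is not checked against the attachment's own metadata; whether that matters depends on how `thumb` is consumed elsewhere, which is outside this hunk. The enclosing code block starts and ends outside the hunk.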