Make WordPress Core

Changeset 44295 for trunk


Ignore:
Timestamp:
12/18/2018 09:31:14 PM (6 years ago)
Author:
desrosj
Message:

Editor: Remove unwanted fields before saving posts.

The meta_input, file, and guid fields are not intended to be updated through user input.

Merges [44047] to trunk.

Location:
trunk
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • trunk

  • trunk/src/wp-admin/includes/ajax-actions.php

    r44153 r44295  
    22632263    }
    22642264
    2265     $post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
     2265    $post_data = ! empty( $_REQUEST['post_data'] ) ? _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) ) : array();
     2266
     2267    if ( is_wp_error( $post_data ) ) {
     2268        wp_die( $post_data->get_error_message() );
     2269    }
    22662270
    22672271    // If the context is custom header or background, make sure the uploaded file is an image.
  • trunk/src/wp-admin/includes/post.php

    r44280 r44295  
    197197
    198198/**
     199 * Returns only allowed post data fields
     200 *
     201 * @since 4.9.9
     202 *
     203 * @param array $post_data Array of post data. Defaults to the contents of $_POST.
     204 * @return object|bool WP_Error on failure, true on success.
     205 */
     206function _wp_get_allowed_postdata( $post_data = null ) {
     207    if ( empty( $post_data ) ) {
     208        $post_data = $_POST;
     209    }
     210
     211    // Pass through errors
     212    if ( is_wp_error( $post_data ) ) {
     213        return $post_data;
     214    }
     215
     216    return array_diff_key( $post_data, array_flip( array( 'meta_input', 'file', 'guid' ) ) );
     217}
     218
     219/**
    199220 * Update an existing post with values provided in $_POST.
    200221 *
     
    274295        wp_die( $post_data->get_error_message() );
    275296    }
     297    $translated = _wp_get_allowed_postdata( $post_data );
    276298
    277299    // Post Formats
     
    363385
    364386        /** This filter is documented in wp-admin/includes/media.php */
    365         $post_data = apply_filters( 'attachment_fields_to_save', $post_data, $attachment_data );
     387        $translated = apply_filters( 'attachment_fields_to_save', $translated, $attachment_data );
    366388    }
    367389
     
    372394
    373395            if ( $tax_object && isset( $tax_object->meta_box_sanitize_cb ) ) {
    374                 $post_data['tax_input'][ $taxonomy ] = call_user_func_array( $tax_object->meta_box_sanitize_cb, array( $taxonomy, $terms ) );
     396                $translated['tax_input'][ $taxonomy ] = call_user_func_array( $tax_object->meta_box_sanitize_cb, array( $taxonomy, $terms ) );
    375397            }
    376398        }
     
    381403    update_post_meta( $post_ID, '_edit_last', get_current_user_id() );
    382404
    383     $success = wp_update_post( $post_data );
     405    $success = wp_update_post( $translated );
    384406    // If the save failed, see if we can sanity check the main fields and try again
    385407    if ( ! $success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) {
     
    387409
    388410        foreach ( $fields as $field ) {
    389             if ( isset( $post_data[ $field ] ) ) {
    390                 $post_data[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $post_data[ $field ] );
    391             }
    392         }
    393 
    394         wp_update_post( $post_data );
     411            if ( isset( $translated[ $field ] ) ) {
     412                $translated[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $translated[ $field ] );
     413            }
     414        }
     415
     416        wp_update_post( $translated );
    395417    }
    396418
     
    570592        }
    571593
     594        $post_data['post_ID']        = $post_ID;
    572595        $post_data['post_type']      = $post->post_type;
    573596        $post_data['post_mime_type'] = $post->post_mime_type;
    574         $post_data['guid']           = $post->guid;
    575597
    576598        foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) {
     
    579601            }
    580602        }
    581 
    582         $post_data['ID']      = $post_ID;
    583         $post_data['post_ID'] = $post_ID;
    584603
    585604        $post_data = _wp_translate_postdata( true, $post_data );
     
    588607            continue;
    589608        }
    590 
    591         if ( isset( $post_data['post_format'] ) ) {
    592             set_post_format( $post_ID, $post_data['post_format'] );
     609        $post_data = _wp_get_allowed_postdata( $post_data );
     610
     611        if ( isset( $shared_post_data['post_format'] ) ) {
     612            set_post_format( $post_ID, $shared_post_data['post_format'] );
    593613            unset( $post_data['tax_input']['post_format'] );
    594614        }
     
    807827        return $translated;
    808828    }
     829    $translated = _wp_get_allowed_postdata( $translated );
    809830
    810831    // Create the post.
    811     $post_ID = wp_insert_post( $_POST );
     832    $post_ID = wp_insert_post( $translated );
    812833    if ( is_wp_error( $post_ID ) ) {
    813834        return $post_ID;
     
    17691790        return $post_data;
    17701791    }
     1792    $post_data = _wp_get_allowed_postdata( $post_data );
    17711793
    17721794    $post_author = get_current_user_id();
  • trunk/src/wp-admin/post.php

    r44260 r44295  
    201201        // Update the thumbnail filename
    202202        $newmeta          = wp_get_attachment_metadata( $post_id, true );
    203         $newmeta['thumb'] = $_POST['thumb'];
     203        $newmeta['thumb'] = wp_basename( $_POST['thumb'] );
    204204
    205205        wp_update_attachment_metadata( $post_id, $newmeta );
Note: See TracChangeset for help on using the changeset viewer.