
Changeset 5925


Timestamp:
08/23/2007 04:09:37 PM (17 years ago)
Author:
ryan
Message:

Don't allow private query vars in url_to_postid

Location:
trunk/wp-includes
Files:
2 edited

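--- a/trunk/wp-includes/query.php
+++ b/trunk/wp-includes/query.php
@@ -658,4 +658,10 @@
         }
 
+        if ( !empty($qv['post_type']) )
+            $qv['post_type'] = sanitize_user($qv['post_type'], true);
+
+        if ( !empty($qv['post_status']) )
+            $qv['post_status'] = sanitize_user($qv['post_status'], true);
+
         if ( $this->is_posts_page && !$qv['withcomments'] )
             $this->is_comment_feed = false;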
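Review bot: The two added `sanitize_user(..., true)` calls reuse a username sanitizer to constrain `post_type` and `post_status`, and nothing in the hunk says why, so a later reader cannot tell that this is a deliberate restriction on request-supplied query vars. I would add a comment above the first `if`, e.g. `// post_type and post_status can come from the request; restrict them to the strict sanitize_user() character set before they are used in the query.` Because `sanitize_user()` is written for usernames, its permitted characters and any filter hooked to it can change for reasons unrelated to queries. Comparing against the known type and status values would be a tighter check, provided the code that consumes these vars (outside this hunk) allows it. The enclosing method starts and ends outside the hunk.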
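--- a/trunk/wp-includes/rewrite.php
+++ b/trunk/wp-includes/rewrite.php
@@ -137,4 +137,13 @@
             // Substitute the substring matches into the query.
             eval("\$query = \"$query\";");
+            // Filter out non-public query vars
+            global $wp;
+            parse_str($query, $query_vars);
+            $query = array();
+            foreach ( $query_vars as $key => $value ) {
+                if ( in_array($key, $wp->public_query_vars) )
+                    $query[$key] = $value;
+            }
+            // Do the query
             $query = new WP_Query($query);
             if ( $query->is_single || $query->is_page )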
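Review bot: The allowlist test `in_array($key, $wp->public_query_vars)` uses loose comparison, while `parse_str()` yields integer keys for numeric parameter names; on PHP versions before 8 an integer `0` compares equal to any non-numeric string, so such a key passes the filter. Passing the strict flag closes that gap: `if ( in_array($key, $wp->public_query_vars, true) )`. The filter also runs after the `eval()` on the context line above, so it limits which vars reach `WP_Query` but does not constrain what is substituted into the evaluated string; the comment could say so, e.g. `// Filter out non-public query vars (applies to the parsed result only, not to the eval above)`. The enclosing function starts and ends outside the hunk.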