
Changeset 5926


Timestamp:
08/23/2007 04:10:43 PM (17 years ago)
Author:
ryan
Message:

Don't allow private query vars in url_to_postid

Location:
branches/2.2/wp-includes
Files:
2 edited

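--- a/branches/2.2/wp-includes/query.php
+++ b/branches/2.2/wp-includes/query.php
@@ -607,4 +607,10 @@
         }
 
+        if ( !empty($qv['post_type']) )
+            $qv['post_type'] = sanitize_user($qv['post_type'], true);
+
+        if ( !empty($qv['post_status']) )
+            $qv['post_status'] = sanitize_user($qv['post_status'], true);
+
         if ( $this->is_posts_page && !$qv['withcomments'] )
             $this->is_comment_feed = false;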
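Review bot: The new sanitize_user() calls on post_type and post_status only strip characters; they do not validate the value against the statuses and types the query actually understands, so an unknown value still flows on unchanged in shape. Since these query vars presumably end up in the SQL this class builds further down, the reason a username sanitizer is being reused here deserves a comment, e.g. `// Strict sanitize_user() confines post_type/post_status to a safe character set before they reach the query SQL; it is a character filter, not a whitelist of known values.` Note also that `!empty()` leaves a literal '0' untouched, which is harmless here but worth knowing. The enclosing method begins and ends outside this hunk.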
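--- a/branches/2.2/wp-includes/rewrite.php
+++ b/branches/2.2/wp-includes/rewrite.php
@@ -136,4 +136,13 @@
             // Substitute the substring matches into the query.
             eval("\$query = \"$query\";");
+            // Filter out non-public query vars
+            global $wp;
+            parse_str($query, $query_vars);
+            $query = array();
+            foreach ( $query_vars as $key => $value ) {
+                if ( in_array($key, $wp->public_query_vars) )
+                    $query[$key] = $value;
+            }
+            // Do the query
             $query = new WP_Query($query);
             if ( $query->is_single || $query->is_page )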
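Review bot: The `in_array($key, $wp->public_query_vars)` check in the new loop uses loose comparison, and parse_str() turns a purely numeric key such as `0` into an integer, which under pre-PHP 8 comparison rules equals any non-numeric string in the list; such a key would therefore pass the public-var filter even though it names nothing in public_query_vars. Passing the strict flag, `if ( in_array($key, $wp->public_query_vars, true) )`, makes the whitelist compare names as names. If `$wp` can be unset when this runs (the page does not show where url_to_postid is called from), the filter drops every var rather than letting private ones through, which fails closed but silently; a short comment stating that dependency on the global would help. The enclosing function starts and ends outside this hunk.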