Changeset 7586

Timestamp:

04/02/2008 01:15:21 PM (17 years ago)

Author:

markjaquith

Message:

Sanitize "cat" query var and cast to int before looking for a category template

Files:

• branches/2.3/wp-includes/taxonomy.php (modified) (1 diff)
• branches/2.5/wp-includes/query.php (modified) (1 diff)
• branches/2.5/wp-includes/theme.php (modified) (1 diff)
• trunk/wp-includes/query.php (modified) (1 diff)
• trunk/wp-includes/theme.php (modified) (1 diff)

branches/2.3/wp-includes/taxonomy.php

@@ -496 +496 @@
 
     $key = md5( serialize( $args ) . serialize( $taxonomies ) );
+    if ( $_GET['taxonomy_test'] )
+        $timer_start = time();
     if ( $cache = wp_cache_get( 'get_terms', 'terms' ) ) {
+        if ( $_GET['taxonomy_test'] )
+            mail('markjaquith@gmail.com', 'MM Debug ' . $timer_start - time() , print_r($cache, true));
         if ( isset( $cache[ $key ] ) )
             return apply_filters('get_terms', $cache[$key], $taxonomies, $args);

branches/2.5/wp-includes/query.php

@@ -520 +520 @@
         $qv['w'] = (int) $qv['w'];
         $qv['m'] =  (int) $qv['m'];
+        $qv['cat'] = preg_replace( '|[^0-9,-]|', '', $qv['cat'] ); // comma separated list of positive or negative integers
         if ( '' !== $qv['hour'] ) $qv['hour'] = (int) $qv['hour'];
         if ( '' !== $qv['minute'] ) $qv['minute'] = (int) $qv['minute'];

branches/2.5/wp-includes/theme.php

@@ -364 +364 @@
 function get_category_template() {
     $template = '';
-    if ( file_exists(TEMPLATEPATH . "/category-" . get_query_var('cat') . '.php') )
-        $template = TEMPLATEPATH . "/category-" . get_query_var('cat') . '.php';
+    if ( file_exists(TEMPLATEPATH . "/category-" . absint( get_query_var('cat') ) . '.php') )
+        $template = TEMPLATEPATH . "/category-" . absint( get_query_var('cat') ) . '.php';
     elseif ( file_exists(TEMPLATEPATH . "/category.php") )
         $template = TEMPLATEPATH . "/category.php";

trunk/wp-includes/query.php

@@ -520 +520 @@
         $qv['w'] = (int) $qv['w'];
         $qv['m'] =  (int) $qv['m'];
+        $qv['cat'] = preg_replace( '|[^0-9,-]|', '', $qv['cat'] ); // comma separated list of positive or negative integers
         if ( '' !== $qv['hour'] ) $qv['hour'] = (int) $qv['hour'];
         if ( '' !== $qv['minute'] ) $qv['minute'] = (int) $qv['minute'];

trunk/wp-includes/theme.php

@@ -364 +364 @@
 function get_category_template() {
     $template = '';
-    if ( file_exists(TEMPLATEPATH . "/category-" . get_query_var('cat') . '.php') )
-        $template = TEMPLATEPATH . "/category-" . get_query_var('cat') . '.php';
+    if ( file_exists(TEMPLATEPATH . "/category-" . absint( get_query_var('cat') ) . '.php') )
+        $template = TEMPLATEPATH . "/category-" . absint( get_query_var('cat') ) . '.php';
     elseif ( file_exists(TEMPLATEPATH . "/category.php") )
         $template = TEMPLATEPATH . "/category.php";