diff --git a/wp-admin/includes/ajax-actions.php b/wp-admin/includes/ajax-actions.php index 0f5583682b..954ffb4f16 100644 --- a/wp-admin/includes/ajax-actions.php +++ b/wp-admin/includes/ajax-actions.php @@ -2026,7 +2026,11 @@ function wp_ajax_upload_attachment() { $post_id = null; } - $post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array(); + $post_data = ! empty( $_REQUEST['post_data'] ) ? _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) ) : array(); + + if ( is_wp_error( $post_data ) ) { + wp_die( $post_data->get_error_message() ); + } // If the context is custom header or background, make sure the uploaded file is an image. if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) { diff --git a/wp-admin/includes/post.php b/wp-admin/includes/post.php index 4eb762def6..9d68fafc16 100644 --- a/wp-admin/includes/post.php +++ b/wp-admin/includes/post.php @@ -175,6 +175,27 @@ function _wp_translate_postdata( $update = false, $post_data = null ) { return $post_data; } +/** + * Returns only allowed post data fields + * + * @since 4.9.9 + * + * @param array $post_data Array of post data. Defaults to the contents of $_POST. + * @return object|bool WP_Error on failure, true on success. + */ +function _wp_get_allowed_postdata( $post_data = null ) { + if ( empty( $post_data ) ) { + $post_data = $_POST; + } + + // Pass through errors + if ( is_wp_error( $post_data ) ) { + return $post_data; + } + + return array_diff_key( $post_data, array_flip( array( 'meta_input', 'file', 'guid' ) ) ); +} + /** * Update an existing post with values provided in $_POST. * @@ -243,6 +264,7 @@ function edit_post( $post_data = null ) { $post_data = _wp_translate_postdata( true, $post_data ); if ( is_wp_error($post_data) ) wp_die( $post_data->get_error_message() ); + $translated = _wp_get_allowed_postdata( $post_data ); // Post Formats if ( isset( $post_data['post_format'] ) ) @@ -320,7 +342,7 @@ function edit_post( $post_data = null ) { $attachment_data = isset( $post_data['attachments'][ $post_ID ] ) ? $post_data['attachments'][ $post_ID ] : array(); /** This filter is documented in wp-admin/includes/media.php */ - $post_data = apply_filters( 'attachment_fields_to_save', $post_data, $attachment_data ); + $translated = apply_filters( 'attachment_fields_to_save', $translated, $attachment_data ); } // Convert taxonomy input to term IDs, to avoid ambiguity. @@ -365,7 +387,7 @@ function edit_post( $post_data = null ) { } } - $post_data['tax_input'][ $taxonomy ] = $clean_terms; + $translated['tax_input'][ $taxonomy ] = $clean_terms; } } @@ -373,18 +395,18 @@ function edit_post( $post_data = null ) { update_post_meta( $post_ID, '_edit_last', get_current_user_id() ); - $success = wp_update_post( $post_data ); + $success = wp_update_post( $translated ); // If the save failed, see if we can sanity check the main fields and try again if ( ! $success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) { $fields = array( 'post_title', 'post_content', 'post_excerpt' ); foreach ( $fields as $field ) { - if ( isset( $post_data[ $field ] ) ) { - $post_data[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $post_data[ $field ] ); + if ( isset( $translated[ $field ] ) ) { + $translated[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $translated[ $field ] ); } } - wp_update_post( $post_data ); + wp_update_post( $translated ); } // Now that we have an ID we can fix any attachment anchor hrefs @@ -544,9 +566,9 @@ function bulk_edit_posts( $post_data = null ) { unset( $post_data['tax_input']['category'] ); } + $post_data['post_ID'] = $post_ID; $post_data['post_type'] = $post->post_type; $post_data['post_mime_type'] = $post->post_mime_type; - $post_data['guid'] = $post->guid; foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) { if ( ! isset( $post_data[ $field ] ) ) { @@ -554,14 +576,12 @@ function bulk_edit_posts( $post_data = null ) { } } - $post_data['ID'] = $post_ID; - $post_data['post_ID'] = $post_ID; - $post_data = _wp_translate_postdata( true, $post_data ); if ( is_wp_error( $post_data ) ) { $skipped[] = $post_ID; continue; } + $post_data = _wp_get_allowed_postdata( $post_data ); $updated[] = wp_update_post( $post_data ); @@ -572,8 +592,8 @@ function bulk_edit_posts( $post_data = null ) { unstick_post( $post_ID ); } - if ( isset( $post_data['post_format'] ) ) - set_post_format( $post_ID, $post_data['post_format'] ); + if ( isset( $shared_post_data['post_format'] ) ) + set_post_format( $post_ID, $shared_post_data['post_format'] ); } return array( 'updated' => $updated, 'skipped' => $skipped, 'locked' => $locked ); @@ -754,9 +774,10 @@ function wp_write_post() { $translated = _wp_translate_postdata( false ); if ( is_wp_error($translated) ) return $translated; + $translated = _wp_get_allowed_postdata( $translated ); // Create the post. - $post_ID = wp_insert_post( $_POST ); + $post_ID = wp_insert_post( $translated ); if ( is_wp_error( $post_ID ) ) return $post_ID; @@ -1664,6 +1685,7 @@ function wp_create_post_autosave( $post_data ) { $post_data = _wp_translate_postdata( true, $post_data ); if ( is_wp_error( $post_data ) ) return $post_data; + $post_data = _wp_get_allowed_postdata( $post_data ); $post_author = get_current_user_id(); diff --git a/wp-admin/post.php b/wp-admin/post.php index 4da1263b5a..027d5a091e 100644 --- a/wp-admin/post.php +++ b/wp-admin/post.php @@ -189,7 +189,7 @@ case 'editattachment': // Update the thumbnail filename $newmeta = wp_get_attachment_metadata( $post_id, true ); - $newmeta['thumb'] = $_POST['thumb']; + $newmeta['thumb'] = wp_basename( $_POST['thumb'] ); wp_update_attachment_metadata( $post_id, $newmeta );