Ticket #2591: serialization.diff
| File serialization.diff, 6.4 kB (added by markjaquith, 2 years ago) |
|---|
-
wp-includes/functions.php
old new 261 261 return 0; 262 262 } 263 263 264 264 /* 265 265 function maybe_unserialize($original) { 266 266 if ( false !== $gm = @ unserialize($original) ) 267 267 return $gm; 268 268 else 269 269 return $original; 270 270 } 271 */ 271 272 273 function maybe_unserialize($original) { 274 if ( is_serialized($original) ) 275 if ( false !== $gm = @ unserialize($original) ) 276 return $gm; 277 return $original; 278 } 279 280 function is_serialized($data) { 281 if ( !is_string($data) ) { 282 // if it isn't a string, it isn't serialized 283 return false; 284 } 285 $data = trim($data); 286 if ( preg_match("/^(a|d|o|b|i|s):[0-9]+:(.*)[;}]/si",$data) ) 287 return true; 288 return false; 289 } 290 291 function throw_serialization_error($data) { 292 die(__('<strong>Error:</strong> serialized data was detected!')); 293 } 294 272 295 /* Options functions */ 273 296 274 297 function get_settings($setting) { … … 348 371 return apply_filters('all_options', $all_options); 349 372 } 350 373 351 function update_option($option_name, $newvalue ) {374 function update_option($option_name, $newvalue, $accept_serialized=false) { 352 375 global $wpdb; 353 376 354 377 if ( is_string($newvalue) ) … … 365 388 return true; 366 389 } 367 390 368 if ( is_array($newvalue) || is_object($newvalue) ) 369 $newvalue = serialize($newvalue); 391 $newvalue = prepare_data($newvalue, $accept_serialized); 370 392 371 393 wp_cache_set($option_name, $newvalue, 'options'); 372 394 … … 395 417 if ( false !== get_option($name) ) 396 418 return; 397 419 398 if ( is_array($value) || is_object($value) ) 399 $value = serialize($value); 420 $value = prepare_data($value); 400 421 401 422 wp_cache_set($name, $value, 'options'); 402 423 … … 418 439 return true; 419 440 } 420 441 442 function prepare_data($data, $accept_serialized=false) { 443 if ( is_string($data) ) 444 $data = trim($data); 445 elseif ( is_array($data) || is_object($data) ) 446 return serialize($data); 447 if ( !$accept_serialized && is_serialized($data) ) 448 throw_serialization_error($data); 449 return $data; 450 } 451 421 452 function add_post_meta($post_id, $key, $value, $unique = false) { 422 453 global $wpdb, $post_meta_cache; 423 454 … … 431 462 $original = $value; 432 463 if ( is_array($value) || is_object($value) ) 433 464 $value = $wpdb->escape(serialize($value)); 465 else 466 $value = prepare_data($value); 434 467 435 468 $wpdb->query("INSERT INTO $wpdb->postmeta (post_id,meta_key,meta_value) VALUES ('$post_id','$key','$value')"); 436 469 … … 510 543 $original_value = $value; 511 544 if ( is_array($value) || is_object($value) ) 512 545 $value = $wpdb->escape(serialize($value)); 546 else 547 $value = prepare_data($value); 513 548 514 549 $original_prev = $prev_value; 515 550 if ( is_array($prev_value) || is_object($prev_value) ) … … 2165 2200 return false; 2166 2201 $meta_key = preg_replace('|[^a-z0-9_]|i', '', $meta_key); 2167 2202 2168 if ( is_array($meta_value) || is_object($meta_value) ) 2169 $meta_value = serialize($meta_value); 2170 $meta_value = trim( $meta_value ); 2203 $meta_value = prepare_data($meta_value); 2171 2204 2172 2205 if (empty($meta_value)) { 2173 2206 delete_usermeta($user_id, $meta_key); … … 2197 2230 return false; 2198 2231 $meta_key = preg_replace('|[^a-z0-9_]|i', '', $meta_key); 2199 2232 2200 if ( is_array($meta_value) || is_object($meta_value) ) 2201 $meta_value = serialize($meta_value); 2202 $meta_value = trim( $meta_value ); 2233 $meta_value = prepare_data($meta_value); 2203 2234 2204 2235 if ( ! empty($meta_value) ) 2205 2236 $wpdb->query("DELETE FROM $wpdb->usermeta WHERE user_id = '$user_id' AND meta_key = '$meta_key' AND meta_value = '$meta_value'"); -
wp-admin/admin-functions.php
old new 226 226 // Meta Stuff 227 227 if ($_POST['meta']) { 228 228 foreach ($_POST['meta'] as $key => $value) 229 update_meta($key, $value['key'], $value['value']); 229 if ( '%SERIALIZED_DATA%' != $value ) 230 update_meta($key, $value['key'], $value['value']); 230 231 } 231 232 232 233 if ($_POST['deletemeta']) { … … 849 850 $style = ''; 850 851 if ('_' == $entry['meta_key'] { 0 }) 851 852 $style .= ' hidden'; 853 if ( is_serialized($entry['meta_value']) ) { 854 -- $count; 855 continue; 856 } 852 857 echo " 853 858 <tr class='$style'> 854 859 <td valign='top'><input name='meta[{$entry['meta_id']}][key]' tabindex='6' type='text' size='20' value='{$entry['meta_key']}' /></td> … … 920 925 921 926 $metakeyselect = $wpdb->escape(stripslashes(trim($_POST['metakeyselect']))); 922 927 $metakeyinput = $wpdb->escape(stripslashes(trim($_POST['metakeyinput']))); 923 $metavalue = $wpdb->escape(stripslashes(trim($_POST['metavalue']))); 928 $metavalue = prepare_data(stripslashes((trim($_POST['metavalue'])))); 929 if ( '%SERIALIZED_DATA%' == $metavalue ) 930 return; 931 $metavalue = $wpdb->escape($metavalue); 924 932 925 933 if ( ('0' === $metavalue || !empty ($metavalue)) && ((('#NONE#' != $metakeyselect) && !empty ($metakeyselect)) || !empty ($metakeyinput)) ) { 926 934 // We have a key/value pair. If both the select and the … … 948 956 949 957 function update_meta($mid, $mkey, $mvalue) { 950 958 global $wpdb; 951 959 if ( is_serialized(stripslashes($mvalue)) ) 960 return false; 952 961 return $wpdb->query("UPDATE $wpdb->postmeta SET meta_key = '$mkey', meta_value = '$mvalue' WHERE meta_id = '$mid'"); 953 962 } 954 963 -
wp-admin/options.php
old new 33 33 34 34 if (!$_POST['page_options']) { 35 35 foreach ($_POST as $key => $value) { 36 $options[] = $key; 36 if ( $value != '%SERIALIZED_DATA%') 37 $options[] = $key; 37 38 } 38 39 } else { 39 40 $options = explode(',', stripslashes($_POST['page_options'])); … … 95 96 $options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name"); 96 97 97 98 foreach ($options as $option) : 98 $value = wp_specialchars($option->option_value); 99 if ( is_serialized($option->option_value) ) { 100 $value = '%SERIALIZED_DATA%'; 101 $disabled = ' disabled="disabled"'; 102 } else { 103 $value = wp_specialchars($option->option_value); 104 $disabled = ''; 105 } 99 106 echo " 100 107 <tr> 101 108 <th scope='row'><label for='$option->option_name'>$option->option_name</label></th> 102 <td><input type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . $value . "' /></td>109 <td><input type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . $value . "'$disabled /></td> 103 110 <td>$option->option_description</td> 104 111 </tr>"; 105 112 endforeach;
