* @since 2.0.5
*
* @param mixed $data Value to check to see if was serialized.
+ * @param bool $strict Optional. Whether to be strict about the end of the string. Defaults true.
* @return bool False if not serialized and true if it was.
*/
-function is_serialized( $data ) {
+function is_serialized( $data, $strict = true ) {
// if it isn't a string, it isn't serialized
if ( ! is_string( $data ) )
return false;
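Review bot: The new `$strict` docblock line says only that it relaxes the end-of-string check; it should also state what a non-strict result means, because the non-strict branch (in the next hunk) accepts any string whose first token looks serialized and that merely contains a `;` or `}` somewhere past the first few bytes. Suggested wording: `@param bool $strict Optional. Whether to be strict about the end of the string. When false, data that starts like a serialized value but carries trailing bytes is also reported as serialized, so a non-strict result must not be used to decide whether to unserialize(). Defaults true.` The function body continues past this hunk.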
return false;
if ( ':' !== $data[1] )
return false;
- $lastc = $data[$length-1];
- if ( ';' !== $lastc && '}' !== $lastc )
- return false;
+ if ( $strict ) {
+ $lastc = $data[ $length - 1 ];
+ if ( ';' !== $lastc && '}' !== $lastc )
+ return false;
+ } else {
+ $semicolon = strpos( $data, ';' );
+ $brace = strpos( $data, '}' );
+ // Either ; or } must exist.
+ if ( false === $semicolon && false === $brace )
+ return false;
+ // But neither must be in the first X characters.
+ if ( false !== $semicolon && $semicolon < 3 )
+ return false;
+ if ( false !== $brace && $brace < 4 )
+ return false;
+ }
$token = $data[0];
switch ( $token ) {
case 's' :
- if ( '"' !== $data[$length-2] )
+ if ( $strict ) {
+ if ( '"' !== $data[ $length - 2 ] )
+ return false;
+ } elseif ( false === strpos( $data, '"' ) ) {
return false;
+ }
case 'a' :
case 'O' :
return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );
case 'b' :
case 'i' :
case 'd' :
- return (bool) preg_match( "/^{$token}:[0-9.E-]+;\$/", $data );
+ $end = $strict ? '$' : '';
+ return (bool) preg_match( "/^{$token}:[0-9.E-]+;$end/", $data );
}
return false;
}
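Review bot: The non-strict branch is a heuristic with no comment saying so, and its two thresholds (`$semicolon < 3`, `$brace < 4`) read as magic numbers; a short comment such as `// Non-strict: only require a plausible serialized prefix; a ';' can first appear at offset 3 (e.g. b:1;) and a '}' at offset 4 (e.g. a:0:{}).` would make the intent reviewable. In the strict `b`/`i`/`d` case the pattern ends in `;$` without the `D` modifier, so `$` also matches before a final newline — presumably harmless because `$data` is trimmed earlier in the function (outside this hunk), but worth confirming. `$length` is read here but assigned outside the hunk.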
// Double serialization is required for backward compatibility.
// See http://core.trac.wordpress.org/ticket/12930
- if ( is_serialized( $data ) )
+ if ( is_serialized( $data, false ) )
return serialize( $data );
return $data;
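Review bot: The `false` passed to `is_serialized()` is unexplained; the comment above only justifies double serialization, not why detection was loosened, and a reader of the call site cannot tell that the second argument selects the non-strict heuristic. Suggest extending the comment: `// Non-strict check: a string that merely begins like serialized data (even with trailing bytes) is serialized again rather than stored raw.` The enclosing function starts outside the hunk.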
$ref = wp_unslash( $_SERVER['HTTP_REFERER'] );
if ( $ref && $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) )
- return wp_unslash( $ref );
+ return wp_validate_redirect( $ref, false );
return false;
}
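Review bot: With `wp_validate_redirect( $ref, false )` the function now returns `false` for any referer that does not pass the redirect-host validation, a behaviour change callers will observe but which the function's docblock (outside this hunk) does not mention. Suggest updating its return documentation to: `@return string|false Referer URL as accepted by wp_validate_redirect(), or false when it is missing, equals the request URI, or is not an allowed redirect target.` The same applies to `wp_get_original_referer()` in the next hunk, whose docblock is likewise outside the hunk. The function's opening lines are outside this hunk.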
*/
function wp_get_original_referer() {
if ( !empty( $_REQUEST['_wp_original_http_referer'] ) )
- return wp_unslash( $_REQUEST['_wp_original_http_referer'] );
+ return wp_validate_redirect( wp_unslash( $_REQUEST['_wp_original_http_referer'] ), false );
return false;
}
* @uses apply_filters() Calls 'upload_mimes' on returned array
* @uses wp_get_upload_mime_types() to fetch the list of mime types
*
+ * @param int|WP_User $user Optional. User to check. Defaults to current user.
* @return array Array of mime types keyed by the file extension regex corresponding to those types.
*/
-function get_allowed_mime_types() {
- return apply_filters( 'upload_mimes', wp_get_mime_types() );
+function get_allowed_mime_types( $user = null ) {
+ $t = wp_get_mime_types();
+
+ unset( $t['swf'], $t['exe'] );
+ if ( function_exists( 'current_user_can' ) )
+ $unfiltered = $user ? user_can( $user, 'unfiltered_html' ) : current_user_can( 'unfiltered_html' );
+
+ if ( empty( $unfiltered ) )
+ unset( $t['htm|html'] );
+
+ return apply_filters( 'upload_mimes', $t, $user );
}
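Review bot: `$unfiltered` is assigned only inside the `function_exists( 'current_user_can' )` branch, so the later `empty( $unfiltered )` test relies on `empty()` tolerating an undefined variable; initialise it explicitly with `$unfiltered = false;` before that `if` so the fail-closed default (strip `htm|html`) is visible rather than implicit. The docblock should also state that `swf` and `exe` are removed unconditionally, that `htm|html` is removed unless the user has `unfiltered_html`, and that the `upload_mimes` filter now receives `$user` as a second argument and runs after these removals, so a filter callback can re-add them. Note that `$user ? user_can( ... ) : current_user_can( ... )` treats a user id of `0` as "no user" and falls back to the current user, which is probably intended but deserves a one-line comment.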
/**