X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/61343b82c4f0da4c68e4c6373daafff4a81efdd1..a6f44f0edcda2471c5a33e4156c1c9488c7f3210:/wp-includes/functions.php?ds=sidebyside
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index f8b424a8..ea774868 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -242,9 +242,10 @@ function maybe_unserialize( $original ) {
 * @since 2.0.5
 *
 * @param mixed $data Value to check to see if was serialized.
+ * @param bool $strict Optional. Whether to be strict about the end of the string. Defaults true.
 * @return bool False if not serialized and true if it was.
 */
-function is_serialized( $data ) {
+function is_serialized( $data, $strict = true ) {
 // if it isn't a string, it isn't serialized
 if ( ! is_string( $data ) )
 return false;
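Review bot: The new `@param bool $strict` line only says that non-strict mode relaxes the end-of-string check; it should spell out what that means for callers, because this function's verdict presumably gates unserialize() (the hunk header places it right after maybe_unserialize()). I would extend it to `* @param bool $strict Optional. Whether to be strict about the end of the string. Defaults true. When false, data that merely starts like a serialized value (trailing content after the terminator is tolerated) also returns true; keep the default for anything that will be passed to unserialize().` If the project's docblock convention records parameter additions, the `@since 2.0.5` tag should also gain a line naming the version that introduced $strict. is_serialized()'s body continues past this hunk.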
@@ -256,21 +257,39 @@ function is_serialized( $data ) {
 return false;
 if ( ':' !== $data[1] )
 return false;
- $lastc = $data[$length-1];
- if ( ';' !== $lastc && '}' !== $lastc )
- return false;
+ if ( $strict ) {
+ $lastc = $data[ $length - 1 ];
+ if ( ';' !== $lastc && '}' !== $lastc )
+ return false;
+ } else {
+ $semicolon = strpos( $data, ';' );
+ $brace = strpos( $data, '}' );
+ // Either ; or } must exist.
+ if ( false === $semicolon && false === $brace )
+ return false;
+ // But neither must be in the first X characters.
+ if ( false !== $semicolon && $semicolon < 3 )
+ return false;
+ if ( false !== $brace && $brace < 4 )
+ return false;
+ }
 $token = $data[0];
 switch ( $token ) {
 case 's' :
- if ( '"' !== $data[$length-2] )
+ if ( $strict ) {
+ if ( '"' !== $data[ $length - 2 ] )
+ return false;
+ } elseif ( false === strpos( $data, '"' ) ) {
 return false;
+ }
 case 'a' :
 case 'O' :
 return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );
 case 'b' :
 case 'i' :
 case 'd' :
- return (bool) preg_match( "/^{$token}:[0-9.E-]+;\$/", $data );
+ $end = $strict ? '$' : '';
+ return (bool) preg_match( "/^{$token}:[0-9.E-]+;$end/", $data );
 }
 return false;
 }
@@ -317,7 +336,7 @@ function maybe_serialize( $data ) {
 // Double serialization is required for backward compatibility.
 // See http://core.trac.wordpress.org/ticket/12930
- if ( is_serialized( $data ) )
+ if ( is_serialized( $data, false ) )
 return serialize( $data );
 return $data;
@@ -1283,7 +1302,7 @@ function wp_get_referer() {
 $ref = wp_unslash( $_SERVER['HTTP_REFERER'] );
 if ( $ref && $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) )
- return wp_unslash( $ref );
+ return wp_validate_redirect( $ref, false );
 return false;
 }
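Review bot: The comment `// But neither must be in the first X characters.` leaves a placeholder exactly where the reader needs the reasoning behind the literal bounds 3 and 4; the shortest valid scalar, e.g. `i:1;`, has its `;` at index 3, so I would write `// The shortest serialized value (e.g. "i:1;") has its terminator at index 3, so an earlier ; or } cannot be valid.` The `case 's'` branch also still falls through into `case 'a'`/`case 'O'` on success, which was obvious in the old one-line `if` but is easy to miss after the new brace block; a `// Fall through to the a/O prefix check.` line after the closing `}` keeps that explicit. Note that, unlike the strict path, the non-strict path never looks at the end of the string at all (the b/i/d regex drops its `$` anchor and the a/O regex has none), so a true result in that mode means "starts like serialized data", not "is serialized data", and that is worth saying in a comment on the `else` branch.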
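Review bot: The switch to `is_serialized( $data, false )` changes which strings get double-serialized, but the comment above it only cites the trac ticket, so a reader cannot tell why the non-strict check is the right one here. Presumably the intent is to err on the side of wrapping anything that could ever be read back as serialized data, even with trailing content, rather than storing it raw; if so, I would add `// Non-strict on purpose: anything that even starts like serialized data is wrapped, so it is never mistaken for the real thing on the way out.` above the `if`. maybe_serialize()'s body starts outside this hunk.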
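Review bot: Returning `wp_validate_redirect( $ref, false )` changes wp_get_referer() from "the referer, unslashed" to "the referer only if it points at an allowed host, otherwise false", and the docblock above (outside this hunk) should say so, since callers that use the value for display or logging rather than for a redirect will now silently get false for off-site referers. I would add to the description: `The value is passed through wp_validate_redirect(), so a referer on a host that is not allowed for redirects yields false.` wp_validate_redirect() is defined elsewhere, not in this file section; if wp_get_referer() can run before that definition is loaded, the result is a fatal error rather than a safe false, which is worth confirming against the load order.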
@@ -1298,7 +1317,7 @@ function wp_get_referer() {
 */
 function wp_get_original_referer() {
 if ( !empty( $_REQUEST['_wp_original_http_referer'] ) )
- return wp_unslash( $_REQUEST['_wp_original_http_referer'] );
+ return wp_validate_redirect( wp_unslash( $_REQUEST['_wp_original_http_referer'] ), false );
 return false;
 }
@@ -2006,10 +2025,20 @@ function wp_get_mime_types() {
 * @uses apply_filters() Calls 'upload_mimes' on returned array
 * @uses wp_get_upload_mime_types() to fetch the list of mime types
 *
+ * @param int|WP_User $user Optional. User to check. Defaults to current user.
 * @return array Array of mime types keyed by the file extension regex corresponding to those types.
 */
-function get_allowed_mime_types() {
- return apply_filters( 'upload_mimes', wp_get_mime_types() );
+function get_allowed_mime_types( $user = null ) {
+ $t = wp_get_mime_types();
+
+ unset( $t['swf'], $t['exe'] );
+ if ( function_exists( 'current_user_can' ) )
+ $unfiltered = $user ? user_can( $user, 'unfiltered_html' ) : current_user_can( 'unfiltered_html' );
+
+ if ( empty( $unfiltered ) )
+ unset( $t['htm|html'] );
+
+ return apply_filters( 'upload_mimes', $t, $user );
 }
 /**
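Review bot: `_wp_original_http_referer` is read from `$_REQUEST`, so it is fully attacker-controlled (GET, POST or cookie), and routing it through wp_validate_redirect() with a false fallback is the right shape; the docblock that ends in the `*/` at the top of this hunk should record the new contract, e.g. `Returns false if the value is absent or does not point at an allowed redirect host.` As with wp_get_referer(), the result is now only usable as a redirect target or not at all, so any caller that echoed or logged the raw value should be checked for the new false return. The function's docblock starts outside this hunk.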
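Review bot: `$unfiltered` is only assigned inside the `function_exists( 'current_user_can' )` guard, so when that function is not loaded the `empty( $unfiltered )` test relies on an undefined variable to fail closed; initialise it explicitly with `$unfiltered = false;` before the `if`, so the fail-closed default is visible and does not depend on empty() being silent about undefined names. `unset( $t['swf'], $t['exe'] )` assumes those exact keys exist in the array returned by wp_get_mime_types() (not visible here); if that list uses different keys the removal is a silent no-op, so a comment naming the intent, `// Flash (swf) and executables (exe) are never allowed, regardless of capability.`, helps a maintainer notice a key mismatch. Because `apply_filters( 'upload_mimes', $t, $user )` runs after these removals, a filter can re-add html, exe or swf, which the docblock should name as the deliberate extension point. The `@uses wp_get_upload_mime_types()` context line above also no longer matches the `wp_get_mime_types()` call in the new body.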