Don't allow private query vars in url_to_postid

git-svn-id: https://develop.svn.wordpress.org/trunk@5925 602fd350-edb4-49c9-b593-d223f7449a82
2026-03-31 02:34:38 +00:00 · 2007-08-23 16:09:37 +00:00
parent de6855386a
commit ca4e75cb57
2 changed files with 15 additions and 0 deletions
--- a/wp-includes/rewrite.php
+++ b/wp-includes/rewrite.php
@@ -136,6 +136,15 @@ function url_to_postid($url) {

 			// Substitute the substring matches into the query.
 			eval("\$query = \"$query\";");
+			// Filter out non-public query vars
+			global $wp;
+			parse_str($query, $query_vars);
+			$query = array();
+			foreach ( $query_vars as $key => $value ) {
+				if ( in_array($key, $wp->public_query_vars) )
+					$query[$key] = $value;
+			}
+			// Do the query
 			$query = new WP_Query($query);
 			if ( $query->is_single || $query->is_page )
 				return $query->post->ID;