From ca4e75cb57f03da2fb0d7fcd72e6c1e5cef6e733 Mon Sep 17 00:00:00 2001
From: Ryan Boren
Date: Thu, 23 Aug 2007 16:09:37 +0000
Subject: [PATCH] Don't allow private query vars in url_to_postid

git-svn-id: https://develop.svn.wordpress.org/trunk@5925 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/query.php | 6 ++++++
 wp-includes/rewrite.php | 9 +++++++++
 2 files changed, 15 insertions(+)

diff --git a/wp-includes/query.php b/wp-includes/query.php
index bbda607ff6..182e674b93 100644
--- a/wp-includes/query.php
+++ b/wp-includes/query.php
@@ -657,6 +657,12 @@ class WP_Query {
 }
 }
 
+ if ( !empty($qv['post_type']) )
+ $qv['post_type'] = sanitize_user($qv['post_type'], true);
+
+ if ( !empty($qv['post_status']) )
+ $qv['post_status'] = sanitize_user($qv['post_status'], true);
+
 if ( $this->is_posts_page && !$qv['withcomments'] )
 $this->is_comment_feed = false;
 
diff --git a/wp-includes/rewrite.php b/wp-includes/rewrite.php
index b566fb70ec..df584c635b 100644
--- a/wp-includes/rewrite.php
+++ b/wp-includes/rewrite.php
@@ -136,6 +136,15 @@ function url_to_postid($url) {
 // Substitute the substring matches into the query.
 eval("\$query = \"$query\";");
+ // Filter out non-public query vars
+ global $wp;
+ parse_str($query, $query_vars);
+ $query = array();
+ foreach ( $query_vars as $key => $value ) {
+ if ( in_array($key, $wp->public_query_vars) )
+ $query[$key] = $value;
+ }
+
 // Do the query
 $query = new WP_Query($query);
 if ( $query->is_single || $query->is_page )
 return $query->post->ID;
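Review bot: The two new `sanitize_user(..., true)` calls on `$qv['post_type']` and `$qv['post_status']` reuse a username sanitizer purely for its character whitelist, and nothing in the hunk says so, which makes the intent easy to misread or "fix" later. A comment on the first of them would pin the reasoning, e.g. `// sanitize_user(strict) is borrowed for its restrictive character set; post_type/post_status names only ever use those characters, so this strips anything that could break out of a quoted SQL value`. Note also that this only reduces the value to safe characters and does not check it against the set of post types or statuses the query code actually understands; whether the downstream SQL in WP_Query still escapes these values is not visible in this hunk. The enclosing method of WP_Query starts and ends outside the hunk.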
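Review bot: The new filter in url_to_postid uses a loose `in_array($key, $wp->public_query_vars)`, so keys that parse_str turns into integers (a parameter named `0`, for instance) compare loosely against the string names in the whitelist and, under the loose-comparison rules of the PHP versions of this era, can pass the filter even though they are not public query vars; it should be `if ( in_array($key, $wp->public_query_vars, true) )`. The loop also relies on `global $wp` already being set up, and if url_to_postid is called before that object exists the property read will fail rather than filter, so a guard such as `if ( empty($wp->public_query_vars) ) return 0;` (or documenting that the function requires an initialised `$wp`) is worth considering. The function url_to_postid begins before this hunk.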