From ac46bc16c7ae890c7579da4b593ff01f0c22321d Mon Sep 17 00:00:00 2001
From: ryan
Date: Thu, 23 Aug 2007 16:09:37 +0000
Subject: [PATCH] Don't allow private query vars in url_to_postid
git-svn-id: http://svn.automattic.com/wordpress/trunk@5925 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/query.php | 6 ++++++
 wp-includes/rewrite.php | 9 +++++++++
 2 files changed, 15 insertions(+)
diff --git a/wp-includes/query.php b/wp-includes/query.php
index bbda607ff..182e674b9 100644
--- a/wp-includes/query.php
+++ b/wp-includes/query.php
@@ -657,6 +657,12 @@ class WP_Query {
 }
 }
+ if ( !empty($qv['post_type']) )
+ $qv['post_type'] = sanitize_user($qv['post_type'], true);
+
+ if ( !empty($qv['post_status']) )
+ $qv['post_status'] = sanitize_user($qv['post_status'], true);
+
 if ( $this->is_posts_page && !$qv['withcomments'] )
 $this->is_comment_feed = false;
diff --git a/wp-includes/rewrite.php b/wp-includes/rewrite.php
index b566fb70e..df584c635 100644
--- a/wp-includes/rewrite.php
+++ b/wp-includes/rewrite.php
@@ -136,6 +136,15 @@ function url_to_postid($url) {
 // Substitute the substring matches into the query.
 eval("\$query = \"$query\";");
+ // Filter out non-public query vars
+ global $wp;
+ parse_str($query, $query_vars);
+ $query = array();
+ foreach ( $query_vars as $key => $value ) {
+ if ( in_array($key, $wp->public_query_vars) )
+ $query[$key] = $value;
+ }
+
 // Do the query
 $query = new WP_Query($query);
 if ( $query->is_single || $query->is_page )
 return $query->post->ID;
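Review bot: The two new `sanitize_user(..., true)` calls in the WP_Query hunk reuse a username sanitizer as a character allow-list for `post_type` and `post_status`, and nothing in the hunk says why, so a later reader may "simplify" it away; add a why-comment above the first one: `// post_type/post_status are caller-supplied; strip everything outside sanitize_user()'s strict character set before they are used to build the query`. Since these values are enumerations, a value allow-list would be tighter and self-documenting than character stripping, e.g. `if ( !in_array($qv['post_status'], array('publish', 'draft', 'private', 'future', 'pending'), true) ) unset($qv['post_status']);` (the exact set should be taken from the statuses WordPress actually recognises, which is not visible here). Note that `!empty()` treats the string `'0'` as empty, which is harmless for these names but worth knowing. The enclosing method starts and ends outside the hunk.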
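Review bot: `in_array($key, $wp->public_query_vars)` in the url_to_postid hunk compares loosely; under PHP 5 a numeric key such as `0` (which `parse_str()` produces for a `0=` pair) compares equal to any non-numeric string, so it would pass the allow-list — use `if ( in_array($key, $wp->public_query_vars, true) )`. The filter is also only as strong as `$wp->public_query_vars` at call time; if `url_to_postid()` can run before `$wp` is set up (not visible here), the property read is null and every var is dropped, so a short comment stating that dependency next to `global $wp;` would help. Reusing `$query` for the string, the filtered array and then the WP_Query object makes the block harder to follow; a distinct name for the array (e.g. `$public_vars`) would read better. The enclosing function continues outside the hunk.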