From 374a57451bfa169d2873627f2b8ef53f9ecd184a Mon Sep 17 00:00:00 2001
From: saxmatt
Date: Fri, 23 May 2003 00:12:22 +0000
Subject: [PATCH] Clean up entire file, improved error messages and HTML, fixed editing problem, double-checekd security.
git-svn-id: http://svn.automattic.com/wordpress/trunk@41 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/b2template.php | 90 ++++++++++++++++++++---------------------
 1 file changed, 44 insertions(+), 46 deletions(-)
diff --git a/wp-admin/b2template.php b/wp-admin/b2template.php
index 91656d4e31..9e962793f3 100644
--- a/wp-admin/b2template.php
+++ b/wp-admin/b2template.php
@@ -37,21 +37,22 @@ for ($i=0; $iAsk for a promotion to your blog admin :)");
+ die('

You have no right to edit the template for this blog.
Ask for a promotion to your blog admin. :)

');
 }
 $newcontent = stripslashes($HTTP_POST_VARS["newcontent"]);
 $file = $HTTP_POST_VARS["file"];
- $f = fopen($file,"w+");
- fwrite($f,$newcontent);
+ $f = fopen($file, 'w+');
+ fwrite($f, $newcontent);
 fclose($f);
+ $file = str_replace('../', '', $file);
 header("Location: b2template.php?file=$file&a=te");
 exit();
@@ -59,55 +60,51 @@ break;
 default:
- include("./b2header.php");
+ require('b2header.php');
 if ($user_level <= 3) {
- die("You have no right to edit the template for this blog.
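Review bot: The save branch passes `$HTTP_POST_VARS["file"]` straight to `fopen($file, 'w+')` with none of the `..` / `:` / leading-`/` checks the view branch applies, and the new `$file = str_replace('../', '', $file);` only runs after `fclose($f)`, so it sanitises the redirect URL rather than the path that was just written — any user whose level passes the `<= 3` gate can overwrite whatever the web server can write. The same validation the view branch performs (and the `'../'` prefix it adds) should run here before `fopen`, so that the file shown and the file saved are the same one and stay under the blog directory, e.g. by comparing `realpath(...)` of the target against `realpath('..')`. A single `str_replace('../', '', …)` pass is also not a safe normaliser (`....//` collapses to `../`), and `$file` is interpolated into the `Location:` header unencoded, so use `urlencode($file)` there. Nothing in the hunk ties the POST to a per-request token; if the form elsewhere carries none, a cross-site request can trigger the write. The enclosing `switch` case begins before the hunk.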
Ask for a promotion to your blog admin :)"); + die('

You have no right to edit the template for this blog.
Ask for a promotion to your blog admin. :)

');
 }
- if ($file=="") {
- if ($blogfilename != "") {
+ if ('' == $file) {
+ if ('' != $blogfilename) {
 $file = $blogfilename;
 } else {
- $file = "b2.php";
+ $file = 'index.php';
 }
 }
- if (substr($file,0,2) == "..")
- die ("Sorry, can't edit files that are up one directory or more.");
+ if ('..' == substr($file,0,2))
+ die ('Sorry, can’t edit files with ".." in the name. If you are trying to edit a file in your WordPress home directory, you can just type the name of the file in.');
- if (substr($file,1,1) == ":")
- die ("Sorry, can't call files with their real path.");
+ if (':' == substr($file,1,1))
+ die ('Sorry, can’t call files with their real path.');
- if (substr($file,0,1) == "/")
- $file = ".".$file;
+ if ('/' == substr($file,0,1))
+ $file = '.' . $file;
+
+ $file = stripslashes($file);
+ $file = '../' . $file;
 if (!is_file($file)) $error = 1;
- $file = stripslashes($file);
-
- if ((substr($file,0,2) == "b2") and (substr($file,-4,4) == ".php") and ($file != "b2.php"))
- $warning = " - this is a b2 file, be careful when editing it !";
-
+ if ((substr($file,0,2) == 'b2') and (substr($file,-4,4) == '.php') and ($file != 'b2.php'))
+ $warning = ' — this is a WordPress file, be careful when editing it!';
+
 if (!$error) {
- $f = fopen($file,"r");
- $content = fread($f,filesize($file));
-// $content = template_simplify($content);
+ $f = fopen($file, 'r');
+ $content = fread($f, filesize($file));
 $content = htmlspecialchars($content);
 // $content = str_replace(" - - - -
+
$file".$warning; - if ($a == "te") - echo " [ file edited ! ]"; + echo "Listing $file $warning"; + if ('te' == $a) + echo "File edited successfully."; if (!$error) { ?> @@ -126,25 +123,26 @@ default: oops, no such file !
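Review bot: The `'..' == substr($file,0,2)` test only inspects the first two characters, so a request-supplied name such as `templates/../../etc/passwd` passes every check, is prefixed with `'../'`, and is opened and loaded into the editor whenever `is_file()` is true — an arbitrary file read for any user whose level passes the `<= 3` gate. The three checks also run before the new `$file = stripslashes($file);`, so they inspect the still-escaped value rather than the string that is actually opened; move the `stripslashes` above them. Rejecting `..` anywhere in the name (`if (false !== strpos($file, '..')) die('...');`) and then confirming that `realpath('../' . $file)` starts with `realpath('..')` would close both gaps. Separately, `echo "Listing $file $warning"` prints the request-supplied name unescaped while the file contents go through `htmlspecialchars`; wrap `$file` in `htmlspecialchars()` there as well. The enclosing `default:` case extends beyond this hunk on both sides.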

"; + echo '

Oops, no such file exists! Double check the name and try again, merci.

'; } - echo $tablebottom; ?> -
-
- - You can also edit the comments' template or the popup comments' template, or edit any other file (provided it's writable by the server, e.g. CHMOD 766).
-
- To edit a file, type its name here: -
+ + +
+

You can also edit the comments + template or the popup + comments template, or edit any other file (provided it’s writable by + the server, e.g. CHMOD 766).

+

To edit a file, type its name here:

+ -
- Note: of course, you can also edit the files/templates in your text editor and upload them. This online editor is only meant to be used when you don't have access to a text editor... - +

Note: of course, you can also edit the files/templates in your text editor + and upload them. This online editor is only meant to be used when you don't + have access to a text editor.

+