From 3bfb59b39dd29f4e987fc24e6c10a068b1b532f9 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Fri, 21 Jun 2013 05:54:40 +0000
Subject: [PATCH] More robust escaping in the plugin/theme upgrader.
git-svn-id: http://core.svn.wordpress.org/trunk@24474 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/class-wp-upgrader.php | 28 +++++++++++++++----------
 wp-admin/update.php | 16 +++++++-------
 2 files changed, 25 insertions(+), 19 deletions(-)
diff --git a/wp-admin/includes/class-wp-upgrader.php b/wp-admin/includes/class-wp-upgrader.php
index a9f230fd4d..6c399c7ec0 100644
--- a/wp-admin/includes/class-wp-upgrader.php
+++ b/wp-admin/includes/class-wp-upgrader.php
@@ -99,7 +99,7 @@ class WP_Upgrader {
 break;
 default:
 if ( ! $wp_filesystem->find_folder($dir) )
- return new WP_Error('fs_no_folder', sprintf($this->strings['fs_no_folder'], $dir));
+ return new WP_Error( 'fs_no_folder', sprintf( $this->strings['fs_no_folder'], esc_html( basename( $dir ) ) ) );
 break;
 }
 }
@@ -1144,7 +1144,7 @@ class WP_Upgrader_Skin {
 } elseif ( is_wp_error($errors) && $errors->get_error_code() ) {
 foreach ( $errors->get_error_messages() as $message ) {
 if ( $errors->get_error_data() )
- $this->feedback($message . ' ' . $errors->get_error_data() );
+ $this->feedback($message . ' ' . esc_html( $errors->get_error_data() ) );
 else
 $this->feedback($message);
 }
@@ -1158,8 +1158,11 @@ class WP_Upgrader_Skin {
 if ( strpos($string, '%') !== false ) {
 $args = func_get_args();
 $args = array_splice($args, 1);
- if ( !empty($args) )
+ if ( $args ) {
+ $args = array_map( 'strip_tags', $args );
+ $args = array_map( 'esc_html', $args );
 $string = vsprintf($string, $args);
+ }
 }
 if ( empty($string) )
 return;
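Review bot: The `fs_no_folder` message now reports `basename( $dir )` instead of `$dir`, which drops the parent path from the diagnostic; that is a behaviour change beyond escaping and the commit message does not say why. If the aim is to keep the absolute server path out of admin output, a comment on the new line such as `// basename() only: keep the full server path out of admin output` would stop a later fix from restoring `$dir`. Note also that esc_html() is applied at WP_Error construction rather than at output, so `$this->strings` messages are now expected to arrive pre-escaped; that contract should be recorded next to the strings table (outside this hunk), since WP_Upgrader_Skin::error() in the @@ -1144 hunk appears to echo messages without further escaping.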
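Review bot: `esc_html( $errors->get_error_data() )` assumes the error data is a string, but WP_Error data can be any value; an array or object here would be stringified (with a notice) rather than rendered. Whether any upgrader error actually carries non-string data is not visible in this hunk, so a defensive guard such as `is_scalar( $errors->get_error_data() )` in the existing `if` before the concatenation is the cheap fix. The same pattern is repeated in Bulk_Upgrader_Skin::error() in the @@ -1280 hunk. `$message` itself is still emitted unescaped, so the change relies on every error producer escaping its own message text; error()'s signature is outside the hunk.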
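Review bot: Running `strip_tags` before `esc_html` on the sprintf() arguments is lossy rather than safer: esc_html() alone neutralises markup, while strip_tags() consumes from an unclosed `<` to the end of the string, so an argument containing a bare `<` (constructed example: a version constraint `<= 3.5`) is silently truncated in the displayed feedback. Dropping the strip_tags line and keeping only `$args = array_map( 'esc_html', $args );` gives the same protection against injected markup without altering the text. The same three lines are duplicated verbatim in Bulk_Upgrader_Skin::feedback() in the @@ -1255 hunk; a small protected helper on WP_Upgrader_Skin that both call would keep the two from drifting apart. feedback()'s signature and the rest of its body are outside the hunk.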
@@ -1199,11 +1202,11 @@ class Plugin_Upgrader_Skin extends WP_Upgrader_Skin {
 function after() {
 $this->plugin = $this->upgrader->plugin_info();
 if ( !empty($this->plugin) && !is_wp_error($this->result) && $this->plugin_active ){
- echo '';
+ echo '';
 }
 $update_actions = array(
- 'activate_plugin' => '' . __('Activate Plugin') . '',
+ 'activate_plugin' => '' . __('Activate Plugin') . '',
 'plugins_page' => '' . __('Return to Plugins page') . ''
 );
 if ( $this->plugin_active || ! $this->result || is_wp_error( $this->result ) || ! current_user_can( 'activate_plugins' ) )
@@ -1255,8 +1258,11 @@ class Bulk_Upgrader_Skin extends WP_Upgrader_Skin {
 if ( strpos($string, '%') !== false ) {
 $args = func_get_args();
 $args = array_splice($args, 1);
- if ( !empty($args) )
+ if ( $args ) {
+ $args = array_map( 'strip_tags', $args );
+ $args = array_map( 'esc_html', $args );
 $string = vsprintf($string, $args);
+ }
 }
 if ( empty($string) )
 return;
@@ -1280,7 +1286,7 @@ class Bulk_Upgrader_Skin extends WP_Upgrader_Skin {
 if ( is_wp_error($error) ) {
 foreach ( $error->get_error_messages() as $emessage ) {
 if ( $error->get_error_data() )
- $messages[] = $emessage . ' ' . $error->get_error_data();
+ $messages[] = $emessage . ' ' . esc_html( $error->get_error_data() );
 else
 $messages[] = $emessage;
 }
@@ -1442,12 +1448,12 @@ class Plugin_Installer_Skin extends WP_Upgrader_Skin {
 $from = isset($_GET['from']) ? wp_unslash( $_GET['from'] ) : 'plugins';
 if ( 'import' == $from )
- $install_actions['activate_plugin'] = '' . __('Activate Plugin & Run Importer') . '';
+ $install_actions['activate_plugin'] = '' . __('Activate Plugin & Run Importer') . '';
 else
- $install_actions['activate_plugin'] = '' . __('Activate Plugin') . '';
+ $install_actions['activate_plugin'] = '' . __('Activate Plugin') . '';
 if ( is_multisite() && current_user_can( 'manage_network_plugins' ) ) {
- $install_actions['network_activate'] = '' . __('Network Activate') . '';
+ $install_actions['network_activate'] = '' . __('Network Activate') . '';
 unset( $install_actions['activate_plugin'] );
 }
@@ -1682,4 +1688,4 @@ class File_Upload_Upgrader {
 return true;
 }
-}
\ No newline at end of file
+}
diff --git a/wp-admin/update.php b/wp-admin/update.php
index 687142e218..caed6e794d 100644
--- a/wp-admin/update.php
+++ b/wp-admin/update.php
@@ -57,7 +57,7 @@ if ( isset($_GET['action']) ) {
 require_once(ABSPATH . 'wp-admin/admin-header.php');
 $nonce = 'upgrade-plugin_' . $plugin;
- $url = 'update.php?action=upgrade-plugin&plugin=' . $plugin;
+ $url = 'update.php?action=upgrade-plugin&plugin=' . urlencode( $plugin );
 $upgrader = new Plugin_Upgrader( new Plugin_Upgrader_Skin( compact('title', 'nonce', 'url', 'plugin') ) );
 $upgrader->upgrade($plugin);
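Review bot: urlencode() closes the query-string gap for `$plugin`, but `$url` is then handed to Plugin_Upgrader_Skin via compact() and, presumably, written into a form action or href by the skin's header code, which is outside this hunk; that sink still needs esc_url() (or esc_attr()) at output, because urlencode() does nothing for the `&` and any quotes inside an HTML attribute. Worth confirming that the skin escapes `$this->options['url']` before echoing it rather than assuming the value is attribute-safe. The same flow recurs for the install-plugin, upgrade-theme and install-theme `$url` lines in the @@ -107, @@ -160 and @@ -213 hunks.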
@@ -70,9 +70,9 @@ if ( isset($_GET['action']) ) {
 check_admin_referer('activate-plugin_' . $plugin);
 if ( ! isset($_GET['failure']) && ! isset($_GET['success']) ) {
- wp_redirect( admin_url('update.php?action=activate-plugin&failure=true&plugin=' . $plugin . '&_wpnonce=' . $_GET['_wpnonce']) );
+ wp_redirect( admin_url('update.php?action=activate-plugin&failure=true&plugin=' . urlencode( $plugin ) . '&_wpnonce=' . $_GET['_wpnonce']) );
 activate_plugin( $plugin, '', ! empty( $_GET['networkwide'] ), true );
- wp_redirect( admin_url('update.php?action=activate-plugin&success=true&plugin=' . $plugin . '&_wpnonce=' . $_GET['_wpnonce']) );
+ wp_redirect( admin_url('update.php?action=activate-plugin&success=true&plugin=' . urlencode( $plugin ) . '&_wpnonce=' . $_GET['_wpnonce']) );
 die();
 }
 iframe_header( __('Plugin Reactivation'), true );
@@ -107,7 +107,7 @@ if ( isset($_GET['action']) ) {
 $title = sprintf( __('Installing Plugin: %s'), $api->name . ' ' . $api->version );
 $nonce = 'install-plugin_' . $plugin;
- $url = 'update.php?action=install-plugin&plugin=' . $plugin;
+ $url = 'update.php?action=install-plugin&plugin=' . urlencode( $plugin );
 if ( isset($_GET['from']) )
 $url .= '&from=' . urlencode(stripslashes($_GET['from']));
@@ -132,7 +132,7 @@ if ( isset($_GET['action']) ) {
 $submenu_file = 'plugin-install.php';
 require_once(ABSPATH . 'wp-admin/admin-header.php');
- $title = sprintf( __('Installing Plugin from uploaded file: %s'), basename( $file_upload->filename ) );
+ $title = sprintf( __('Installing Plugin from uploaded file: %s'), esc_html( basename( $file_upload->filename ) ) );
 $nonce = 'plugin-upload';
 $url = add_query_arg(array('package' => $file_upload->id), 'update.php?action=upload-plugin');
 $type = 'upload'; //Install plugin type, From Web or an Upload.
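Review bot: Both redirect URLs now urlencode `$plugin` but still concatenate `$_GET['_wpnonce']` raw into the query string. check_admin_referer() two lines above has already verified that nonce, so the value is well-formed in practice, but the inconsistency invites copy-paste into a branch where no such check precedes it. Treat it the same way as the plugin slug, `'&_wpnonce=' . urlencode( $_GET['_wpnonce'] )`, or build both URLs with add_query_arg(), which the file already uses in the @@ -132 hunk and which encodes every value it is given.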
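Review bot: `$title` is built from `$api->name . ' ' . $api->version` without escaping, while the equivalent title in the @@ -132 hunk now wraps the uploaded filename in esc_html(); the theme branch in the @@ -213 hunk has the same asymmetry. The API response presumably comes from the plugin directory and may be sanitised upstream, but if `$title` is echoed as HTML by the skin the consistent form is `esc_html( $api->name . ' ' . $api->version )`. These are context lines the commit leaves unchanged, so this is a follow-up rather than a defect the change introduces.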
@@ -160,7 +160,7 @@ if ( isset($_GET['action']) ) {
 require_once(ABSPATH . 'wp-admin/admin-header.php');
 $nonce = 'upgrade-theme_' . $theme;
- $url = 'update.php?action=upgrade-theme&theme=' . $theme;
+ $url = 'update.php?action=upgrade-theme&theme=' . urlencode( $theme );
 $upgrader = new Theme_Upgrader( new Theme_Upgrader_Skin( compact('title', 'nonce', 'url', 'theme') ) );
 $upgrader->upgrade($theme);
@@ -213,7 +213,7 @@ if ( isset($_GET['action']) ) {
 $title = sprintf( __('Installing Theme: %s'), $api->name . ' ' . $api->version );
 $nonce = 'install-theme_' . $theme;
- $url = 'update.php?action=install-theme&theme=' . $theme;
+ $url = 'update.php?action=install-theme&theme=' . urlencode( $theme );
 $type = 'web'; //Install theme type, From Web or an Upload.
 $upgrader = new Theme_Upgrader( new Theme_Installer_Skin( compact('title', 'url', 'nonce', 'plugin', 'api') ) );
@@ -238,7 +238,7 @@ if ( isset($_GET['action']) ) {
 require_once(ABSPATH . 'wp-admin/admin-header.php');
- $title = sprintf( __('Installing Theme from uploaded file: %s'), basename( $file_upload->filename ) );
+ $title = sprintf( __('Installing Theme from uploaded file: %s'), esc_html( basename( $file_upload->filename ) ) );
 $nonce = 'theme-upload';
 $url = add_query_arg(array('package' => $file_upload->id), 'update.php?action=upload-theme');
 $type = 'upload'; //Install plugin type, From Web or an Upload.
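Review bot: Theme_Installer_Skin is constructed with `compact('title', 'url', 'nonce', 'plugin', 'api')` — `'plugin'`, not `'theme'` — so the skin receives the slug under the plugin key, or under no key at all if `$plugin` is unset in the theme branch, since compact() silently skips undefined variables. `$theme` is visibly the slug in use on the surrounding lines, so `compact('title', 'url', 'nonce', 'theme', 'api')` looks like the intended call, mirroring the upgrade-theme hunk above. This is a context line the commit leaves unchanged, so confirm which option key Theme_Installer_Skin reads before changing it.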
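Review bot: The trailing comment on the `$type = 'upload';` line still reads `//Install plugin type, From Web or an Upload.` in the theme-upload branch; it should say `//Install theme type, From Web or an Upload.` as the install-theme hunk above already does. Documentation only.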