From 468f7aaa1403a85063329d40ec6dbdc46096ed8c Mon Sep 17 00:00:00 2001 From: azaozz Date: Thu, 13 Aug 2009 06:03:26 +0000 Subject: [PATCH] Strip slashes from POST data in request_filesystem_credentials(), props dd32, fixes #10567 git-svn-id: http://svn.automattic.com/wordpress/trunk@11808 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/includes/file.php | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/wp-admin/includes/file.php b/wp-admin/includes/file.php index 3754fddfa1..eae700f474 100644 --- a/wp-admin/includes/file.php +++ b/wp-admin/includes/file.php @@ -676,13 +676,13 @@ function request_filesystem_credentials($form_post, $type = '', $error = false, $credentials = get_option('ftp_credentials', array( 'hostname' => '', 'username' => '')); // If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option) - $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? $_POST['hostname'] : $credentials['hostname']); - $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? $_POST['username'] : $credentials['username']); - $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? $_POST['password'] : ''); + $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? stripslashes($_POST['hostname']) : $credentials['hostname']); + $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? stripslashes($_POST['username']) : $credentials['username']); + $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? stripslashes($_POST['password']) : ''); // Check to see if we are setting the public/private keys for ssh - $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? $_POST['public_key'] : ''); - $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? $_POST['private_key'] : ''); + $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? stripslashes($_POST['public_key']) : ''); + $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? stripslashes($_POST['private_key']) : ''); //sanitize the hostname, Some people might pass in odd-data: $credentials['hostname'] = preg_replace('|\w+://|', '', $credentials['hostname']); //Strip any schemes off @@ -697,7 +697,7 @@ function request_filesystem_credentials($form_post, $type = '', $error = false, else if ( defined('FTP_SSL') && 'ftpext' == $type ) //Only the FTP Extension understands SSL $credentials['connection_type'] = 'ftps'; else if ( !empty($_POST['connection_type']) ) - $credentials['connection_type'] = $_POST['connection_type']; + $credentials['connection_type'] = stripslashes($_POST['connection_type']); else if ( !isset($credentials['connection_type']) ) //All else fails (And its not defaulted to something else saved), Default to FTP $credentials['connection_type'] = 'ftp'; @@ -791,10 +791,10 @@ jQuery(function($){ - + - +