Multisite: Validate activation links.
Merges [44048] to the 4.7 branch. Built from https://develop.svn.wordpress.org/branches/4.7@44054 git-svn-id: http://core.svn.wordpress.org/branches/4.7@43884 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
fd88de7653
commit
51631c8f07
|
@ -26,7 +26,9 @@ $activate_cookie = 'wp-activate-' . COOKIEHASH;
|
||||||
$key = '';
|
$key = '';
|
||||||
$result = null;
|
$result = null;
|
||||||
|
|
||||||
if ( ! empty( $_GET['key'] ) ) {
|
if ( isset( $_GET['key'] ) && isset( $_POST['key'] ) && $_GET['key'] !== $_POST['key'] ) {
|
||||||
|
wp_die( __( 'A key value mismatch has been detected. Please follow the link provided in your activation email.' ), __( 'An error occurred during the activation' ), 400 );
|
||||||
|
} elseif ( ! empty( $_GET['key'] ) ) {
|
||||||
$key = $_GET['key'];
|
$key = $_GET['key'];
|
||||||
} elseif ( ! empty( $_POST['key'] ) ) {
|
} elseif ( ! empty( $_POST['key'] ) ) {
|
||||||
$key = $_POST['key'];
|
$key = $_POST['key'];
|
||||||
|
|
|
@ -290,7 +290,9 @@ final class WP_Screen {
|
||||||
|
|
||||||
switch ( $base ) {
|
switch ( $base ) {
|
||||||
case 'post' :
|
case 'post' :
|
||||||
if ( isset( $_GET['post'] ) )
|
if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] )
|
||||||
|
wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
|
||||||
|
elseif ( isset( $_GET['post'] ) )
|
||||||
$post_id = (int) $_GET['post'];
|
$post_id = (int) $_GET['post'];
|
||||||
elseif ( isset( $_POST['post_ID'] ) )
|
elseif ( isset( $_POST['post_ID'] ) )
|
||||||
$post_id = (int) $_POST['post_ID'];
|
$post_id = (int) $_POST['post_ID'];
|
||||||
|
|
|
@ -16,7 +16,9 @@ $submenu_file = 'edit.php';
|
||||||
|
|
||||||
wp_reset_vars( array( 'action' ) );
|
wp_reset_vars( array( 'action' ) );
|
||||||
|
|
||||||
if ( isset( $_GET['post'] ) )
|
if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] )
|
||||||
|
wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
|
||||||
|
elseif ( isset( $_GET['post'] ) )
|
||||||
$post_id = $post_ID = (int) $_GET['post'];
|
$post_id = $post_ID = (int) $_GET['post'];
|
||||||
elseif ( isset( $_POST['post_ID'] ) )
|
elseif ( isset( $_POST['post_ID'] ) )
|
||||||
$post_id = $post_ID = (int) $_POST['post_ID'];
|
$post_id = $post_ID = (int) $_POST['post_ID'];
|
||||||
|
@ -38,6 +40,10 @@ if ( $post ) {
|
||||||
$post_type_object = get_post_type_object( $post_type );
|
$post_type_object = get_post_type_object( $post_type );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( isset( $_POST['post_type'] ) && $post && $post_type !== $_POST['post_type'] ) {
|
||||||
|
wp_die( __( 'A post type mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
|
||||||
|
}
|
||||||
|
|
||||||
if ( isset( $_POST['deletepost'] ) )
|
if ( isset( $_POST['deletepost'] ) )
|
||||||
$action = 'delete';
|
$action = 'delete';
|
||||||
elseif ( isset($_POST['wp-preview']) && 'dopreview' == $_POST['wp-preview'] )
|
elseif ( isset($_POST['wp-preview']) && 'dopreview' == $_POST['wp-preview'] )
|
||||||
|
|
|
@ -302,6 +302,8 @@ class WP {
|
||||||
foreach ( $this->public_query_vars as $wpvar ) {
|
foreach ( $this->public_query_vars as $wpvar ) {
|
||||||
if ( isset( $this->extra_query_vars[$wpvar] ) )
|
if ( isset( $this->extra_query_vars[$wpvar] ) )
|
||||||
$this->query_vars[$wpvar] = $this->extra_query_vars[$wpvar];
|
$this->query_vars[$wpvar] = $this->extra_query_vars[$wpvar];
|
||||||
|
elseif ( isset( $_GET[ $wpvar ] ) && isset( $_POST[ $wpvar ] ) && $_GET[ $wpvar ] !== $_POST[ $wpvar ] )
|
||||||
|
wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
|
||||||
elseif ( isset( $_POST[$wpvar] ) )
|
elseif ( isset( $_POST[$wpvar] ) )
|
||||||
$this->query_vars[$wpvar] = $_POST[$wpvar];
|
$this->query_vars[$wpvar] = $_POST[$wpvar];
|
||||||
elseif ( isset( $_GET[$wpvar] ) )
|
elseif ( isset( $_GET[$wpvar] ) )
|
||||||
|
|
|
@ -271,10 +271,13 @@ function wpmu_admin_do_redirect( $url = '' ) {
|
||||||
_deprecated_function( __FUNCTION__, '3.3.0' );
|
_deprecated_function( __FUNCTION__, '3.3.0' );
|
||||||
|
|
||||||
$ref = '';
|
$ref = '';
|
||||||
if ( isset( $_GET['ref'] ) )
|
if ( isset( $_GET['ref'] ) && isset( $_POST['ref'] ) && $_GET['ref'] !== $_POST['ref'] ) {
|
||||||
$ref = $_GET['ref'];
|
wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
|
||||||
if ( isset( $_POST['ref'] ) )
|
} elseif ( isset( $_POST['ref'] ) ) {
|
||||||
$ref = $_POST['ref'];
|
$ref = $_POST[ 'ref' ];
|
||||||
|
} elseif ( isset( $_GET['ref'] ) ) {
|
||||||
|
$ref = $_GET[ 'ref' ];
|
||||||
|
}
|
||||||
|
|
||||||
if ( $ref ) {
|
if ( $ref ) {
|
||||||
$ref = wpmu_admin_redirect_add_updated_param( $ref );
|
$ref = wpmu_admin_redirect_add_updated_param( $ref );
|
||||||
|
@ -287,7 +290,9 @@ function wpmu_admin_do_redirect( $url = '' ) {
|
||||||
}
|
}
|
||||||
|
|
||||||
$url = wpmu_admin_redirect_add_updated_param( $url );
|
$url = wpmu_admin_redirect_add_updated_param( $url );
|
||||||
if ( isset( $_GET['redirect'] ) ) {
|
if ( isset( $_GET['redirect'] ) && isset( $_POST['redirect'] ) && $_GET['redirect'] !== $_POST['redirect'] ) {
|
||||||
|
wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
|
||||||
|
} elseif ( isset( $_GET['redirect'] ) ) {
|
||||||
if ( substr( $_GET['redirect'], 0, 2 ) == 's_' )
|
if ( substr( $_GET['redirect'], 0, 2 ) == 's_' )
|
||||||
$url .= '&action=blogs&s='. esc_html( substr( $_GET['redirect'], 2 ) );
|
$url .= '&action=blogs&s='. esc_html( substr( $_GET['redirect'], 2 ) );
|
||||||
} elseif ( isset( $_POST['redirect'] ) ) {
|
} elseif ( isset( $_POST['redirect'] ) ) {
|
||||||
|
|
Loading…
Reference in New Issue