Hardening. Santizers for WPLANG and new_admin_email. Prevent stomping ID and filter. Validate locale filename. Props westi.
git-svn-id: http://svn.automattic.com/wordpress/trunk@18346 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
2010842d10
commit
593659b8d0
|
@ -646,7 +646,8 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
|
||||||
'post_content' => $url,
|
'post_content' => $url,
|
||||||
'post_mime_type' => $type,
|
'post_mime_type' => $type,
|
||||||
'guid' => $url,
|
'guid' => $url,
|
||||||
'context' => 'custom-header');
|
'context' => 'custom-header'
|
||||||
|
);
|
||||||
|
|
||||||
// Save the data
|
// Save the data
|
||||||
$id = wp_insert_attachment($object, $file);
|
$id = wp_insert_attachment($object, $file);
|
||||||
|
|
|
@ -228,6 +228,10 @@ function media_handle_upload($file_id, $post_id, $post_data = array(), $override
|
||||||
'post_content' => $content,
|
'post_content' => $content,
|
||||||
), $post_data );
|
), $post_data );
|
||||||
|
|
||||||
|
// This should never be set as it would then overwrite an existing attachment.
|
||||||
|
if ( isset( $attachment['ID'] ) )
|
||||||
|
unset( $attachment['ID'] );
|
||||||
|
|
||||||
// Save the data
|
// Save the data
|
||||||
$id = wp_insert_attachment($attachment, $file, $post_id);
|
$id = wp_insert_attachment($attachment, $file, $post_id);
|
||||||
if ( !is_wp_error($id) ) {
|
if ( !is_wp_error($id) ) {
|
||||||
|
@ -281,6 +285,10 @@ function media_handle_sideload($file_array, $post_id, $desc = null, $post_data =
|
||||||
'post_content' => $content,
|
'post_content' => $content,
|
||||||
), $post_data );
|
), $post_data );
|
||||||
|
|
||||||
|
// This should never be set as it would then overwrite an existing attachment.
|
||||||
|
if ( isset( $attachment['ID'] ) )
|
||||||
|
unset( $attachment['ID'] );
|
||||||
|
|
||||||
// Save the attachment metadata
|
// Save the attachment metadata
|
||||||
$id = wp_insert_attachment($attachment, $file, $post_id);
|
$id = wp_insert_attachment($attachment, $file, $post_id);
|
||||||
if ( !is_wp_error($id) )
|
if ( !is_wp_error($id) )
|
||||||
|
|
|
@ -142,6 +142,10 @@ function edit_post( $post_data = null ) {
|
||||||
if ( empty($post_data) )
|
if ( empty($post_data) )
|
||||||
$post_data = &$_POST;
|
$post_data = &$_POST;
|
||||||
|
|
||||||
|
// Clear out any data in internal vars.
|
||||||
|
if ( isset( $post_data['filter'] ) )
|
||||||
|
unset( $post_data['filter'] );
|
||||||
|
|
||||||
$post_ID = (int) $post_data['post_ID'];
|
$post_ID = (int) $post_data['post_ID'];
|
||||||
$post = get_post( $post_ID );
|
$post = get_post( $post_ID );
|
||||||
$post_data['post_type'] = $post->post_type;
|
$post_data['post_type'] = $post->post_type;
|
||||||
|
@ -560,6 +564,15 @@ function wp_write_post() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Edit don't write if we have a post id.
|
||||||
|
if ( isset( $_POST['ID'] ) ) {
|
||||||
|
$_POST['post_ID'] = $_POST['ID'];
|
||||||
|
unset ( $_POST['ID'] );
|
||||||
|
}
|
||||||
|
if ( isset( $_POST['post_ID'] ) ) {
|
||||||
|
return edit_post();
|
||||||
|
}
|
||||||
|
|
||||||
$translated = _wp_translate_postdata( false );
|
$translated = _wp_translate_postdata( false );
|
||||||
if ( is_wp_error($translated) )
|
if ( is_wp_error($translated) )
|
||||||
return $translated;
|
return $translated;
|
||||||
|
|
|
@ -127,7 +127,7 @@ include('./admin-header.php');
|
||||||
$new_admin_email = get_option( 'new_admin_email' );
|
$new_admin_email = get_option( 'new_admin_email' );
|
||||||
if ( $new_admin_email && $new_admin_email != get_option('admin_email') ) : ?>
|
if ( $new_admin_email && $new_admin_email != get_option('admin_email') ) : ?>
|
||||||
<div class="updated inline">
|
<div class="updated inline">
|
||||||
<p><?php printf( __('There is a pending change of the admin e-mail to <code>%1$s</code>. <a href="%2$s">Cancel</a>'), $new_admin_email, esc_url( admin_url( 'options.php?dismiss=new_admin_email' ) ) ); ?></p>
|
<p><?php printf( __('There is a pending change of the admin e-mail to <code>%1$s</code>. <a href="%2$s">Cancel</a>'), esc_html( $new_admin_email ), esc_url( admin_url( 'options.php?dismiss=new_admin_email' ) ) ); ?></p>
|
||||||
</div>
|
</div>
|
||||||
<?php endif; ?>
|
<?php endif; ?>
|
||||||
</td>
|
</td>
|
||||||
|
|
|
@ -2426,7 +2426,14 @@ function sanitize_option($option, $value) {
|
||||||
add_settings_error('admin_email', 'invalid_admin_email', __('The email address entered did not appear to be a valid email address. Please enter a valid email address.'));
|
add_settings_error('admin_email', 'invalid_admin_email', __('The email address entered did not appear to be a valid email address. Please enter a valid email address.'));
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
case 'new_admin_email':
|
||||||
|
$value = sanitize_email($value);
|
||||||
|
if ( !is_email($value) ) {
|
||||||
|
$value = get_option( $option ); // Resets option to stored value in the case of failed sanitization
|
||||||
|
if ( function_exists('add_settings_error') )
|
||||||
|
add_settings_error('new_admin_email', 'invalid_admin_email', __('The email address entered did not appear to be a valid email address. Please enter a valid email address.'));
|
||||||
|
}
|
||||||
|
break;
|
||||||
case 'thumbnail_size_w':
|
case 'thumbnail_size_w':
|
||||||
case 'thumbnail_size_h':
|
case 'thumbnail_size_h':
|
||||||
case 'medium_size_w':
|
case 'medium_size_w':
|
||||||
|
@ -2520,6 +2527,11 @@ function sanitize_option($option, $value) {
|
||||||
add_settings_error('home', 'invalid_home', __('The Site address you entered did not appear to be a valid URL. Please enter a valid URL.'));
|
add_settings_error('home', 'invalid_home', __('The Site address you entered did not appear to be a valid URL. Please enter a valid URL.'));
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
case 'WPLANG':
|
||||||
|
$allowed = get_available_languages();
|
||||||
|
if ( ! in_array( $value, $allowed ) && ! empty( $value ) )
|
||||||
|
$value = get_option( $option );
|
||||||
|
break;
|
||||||
|
|
||||||
case 'timezone_string':
|
case 'timezone_string':
|
||||||
$allowed_zones = timezone_identifiers_list();
|
$allowed_zones = timezone_identifiers_list();
|
||||||
|
|
|
@ -258,7 +258,7 @@ load_default_textdomain();
|
||||||
// Find the blog locale.
|
// Find the blog locale.
|
||||||
$locale = get_locale();
|
$locale = get_locale();
|
||||||
$locale_file = WP_LANG_DIR . "/$locale.php";
|
$locale_file = WP_LANG_DIR . "/$locale.php";
|
||||||
if ( is_readable( $locale_file ) )
|
if ( ( 0 === validate_file( $locale ) ) && is_readable( $locale_file ) )
|
||||||
require( $locale_file );
|
require( $locale_file );
|
||||||
unset($locale_file);
|
unset($locale_file);
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue