Hardening. Santizers for WPLANG and new_admin_email. Prevent stomping ID and filter. Validate locale filename. Props westi.
git-svn-id: http://svn.automattic.com/wordpress/trunk@18346 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
2010842d10
commit
593659b8d0
|
@ -646,7 +646,8 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
|
|||
'post_content' => $url,
|
||||
'post_mime_type' => $type,
|
||||
'guid' => $url,
|
||||
'context' => 'custom-header');
|
||||
'context' => 'custom-header'
|
||||
);
|
||||
|
||||
// Save the data
|
||||
$id = wp_insert_attachment($object, $file);
|
||||
|
|
|
@ -228,6 +228,10 @@ function media_handle_upload($file_id, $post_id, $post_data = array(), $override
|
|||
'post_content' => $content,
|
||||
), $post_data );
|
||||
|
||||
// This should never be set as it would then overwrite an existing attachment.
|
||||
if ( isset( $attachment['ID'] ) )
|
||||
unset( $attachment['ID'] );
|
||||
|
||||
// Save the data
|
||||
$id = wp_insert_attachment($attachment, $file, $post_id);
|
||||
if ( !is_wp_error($id) ) {
|
||||
|
@ -281,6 +285,10 @@ function media_handle_sideload($file_array, $post_id, $desc = null, $post_data =
|
|||
'post_content' => $content,
|
||||
), $post_data );
|
||||
|
||||
// This should never be set as it would then overwrite an existing attachment.
|
||||
if ( isset( $attachment['ID'] ) )
|
||||
unset( $attachment['ID'] );
|
||||
|
||||
// Save the attachment metadata
|
||||
$id = wp_insert_attachment($attachment, $file, $post_id);
|
||||
if ( !is_wp_error($id) )
|
||||
|
|
|
@ -142,6 +142,10 @@ function edit_post( $post_data = null ) {
|
|||
if ( empty($post_data) )
|
||||
$post_data = &$_POST;
|
||||
|
||||
// Clear out any data in internal vars.
|
||||
if ( isset( $post_data['filter'] ) )
|
||||
unset( $post_data['filter'] );
|
||||
|
||||
$post_ID = (int) $post_data['post_ID'];
|
||||
$post = get_post( $post_ID );
|
||||
$post_data['post_type'] = $post->post_type;
|
||||
|
@ -560,6 +564,15 @@ function wp_write_post() {
|
|||
}
|
||||
}
|
||||
|
||||
// Edit don't write if we have a post id.
|
||||
if ( isset( $_POST['ID'] ) ) {
|
||||
$_POST['post_ID'] = $_POST['ID'];
|
||||
unset ( $_POST['ID'] );
|
||||
}
|
||||
if ( isset( $_POST['post_ID'] ) ) {
|
||||
return edit_post();
|
||||
}
|
||||
|
||||
$translated = _wp_translate_postdata( false );
|
||||
if ( is_wp_error($translated) )
|
||||
return $translated;
|
||||
|
|
|
@ -127,7 +127,7 @@ include('./admin-header.php');
|
|||
$new_admin_email = get_option( 'new_admin_email' );
|
||||
if ( $new_admin_email && $new_admin_email != get_option('admin_email') ) : ?>
|
||||
<div class="updated inline">
|
||||
<p><?php printf( __('There is a pending change of the admin e-mail to <code>%1$s</code>. <a href="%2$s">Cancel</a>'), $new_admin_email, esc_url( admin_url( 'options.php?dismiss=new_admin_email' ) ) ); ?></p>
|
||||
<p><?php printf( __('There is a pending change of the admin e-mail to <code>%1$s</code>. <a href="%2$s">Cancel</a>'), esc_html( $new_admin_email ), esc_url( admin_url( 'options.php?dismiss=new_admin_email' ) ) ); ?></p>
|
||||
</div>
|
||||
<?php endif; ?>
|
||||
</td>
|
||||
|
|
|
@ -2426,7 +2426,14 @@ function sanitize_option($option, $value) {
|
|||
add_settings_error('admin_email', 'invalid_admin_email', __('The email address entered did not appear to be a valid email address. Please enter a valid email address.'));
|
||||
}
|
||||
break;
|
||||
|
||||
case 'new_admin_email':
|
||||
$value = sanitize_email($value);
|
||||
if ( !is_email($value) ) {
|
||||
$value = get_option( $option ); // Resets option to stored value in the case of failed sanitization
|
||||
if ( function_exists('add_settings_error') )
|
||||
add_settings_error('new_admin_email', 'invalid_admin_email', __('The email address entered did not appear to be a valid email address. Please enter a valid email address.'));
|
||||
}
|
||||
break;
|
||||
case 'thumbnail_size_w':
|
||||
case 'thumbnail_size_h':
|
||||
case 'medium_size_w':
|
||||
|
@ -2520,6 +2527,11 @@ function sanitize_option($option, $value) {
|
|||
add_settings_error('home', 'invalid_home', __('The Site address you entered did not appear to be a valid URL. Please enter a valid URL.'));
|
||||
}
|
||||
break;
|
||||
case 'WPLANG':
|
||||
$allowed = get_available_languages();
|
||||
if ( ! in_array( $value, $allowed ) && ! empty( $value ) )
|
||||
$value = get_option( $option );
|
||||
break;
|
||||
|
||||
case 'timezone_string':
|
||||
$allowed_zones = timezone_identifiers_list();
|
||||
|
|
|
@ -258,7 +258,7 @@ load_default_textdomain();
|
|||
// Find the blog locale.
|
||||
$locale = get_locale();
|
||||
$locale_file = WP_LANG_DIR . "/$locale.php";
|
||||
if ( is_readable( $locale_file ) )
|
||||
if ( ( 0 === validate_file( $locale ) ) && is_readable( $locale_file ) )
|
||||
require( $locale_file );
|
||||
unset($locale_file);
|
||||
|
||||
|
|
Loading…
Reference in New Issue