Require an attachment ID for upload.php?action=edit. fixes #3333

git-svn-id: http://svn.automattic.com/wordpress/trunk@4600 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2006-12-04 14:05:54 +00:00 · 2006-12-04 14:05:54 +00:00 · 5dbc09631b
parent df98461b02
commit 5dbc09631b
1 changed files with 8 additions and 0 deletions
--- a/wp-admin/upload.php
+++ b/wp-admin/upload.php
@ -8,6 +8,14 @@ if (!current_user_can('upload_files'))

 wp_reset_vars(array('action', 'tab', 'from_tab', 'style', 'post_id', 'ID', 'paged', 'post_title', 'post_content', 'delete'));

+// IDs should be integers
+$ID = (int) $ID;
+$post_id = (int) $post_id;
+
+// Require an ID for the edit screen
+if ( $action == 'edit' && !$ID )
+	wp_die(__("You are not allowed to be here"));
+
 require_once('upload-functions.php');
 if ( !$tab )
 	$tab = 'browse-all';