WordPress-C/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2025-03-09 07:00:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

Improvements to the nonce AYS from mdawaffe. #2734

Browse Source 
git-svn-id: http://svn.automattic.com/wordpress/trunk@3783 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
ryan 2006-05-18 06:49:22 +00:00
parent 78e403f5fc
commit 8ee6921b49
6 changed files with 22 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
wp-admin/comment.php
View File

@ -1,6 +1,8 @@
<?php <?php
require_once('admin.php'); require_once('admin.php');
$parent_file = 'edit.php';
$submenu_file = 'edit-comments.php';
$wpvarstoreset = array('action'); $wpvarstoreset = array('action');
for ($i=0; $i<count($wpvarstoreset); $i += 1) { for ($i=0; $i<count($wpvarstoreset); $i += 1) {
@ -24,8 +26,6 @@ if ( isset( $_POST['deletecomment'] ) )
switch($action) { switch($action) {
case 'editcomment': case 'editcomment':
$title = __('Edit Comment'); $title = __('Edit Comment');
$parent_file = 'edit.php';
$submenu_file = 'edit-comments.php';
$editing = true; $editing = true;
require_once ('admin-header.php'); require_once ('admin-header.php');
@ -202,4 +202,4 @@ default:
include('admin-footer.php'); include('admin-footer.php');
?> ?>

4
wp-admin/page.php
View File

@ -1,6 +1,8 @@
<?php <?php
require_once('admin.php'); require_once('admin.php');
$parent_file = 'edit.php';
$submenu_file = 'edit-pages.php';
$wpvarstoreset = array('action'); $wpvarstoreset = array('action');
for ($i=0; $i<count($wpvarstoreset); $i += 1) { for ($i=0; $i<count($wpvarstoreset); $i += 1) {
@ -53,8 +55,6 @@ case 'post':
case 'edit': case 'edit':
$title = __('Edit'); $title = __('Edit');
$parent_file = 'edit.php';
$submenu_file = 'edit-pages.php';
$editing = true; $editing = true;
require_once('admin-header.php'); require_once('admin-header.php');

6
wp-admin/post.php
View File

@ -1,6 +1,8 @@
<?php <?php
require_once('admin.php'); require_once('admin.php');
$parent_file = 'edit.php';
$submenu_file = 'edit.php';
$wpvarstoreset = array('action', 'safe_mode', 'withcomments', 'posts', 'content', 'edited_post_title', 'comment_error', 'profile', 'trackback_url', 'excerpt', 'showcomments', 'commentstart', 'commentend', 'commentorder' ); $wpvarstoreset = array('action', 'safe_mode', 'withcomments', 'posts', 'content', 'edited_post_title', 'comment_error', 'profile', 'trackback_url', 'excerpt', 'showcomments', 'commentstart', 'commentend', 'commentorder' );
for ($i=0; $i<count($wpvarstoreset); $i += 1) { for ($i=0; $i<count($wpvarstoreset); $i += 1) {
@ -24,6 +26,8 @@ if ( isset( $_POST['deletepost'] ) )
switch($action) { switch($action) {
case 'postajaxpost': case 'postajaxpost':
case 'post': case 'post':
$parent_file = 'post-new.php';
$submenu_file = 'post-new.php';
check_admin_referer('add-post'); check_admin_referer('add-post');
$post_ID = 'post' == $action ? write_post() : edit_post(); $post_ID = 'post' == $action ? write_post() : edit_post();
@ -54,8 +58,6 @@ case 'post':
case 'edit': case 'edit':
$title = __('Edit'); $title = __('Edit');
$parent_file = 'edit.php';
$submenu_file = 'edit.php';
$editing = true; $editing = true;
require_once('admin-header.php'); require_once('admin-header.php');

2
wp-admin/profile-update.php
View File

@ -1,5 +1,7 @@
<?php <?php
$parent_file = 'profile.php';
$submenu_file = 'profile.php';
require_once('admin.php'); require_once('admin.php');
check_admin_referer('update-profile' . $user_ID); check_admin_referer('update-profile' . $user_ID);

2
wp-admin/wp-admin.css
View File

@ -361,7 +361,7 @@ form#upload #post_content {
display: none; display: none;
} }
.updated { .updated, .confirm {
background: #CFEBF7 url(images/notice.gif) no-repeat 1em ; background: #CFEBF7 url(images/notice.gif) no-repeat 1em ;
border: 1px solid #2580B2; border: 1px solid #2580B2;
margin: 1em 5% 10px; margin: 1em 5% 10px;

19
wp-includes/pluggable-functions.php
View File

@ -229,15 +229,15 @@ endif;
if ( !function_exists('check_admin_referer') ) : if ( !function_exists('check_admin_referer') ) :
function check_admin_referer($action = -1) { function check_admin_referer($action = -1) {
global $pagenow; global $pagenow, $menu, $submenu, $parent_file, $submenu_file;;
$adminurl = strtolower(get_settings('siteurl')).'/wp-admin'; $adminurl = strtolower(get_settings('siteurl')).'/wp-admin';
$referer = strtolower($_SERVER['HTTP_REFERER']); $referer = strtolower($_SERVER['HTTP_REFERER']);
if ( !wp_verify_nonce($_REQUEST['_wpnonce'], $action) && if ( !wp_verify_nonce($_REQUEST['_wpnonce'], $action) &&
!(-1 == $action && strstr($referer, $adminurl)) ) { !(-1 == $action && strstr($referer, $adminurl)) ) {
if ( $referer )
$html = "<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>\n<html xmlns='http://www.w3.org/1999/xhtml' lang='en' xml:lang='en'>\n\n"; $adminurl = $referer;
$html .= "<head>\n\t<title>" . __('WordPress Confirmation') . "</title>\n"; $title = __('WordPress Confirmation');
$html .= "</head>\n<body>\n"; require_once(ABSPATH . '/wp-admin/admin-header.php');
if ( $_POST ) { if ( $_POST ) {
$q = http_build_query($_POST); $q = http_build_query($_POST);
$q = explode( ini_get('arg_separator.output'), $q); $q = explode( ini_get('arg_separator.output'), $q);
@ -248,13 +248,14 @@ function check_admin_referer($action = -1) {
$html .= "\t\t<input type='hidden' name='" . wp_specialchars( urldecode($k), 1 ) . "' value='" . wp_specialchars( urldecode($v), 1 ) . "' />\n"; $html .= "\t\t<input type='hidden' name='" . wp_specialchars( urldecode($k), 1 ) . "' value='" . wp_specialchars( urldecode($v), 1 ) . "' />\n";
} }
$html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n"; $html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n";
$html .= "\t\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t</form>\n"; $html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";
} else { } else {
$html .= "\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . "</a></p>\n"; $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
} }
$html .= "</body>\n</html>"; $html .= "</body>\n</html>";
echo $html;
die($html); include_once(ABSPATH . '/wp-admin/admin-footer.php');
die();
} }
do_action('check_admin_referer', $action); do_action('check_admin_referer', $action);
}endif; }endif;