From d7fccb66d36d3dbc0ae732b4552b42c9f1c0f12e Mon Sep 17 00:00:00 2001
From: ryan
Date: Tue, 14 Oct 2008 15:56:33 +0000
Subject: [PATCH] Sanitation and error handling for plugin install. Props DD32. see #6015
git-svn-id: http://svn.automattic.com/wordpress/trunk@9163 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
wp-admin/includes/plugin-install.php | 44 +++++++++++++++++++++++-----
wp-settings.php | 24 ++++++++-------
2 files changed, 51 insertions(+), 17 deletions(-)
diff --git a/wp-admin/includes/plugin-install.php b/wp-admin/includes/plugin-install.php
index 6e7fd3f5f6..52cb5bb52c 100644
--- a/wp-admin/includes/plugin-install.php
+++ b/wp-admin/includes/plugin-install.php
@@ -37,9 +37,13 @@ function plugins_api($action, $args = null) {
 if ( ! $res ) {
 $request = wp_remote_post('http://api.wordpress.org/plugins/info/1.0/', array( 'body' => array('action' => $action, 'request' => serialize($args))) );
- $res = unserialize($request['body']);
- if ( ! $res )
- $res = new WP_Error('plugins_api_failed', __('An unknown error occured'), $request['body']);
+ if ( is_wp_error($request) ) {
+ $res = new WP_Error('plugins_api_failed', __('An Unexpected HTTP Error occured during the API request.

Try again'), $request->get_error_message() );
+ } else {
+ $res = unserialize($request['body']);
+ if ( ! $res )
+ $res = new WP_Error('plugins_api_failed', __('An unknown error occured'), $request['body']);
+ }
 }
 return apply_filters('plugins_api_result', $res, $action, $args);
@@ -62,6 +66,9 @@ function install_popular_tags( $args = array() ) {
 $tags = plugins_api('hot_tags', $args);
+ if ( is_wp_error($tags) )
+ return $tags;
+
 $cache = (object) array('timeout' => time(), 'cached' => $tags);
 update_option('wporg_popular_tags', $cache);
@@ -100,6 +107,9 @@ function install_search($page) {
 $api = plugins_api('query_plugins', $args);
+ if ( is_wp_error($api) )
+ wp_die($api);
+
 add_action('install_plugins_table_header', 'install_search_form');
 display_plugins_table($api->plugins, $api->info['page'], $api->info['pages']);
@@ -173,6 +183,8 @@ add_action('install_plugins_featured', 'install_featured', 10, 1);
 function install_featured($page = 1) {
 $args = array('browse' => 'featured', 'page' => $page);
 $api = plugins_api('query_plugins', $args);
+ if ( is_wp_error($api) )
+ wp_die($api);
 display_plugins_table($api->plugins, $api->info['page'], $api->info['pages']);
 }
@@ -201,6 +213,8 @@ add_action('install_plugins_new', 'install_new', 10, 1);
 function install_new($page = 1) {
 $args = array('browse' => 'new', 'page' => $page);
 $api = plugins_api('query_plugins', $args);
+ if ( is_wp_error($api) )
+ wp_die($api);
 display_plugins_table($api->plugins, $api->info['page'], $api->info['pages']);
 }
 add_action('install_plugins_updated', 'install_updated', 10, 1);
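Review bot: The `} else {` branch added here still hands the raw response body to `unserialize()`, and the request on the preceding context line goes to a plain `http://` URL, so anyone able to alter that response can make the admin process instantiate arbitrary PHP objects; the new `is_wp_error()` check only covers transport failures. Check the status before deserialising, `} elseif ( 200 != $request['response']['code'] ) { $res = new WP_Error('plugins_api_failed', __('An unknown error occured'), $request['body']); } else {`, and consider a response format that cannot instantiate classes at all. The new user-facing string also spells `occured` where `occurred` is meant, and `if ( ! $res )` treats a legitimately serialised empty value as a failure. plugins_api() starts outside the hunk.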
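Review bot: Returning the WP_Error from install_popular_tags() pushes the failure onto callers that, judging by the name and the `'cached' => $tags` value stored just below, expect an array of tags; a caller that iterates the result would now trip over a WP_Error object. Unless every caller is updated to test `is_wp_error()`, returning an empty array here, `return array();`, is the safer contract — the callers are outside this hunk, so this needs confirming. install_popular_tags() starts outside the hunk.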
@@ -234,7 +248,9 @@ function display_plugins_table($plugins, $page = 1, $totalpages = 1){
 $type = isset($_REQUEST['type']) ? $_REQUEST['type'] : '';
 $term = isset($_REQUEST['s']) ? $_REQUEST['s'] : '';
- $plugins_allowedtags = array('a' => array('href' => array(),'title' => array(), 'target' => array()),'abbr' => array('title' => array()),'acronym' => array('title' => array()),'code' => array(),'em' => array(),'strong' => array());
+ $plugins_allowedtags = array('a' => array('href' => array(),'title' => array(), 'target' => array()),
+ 'abbr' => array('title' => array()),'acronym' => array('title' => array()),
+ 'code' => array(),'em' => array(),'strong' => array());
 ?>

@@ -316,7 +332,7 @@ function display_plugins_table($plugins, $page = 1, $totalpages = 1){ -
+
<?php _e('5 stars') ?>
<?php _e('4 stars') ?>
@@ -355,6 +371,19 @@ function install_plugin_information() {
 $api = plugins_api('plugin_information', array('slug' => $_REQUEST['plugin']));
+ if ( is_wp_error($api) )
+ wp_die($api);
+
+ $plugins_allowedtags = array('a' => array('href' => array(), 'title' => array(), 'target' => array()),
+ 'abbr' => array('title' => array()), 'acronym' => array('title' => array()),
+ 'code' => array(), 'em' => array(), 'strong' => array(), 'div' => array(),
+ 'p' => array(), 'ul' => array(), 'ol' => array(), 'li' => array());
+ //Sanitize HTML
+ foreach ( (array)$api->sections as $section_name => $content )
+ $api->sections[$section_name] = wp_kses($content, $plugins_allowedtags);
+ foreach ( array('version', 'author', 'requires', 'tested', 'homepage', 'downloaded', 'slug') as $key )
+ $api->$key = wp_kses($api->$key, $plugins_allowedtags);
+
 $section = isset($_REQUEST['section']) ? $_REQUEST['section'] : 'description'; //Default to the Description tab, Do not translate, API returns English.
 if( empty($section) || ! isset($api->sections[ $section ]) )
 $section = array_shift( $section_titles = array_keys((array)$api->sections) );
@@ -521,6 +550,9 @@ function install_plugin() {
 check_admin_referer('install-plugin_' . $plugin);
 $api = plugins_api('plugin_information', array('slug' => $plugin, 'fields' => array('sections' => false) ) ); //Save on a bit of bandwidth.
+
+ if ( is_wp_error($api) )
+ wp_die($api);
 echo '
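Review bot: The `wp_kses()` pass over `$api` covers `sections` and the seven listed keys but not `name`, which the same API object carries and which the install_plugin() hunk below concatenates straight into markup; add it to the list, `foreach ( array('name', 'version', 'author', 'requires', 'tested', 'homepage', 'downloaded', 'slug') as $key )`. Any key the API omits also raises an undefined-property notice on `$api->$key`, so an `isset($api->$key)` guard inside that loop is cheap. `$_REQUEST['section']` is only used as an array key here, which is fine, but if it is echoed further down it needs escaping as well — install_plugin_information() continues outside the hunk.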
'; echo '

', sprintf( __('Installing Plugin: %s'), $api->name . ' ' . $api->version ), '

';
@@ -834,6 +866,4 @@ function wp_install_plugin_local_package($package, $feedback = '') {
 return $folder . '/' . $pluginfiles[0];
 }
-
-
 ?>
diff --git a/wp-settings.php b/wp-settings.php
index e703202fb4..efc7f63b17 100644
--- a/wp-settings.php
+++ b/wp-settings.php
@@ -108,16 +108,19 @@ if ( !defined('WP_CONTENT_DIR') )
 define( 'WP_CONTENT_DIR', ABSPATH . 'wp-content' ); // no trailing slash, full paths only - WP_CONTENT_URL is defined further down
 if ( file_exists(ABSPATH . '.maintenance') && !defined('WP_INSTALLING') ) {
- if ( file_exists( WP_CONTENT_DIR . '/maintenance.php' ) ) {
- require_once( WP_CONTENT_DIR . '/maintenance.php' );
- die();
- }
+ include(ABSPATH . '.maintenance');
+ // If the $upgrading timestamp is older than 10 minutes, don't die.
+ if ( ( time() - $upgrading ) < 600 ) {
+ if ( file_exists( WP_CONTENT_DIR . '/maintenance.php' ) ) {
+ require_once( WP_CONTENT_DIR . '/maintenance.php' );
+ die();
+ }
- $protocol = $_SERVER["SERVER_PROTOCOL"];
- if ( 'HTTP/1.1' != $protocol && 'HTTP/1.0' != $protocol )
- $protocol = 'HTTP/1.0';
- header( "$protocol 503 Service Unavailable", true, 503 );
- header( 'Content-Type: text/html; charset=utf-8' );
+ $protocol = $_SERVER["SERVER_PROTOCOL"];
+ if ( 'HTTP/1.1' != $protocol && 'HTTP/1.0' != $protocol )
+ $protocol = 'HTTP/1.0';
+ header( "$protocol 503 Service Unavailable", true, 503 );
+ header( 'Content-Type: text/html; charset=utf-8' );
 ?>
@@ -131,7 +134,8 @@ if ( file_exists(ABSPATH . '.maintenance') && !defined('WP_INSTALLING') ) {
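Review bot: Right after the added `is_wp_error()` check, `$api->name` and `$api->version` are written into the page through `sprintf()` with no escaping, although this same commit introduces a wp_kses() allow-list for the API fields in install_plugin_information(); both values come from the remote API response. Wrap the value, `sprintf( __('Installing Plugin: %s'), wp_specialchars( $api->name . ' ' . $api->version ) )`, or run it through the same wp_kses() list. install_plugin() continues outside the hunk.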
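Review bot: `$upgrading` is read after `include(ABSPATH . '.maintenance')` without checking that the file actually set it; when the variable is absent or not numeric, `time() - $upgrading` is computed against 0, the `< 600` test fails and the site serves normal pages while `.maintenance` is still present, so the new guard fails open on a malformed file. Guard the read, `if ( ! isset( $upgrading ) || ( time() - (int) $upgrading ) < 600 ) {`, so that maintenance mode stays on unless a valid, expired timestamp is found, and say in the comment which way a missing value is meant to go. The `if ( ... < 600 )` block opened here closes outside the hunk.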