WordPress.org

Make WordPress Core

Ticket #22572: 22572.3.patch

File 22572.3.patch, 2.4 KB (added by ocean90, 5 years ago)
  • wp-admin/includes/media.php

     
    21662166 * @since 2.6.0
    21672167 */
    21682168function media_upload_flash_bypass() {
     2169        $browser_uploader = admin_url( 'media-new.php?browser-uploader' );
     2170
     2171        $post = get_post();
     2172        if ( ! empty( $post ) )
     2173                $browser_uploader = add_query_arg( 'post_id', $post->ID, $browser_uploader );
     2174
    21692175        ?>
    21702176        <p class="upload-flash-bypass">
    2171         <?php printf( __( 'You are using the multi-file uploader. Problems? Try the <a href="%1$s" target="%2$s">browser uploader</a> instead.' ), admin_url( 'media-new.php?browser-uploader' ), '_blank' ); ?>
     2177        <?php printf( __( 'You are using the multi-file uploader. Problems? Try the <a href="%1$s" target="%2$s">browser uploader</a> instead.' ), $browser_uploader, '_blank' ); ?>
    21722178        </p>
    21732179        <?php
    21742180}
  • wp-admin/media-new.php

     
    1717
    1818wp_enqueue_script('plupload-handlers');
    1919
    20 unset( $_REQUEST['post_id'] );
     20$post_id = ! empty( $_REQUEST['post_id'] ) ? (int) $_REQUEST['post_id'] : 0;
    2121
    2222if ( $_POST ) {
     23        if ( ! empty( $post_id ) && ! current_user_can( 'edit_post' , $post_id ) )
     24                wp_die( __( 'Cheatin&#8217; uh?' ) );
     25
    2326        $location = 'upload.php';
    2427        if ( isset($_POST['html-upload']) && !empty($_FILES) ) {
    2528                check_admin_referer('media-form');
    2629                // Upload File button was clicked
    27                 $id = media_handle_upload('async-upload', $_REQUEST['post_id']);
     30                $id = media_handle_upload('async-upload', $post_id);
    2831                if ( is_wp_error( $id ) )
    2932                        $location .= '?message=3';
    3033        }
    3134        wp_redirect( admin_url( $location ) );
    3235        exit;
     36} else if ( ! empty( $post_id ) ) {
     37        // post_id is only allowed for browser upload
     38        wp_die( __( 'Cheatin&#8217; uh?' ) );
    3339}
    3440
    3541$title = __('Upload New Media');
     
    6874        <?php media_upload_form(); ?>
    6975
    7076        <script type="text/javascript">
    71         var post_id = 0, shortform = 3;
     77        var post_id = <?php echo $post_id; ?>, shortform = 3;
    7278        </script>
    73         <input type="hidden" name="post_id" id="post_id" value="0" />
     79        <input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
    7480        <?php wp_nonce_field('media-form'); ?>
    7581        <div id="media-items" class="hide-if-no-js"></div>
    7682        </form>