
Ticket #7277: optionwhitelist.diff

File optionwhitelist.diff, 10.7 KB (added by donncha, 10 years ago)

Adds option whitelisting

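--- a/options-privacy.php
+++ b/options-privacy.php
@@ -10,7 +10,8 @@
 <div class="wrap">
 <h2><?php _e('Privacy Settings') ?></h2>
 <form method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<?php wp_nonce_field('privacy-options') ?>
+<input type='hidden' name='option_page' value='privacy' />
 <table class="form-table">
 <tr valign="top">
 <th scope="row"><?php _e('Blog Visibility') ?> </th>
@@ -26,7 +27,6 @@
 
 <p class="submit"><input type="submit" name="Submit" value="<?php _e('Save Changes') ?>" />
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="blog_public" />
 </p>
 </form>
 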
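--- a/includes/misc.php
+++ b/includes/misc.php
@@ -160,4 +160,63 @@
         }
 }
 
+/* Whitelist functions */
+function add_option_update_handler($option_group, $option_name, $sanitize_callback = '') {
+        global $new_whitelist_options;
+        $new_whitelist_options[ $option_group ][] = $option_name;
+        if( $sanitize_callback != '' )
+                add_filter( "sanitize_option_{$option_name}", $sanitize_callback );
+}
+
+function remove_option_update_handler($option_group, $option_name, $sanitize_callback = '') {
+        global $new_whitelist_options;
+        $pos = array_search( $option_name, $new_whitelist_options );
+        if( $pos !== false )
+                unset( $new_whitelist_options[ $option_group ][ $pos ] );
+        if( $sanitize_callback != '' )
+                remove_filter( "sanitize_option_{$option_name}", $sanitize_callback );
+}
+
+function option_update_filter( $options ) {
+        global $new_whitelist_options;
+
+        if( is_array( $new_whitelist_options ) )
+                $options = add_option_whitelist( $new_whitelist_options, $options );
+
+        return $options;
+}
+add_filter( 'whitelist_options', 'option_update_filter' );
+
+function add_option_whitelist( $new_options, $options = '' ) {
+        if( $options == '' ) {
+                global $whitelist_options;
+        } else {
+                $whitelist_options = $options;
+        }
+        foreach( $new_options as $page => $keys ) {
+                foreach( $keys as $key ) {
+                        $pos = array_search( $key, $whitelist_options[ $page ] );
+                        if( $pos === false )
+                                $whitelist_options[ $page ][] = $key;
+                }
+        }
+        return $whitelist_options;
+}
+
+function remove_option_whitelist( $del_options, $options = '' ) {
+        if( $options == '' ) {
+                global $whitelist_options;
+        } else {
+                $whitelist_options = $options;
+        }
+        foreach( $del_options as $page => $keys ) {
+                foreach( $keys as $key ) {
+                        $pos = array_search( $key, $whitelist_options[ $page ] );
+                        if( $pos !== false )
+                                unset( $whitelist_options[ $page ][ $pos ] );
+                }
+        }
+        return $whitelist_options;
+}
+
 ?>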
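Review bot: `remove_option_update_handler` searches the wrong array — `array_search( $option_name, $new_whitelist_options )` looks for the option name among the top-level group entries, never inside `$new_whitelist_options[ $option_group ]`, so `$pos` is always false and nothing is ever removed from the whitelist (options.php relies on this call for `siteurl`/`home`). Change it to `$pos = isset( $new_whitelist_options[ $option_group ] ) ? array_search( $option_name, $new_whitelist_options[ $option_group ], true ) : false;`. The same global is undefined until the first `add_option_update_handler` call, and `add_option_whitelist`/`remove_option_whitelist` likewise index `$whitelist_options[ $page ]` without checking that a plugin-supplied group exists, so each of those `array_search` calls can run on a null and emit a warning. Passing `true` as the third argument to every `array_search` here avoids loose-comparison matches between option names that only look numeric; since these lists decide which options a POST may overwrite, exact matching is the safer default.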
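--- a/options-general.php
+++ b/options-general.php
@@ -10,7 +10,8 @@
 <div class="wrap">
 <h2><?php _e('General Settings') ?></h2>
 <form method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<?php wp_nonce_field('general-options') ?>
+<input type='hidden' name='option_page' value='general' />
 <table class="form-table">
 <tr valign="top">
 <th scope="row"><label for="blogname"><?php _e('Blog Title') ?></label></th>
@@ -112,7 +113,6 @@
 
 <p class="submit"><input type="submit" name="Submit" value="<?php _e('Save Changes') ?>" />
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="<?php if ( ! defined( 'WP_SITEURL' ) ) echo 'siteurl,'; if ( ! defined( 'WP_HOME' ) ) echo 'home,'; ?>blogname,blogdescription,admin_email,users_can_register,gmt_offset,date_format,time_format,start_of_week,comment_registration,default_role" />
 </p>
 </form>
 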
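--- a/options-misc.php
+++ b/options-misc.php
@@ -11,7 +11,8 @@
 <div class="wrap">
 <h2><?php _e('Miscellaneous Settings') ?></h2>
 <form method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<input type='hidden' name='option_page' value='misc' />
+<?php wp_nonce_field('misc-options') ?>
 <h3><?php _e('Uploading'); ?></h3>
 <table class="form-table">
 <tr valign="top">
@@ -90,10 +91,9 @@
 
 <p class="submit">
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="hack_file,use_linksupdate,uploads_use_yearmonth_folders,upload_path,upload_url_path,thumbnail_size_w,thumbnail_size_h,thumbnail_crop,medium_size_w,medium_size_h" />
 <input type="submit" name="Submit" value="<?php _e('Save Changes') ?>" class="button" />
 </p>
 </form>
 </div>
 
-<?php include('./admin-footer.php'); ?>
\ No newline at end of file
+<?php include('./admin-footer.php'); ?>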
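Review bot: `upload_url_path` is silently dropped by this change — the removed `page_options` list included it, but the `'misc'` whitelist entry in options.php (`hack_file, use_linksupdate, uploads_use_yearmonth_folders, upload_path, thumbnail_size_w, …`) does not, so the upload URL path field on this form will still post but will never be saved. Add `'upload_url_path'` after `'upload_path'` in that array. The nonce/`option_page` hunk itself matches the other pages, though this file emits `option_page` before `wp_nonce_field` while options-general and options-privacy do the reverse; harmless, but worth making uniform so a reader can grep for the pattern.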
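--- a/options-discussion.php
+++ b/options-discussion.php
@@ -10,7 +10,8 @@
 <div class="wrap">
 <h2><?php _e('Discussion Settings') ?></h2>
 <form method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<input type='hidden' name='option_page' value='discussion' />
+<?php wp_nonce_field('discussion-options') ?>
 <table class="form-table">
 <tr valign="top">
 <th scope="row"><?php _e('Default article settings') ?></th>
@@ -151,7 +152,6 @@
 
 <p class="submit">
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="default_pingback_flag,default_ping_status,default_comment_status,comments_notify,moderation_notify,comment_moderation,require_name_email,comment_whitelist,comment_max_links,moderation_keys,blacklist_keys,show_avatars,avatar_rating,avatar_default" />
 <input type="submit" name="Submit" value="<?php _e('Save Changes') ?>" />
 </p>
 </form>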
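Review bot: `avatar_default` is lost in the move to the server-side whitelist — the removed `page_options` value ends with `show_avatars,avatar_rating,avatar_default`, but the `'discussion'` array in options.php stops at `'avatar_rating'`, so the Default Avatar choice on this form will post and then be ignored. Add `'avatar_default'` to that array. The avatar fields themselves are outside the hunk, so I have not confirmed they are still rendered; if they are, the missing entry is a user-visible regression, and a quick check that every name on each removed `page_options` line has a counterpart in `$whitelist_options` would catch any other omissions.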
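--- a/options.php
+++ b/options.php
@@ -7,6 +7,19 @@
 
 wp_reset_vars(array('action'));
 
+$whitelist_options = array(
+        'general' => array('siteurl', 'home', 'blogname', 'blogdescription', 'admin_email', 'users_can_register', 'gmt_offset', 'date_format', 'time_format', 'start_of_week', 'comment_registration', 'default_role'),
+        'discussion' => array( 'default_pingback_flag', 'default_ping_status', 'default_comment_status', 'comments_notify', 'moderation_notify', 'comment_moderation', 'require_name_email', 'comment_whitelist', 'comment_max_links', 'moderation_keys', 'blacklist_keys', 'show_avatars', 'avatar_rating' ),
+        'misc' => array( 'hack_file', 'use_linksupdate', 'uploads_use_yearmonth_folders', 'upload_path', 'thumbnail_size_w', 'thumbnail_size_h', 'thumbnail_crop', 'medium_size_w', 'medium_size_h' ),
+        'privacy' => array( 'blog_public' ),
+        'reading' => array( 'posts_per_page', 'posts_per_rss', 'rss_use_excerpt', 'blog_charset', 'gzipcompression', 'show_on_front', 'page_on_front', 'page_for_posts' ),
+        'writing' => array( 'default_post_edit_rows', 'use_smilies', 'ping_sites', 'mailserver_url', 'mailserver_port', 'mailserver_login', 'mailserver_pass', 'default_category', 'default_email_category', 'use_balanceTags', 'default_link_category', 'enable_app', 'enable_xmlrpc' ),
+        'options' => array( '' ) );
+if ( defined( 'WP_SITEURL' ) ) remove_option_update_handler( 'general', 'siteurl' );
+if ( defined( 'WP_HOME' ) ) remove_option_update_handler( 'general', 'home' );
+
+$whitelist_options = apply_filters( 'whitelist_options', $whitelist_options );
+
 if ( !current_user_can('manage_options') )
         wp_die(__('Cheatin&#8217; uh?'));
 
@@ -15,15 +28,17 @@
 case 'update':
         $any_changed = 0;
 
-        check_admin_referer('update-options');
+        $option_page = $_POST[ 'option_page' ];
+        check_admin_referer( $option_page . '-options' );
 
-        if ( !$_POST['page_options'] ) {
-                foreach ( (array) $_POST as $key => $value) {
-                        if ( !in_array($key, array('_wpnonce', '_wp_http_referer')) )
-                                $options[] = $key;
+        if( !isset( $whitelist_options[ $option_page ] ) )
+                wp_die( __( 'Error! Options page not found.' ) );
+
+        if( $option_page == 'options' ) {
+                $options = explode(',', stripslashes( $_POST[ 'page_options' ] ));
                 }
         } else {
-                $options = explode(',', stripslashes($_POST['page_options']));
+                $options = $whitelist_options[ $option_page ];
         }
 
         if ($options) {
@@ -46,8 +61,9 @@
 <div class="wrap">
   <h2><?php _e('All Settings'); ?></h2>
   <form name="form" action="options.php" method="post" id="all-options">
-  <?php wp_nonce_field('update-options') ?>
+  <?php wp_nonce_field('options-options') ?>
   <input type="hidden" name="action" value="update" />
+  <input type='hidden' name='option_page' value='options' />
   <table class="form-table">
 <?php
 $options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name");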
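Review bot: The `WP_SITEURL`/`WP_HOME` exclusion on new lines 18–19 has no effect: `remove_option_update_handler` edits the plugin-side `$new_whitelist_options`, not the `$whitelist_options` array consulted on line 41 (and as written in includes/misc.php it searches the wrong level anyway), so `siteurl` and `home` stay updatable from the General form even when the constants are defined, whereas the removed `page_options` line in options-general.php used to skip them — depending on how the update loop outside the hunk treats a missing POST key, a defined constant could now lead to `siteurl` being overwritten with an empty value. Edit the array that is actually used, e.g. `if ( defined( 'WP_SITEURL' ) ) $whitelist_options = remove_option_whitelist( array( 'general' => array( 'siteurl' ) ), $whitelist_options );` and the equivalent for `home`, placed before the `whitelist_options` filter. Separately, the `'options'` branch on lines 37–38 still takes an arbitrary comma-separated list from `$_POST['page_options']`, so the whitelist does not apply to that page at all; if that is the intended escape hatch for All Settings it deserves a comment saying so, otherwise restrict the list to names the page actually rendered. `$_POST['option_page']` on line 31 is read without `isset()` and is used both as a nonce action and as an array key, so `$option_page = isset( $_POST['option_page'] ) ? (string) $_POST['option_page'] : '';` would avoid a notice and an array value reaching `check_admin_referer`. The `if ($options)` body that performs the updates continues outside the hunk.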
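--- a/options-reading.php
+++ b/options-reading.php
@@ -10,7 +10,8 @@
 <div class="wrap">
 <h2><?php _e('Reading Settings') ?></h2>
 <form name="form1" method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<?php wp_nonce_field('reading-options') ?>
+<input type='hidden' name='option_page' value='reading' />
 <table class="form-table">
 <?php if ( get_pages() ): ?>
 <tr valign="top">
@@ -66,7 +67,6 @@
 </table>
 <p class="submit">
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="posts_per_page,posts_per_rss,rss_use_excerpt,blog_charset,gzipcompression,show_on_front,page_on_front,page_for_posts" />
 <input type="submit" name="Submit" value="<?php _e('Save Changes') ?>" />
 </p>
 </form>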
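--- a/options-writing.php
+++ b/options-writing.php
@@ -10,8 +10,8 @@
 <div class="wrap">
 <h2><?php _e('Writing Settings') ?></h2>
 <form method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
-
+<?php wp_nonce_field('writing-options') ?>
+<input type='hidden' name='option_page' value='writing' />
 <table class="form-table">
 <tr valign="top">
 <th scope="row"><label for="default_post_edit_rows"> <?php _e('Size of the post box') ?></label></th>
@@ -130,7 +130,6 @@
 
 <p class="submit">
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="default_post_edit_rows,use_smilies,ping_sites,mailserver_url,mailserver_port,mailserver_login,mailserver_pass,default_category,default_email_category,use_balanceTags,default_link_category,enable_app,enable_xmlrpc" />
 <input type="submit" name="Submit" value="<?php _e('Save Changes') ?>" />
 </p>
 </form>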