
Ticket #7277: optionwhitelist.diff

File optionwhitelist.diff, 10.7 KB (added by donncha, 7 years ago)

Adds option whitelisting

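--- a/options-privacy.php
+++ b/options-privacy.php
@@ -10,7 +10,8 @@
 <div class="wrap">
 <h2><?php _e('Privacy Settings') ?></h2>
 <form method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<?php wp_nonce_field('privacy-options') ?>
+<input type='hidden' name='option_page' value='privacy' />
 <table class="form-table">
 <tr valign="top">
 <th scope="row"><?php _e('Blog Visibility') ?> </th>
@@ -26,7 +27,6 @@
 
 <p class="submit"><input type="submit" name="Submit" value="<?php _e('Save Changes') ?>" />
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="blog_public" />
 </p>
 </form>
 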
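--- a/includes/misc.php
+++ b/includes/misc.php
@@ -160,4 +160,63 @@
         }
 }
 
+/* Whitelist functions */
+function add_option_update_handler($option_group, $option_name, $sanitize_callback = '') {
+        global $new_whitelist_options;
+        $new_whitelist_options[ $option_group ][] = $option_name;
+        if( $sanitize_callback != '' )
+                add_filter( "sanitize_option_{$option_name}", $sanitize_callback );
+}
+
+function remove_option_update_handler($option_group, $option_name, $sanitize_callback = '') {
+        global $new_whitelist_options;
+        $pos = array_search( $option_name, $new_whitelist_options );
+        if( $pos !== false )
+                unset( $new_whitelist_options[ $option_group ][ $pos ] );
+        if( $sanitize_callback != '' )
+                remove_filter( "sanitize_option_{$option_name}", $sanitize_callback );
+}
+
+function option_update_filter( $options ) {
+        global $new_whitelist_options;
+
+        if( is_array( $new_whitelist_options ) )
+                $options = add_option_whitelist( $new_whitelist_options, $options );
+
+        return $options;
+}
+add_filter( 'whitelist_options', 'option_update_filter' );
+
+function add_option_whitelist( $new_options, $options = '' ) {
+        if( $options == '' ) {
+                global $whitelist_options;
+        } else {
+                $whitelist_options = $options;
+        }
+        foreach( $new_options as $page => $keys ) {
+                foreach( $keys as $key ) {
+                        $pos = array_search( $key, $whitelist_options[ $page ] );
+                        if( $pos === false )
+                                $whitelist_options[ $page ][] = $key;
+                }
+        }
+        return $whitelist_options;
+}
+
+function remove_option_whitelist( $del_options, $options = '' ) {
+        if( $options == '' ) {
+                global $whitelist_options;
+        } else {
+                $whitelist_options = $options;
+        }
+        foreach( $del_options as $page => $keys ) {
+                foreach( $keys as $key ) {
+                        $pos = array_search( $key, $whitelist_options[ $page ] );
+                        if( $pos !== false )
+                                unset( $whitelist_options[ $page ][ $pos ] );
+                }
+        }
+        return $whitelist_options;
+}
+
 ?>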
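Review bot: remove_option_update_handler() at new lines 171–178 never removes anything, because `array_search( $option_name, $new_whitelist_options )` scans the outer group→list map instead of the list for `$option_group`, so a string is compared against whole arrays and `$pos` is always false; the later `unset( $new_whitelist_options[ $option_group ][ $pos ] )` is therefore dead code and callers such as options.php's siteurl/home handling silently keep the option writable. Look the name up in the group's own list, strictly, and tolerate a group that was never registered: `$pos = isset( $new_whitelist_options[ $option_group ] ) ? array_search( $option_name, $new_whitelist_options[ $option_group ], true ) : false;`. add_option_whitelist() at new lines 196–200 has the milder mirror problem: `array_search( $key, $whitelist_options[ $page ] )` on a page with no entry yet raises a warning before the append, which seeding `$whitelist_options[ $page ] = array()` when unset would avoid. The same strict third argument to array_search in both whitelist loops keeps loose comparison out of an access-control list.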
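--- a/options-general.php
+++ b/options-general.php
@@ -10,7 +10,8 @@
 <div class="wrap">
 <h2><?php _e('General Settings') ?></h2>
 <form method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<?php wp_nonce_field('general-options') ?>
+<input type='hidden' name='option_page' value='general' />
 <table class="form-table">
 <tr valign="top">
 <th scope="row"><label for="blogname"><?php _e('Blog Title') ?></label></th>
@@ -112,7 +113,6 @@
 
 <p class="submit"><input type="submit" name="Submit" value="<?php _e('Save Changes') ?>" />
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="<?php if ( ! defined( 'WP_SITEURL' ) ) echo 'siteurl,'; if ( ! defined( 'WP_HOME' ) ) echo 'home,'; ?>blogname,blogdescription,admin_email,users_can_register,gmt_offset,date_format,time_format,start_of_week,comment_registration,default_role" />
 </p>
 </form>
 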
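--- a/options-misc.php
+++ b/options-misc.php
@@ -11,7 +11,8 @@
 <div class="wrap">
 <h2><?php _e('Miscellaneous Settings') ?></h2>
 <form method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<input type='hidden' name='option_page' value='misc' />
+<?php wp_nonce_field('misc-options') ?>
 <h3><?php _e('Uploading'); ?></h3>
 <table class="form-table">
 <tr valign="top">
@@ -90,10 +91,9 @@
 
 <p class="submit">
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="hack_file,use_linksupdate,uploads_use_yearmonth_folders,upload_path,upload_url_path,thumbnail_size_w,thumbnail_size_h,thumbnail_crop,medium_size_w,medium_size_h" />
 <input type="submit" name="Submit" value="<?php _e('Save Changes') ?>" class="button" />
 </p>
 </form>
 </div>
 
-<?php include('./admin-footer.php'); ?>
\ No newline at end of file
+<?php include('./admin-footer.php'); ?>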
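Review bot: The removed page_options list at old line 93 included `upload_url_path`, but the `misc` entry that replaces it in options.php's `$whitelist_options` (its new line 13) stops at `upload_path`, so after this patch a save from this page silently discards whatever the user posted for that option. Unless the field is also being dropped from the form, which this hunk does not show, add it to the whitelist: `'misc' => array( 'hack_file', 'use_linksupdate', 'uploads_use_yearmonth_folders', 'upload_path', 'upload_url_path', 'thumbnail_size_w', 'thumbnail_size_h', 'thumbnail_crop', 'medium_size_w', 'medium_size_h' ),`. A one-line comment over the whitelist saying that every option name a settings form posts must appear there, or it is dropped without error, would make this class of regression easier to spot.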
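--- a/options-discussion.php
+++ b/options-discussion.php
@@ -10,7 +10,8 @@
 <div class="wrap">
 <h2><?php _e('Discussion Settings') ?></h2>
 <form method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<input type='hidden' name='option_page' value='discussion' />
+<?php wp_nonce_field('discussion-options') ?>
 <table class="form-table">
 <tr valign="top">
 <th scope="row"><?php _e('Default article settings') ?></th>
@@ -151,7 +152,6 @@
 
 <p class="submit">
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="default_pingback_flag,default_ping_status,default_comment_status,comments_notify,moderation_notify,comment_moderation,require_name_email,comment_whitelist,comment_max_links,moderation_keys,blacklist_keys,show_avatars,avatar_rating,avatar_default" />
 <input type="submit" name="Submit" value="<?php _e('Save Changes') ?>" />
 </p>
 </form>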
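Review bot: The removed page_options list at old line 154 ended with `avatar_default`, but the `discussion` entry in options.php's `$whitelist_options` (its new line 12) ends at `avatar_rating`, so the default-avatar choice posted from this form is no longer saved. If the form still renders that control, which this hunk does not show, append it: `'discussion' => array( ..., 'show_avatars', 'avatar_rating', 'avatar_default' ),`. Because the new update path iterates the whitelist rather than the posted fields, a missing name fails silently, so each settings page's list is worth checking against its form field by field before this lands.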
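--- a/options.php
+++ b/options.php
@@ -7,6 +7,19 @@
 
 wp_reset_vars(array('action'));
 
+$whitelist_options = array(
+        'general' => array('siteurl', 'home', 'blogname', 'blogdescription', 'admin_email', 'users_can_register', 'gmt_offset', 'date_format', 'time_format', 'start_of_week', 'comment_registration', 'default_role'),
+        'discussion' => array( 'default_pingback_flag', 'default_ping_status', 'default_comment_status', 'comments_notify', 'moderation_notify', 'comment_moderation', 'require_name_email', 'comment_whitelist', 'comment_max_links', 'moderation_keys', 'blacklist_keys', 'show_avatars', 'avatar_rating' ),
+        'misc' => array( 'hack_file', 'use_linksupdate', 'uploads_use_yearmonth_folders', 'upload_path', 'thumbnail_size_w', 'thumbnail_size_h', 'thumbnail_crop', 'medium_size_w', 'medium_size_h' ),
+        'privacy' => array( 'blog_public' ),
+        'reading' => array( 'posts_per_page', 'posts_per_rss', 'rss_use_excerpt', 'blog_charset', 'gzipcompression', 'show_on_front', 'page_on_front', 'page_for_posts' ),
+        'writing' => array( 'default_post_edit_rows', 'use_smilies', 'ping_sites', 'mailserver_url', 'mailserver_port', 'mailserver_login', 'mailserver_pass', 'default_category', 'default_email_category', 'use_balanceTags', 'default_link_category', 'enable_app', 'enable_xmlrpc' ),
+        'options' => array( '' ) );
+if ( defined( 'WP_SITEURL' ) ) remove_option_update_handler( 'general', 'siteurl' );
+if ( defined( 'WP_HOME' ) ) remove_option_update_handler( 'general', 'home' );
+
+$whitelist_options = apply_filters( 'whitelist_options', $whitelist_options );
+
 if ( !current_user_can('manage_options') )
         wp_die(__('Cheatin&#8217; uh?'));
 
@@ -15,15 +28,17 @@
 case 'update':
         $any_changed = 0;
 
-        check_admin_referer('update-options');
+        $option_page = $_POST[ 'option_page' ];
+        check_admin_referer( $option_page . '-options' );
 
-        if ( !$_POST['page_options'] ) {
-                foreach ( (array) $_POST as $key => $value) {
-                        if ( !in_array($key, array('_wpnonce', '_wp_http_referer')) )
-                                $options[] = $key;
+        if( !isset( $whitelist_options[ $option_page ] ) )
+                wp_die( __( 'Error! Options page not found.' ) );
+
+        if( $option_page == 'options' ) {
+                $options = explode(',', stripslashes( $_POST[ 'page_options' ] ));
                 }
         } else {
-                $options = explode(',', stripslashes($_POST['page_options']));
+                $options = $whitelist_options[ $option_page ];
         }
 
         if ($options) {
@@ -46,8 +61,9 @@
 <div class="wrap">
   <h2><?php _e('All Settings'); ?></h2>
   <form name="form" action="options.php" method="post" id="all-options">
-  <?php wp_nonce_field('update-options') ?>
+  <?php wp_nonce_field('options-options') ?>
   <input type="hidden" name="action" value="update" />
+  <input type='hidden' name='option_page' value='options' />
   <table class="form-table">
 <?php
 $options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name");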
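Review bot: The update branch at new lines 37–42 is unbalanced as rendered: the `{` opened at line 37 is closed by the kept context `}` at line 39 (the old foreach's closing brace from old line 24), so the `} else {` at line 40 has no open block and the file will not parse; that context line should go out with the foreach, leaving `if( $option_page == 'options' ) { $options = explode(...); } else { $options = $whitelist_options[ $option_page ]; }`. Separately, lines 18–19 try to drop `siteurl`/`home` when WP_SITEURL/WP_HOME are defined by calling remove_option_update_handler(), but that function edits the global `$new_whitelist_options`, not the `$whitelist_options` literal at lines 10–17, which still lists both names, so a POST with `option_page=general` can still overwrite those rows — exactly what the removed conditional in options-general.php's page_options used to prevent. Prune the local array directly instead, e.g. `if ( defined( 'WP_SITEURL' ) ) $whitelist_options = remove_option_whitelist( array( 'general' => array( 'siteurl' ) ), $whitelist_options );` and the same for `home`. Note also that the `options` page at lines 37–38 still takes its option list verbatim from `$_POST['page_options']`, so the whitelist does not constrain the All Settings form at all, and `$_POST['option_page']` is read at line 31 without an isset() guard; if the first is intended, a comment saying so would stop the next reader assuming the whitelist covers it.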
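--- a/options-reading.php
+++ b/options-reading.php
@@ -10,7 +10,8 @@
 <div class="wrap">
 <h2><?php _e('Reading Settings') ?></h2>
 <form name="form1" method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<?php wp_nonce_field('reading-options') ?>
+<input type='hidden' name='option_page' value='reading' />
 <table class="form-table">
 <?php if ( get_pages() ): ?>
 <tr valign="top">
@@ -66,7 +67,6 @@
 </table>
 <p class="submit">
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="posts_per_page,posts_per_rss,rss_use_excerpt,blog_charset,gzipcompression,show_on_front,page_on_front,page_for_posts" />
 <input type="submit" name="Submit" value="<?php _e('Save Changes') ?>" />
 </p>
 </form>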
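--- a/options-writing.php
+++ b/options-writing.php
@@ -10,8 +10,8 @@
 <div class="wrap">
 <h2><?php _e('Writing Settings') ?></h2>
 <form method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
-
+<?php wp_nonce_field('writing-options') ?>
+<input type='hidden' name='option_page' value='writing' />
 <table class="form-table">
 <tr valign="top">
 <th scope="row"><label for="default_post_edit_rows"> <?php _e('Size of the post box') ?></label></th>
@@ -130,7 +130,6 @@
 
 <p class="submit">
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="default_post_edit_rows,use_smilies,ping_sites,mailserver_url,mailserver_port,mailserver_login,mailserver_pass,default_category,default_email_category,use_balanceTags,default_link_category,enable_app,enable_xmlrpc" />
 <input type="submit" name="Submit" value="<?php _e('Save Changes') ?>" />
 </p>
 </form>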