Changeset 10879


Timestamp:
04/06/09 17:27:36 (5 years ago)
Author:
ryan
Message:

Don't allow editing of binary files. Props jbsil. fixes #9452

File:
1 edited

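--- a/trunk/wp-admin/plugin-editor.php
+++ b/trunk/wp-admin/plugin-editor.php
@@ -19,4 +19,7 @@
 $plugins = get_plugins();
 
+if ( isset($_REQUEST['plugin']) )
+    $plugin = $_REQUEST['plugin'];
+
 if ( empty($plugin) ) {
     $plugin = array_keys($plugins);
@@ -26,5 +29,5 @@
 $plugin_files = get_plugin_files($plugin);
 
-if (empty($file))
+if ( empty($file) )
     $file = $plugin_files[0];
 
@@ -32,5 +35,5 @@
 $real_file = WP_PLUGIN_DIR . '/' . $file;
 
-switch($action) {
+switch ( $action ) {
 
 case 'update':
@@ -71,9 +74,9 @@
 
         $error = validate_plugin($file);
-        if( is_wp_error($error) )
+        if ( is_wp_error($error) )
             wp_die( $error );
 
         if ( ! is_plugin_active($file) )
-            activate_plugin($file, "plugin-editor.php?file=$file&phperror=1");// we'll override this later if the plugin can be included without fatal error
+            activate_plugin($file, "plugin-editor.php?file=$file&phperror=1"); // we'll override this later if the plugin can be included without fatal error
 
         wp_redirect("plugin-editor.php?file=$file&a=te");
@@ -87,6 +90,21 @@
     update_recently_edited(WP_PLUGIN_DIR . '/' . $file);
 
-    if ( ! is_file($real_file) )
-        $error = 1;
+    // List of allowable extensions
+    $editable_extensions = array('php', 'txt', 'text', 'js', 'css', 'html', 'htm', 'xml', 'inc', 'include');
+    $extra_extensions = apply_filters('editable_extensions', null);
+    if ( is_array($extra_extensions) )
+        $editable_extensions = array_merge($editable_extensions, $extra_extensions);
+
+    if ( ! is_file($real_file) ) {
+        $error = __('No such file exists! Double check the name and try again.');
+    } else {
+        // Get the extension of the file
+        if ( preg_match('/\.([^.]+)$/', $real_file, $matches) ) {
+            $ext = strtolower($matches[1]);
+            // If extension is not in the acceptable list, skip it
+            if ( !in_array( $ext, $editable_extensions) )
+                $error = __('Files of this type are not editable.');
+        }
+    }
 
     if ( ! $error ) {
@@ -99,5 +117,5 @@
             $docs_select .= '<option value="">' . __( 'Function Name...' ) . '</option>';
             foreach ( $functions as $function) {
-                $docs_select .= '<option value="' . urlencode( $function ) . '">' . htmlspecialchars( $function ) . '()</option>';
+                $docs_select .= '<option value="' . attribute_escape( $function ) . '">' . htmlspecialchars( $function ) . '()</option>';
             }
             $docs_select .= '</select>';
@@ -127,11 +145,14 @@
         <select name="plugin" id="plugin">
 <?php
-    foreach ($plugins as $plugin_key => $a_plugin) {
-    $plugin_name = $a_plugin['Name'];
-    if ($plugin_key == $plugin) $selected = " selected='selected'";
-    else $selected = '';
-    $plugin_name = attribute_escape($plugin_name);
-    echo "\n\t<option value=\"$plugin_key\" $selected>$plugin_name</option>";
-}
+    foreach ( $plugins as $plugin_key => $a_plugin ) {
+        $plugin_name = $a_plugin['Name'];
+        if ( $plugin_key == $plugin )
+            $selected = " selected='selected'";
+        else
+            $selected = '';
+        $plugin_name = attribute_escape($plugin_name);
+        $plugin_key = attribute_escape($plugin_key);
+        echo "\n\t<option value=\"$plugin_key\" $selected>$plugin_name</option>";
+    }
 ?>
         </select>
@@ -162,5 +183,17 @@
 
     <ul>
-<?php foreach($plugin_files as $plugin_file) : ?>
+<?php
+foreach ( $plugin_files as $plugin_file ) :
+    // Get the extension of the file
+    if ( preg_match('/\.([^.]+)$/', $plugin_file, $matches) ) {
+        $ext = strtolower($matches[1]);
+        // If extension is not in the acceptable list, skip it
+        if ( !in_array( $ext, $editable_extensions ) )
+            continue;
+    } else {
+        // No extension found
+        continue;
+    }
+?>
         <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo $plugin_file; ?>&plugin=<?php echo $plugin; ?>"><?php echo $plugin_file ?></a></li>
 <?php endforeach; ?>
@@ -176,5 +209,5 @@
         </div>
         <?php if ( count( $functions ) ) : ?>
-        <div id="documentation"><label for="docs-list">Documentation:</label> <?php echo $docs_select ?> <input type="button" class="button" value=" <?php _e( 'Lookup' ) ?> " onclick="if ( '' != jQuery('#docs-list').val() ) { window.open( 'http://api.wordpress.org/core/handbook/1.0/?function=' + escape( jQuery( '#docs-list' ).val() ) + '&locale=<?php echo urlencode( get_locale() ) ?>&version=<?php echo urlencode( $wp_version ) ?>&redirect=true'); }" /></div>
+        <div id="documentation"><label for="docs-list"><?php _e('Documentation:') ?></label> <?php echo $docs_select ?> <input type="button" class="button" value=" <?php echo attribute_escape(__( 'Lookup' )) ?> " onclick="if ( '' != jQuery('#docs-list').val() ) { window.open( 'http://api.wordpress.org/core/handbook/1.0/?function=' + escape( jQuery( '#docs-list' ).val() ) + '&locale=<?php echo urlencode( get_locale() ) ?>&version=<?php echo urlencode( $wp_version ) ?>&redirect=true'); }" /></div>
         <?php endif; ?>
 <?php if ( is_writeable($real_file) ) : ?>
@@ -196,5 +229,5 @@
 <?php
     } else {
-        echo '<div class="error"><p>' . __('Oops, no such file exists! Double check the name and try again, merci.') . '</p></div>';
+        echo '<div class="error"><p>' . $error . '</p></div>';
     }
 ?>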
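Review bot: The added `$plugin = $_REQUEST['plugin'];` in the first hunk stores the request value without checking it against the known plugin list, and the unchanged `<li>` line at new line 198 still echoes `$plugin` and `$plugin_file` raw into the `href` attribute, even though this commit escapes `$plugin_key` for the `<select>` a few lines earlier. Restricting the assignment to known keys, `if ( isset($_REQUEST['plugin']) && isset($plugins[$_REQUEST['plugin']]) ) $plugin = $_REQUEST['plugin'];`, and wrapping both echoes in `attribute_escape()` would keep the two output paths consistent. In the `$editable_extensions` hunk, a file with no extension sets no `$error` and stays editable while the file list below skips such files with `continue`; adding `else $error = __('Files of this type are not editable.');` after the `preg_match` branch would make the two checks agree. Where `$file` and `$action` are read from the request is outside the shown hunks.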