
Changeset 10879


Timestamp:
04/06/2009 05:27:36 PM (16 years ago)
Author:
ryan
Message:

Don't allow editing of binary files. Props jbsil. fixes #9452

File:
1 edited

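--- a/trunk/wp-admin/plugin-editor.php
+++ b/trunk/wp-admin/plugin-editor.php
@@ -19,4 +19,7 @@
 $plugins = get_plugins();
 
+if ( isset($_REQUEST['plugin']) )
+    $plugin = $_REQUEST['plugin'];
+
 if ( empty($plugin) ) {
     $plugin = array_keys($plugins);
@@ -26,5 +29,5 @@
 $plugin_files = get_plugin_files($plugin);
 
-if (empty($file))
+if ( empty($file) )
     $file = $plugin_files[0];
 
@@ -32,5 +35,5 @@
 $real_file = WP_PLUGIN_DIR . '/' . $file;
 
-switch($action) {
+switch ( $action ) {
 
 case 'update':
@@ -71,9 +74,9 @@
 
         $error = validate_plugin($file);
-        if( is_wp_error($error) )
+        if ( is_wp_error($error) )
             wp_die( $error );
 
         if ( ! is_plugin_active($file) )
-            activate_plugin($file, "plugin-editor.php?file=$file&phperror=1");// we'll override this later if the plugin can be included without fatal error
+            activate_plugin($file, "plugin-editor.php?file=$file&phperror=1"); // we'll override this later if the plugin can be included without fatal error
 
         wp_redirect("plugin-editor.php?file=$file&a=te");
@@ -87,6 +90,21 @@
     update_recently_edited(WP_PLUGIN_DIR . '/' . $file);
 
-    if ( ! is_file($real_file) )
-        $error = 1;
+    // List of allowable extensions
+    $editable_extensions = array('php', 'txt', 'text', 'js', 'css', 'html', 'htm', 'xml', 'inc', 'include');
+    $extra_extensions = apply_filters('editable_extensions', null);
+    if ( is_array($extra_extensions) )
+        $editable_extensions = array_merge($editable_extensions, $extra_extensions);
+
+    if ( ! is_file($real_file) ) {
+        $error = __('No such file exists! Double check the name and try again.');
+    } else {
+        // Get the extension of the file
+        if ( preg_match('/\.([^.]+)$/', $real_file, $matches) ) {
+            $ext = strtolower($matches[1]);
+            // If extension is not in the acceptable list, skip it
+            if ( !in_array( $ext, $editable_extensions) )
+                $error = __('Files of this type are not editable.');
+        }
+    }
 
     if ( ! $error ) {
@@ -99,5 +117,5 @@
             $docs_select .= '<option value="">' . __( 'Function Name...' ) . '</option>';
             foreach ( $functions as $function) {
-                $docs_select .= '<option value="' . urlencode( $function ) . '">' . htmlspecialchars( $function ) . '()</option>';
+                $docs_select .= '<option value="' . attribute_escape( $function ) . '">' . htmlspecialchars( $function ) . '()</option>';
             }
             $docs_select .= '</select>';
@@ -127,11 +145,14 @@
         <select name="plugin" id="plugin">
 <?php
-    foreach ($plugins as $plugin_key => $a_plugin) {
-    $plugin_name = $a_plugin['Name'];
-    if ($plugin_key == $plugin) $selected = " selected='selected'";
-    else $selected = '';
-    $plugin_name = attribute_escape($plugin_name);
-    echo "\n\t<option value=\"$plugin_key\" $selected>$plugin_name</option>";
-}
+    foreach ( $plugins as $plugin_key => $a_plugin ) {
+        $plugin_name = $a_plugin['Name'];
+        if ( $plugin_key == $plugin )
+            $selected = " selected='selected'";
+        else
+            $selected = '';
+        $plugin_name = attribute_escape($plugin_name);
+        $plugin_key = attribute_escape($plugin_key);
+        echo "\n\t<option value=\"$plugin_key\" $selected>$plugin_name</option>";
+    }
 ?>
         </select>
@@ -162,5 +183,17 @@
 
     <ul>
-<?php foreach($plugin_files as $plugin_file) : ?>
+<?php
+foreach ( $plugin_files as $plugin_file ) :
+    // Get the extension of the file
+    if ( preg_match('/\.([^.]+)$/', $plugin_file, $matches) ) {
+        $ext = strtolower($matches[1]);
+        // If extension is not in the acceptable list, skip it
+        if ( !in_array( $ext, $editable_extensions ) )
+            continue;
+    } else {
+        // No extension found
+        continue;
+    }
+?>
         <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo $plugin_file; ?>&plugin=<?php echo $plugin; ?>"><?php echo $plugin_file ?></a></li>
 <?php endforeach; ?>
@@ -176,5 +209,5 @@
         </div>
         <?php if ( count( $functions ) ) : ?>
-        <div id="documentation"><label for="docs-list">Documentation:</label> <?php echo $docs_select ?> <input type="button" class="button" value=" <?php _e( 'Lookup' ) ?> " onclick="if ( '' != jQuery('#docs-list').val() ) { window.open( 'http://api.wordpress.org/core/handbook/1.0/?function=' + escape( jQuery( '#docs-list' ).val() ) + '&locale=<?php echo urlencode( get_locale() ) ?>&version=<?php echo urlencode( $wp_version ) ?>&redirect=true'); }" /></div>
+        <div id="documentation"><label for="docs-list"><?php _e('Documentation:') ?></label> <?php echo $docs_select ?> <input type="button" class="button" value=" <?php echo attribute_escape(__( 'Lookup' )) ?> " onclick="if ( '' != jQuery('#docs-list').val() ) { window.open( 'http://api.wordpress.org/core/handbook/1.0/?function=' + escape( jQuery( '#docs-list' ).val() ) + '&locale=<?php echo urlencode( get_locale() ) ?>&version=<?php echo urlencode( $wp_version ) ?>&redirect=true'); }" /></div>
         <?php endif; ?>
 <?php if ( is_writeable($real_file) ) : ?>
@@ -196,5 +229,5 @@
 <?php
     } else {
-        echo '<div class="error"><p>' . __('Oops, no such file exists! Double check the name and try again, merci.') . '</p></div>';
+        echo '<div class="error"><p>' . $error . '</p></div>';
     }
 ?>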