Changeset 11595


Timestamp:
06/18/09 00:33:07 (6 years ago)
Author:
ryan
Message:

Require all plugin page requests (?page=) to be for registered plugin pages. Provides CYA for plugins that don't do enough cap checking. Action requests not bound to a plugin page still go through.

File:
1 edited

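--- a/trunk/wp-admin/includes/plugin.php
+++ b/trunk/wp-admin/includes/plugin.php
@@ -586,5 +586,5 @@
 
 function add_menu_page( $page_title, $menu_title, $access_level, $file, $function = '', $icon_url = '' ) {
-    global $menu, $admin_page_hooks;
+    global $menu, $admin_page_hooks, $_registered_pages;
 
     $file = plugin_basename( $file );
@@ -603,9 +603,11 @@
     $menu[] = array ( $menu_title, $access_level, $file, $page_title, 'menu-top ' . $hookname, $hookname, $icon_url );
 
+    $_registered_pages[$hookname] = true;
+
     return $hookname;
 }
 
 function add_object_page( $page_title, $menu_title, $access_level, $file, $function = '', $icon_url = '') {
-    global $menu, $admin_page_hooks, $_wp_last_object_menu;
+    global $menu, $admin_page_hooks, $_wp_last_object_menu, $_registered_pages;
 
     $file = plugin_basename( $file );
@@ -624,9 +626,11 @@
     $menu[$_wp_last_object_menu] = array ( $menu_title, $access_level, $file, $page_title, 'menu-top ' . $hookname, $hookname, $icon_url );
 
+    $_registered_pages[$hookname] = true;
+
     return $hookname;
 }
 
 function add_utility_page( $page_title, $menu_title, $access_level, $file, $function = '', $icon_url = '') {
-    global $menu, $admin_page_hooks, $_wp_last_utility_menu;
+    global $menu, $admin_page_hooks, $_wp_last_utility_menu, $_registered_pages;
 
     $file = plugin_basename( $file );
@@ -646,4 +650,6 @@
 
     $menu[$_wp_last_utility_menu] = array ( $menu_title, $access_level, $file, $page_title, 'menu-top ' . $hookname, $hookname, $icon_url );
+
+    $_registered_pages[$hookname] = true;
 
     return $hookname;
@@ -655,4 +661,5 @@
     global $_wp_real_parent_file;
     global $_wp_submenu_nopriv;
+    global $_registered_pages;
 
     $file = plugin_basename( $file );
@@ -683,4 +690,6 @@
     if (!empty ( $function ) && !empty ( $hookname ))
         add_action( $hookname, $function );
+
+    $_registered_pages[$hookname] = true;
 
     return $hookname;
@@ -920,4 +929,5 @@
     global $_wp_submenu_nopriv;
     global $plugin_page;
+    global $_registered_pages;
 
     $parent = get_admin_page_parent();
@@ -926,6 +936,12 @@
         return false;
 
-    if ( isset( $plugin_page ) && isset( $_wp_submenu_nopriv[$parent][$plugin_page] ) )
-        return false;
+    if ( isset( $plugin_page ) ) {
+        if ( isset( $_wp_submenu_nopriv[$parent][$plugin_page] ) )
+            return false;
+
+        $hookname = get_plugin_page_hookname($plugin_page, $parent);
+        if ( !isset($_registered_pages[$hookname]) )
+            return false;
+    }
 
     if ( empty( $parent) ) {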
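Review bot: The registration at new line 693 stores `$_registered_pages[$hookname] = true;` unconditionally, although the guard two lines above (`!empty ( $hookname )`) shows this function expects `$hookname` can be empty, so an empty key can end up in the registry; guarding it, `if ( !empty( $hookname ) ) $_registered_pages[$hookname] = true;`, keeps the registry to real page hooks (the other three registrations build the hookname from the page file and presumably never hit this). In the access check at new lines 942-944 the lookup key is rebuilt from `$plugin_page` and whatever get_admin_page_parent() returns, which may be redirected through `$_wp_real_parent_file` (visible in the hunk at new line 661); if that parent can differ from the one the page was registered under, legitimately registered pages would be refused, which is worth confirming. The new check only establishes that some plugin registered the page through the add_*_page API, not that the user holds the page's capability, so a comment at new line 942 would prevent readers from treating it as the authorisation step: `// Refuse ?page= requests for pages no plugin registered via add_*_page(); the page's own capability check still applies.` Plugins that append to $menu/$submenu directly instead of calling those functions will now be refused as well, which should be noted in the commit message. Both the submenu-registration function and the function enclosing this hunk start outside their hunks.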