
Changeset 11595


Timestamp:
06/18/2009 12:33:07 AM (9 years ago)
Author:
ryan
Message:

Require all plugin page requests (?page=) to be for registered plugin pages. Provides CYA for plugins that don't do enough capability checking. Action requests not bound to a plugin page still go through.

File:
1 edited

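--- a/trunk/wp-admin/includes/plugin.php
+++ b/trunk/wp-admin/includes/plugin.php
@@ -586,5 +586,5 @@
 
 function add_menu_page( $page_title, $menu_title, $access_level, $file, $function = '', $icon_url = '' ) {
-    global $menu, $admin_page_hooks;
+    global $menu, $admin_page_hooks, $_registered_pages;
 
     $file = plugin_basename( $file );
@@ -603,9 +603,11 @@
     $menu[] = array ( $menu_title, $access_level, $file, $page_title, 'menu-top ' . $hookname, $hookname, $icon_url );
 
+    $_registered_pages[$hookname] = true;
+
     return $hookname;
 }
 
 function add_object_page( $page_title, $menu_title, $access_level, $file, $function = '', $icon_url = '') {
-    global $menu, $admin_page_hooks, $_wp_last_object_menu;
+    global $menu, $admin_page_hooks, $_wp_last_object_menu, $_registered_pages;
 
     $file = plugin_basename( $file );
@@ -624,9 +626,11 @@
     $menu[$_wp_last_object_menu] = array ( $menu_title, $access_level, $file, $page_title, 'menu-top ' . $hookname, $hookname, $icon_url );
 
+    $_registered_pages[$hookname] = true;
+
     return $hookname;
 }
 
 function add_utility_page( $page_title, $menu_title, $access_level, $file, $function = '', $icon_url = '') {
-    global $menu, $admin_page_hooks, $_wp_last_utility_menu;
+    global $menu, $admin_page_hooks, $_wp_last_utility_menu, $_registered_pages;
 
     $file = plugin_basename( $file );
@@ -646,4 +650,6 @@
 
     $menu[$_wp_last_utility_menu] = array ( $menu_title, $access_level, $file, $page_title, 'menu-top ' . $hookname, $hookname, $icon_url );
+
+    $_registered_pages[$hookname] = true;
 
     return $hookname;
@@ -655,4 +661,5 @@
     global $_wp_real_parent_file;
     global $_wp_submenu_nopriv;
+    global $_registered_pages;
 
     $file = plugin_basename( $file );
@@ -683,4 +690,6 @@
     if (!empty ( $function ) && !empty ( $hookname ))
         add_action( $hookname, $function );
+
+    $_registered_pages[$hookname] = true;
 
     return $hookname;
@@ -920,4 +929,5 @@
     global $_wp_submenu_nopriv;
     global $plugin_page;
+    global $_registered_pages;
 
     $parent = get_admin_page_parent();
@@ -926,6 +936,12 @@
         return false;
 
-    if ( isset( $plugin_page ) && isset( $_wp_submenu_nopriv[$parent][$plugin_page] ) )
-        return false;
+    if ( isset( $plugin_page ) ) {
+        if ( isset( $_wp_submenu_nopriv[$parent][$plugin_page] ) )
+            return false;
+
+        $hookname = get_plugin_page_hookname($plugin_page, $parent);
+        if ( !isset($_registered_pages[$hookname]) )
+            return false;
+    }
 
     if ( empty( $parent) ) {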
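Review bot: The lookup key in the new guard is built from `get_admin_page_parent()`, while registration in the submenu hunk keys `$_registered_pages` on the hookname derived from the plugin-supplied parent slug; if the resolved parent differs from the slug the plugin passed (the `$_wp_real_parent_file` remapping visible in that same function suggests it can), a legitimately registered page will be denied here, so the two derivations should be made to agree or the page should be registered under both keys. The registration in the submenu hunk is also unconditional even though the preceding line treats `$hookname` as possibly empty; guard it with `if ( ! empty( $hookname ) ) $_registered_pages[$hookname] = true;` so an empty key is never marked as registered. Note that this check is deny-only: it rejects unregistered `?page=` slugs but does not verify the capability the page was registered with, so plugins still own their own capability checks, and a comment stating that would help maintainers, e.g. `// Only reject unregistered pages; the page's own capability is enforced elsewhere.` The enclosing function starts outside the hunk.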