Changeset 11808

Timestamp:

08/13/2009 06:03:26 AM (16 years ago)

Author:

azaozz

Message:

Strip slashes from POST data in request_filesystem_credentials(), props dd32, fixes #10567

File:

• trunk/wp-admin/includes/file.php (modified) (3 diffs)

trunk/wp-admin/includes/file.php

@@ -677 +677 @@
 
     // If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option)
-    $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? $_POST['hostname'] : $credentials['hostname']);
-    $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? $_POST['username'] : $credentials['username']);
-    $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? $_POST['password'] : '');
+    $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? stripslashes($_POST['hostname']) : $credentials['hostname']);
+    $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? stripslashes($_POST['username']) : $credentials['username']);
+    $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? stripslashes($_POST['password']) : '');
 
     // Check to see if we are setting the public/private keys for ssh
-    $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? $_POST['public_key'] : '');
-    $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? $_POST['private_key'] : '');
+    $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? stripslashes($_POST['public_key']) : '');
+    $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? stripslashes($_POST['private_key']) : '');
 
     //sanitize the hostname, Some people might pass in odd-data:
@@ -698 +698 @@
         $credentials['connection_type'] = 'ftps';
     else if ( !empty($_POST['connection_type']) )
-        $credentials['connection_type'] = $_POST['connection_type'];
+        $credentials['connection_type'] = stripslashes($_POST['connection_type']);
     else if ( !isset($credentials['connection_type']) ) //All else fails (And its not defaulted to something else saved), Default to FTP
         $credentials['connection_type'] = 'ftp';
@@ -792 +792 @@
 
 <?php if ( isset( $_POST['version'] ) ) : ?>
-<input type="hidden" name="version" value="<?php echo esc_attr($_POST['version']) ?>" />
+<input type="hidden" name="version" value="<?php echo esc_attr(stripslashes($_POST['version'])) ?>" />
 <?php endif; ?>
 <?php if ( isset( $_POST['locale'] ) ) : ?>
-<input type="hidden" name="locale" value="<?php echo esc_attr($_POST['locale']) ?>" />
+<input type="hidden" name="locale" value="<?php echo esc_attr(stripslashes($_POST['locale'])) ?>" />
 <?php endif; ?>
 <p class="submit">