
Changeset 12310


Timestamp:
12/01/2009 10:03:13 PM (11 years ago)
Author:
ryan
Message:

Fix file validation in theme editor. Props dd32. fixes #11032

Location:
trunk
Files:
4 edited

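--- a/trunk/wp-admin/includes/file.php
+++ b/trunk/wp-admin/includes/file.php
@@ -196,6 +196,4 @@
  */
 function validate_file_to_edit( $file, $allowed_files = '' ) {
-    $file = stripslashes( $file );
-
     $code = validate_file( $file, $allowed_files );
 
@@ -207,6 +205,6 @@
             wp_die( __('Sorry, can’t edit files with “..” in the name. If you are trying to edit a file in your WordPress home directory, you can just type the name of the file in.' ));
 
-        case 2 :
-            wp_die( __('Sorry, can’t call files with their real path.' ));
+        //case 2 :
+        //  wp_die( __('Sorry, can’t call files with their real path.' ));
 
         case 3 :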
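Review bot: Commenting out `case 2` leaves a return code of 2 from validate_file() with no branch in this switch, so whether a drive-letter path is still rejected now depends on a default branch or on the code after the switch, both of which are outside the hunk (validate_file_to_edit's body continues past it). If the intent is that allow-listed entries may legitimately be full paths (the reordering in wp-includes/functions.php in this same changeset suggests so), the two dead lines should become a comment that records it, e.g. `// Code 2 (drive-letter path) is deliberately not fatal here; validate_file() has already applied the allow-list.`. Dropping `stripslashes()` from this function also moves the unslashing duty to every caller, which the function's docblock should state, e.g. `// $file must already be unslashed by the caller.`.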
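--- a/trunk/wp-admin/plugin-editor.php
+++ b/trunk/wp-admin/plugin-editor.php
@@ -23,5 +23,5 @@
 
 if ( isset($_REQUEST['file']) )
-    $plugin = $_REQUEST['file'];
+    $plugin = stripslashes($_REQUEST['file']);
 
 if ( empty($plugin) ) {
@@ -34,4 +34,6 @@
 if ( empty($file) )
     $file = $plugin_files[0];
+else
+    $file = stripslashes($file);
 
 $file = validate_file_to_edit($file, $plugin_files);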
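Review bot: The new `stripslashes($_REQUEST['file'])` on line 25 assumes the request value is a string; an array value is neither rejected nor turned into a usable path, and the `empty($plugin)` check on line 27 is the only thing standing between that and the later validation. Tightening the condition on line 24 keeps the rest of the flow unchanged: `if ( isset($_REQUEST['file']) && is_string($_REQUEST['file']) )`. The same consideration applies to the new `stripslashes($file)` on line 37 if `$file` also comes from the request; its assignment is outside the hunk, so that part is inferred.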
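--- a/trunk/wp-admin/theme-editor.php
+++ b/trunk/wp-admin/theme-editor.php
@@ -36,4 +36,5 @@
     $file = $allowed_files[0];
 } else {
+    $file = stripslashes($file);
     if ( 'theme' == $dir ) {
         $file = dirname(dirname($themes[$theme]['Template Dir'])) . $file ;
@@ -43,7 +44,6 @@
 }
 
-$real_file = validate_file_to_edit($file, $allowed_files);
+validate_file_to_edit($file, $allowed_files);
 $scrollto = isset($_REQUEST['scrollto']) ? (int) $_REQUEST['scrollto'] : 0;
-
 $file_show = basename( $file );
 
@@ -56,7 +56,7 @@
     $newcontent = stripslashes($_POST['newcontent']);
     $theme = urlencode($theme);
-    if (is_writeable($real_file)) {
+    if (is_writeable($file)) {
         //is_writable() not always reliable, check return value. see comments @ http://uk.php.net/is_writable
-        $f = fopen($real_file, 'w+');
+        $f = fopen($file, 'w+');
         if ($f !== FALSE) {
             fwrite($f, $newcontent);
@@ -84,12 +84,12 @@
     update_recently_edited($file);
 
-    if ( !is_file($real_file) )
+    if ( !is_file($file) )
         $error = 1;
 
-    if ( !$error && filesize($real_file) > 0 ) {
-        $f = fopen($real_file, 'r');
-        $content = fread($f, filesize($real_file));
-
-        if ( '.php' == substr( $real_file, strrpos( $real_file, '.' ) ) ) {
+    if ( !$error && filesize($file) > 0 ) {
+        $f = fopen($file, 'r');
+        $content = fread($f, filesize($file));
+
+        if ( '.php' == substr( $file, strrpos( $file, '.' ) ) ) {
             $functions = wp_doc_link_parse( $content );
 
@@ -103,5 +103,5 @@
 
         $content = htmlspecialchars( $content );
-        $codepress_lang = codepress_get_lang($real_file);
+        $codepress_lang = codepress_get_lang($file);
     }
 
@@ -213,5 +213,5 @@
 
         <div>
-<?php if ( is_writeable($real_file) ) : ?>
+<?php if ( is_writeable($file) ) : ?>
             <p class="submit">
 <?php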
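Review bot: The rewritten read path at lines 90–91 passes the result of `fopen($file, 'r')` straight to fread() without checking it, while the write path a few lines earlier checks `$f !== FALSE` before using the handle; the two should agree, e.g. `if ( false !== ( $f = fopen($file, 'r') ) )` around the fread, treating failure like the `!is_file()` case. Line 46 now discards the return value of validate_file_to_edit(), so rejection of a bad `$file` rests entirely on wp_die() being called inside it; with the `case 2` branch disabled in this same changeset, a code-2 result would let execution continue to these file operations unless validate_file_to_edit() stops for it some other way (its body is outside this section, so that is inferred). A one-line comment at line 46, `// validate_file_to_edit() calls wp_die() on any rejected path; nothing below runs for an invalid $file`, would make that dependency visible to the next reader.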
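--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -3069,9 +3069,9 @@
         return 1;
 
+    if (!empty ( $allowed_files ) && (!in_array( $file, $allowed_files ) ) )
+        return 3;
+
     if (':' == substr( $file, 1, 1 ))
         return 2;
-
-    if (!empty ( $allowed_files ) && (!in_array( $file, $allowed_files ) ) )
-        return 3;
 
     return 0;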
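Review bot: After the reorder, `in_array()` against the allow-list is the check that decides whether a path containing `':'` is accepted, so its loose comparison now carries more weight than before; pass the strict flag, `if (!empty ( $allowed_files ) && (!in_array( $file, $allowed_files, true ) ) )`, so only an exact string match passes. Nothing in the hunk records why the allow-list must run before the `':'` test, and a later tidy-up could restore the old order without noticing; a comment above the moved lines such as `// Check the allow-list before the ':' test: allow-listed entries may be full paths, which the drive-letter check below would otherwise reject` (the full-path motivation is inferred from the theme-editor change in this changeset) would prevent that. The function's signature and the preceding `..` check that returns 1 are outside the hunk.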