
Changeset 18346


Timestamp:
06/27/11 15:56:42 (4 years ago)
Author:
ryan
Message:

Hardening. Sanitizers for WPLANG and new_admin_email. Prevent stomping ID and filter. Validate locale filename. Props westi.

Location:
trunk
Files:
6 edited

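--- a/trunk/wp-admin/custom-header.php
+++ b/trunk/wp-admin/custom-header.php
@@ -647,5 +647,6 @@
         'post_mime_type' => $type,
         'guid' => $url,
-        'context' => 'custom-header');
+        'context' => 'custom-header'
+        );
 
         // Save the data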
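--- a/trunk/wp-admin/includes/media.php
+++ b/trunk/wp-admin/includes/media.php
@@ -229,4 +229,8 @@
     ), $post_data );
 
+    // This should never be set as it would then overwrite an existing attachment.
+    if ( isset( $attachment['ID'] ) )
+        unset( $attachment['ID'] );
+
     // Save the data
     $id = wp_insert_attachment($attachment, $file, $post_id);
@@ -281,4 +285,8 @@
         'post_content' => $content,
     ), $post_data );
+
+    // This should never be set as it would then overwrite an existing attachment.
+    if ( isset( $attachment['ID'] ) )
+        unset( $attachment['ID'] );
 
     // Save the attachment metadata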
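Review bot: The `isset()` guard around the `unset()` in both new blocks is redundant, since `unset()` on a key that is not present is a no-op in PHP; `unset( $attachment['ID'] );` on its own reads more directly. Note also that `$post_data` is merged over the defaults (the `), $post_data );` line just above each block), so any other key a caller passes through still wins; stripping `ID` prevents redirecting the insert onto an existing attachment but is not a whitelist, and the comment could say so: `// $post_data is merged last, so a caller-supplied 'ID' would turn this insert into an update of an existing attachment; strip it.` Both enclosing functions start and end outside this section.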
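--- a/trunk/wp-admin/includes/post.php
+++ b/trunk/wp-admin/includes/post.php
@@ -142,4 +142,8 @@
     if ( empty($post_data) )
         $post_data = &$_POST;
+
+    // Clear out any data in internal vars.
+    if ( isset( $post_data['filter'] ) )
+        unset( $post_data['filter'] );
 
     $post_ID = (int) $post_data['post_ID'];
@@ -559,4 +563,13 @@
             return edit_post();
         }
+    }
+
+    // Edit don't write if we have a post id.
+    if ( isset( $_POST['ID'] ) ) {
+        $_POST['post_ID'] = $_POST['ID'];
+        unset ( $_POST['ID'] );
+    }
+    if ( isset( $_POST['post_ID'] ) ) {
+        return edit_post();
     }
 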
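Review bot: The new block in the second hunk turns any request carrying `ID` or `post_ID` into an edit of that post through `edit_post()`, so the capability check for editing that particular ID now has to live inside `edit_post()`; that is presumably the case but is not visible here and is worth confirming, since this function previously only created posts. The routing uses `isset()`, so a submitted `post_ID=0` or an empty string is also sent to `edit_post()` instead of the create path; if that is not intended, `if ( ! empty( $_POST['post_ID'] ) ) {` keeps those on the write path. The comment `// Edit don't write if we have a post id.` would read better as `// Route to edit_post() instead of creating a new post when the request names an existing post ID.` The enclosing function starts and ends outside this section.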
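--- a/trunk/wp-admin/options-general.php
+++ b/trunk/wp-admin/options-general.php
@@ -128,5 +128,5 @@
 if ( $new_admin_email && $new_admin_email != get_option('admin_email') ) : ?>
 <div class="updated inline">
-<p><?php printf( __('There is a pending change of the admin e-mail to <code>%1$s</code>. <a href="%2$s">Cancel</a>'), $new_admin_email, esc_url( admin_url( 'options.php?dismiss=new_admin_email' ) ) ); ?></p>
+<p><?php printf( __('There is a pending change of the admin e-mail to <code>%1$s</code>. <a href="%2$s">Cancel</a>'), esc_html( $new_admin_email ), esc_url( admin_url( 'options.php?dismiss=new_admin_email' ) ) ); ?></p>
 </div>
 <?php endif; ?>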
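Review bot: The Cancel link is a state-changing GET (`options.php?dismiss=new_admin_email`) built here without a nonce; unless `options.php` verifies one for `dismiss` on its own, a cross-site request to that URL can silently discard a pending admin-email change. Building it as `wp_nonce_url( admin_url( 'options.php?dismiss=new_admin_email' ), 'dismiss-new_admin_email' )` and checking it with `check_admin_referer( 'dismiss-new_admin_email' )` on the receiving side would close that. The `esc_html()` added around `$new_admin_email` is the right context-specific escape for output inside `<code>`.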
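--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -2427,5 +2427,12 @@
             }
             break;
-
+        case 'new_admin_email':
+            $value = sanitize_email($value);
+            if ( !is_email($value) ) {
+                $value = get_option( $option ); // Resets option to stored value in the case of failed sanitization
+                if ( function_exists('add_settings_error') )
+                    add_settings_error('new_admin_email', 'invalid_admin_email', __('The email address entered did not appear to be a valid email address. Please enter a valid email address.'));
+            }
+            break;
         case 'thumbnail_size_w':
         case 'thumbnail_size_h':
@@ -2521,4 +2528,9 @@
             }
             break;
+        case 'WPLANG':
+            $allowed = get_available_languages();
+            if ( ! in_array( $value, $allowed ) && ! empty( $value ) )
+                $value = get_option( $option );
+            break;
 
         case 'timezone_string':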
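Review bot: The `WPLANG` case in the second hunk silently resets a rejected value to the stored option, whereas the `new_admin_email` case in the first hunk reports the rejection through `add_settings_error()`; for consistency, and so the user learns why the locale did not change, add the same feedback inside the `if`: `if ( function_exists('add_settings_error') ) add_settings_error( 'WPLANG', 'invalid_locale', __( 'The selected language is not available.' ) );`. The membership test should also be strict, `in_array( $value, $allowed, true )`, since `$value` comes from the request and loose comparison buys nothing for a list of locale strings. The empty string is deliberately let through (presumably meaning the default locale), which a one-line comment above the condition would make explicit. The enclosing `switch` (presumably `sanitize_option()`) starts and ends outside this section.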
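--- a/trunk/wp-settings.php
+++ b/trunk/wp-settings.php
@@ -259,5 +259,5 @@
 $locale = get_locale();
 $locale_file = WP_LANG_DIR . "/$locale.php";
-if ( is_readable( $locale_file ) )
+if ( ( 0 === validate_file( $locale ) ) && is_readable( $locale_file ) )
     require( $locale_file );
 unset($locale_file);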
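Review bot: `validate_file( $locale )` rejects traversal sequences and absolute paths but does not otherwise constrain what ends up in `$locale_file`, so the new check is defense in depth rather than a whitelist on the name passed to `require`. If `get_locale()` also draws on sources the new `WPLANG` option sanitizer in this changeset does not cover (a constant or a filter; not visible here), it would be worth additionally restricting `$locale` to the shape locale codes take, e.g. `preg_match( '/^[A-Za-z_]+$/', $locale )`, after confirming that matches every shipped locale name. A short comment on the condition would also help: `// Only load a locale file whose name is a plain locale code, never a path.`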