
Changeset 3737


Timestamp:
04/21/2006 09:18:32 PM (14 years ago)
Author:
ryan
Message:

Ref checks. Comment filter.

Location:
branches/2.0
Files:
18 edited

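--- a/branches/2.0/wp-admin/cat-js.php
+++ b/branches/2.0/wp-admin/cat-js.php
@@ -145,7 +145,7 @@
     var catString = '';
 
-    catString = 'ajaxnewcat=' + encodeURIComponent(newcat.value);
+    catString = ajaxCat.encVar('ajaxnewcat', newcat.value) + '&' + ajaxCat.encVar('cookie', document.cookie);
     ajaxCat.requestFile = 'edit-form-ajax-cat.php';
-    ajaxCat.method = 'GET';
+    ajaxCat.method = 'POST';
     ajaxCat.onLoading = newCatLoading;
     ajaxCat.onLoaded = newCatLoaded;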
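--- a/branches/2.0/wp-admin/categories.php
+++ b/branches/2.0/wp-admin/categories.php
@@ -25,4 +25,6 @@
 
 case 'addcat':
+
+    check_admin_referer();
 
     if ( !current_user_can('manage_categories') )
@@ -95,4 +97,6 @@
 
 case 'editedcat':
+    check_admin_referer();
+
     if ( !current_user_can('manage_categories') )
         die (__('Cheatin’ uh?'));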
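--- a/branches/2.0/wp-admin/edit-comments.php
+++ b/branches/2.0/wp-admin/edit-comments.php
@@ -40,4 +40,6 @@
 <?php
 if ( !empty( $_POST['delete_comments'] ) ) :
+    check_admin_referer();
+
     $i = 0;
     foreach ($_POST['delete_comments'] as $comment) : // Check the permissions on each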
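--- a/branches/2.0/wp-admin/edit-form-ajax-cat.php
+++ b/branches/2.0/wp-admin/edit-form-ajax-cat.php
@@ -8,4 +8,6 @@
 if ( !current_user_can('manage_categories') )
     die('-1');
+if ( !check_ajax_referer() )
+    die('-1');
 
 function get_out_now() { exit; }
@@ -13,5 +15,5 @@
 add_action('shutdown', 'get_out_now', -1);
 
-$names = explode(',', rawurldecode($_GET['ajaxnewcat']) );
+$names = explode(',', rawurldecode($_POST['ajaxnewcat']) );
 $ids   = array();
 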
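Review bot: The `rawurldecode()` kept on new line 17 decodes the value a second time, because PHP has already URL-decoded the form-encoded POST body by the time `$_POST['ajaxnewcat']` is read; a category name containing a literal `%2C` therefore turns into a comma and is split into two names. Assuming `ajaxCat.encVar()` in cat-js.php encodes the value exactly once (not visible here), `$names = explode(',', $_POST['ajaxnewcat']);` is the correct read. Note also that `check_ajax_referer()` (new line 10) runs after `current_user_can()`, so the capability test still depends on the ordinary cookie login; that is fine as long as both checks stay before any write, which the hunk does not show.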
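--- a/branches/2.0/wp-admin/inline-uploading.php
+++ b/branches/2.0/wp-admin/inline-uploading.php
@@ -2,4 +2,6 @@
 
 require_once('admin.php');
+
+check_admin_referer();
 
 header('Content-Type: text/html; charset=' . get_option('blog_charset'));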
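Review bot: `check_admin_referer()` at new line 5 runs on every request to this script, including the plain GET that renders the upload form, so a visitor whose browser or proxy strips the Referer header is refused the page itself rather than only the upload. The state-changing branch (the form submission) is where the check belongs; guarding it with the same condition that handles the posted file, e.g. `if ( !empty($_POST) ) check_admin_referer();`, keeps the protection where the write happens. The rest of the file, including the actual upload handling, is outside the hunk.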
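--- a/branches/2.0/wp-admin/link-categories.php
+++ b/branches/2.0/wp-admin/link-categories.php
@@ -27,4 +27,6 @@
   case 'addcat':
   {
+      check_admin_referer();
+
       if ( !current_user_can('manage_links') )
           die (__("Cheatin' uh ?"));
@@ -81,4 +83,6 @@
   case 'Delete':
   {
+    check_admin_referer();
+
     $cat_id = (int) $_GET['cat_id'];
     $cat_name=get_linkcatname($cat_id);
@@ -200,4 +204,6 @@
   case "editedcat":
   {
+    check_admin_referer();
+
     if ( !current_user_can('manage_links') )
       die (__("Cheatin' uh ?"));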
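Review bot: The 'Delete' case (new lines 85-88) still takes its target from `$_GET['cat_id']`, so the deletion remains a GET-driven state change; the added referer check narrows who can trigger it, but the Referer header is absent or rewritten in enough clients and proxies that it cannot carry the whole burden, and a GET deletion stays reachable by link prefetchers and crawlers that follow admin links. The same pattern is in post.php, where 'approvecomment' reads `$_GET['comment']` and `$_GET['p']` after its new `check_admin_referer()`. Moving these actions to POST (a small form per row) is the durable fix; until then the `current_user_can('manage_links')` test that the other two cases have is not visible in the 'Delete' hunk and should be confirmed to exist below it.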
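--- a/branches/2.0/wp-admin/link-import.php
+++ b/branches/2.0/wp-admin/link-import.php
@@ -64,4 +64,6 @@
 
     case 1: {
+        check_admin_referer();
+
                 include_once('admin-header.php');
                 if ( !current_user_can('manage_links') )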
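--- a/branches/2.0/wp-admin/list-manipulation.js
+++ b/branches/2.0/wp-admin/list-manipulation.js
@@ -34,5 +34,5 @@
     ajaxDel.onInteractive = function() { ajaxDel.myResponseElement.innerHTML = 'Processing Data...'; };
     ajaxDel.onCompletion = function() { removeThisItem( what + '-' + id ); };
-    ajaxDel.runAJAX('action=delete-' + what + '&id=' + id);
+    ajaxDel.runAJAX('action=delete-' + what + '&id=' + id + '&' + ajaxDel.encVar('cookie', document.cookie));
     return false;
 }
@@ -40,5 +40,5 @@
 function removeThisItem(id) {
     var response = ajaxDel.response;
-    if ( isNaN(response) ) { alert(response); }
+    if ( isNaN(response) ) { ajaxDel.myResponseElement.innerHTML = response; return false; }
     response = parseInt(response, 10);
     if ( -1 == response ) { ajaxDel.myResponseElement.innerHTML = "You don't have permission to do that."; }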
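Review bot: New line 42 of `removeThisItem` writes a non-numeric `ajaxDel.response` straight into `myResponseElement.innerHTML`, where the old code only alerted it; any markup in the server's error text is now rendered, so if that text ever reflects request-derived content (the `id` or `what` values, for instance) this becomes a DOM injection point. Inserting it as text instead, `ajaxDel.myResponseElement.innerHTML = ''; ajaxDel.myResponseElement.appendChild(document.createTextNode(response));`, keeps the behaviour without interpreting markup. Separately, line 36 now appends `document.cookie` to the request payload; whether `ajaxDel` sends it as POST or GET is not set in this hunk, and with GET the session cookies would end up in URLs and server logs, as the sibling cat-js.php change avoids by switching to `'POST'`.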
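--- a/branches/2.0/wp-admin/list-manipulation.php
+++ b/branches/2.0/wp-admin/list-manipulation.php
@@ -6,4 +6,6 @@
 get_currentuserinfo();
 if ( !is_user_logged_in() )
+    die('-1');
+if ( !check_ajax_referer() )
     die('-1');
 
@@ -15,6 +17,4 @@
 function get_out_now() { exit; }
 add_action('shutdown', 'get_out_now', -1);
-
-//  check_admin_referer();
 
 switch ( $_POST['action'] ) :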
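--- a/branches/2.0/wp-admin/moderation.php
+++ b/branches/2.0/wp-admin/moderation.php
@@ -32,4 +32,6 @@
 
 case 'update':
+
+    check_admin_referer();
 
     if ( ! current_user_can('moderate_comments') )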
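--- a/branches/2.0/wp-admin/options-permalink.php
+++ b/branches/2.0/wp-admin/options-permalink.php
@@ -59,4 +59,6 @@
 
 if ( isset($_POST) ) {
+    check_admin_referer();
+
     if ( isset($_POST['permalink_structure']) ) {
         $permalink_structure = $_POST['permalink_structure'];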
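Review bot: The new `check_admin_referer()` on line 61 sits under `if ( isset($_POST) )`, which is always true because `$_POST` is a superglobal that exists (possibly empty) on every request; the referer check therefore fires on a plain GET of the permalink options page, and anyone whose browser suppresses Referer is locked out of viewing it, not just saving it. The condition was presumably meant to detect a submitted form, so `if ( !empty($_POST) ) {` (or a test on the specific submit field, which is not visible here) restores that intent. The enclosing block continues past the end of the hunk.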
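--- a/branches/2.0/wp-admin/plugin-editor.php
+++ b/branches/2.0/wp-admin/plugin-editor.php
@@ -34,4 +34,6 @@
 
 case 'update':
+
+    check_admin_referer();
 
     if ( !current_user_can('edit_plugins') )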
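--- a/branches/2.0/wp-admin/post.php
+++ b/branches/2.0/wp-admin/post.php
@@ -293,4 +293,6 @@
 case 'approvecomment':
 
+    check_admin_referer();
+
     $comment = (int) $_GET['comment'];
     $p = (int) $_GET['p'];
@@ -322,4 +324,6 @@
 
 case 'editedcomment':
+
+    check_admin_referer();
 
     edit_comment();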
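--- a/branches/2.0/wp-admin/templates.php
+++ b/branches/2.0/wp-admin/templates.php
@@ -36,4 +36,6 @@
 
 case 'update':
+
+    check_adimn_referer();
 
     if ( ! current_user_can('edit_files') )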
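Review bot: `check_adimn_referer()` on new line 39 is misspelled, so the 'update' action of the template editor now dies with a fatal "call to undefined function" before the capability check is reached — every save through this page fails, and because the failure happens before `check_admin_referer()` ever runs, the intended referer protection is not in effect either. It should read `check_admin_referer();`, matching the sibling 'update' cases in plugin-editor.php and theme-editor.php in this same changeset. The rest of the case body is outside the hunk.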
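--- a/branches/2.0/wp-admin/theme-editor.php
+++ b/branches/2.0/wp-admin/theme-editor.php
@@ -47,4 +47,6 @@
 
 case 'update':
+
+    check_admin_referer();
 
     if ( !current_user_can('edit_themes') )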
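--- a/branches/2.0/wp-includes/classes.php
+++ b/branches/2.0/wp-includes/classes.php
@@ -827,5 +827,5 @@
                         continue;
                     $fulltext = strtolower($comment->email.' '.$comment->url.' '.$comment->ip.' '.$comment->text);
-                    if( strpos( $fulltext, strtolower($word) ) != FALSE ) {
+                    if( false !== strpos( $fulltext, strtolower($word) ) ) {
                         $this->found_comments[] = $comment->ID;
                         break;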
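--- a/branches/2.0/wp-includes/comment-functions.php
+++ b/branches/2.0/wp-includes/comment-functions.php
@@ -185,4 +185,6 @@
     // Merge old and new fields with new fields overwriting old ones.
     $commentarr = array_merge($comment, $commentarr);
+
+    $commentarr = wp_filter_comment( $commentarr );
 
     // Now extract the merged array.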
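--- a/branches/2.0/wp-includes/pluggable-functions.php
+++ b/branches/2.0/wp-includes/pluggable-functions.php
@@ -231,4 +231,19 @@
         die(__('Sorry, you need to <a href="http://codex.wordpress.org/Enable_Sending_Referrers">enable sending referrers</a> for this feature to work.'));
     do_action('check_admin_referer');
+}
+endif;
+
+if ( !function_exists('check_ajax_referer') ) :
+function check_ajax_referer() {
+    $cookie = explode(';', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie
+    foreach ( $cookie as $tasty ) {
+        if ( false !== strpos($tasty, USER_COOKIE) )
+            $user = substr(strstr($tasty, '='), 1);
+        if ( false !== strpos($tasty, PASS_COOKIE) )
+            $pass = substr(strstr($tasty, '='), 1);
+    }
+    if ( wp_login( $user, $pass, true ) )
+        return true;
+    return false;
 }
 endif;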
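Review bot: `$user` and `$pass` are never initialised in `check_ajax_referer()` (new lines 238-245), so a request whose `cookie` parameter carries neither WordPress cookie reaches `wp_login()` with undefined variables — a notice under E_ALL and a login attempt with nulls — and the `$_GET['cookie']` fallback on line 238 accepts the session cookies from the query string, where they persist in server logs and outgoing Referer headers even though both callers in this changeset now send them by POST. The `strpos()` name test is a substring match: any cookie whose name merely contains USER_COOKIE or PASS_COOKIE is taken as the value, last one wins, so splitting each entry on `=` and comparing the name exactly is safer. A rewrite that requires POST, initialises both values, matches names exactly and refuses an empty pair is below; it assumes the third argument of `wp_login()` means the password is already hashed (not visible here) and that `explode(';')` entries may carry a leading space, which `trim()` handles. The `if ( !function_exists('check_admin_referer') )` guard of the preceding function begins outside the hunk.
```php
function check_ajax_referer() {
    // Only accept the echoed cookie from the POST body; a GET fallback would put the session cookies in URLs and logs.
    if ( empty($_POST['cookie']) )
        return false;
    $user = $pass = '';
    foreach ( explode(';', urldecode($_POST['cookie'])) as $tasty ) { // AJAX scripts must pass cookie=document.cookie
        $pair  = explode('=', trim($tasty), 2);
        $name  = $pair[0];
        $value = isset($pair[1]) ? $pair[1] : '';
        if ( USER_COOKIE === $name )
            $user = $value;
        elseif ( PASS_COOKIE === $name )
            $pass = $value;
    }
    if ( '' === $user || '' === $pass )
        return false;
    return (bool) wp_login( $user, $pass, true );
}
```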