Changeset 41

Timestamp:

05/23/2003 12:12:22 AM (22 years ago)

Author:

saxmatt

Message:

Clean up entire file, improved error messages and HTML, fixed editing problem, double-checekd security.

File:

• trunk/wp-admin/b2template.php (modified) (3 diffs)

trunk/wp-admin/b2template.php

@@ -38 +38 @@
 switch($action) {
 
-case "update":
+case 'update':
 
-    $standalone=1;
-    require_once("./b2header.php");
+    $standalone = 1;
+    require("b2header.php");
 
     if ($user_level < 3) {
-        die("You have no right to edit the template for this blog.<br>Ask for a promotion to your <a href=\"mailto:$admin_email\">blog admin</a> :)");
+        die('<p>You have no right to edit the template for this blog.<br />Ask for a promotion to your <a href="mailto:$admin_email">blog admin</a>. :)</p>');
     }
 
     $newcontent = stripslashes($HTTP_POST_VARS["newcontent"]);
     $file = $HTTP_POST_VARS["file"];
-    $f = fopen($file,"w+");
-    fwrite($f,$newcontent);
+    $f = fopen($file, 'w+');
+    fwrite($f, $newcontent);
     fclose($f);
 
+    $file = str_replace('../', '', $file);
     header("Location: b2template.php?file=$file&a=te");
     exit();
@@ -60 +61 @@
 default:
 
-    include("./b2header.php");
+    require('b2header.php');
 
     if ($user_level <= 3) {
-        die("You have no right to edit the template for this blog.<br>Ask for a promotion to your <a href=\"mailto:$admin_email\">blog admin</a> :)");
+        die('<p>You have no right to edit the template for this blog.<br>Ask for a promotion to your <a href="mailto:$admin_email">blog admin</a>. :)</p>');
     }
 
-    if ($file=="") {
-        if ($blogfilename != "") {
+    if ('' == $file) {
+        if ('' != $blogfilename) {
             $file = $blogfilename;
         } else {
-            $file = "b2.php";
+            $file = 'index.php';
         }
     }
     
-    if (substr($file,0,2) == "..")
-        die ("Sorry, can't edit files that are up one directory or more.");
+    if ('..' == substr($file,0,2))
+        die ('Sorry, can&#8217;t edit files with ".." in the name. If you are trying to edit a file in your WordPress home directory, you can just type the name of the file in.');
     
-    if (substr($file,1,1) == ":")
-        die ("Sorry, can't call files with their real path.");
+    if (':' == substr($file,1,1))
+        die ('Sorry, can&#8217;t call files with their real path.');
 
-    if (substr($file,0,1) == "/")
-        $file = ".".$file;
+    if ('/' == substr($file,0,1))
+        $file = '.' . $file;
+    
+    $file = stripslashes($file);
+    $file = '../' . $file;
     
     if (!is_file($file))
         $error = 1;
 
-    $file = stripslashes($file);
-
-    if ((substr($file,0,2) == "b2") and (substr($file,-4,4) == ".php") and ($file != "b2.php"))
-        $warning = " - this is a b2 file, be careful when editing it !";
-
+    if ((substr($file,0,2) == 'b2') and (substr($file,-4,4) == '.php') and ($file != 'b2.php'))
+        $warning = ' &#8212; this is a WordPress file, be careful when editing it!';
+    
     if (!$error) {
-        $f = fopen($file,"r");
-        $content = fread($f,filesize($file));
-//      $content = template_simplify($content);
+        $f = fopen($file, 'r');
+        $content = fread($f, filesize($file));
         $content = htmlspecialchars($content);
 //      $content = str_replace("</textarea","&lt;/textarea",$content);
     }
 
-    echo $blankline;
-    echo $tabletop;
     ?>
-    <table width="100%" cellpadding="5" cellspacing="0">
-    <tr>
-    <td>
+<div class="wrap">
     <?php
-    echo "Listing <b>$file</b>".$warning;
-    if ($a == "te")
-        echo "<i> [ file edited ! ]</i>";
+    echo "Listing <strong>$file</strong> $warning";
+    if ('te' == $a)
+        echo "<em>File edited successfully.</em>";
     
     if (!$error) {
@@ -127 +124 @@
     <?php
     } else {
-        echo "<p>oops, no such file !</p>";
+        echo '<p>Oops, no such file exists! Double check the name and try again, merci.</p>';
     }
-    echo $tablebottom;
     ?>
-    </td>
-    </table>
-    <br />
-    <?php   echo $tabletop; ?>
-    You can also edit the <a href="b2template.php?file=b2comments.php">comments' template</a> or the <a href="b2template.php?file=b2commentspopup.php">popup comments' template</a>, or edit any other file (provided it's writable by the server, e.g. CHMOD 766).<br />
-    <br />
-    To edit a file, type its name here:
-    <form name="file" action="b2template.php" method="get">
+</div>
+
+<div class="wrap"> 
+  <p>You can also edit the <a href="b2template.php?file=b2comments.php">comments 
+    template</a> or the <a href="b2template.php?file=b2commentspopup.php">popup 
+    comments template</a>, or edit any other file (provided it&#8217;s writable by 
+    the server, e.g. CHMOD 766).</p>
+    <p>To edit a file, type its name here:</p>
+  <form name="file" action="b2template.php" method="get">
     <input type="text" name="file" />
     <input type="submit" name="submit"  class="search" value="go" />
     </form>
-    <br />
-    Note: of course, you can also edit the files/templates in your text editor and upload them. This online editor is only meant to be used when you don't have access to a text editor...
     
-<?php   echo $tablebottom; ?>
+  <p>Note: of course, you can also edit the files/templates in your text editor 
+    and upload them. This online editor is only meant to be used when you don't 
+    have access to a text editor.</p>
+</div>