Changeset 41399 for trunk/src/wp-admin/plugins.php

Timestamp:

09/19/2017 10:10:35 AM (8 years ago)

Author:

johnbillion

Message:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Props kawauso, Mte90 for initial patches

Fixes #13377

File:

• trunk/src/wp-admin/plugins.php (modified) (7 diffs)

trunk/src/wp-admin/plugins.php

@@ -18 +18 @@
 $action = $wp_list_table->current_action();
 
-$plugin = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : '';
+$plugin = isset($_REQUEST['plugin']) ? wp_unslash( $_REQUEST['plugin'] ) : '';
 $s = isset($_REQUEST['s']) ? urlencode( wp_unslash( $_REQUEST['s'] ) ) : '';
 
@@ -41 +41 @@
             check_admin_referer('activate-plugin_' . $plugin);
 
-            $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . $plugin), is_network_admin() );
+            $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . urlencode( $plugin ) ), is_network_admin() );
             if ( is_wp_error( $result ) ) {
                 if ( 'unexpected_output' == $result->get_error_code() ) {
-                    $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . $plugin . "&plugin_status=$status&paged=$page&s=$s");
+                    $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . urlencode( $plugin ) . "&plugin_status=$status&paged=$page&s=$s");
                     wp_redirect(add_query_arg('_error_nonce', wp_create_nonce('plugin-activation-error_' . $plugin), $redirect));
                     exit;
@@ -75 +75 @@
             check_admin_referer('bulk-plugins');
 
-            $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
+            $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
 
             if ( is_network_admin() ) {
@@ -128 +128 @@
 
             if ( isset( $_GET['plugins'] ) )
-                $plugins = explode( ',', $_GET['plugins'] );
+                $plugins = explode( ',', wp_unslash( $_GET['plugins'] ) );
             elseif ( isset( $_POST['checked'] ) )
-                $plugins = (array) $_POST['checked'];
+                $plugins = (array) wp_unslash( $_POST['checked'] );
             else
                 $plugins = array();
@@ -206 +206 @@
             check_admin_referer('bulk-plugins');
 
-            $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
+            $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
             // Do not deactivate plugins which are already deactivated.
             if ( is_network_admin() ) {
@@ -251 +251 @@
 
             //$_POST = from the plugin form; $_GET = from the FTP details screen.
-            $plugins = isset( $_REQUEST['checked'] ) ? (array) $_REQUEST['checked'] : array();
+            $plugins = isset( $_REQUEST['checked'] ) ? (array) wp_unslash( $_REQUEST['checked'] ) : array();
             if ( empty( $plugins ) ) {
                 wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") );
@@ -385 +385 @@
             if ( isset( $_POST['checked'] ) ) {
                 check_admin_referer('bulk-plugins');
-                $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
+                $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
                 $sendback = wp_get_referer();