WordPress.org

Make WordPress Core


Ignore:
Timestamp:
09/19/2017 10:15:56 AM (2 years ago)
Author:
johnbillion
Message:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41399], with additions, to the 4.8 branch.

See #13377

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/4.8/src/wp-admin/plugins.php

    r40169 r41412  
    1818$action = $wp_list_table->current_action();
    1919
    20 $plugin = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : '';
     20$plugin = isset($_REQUEST['plugin']) ? wp_unslash( $_REQUEST['plugin'] ) : '';
    2121$s = isset($_REQUEST['s']) ? urlencode( wp_unslash( $_REQUEST['s'] ) ) : '';
    2222
     
    4040            check_admin_referer('activate-plugin_' . $plugin);
    4141
    42             $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . $plugin), is_network_admin() );
     42            $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . urlencode( $plugin ) ), is_network_admin() );
    4343            if ( is_wp_error( $result ) ) {
    4444                if ( 'unexpected_output' == $result->get_error_code() ) {
    45                     $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . $plugin . "&plugin_status=$status&paged=$page&s=$s");
     45                    $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . urlencode( $plugin ) . "&plugin_status=$status&paged=$page&s=$s");
    4646                    wp_redirect(add_query_arg('_error_nonce', wp_create_nonce('plugin-activation-error_' . $plugin), $redirect));
    4747                    exit;
     
    7474            check_admin_referer('bulk-plugins');
    7575
    76             $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
     76            $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
    7777
    7878            if ( is_network_admin() ) {
     
    123123
    124124            if ( isset( $_GET['plugins'] ) )
    125                 $plugins = explode( ',', $_GET['plugins'] );
     125                $plugins = explode( ',', wp_unslash( $_GET['plugins'] ) );
    126126            elseif ( isset( $_POST['checked'] ) )
    127                 $plugins = (array) $_POST['checked'];
     127                $plugins = (array) wp_unslash( $_POST['checked'] );
    128128            else
    129129                $plugins = array();
     
    198198            check_admin_referer('bulk-plugins');
    199199
    200             $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
     200            $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
    201201            // Do not deactivate plugins which are already deactivated.
    202202            if ( is_network_admin() ) {
     
    235235
    236236            //$_POST = from the plugin form; $_GET = from the FTP details screen.
    237             $plugins = isset( $_REQUEST['checked'] ) ? (array) $_REQUEST['checked'] : array();
     237            $plugins = isset( $_REQUEST['checked'] ) ? (array) wp_unslash( $_REQUEST['checked'] ) : array();
    238238            if ( empty( $plugins ) ) {
    239239                wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") );
     
    369369            if ( isset( $_POST['checked'] ) ) {
    370370                check_admin_referer('bulk-plugins');
    371                 $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
     371                $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
    372372                $sendback = wp_get_referer();
    373373
Note: See TracChangeset for help on using the changeset viewer.