WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#22079 closed defect (bug) (fixed)

Plugin filenames can break links in the admin menu

Reported by: simonwheatley Owned by: SergeyBiryukov
Milestone: 3.6 Priority: normal
Severity: normal Version: 2.7
Component: Administration Keywords: has-patch commit
Focuses: Cc:

Description

For example:

Creating a plugin at wp-content/plugins/import.php will break the Tools > Import link, changing the (correct) link from /wp-admin/import.php to /wp-admin/tools.php?page=import.php. This also works/breaks with plugins.php, export.php, etc.

The issue seems to be some code in [http://core.trac.wordpress.org/browser/tags/3.4.2/wp-admin/menu-header.php#L153 _wp_menu_output], which checks for the existence of files in the plugins directory and changes the link if they are found. I'm guessing this code relates to the ability to link to plugin files from the admin menu?

Attachments (2)

22079.patch (936 bytes) - added by lightningspirit 5 years ago.
Checks for the filename in the wp-admin directory. Doesn't allow overriding of default files in the admin.
22079.2.patch (2.7 KB) - added by SergeyBiryukov 5 years ago.

Download all attachments as: .zip

Change History (15)

@lightningspirit
5 years ago

Checks for the filename in the wp-admin directory. Doesn't allow overriding of default files in the admin.

#1 @lightningspirit
5 years ago

  • Cc lightningspirit@… added
  • Keywords has-patch needs-testing added

#2 @scribu
5 years ago

  • Keywords 2nd-opinion removed

Related: #12718

#3 @MikeHansenMe
5 years ago

I was able to reproduce and verify that the patch corrects the problem.

#4 @MikeHansenMe
5 years ago

  • Cc mdhansen@… added

#5 @SergeyBiryukov
5 years ago

  • Keywords 3.6-early added
  • Milestone changed from Awaiting Review to Future Release

#6 @SergeyBiryukov
5 years ago

  • Milestone changed from Future Release to 3.6

#7 @simonwheatley
5 years ago

This appears to have been fixed elsewhere. Creating a wp-content/plugins/import.php file no longer breaks the Import link.

#8 @MikeHansenMe
5 years ago

I am still able to reproduce the problem using the following.

Create import.php in the plugins dir and add the following

<?php
/*
Plugin Name: Test Import
*/

Then activate the plugin and check the tools import link.
It changes the link from import.php to tools.php?page=import.php and shows permissions error.

#9 @MikeHansenMe
5 years ago

Also, the patch still applies cleanly and fixes the problem.

#10 @SergeyBiryukov
5 years ago

  • Keywords dev-feedback removed
  • Version changed from 3.4.2 to 2.7

It's not just wp-content/plugins/import.php.

Filenames like these break the corresponding admin menu links too:

  • wp-content/plugins/edit.php
  • wp-content/plugins/edit-comments.php
  • wp-content/plugins/plugin-install.php (#20710)

We need the ! file_exists( ABSPATH . "/wp-admin/$menu_file" ) check in all the three places where we have the file_exists( WP_PLUGIN_DIR . "/$menu_file" ) check. See 22079.2.patch.

#11 @SergeyBiryukov
5 years ago

#20710 was marked as a duplicate.

#12 @SergeyBiryukov
5 years ago

  • Keywords commit added; 3.6-early needs-testing removed

#13 @SergeyBiryukov
5 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 23656:

Prevent plugins with certain filenames from breaking links in the admin menu. props lightningspirit. fixes #22079.

Note: See TracTickets for help on using tickets.