Security back ports from masquerade and MarkJaquith.

git-svn-id: http://svn.automattic.com/wordpress/branches/1.5@3627 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2006-03-07 01:47:45 +00:00 · 2006-03-07 01:47:45 +00:00 · 0aa07547e2
parent 658b7540d5
commit 0aa07547e2
10 changed files with 587 additions and 212 deletions
--- a/wp-admin/admin.php
+++ b/wp-admin/admin.php
@ -55,7 +55,7 @@ if (isset($_GET['page'])) {
 		}
 		
 		if (! file_exists(ABSPATH . "wp-content/plugins/$plugin_page"))
-			die(sprintf(__('Cannot load %s.'), $plugin_page));
+			die(sprintf(__('Cannot load %s.'), htmlentities($plugin_page)));

 		if (! isset($_GET['noheader']))
 			require_once(ABSPATH . '/wp-admin/admin-header.php');
--- a/wp-admin/post.php
+++ b/wp-admin/post.php
@ -29,7 +29,7 @@ $editing = true;

 switch($action) {
 case 'post':
-
+	check_admin_referer();
 	if ( !user_can_create_draft($user_ID) )
 		die( __('You are not allowed to create posts or drafts on this blog.') );

@ -268,6 +268,7 @@ case 'edit':
 	break;

 case 'editpost':
+	check_admin_referer();
 	// die(var_dump('<pre>', $_POST));
 	if (!isset($blog_ID)) {
 		$blog_ID = 1;
@ -495,7 +496,7 @@ case 'editcomment':
 	break;

 case 'confirmdeletecomment':
-
+	check_admin_referer();
 	require_once('./admin-header.php');

 	$comment = (int) $_GET['comment'];
@ -590,7 +591,7 @@ case 'unapprovecomment':
 	break;

 case 'mailapprovecomment':
-
+	check_admin_referer();
 	$comment = (int) $_GET['comment'];

 	$commentdata = get_commentdata($comment, 1, true) or die(sprintf(__('Oops, no comment with this ID. <a href="%s">Go back</a>!'), 'edit.php'));
@ -610,7 +611,7 @@ case 'mailapprovecomment':
 	break;

 case 'approvecomment':
-
+	check_admin_referer();
 	$comment = (int) $_GET['comment'];
 	$p = (int) $_GET['p'];
 	if (isset($_GET['noredir'])) {
@ -639,7 +640,7 @@ case 'approvecomment':
 	break;

 case 'editedcomment':
-
+	check_admin_referer();
 	$comment_ID = (int) $_POST['comment_ID'];
 	$comment_post_ID = (int) $_POST['comment_post_ID'];
 	$newcomment_author = $_POST['newcomment_author'];
--- a/wp-admin/profile.php
+++ b/wp-admin/profile.php
@ -64,10 +64,10 @@ case 'update':
 			die (__("<strong>ERROR</strong>: you typed your new password only once. Go back to type it twice."));
 		if ( $pass1 != $pass2 )
 			die (__("<strong>ERROR</strong>: you typed two different passwords. Go back to correct that."));
-		$newuser_pass = $pass1;
+		$newuser_pass = $wpdb->escape($pass1);
 		$updatepassword = "user_pass=MD5('$newuser_pass'), ";
 		wp_clearcookie();
-		wp_setcookie($user_login, $newuser_pass);
+		wp_setcookie($user_login, $pass1);
 	}

 	$newuser_firstname = wp_specialchars($_POST['newuser_firstname']);
--- a/wp-admin/user-edit.php
+++ b/wp-admin/user-edit.php
@ -24,6 +24,8 @@ for ($i=0; $i<count($wpvarstoreset); $i += 1) {
 switch ($action) {
 case 'update':

+check_admin_referer();
+
 get_currentuserinfo();
 $edituser = get_userdata($user_id);
 if ($edituser->user_level >= $user_level) die( __('You do not have permission to edit this user.') );
--- a/wp-comments-post.php
+++ b/wp-comments-post.php
@ -57,7 +57,7 @@ header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
 header('Cache-Control: no-cache, must-revalidate, max-age=0');
 header('Pragma: no-cache');

-$location = (empty($_POST['redirect_to'])) ? $_SERVER["HTTP_REFERER"] : $_POST['redirect_to']; 
+$location = ( empty( $_POST['redirect_to'] ) ) ? get_permalink( $comment_post_ID ) : $_POST['redirect_to']; 

 wp_redirect($location);
 ?>
--- a/wp-includes/class-snoopy.php
+++ b/wp-includes/class-snoopy.php
--- a/wp-includes/functions-formatting.php
+++ b/wp-includes/functions-formatting.php
@ -989,5 +989,12 @@ function ent2ncr($text) {
 	}
 	return $text;
 }
+function stripslashes_deep($value)
+{
+   $value = is_array($value) ?
+               array_map('stripslashes_deep', $value) :
+               stripslashes($value);

+   return $value;
+}
 ?>
--- a/wp-includes/template-functions-links.php
+++ b/wp-includes/template-functions-links.php
@ -352,7 +352,7 @@ function next_post($format='%', $next='next post: ', $title='yes', $in_same_cat=
 function get_pagenum_link($pagenum = 1) {
 	global $wp_rewrite;

-	$qstr = $_SERVER['REQUEST_URI'];
+	$qstr = wp_specialchars($_SERVER['REQUEST_URI']);

 	$page_querystring = "paged"; 
 	$page_modstring = "page/";
--- a/wp-mail.php
+++ b/wp-mail.php
@ -50,9 +50,7 @@ for ($i=1; $i <= $count; $i++) :
 			if (preg_match('/Subject: /i', $line)) {
 				$subject = trim($line);
 				$subject = substr($subject, 9, strlen($subject)-9);
-				if (!preg_match('#\=\?(.+)\?Q\?(.+)\?\=#i', $subject)) {
-				  $subject = wp_iso_descrambler($subject);
-				}
+				$subject = wp_iso_descrambler($subject);
 				// Captures any text in the subject before $phone_delim as the subject
 				$subject = explode($phone_delim, $subject);
 				$subject = $subject[0];
@ -63,8 +61,10 @@ for ($i=1; $i <= $count; $i++) :
 			if (preg_match('/From: /', $line) | preg_match('Reply-To: /', $line))  {
 				$author=trim($line);
 			if ( ereg("([a-zA-Z0-9\_\-\.]+@[\a-zA-z0-9\_\-\.]+)", $author , $regs) ) {
-				echo "Author = {$regs[1]} <p>";
-				$result = $wpdb->get_row("SELECT ID FROM $tableusers WHERE user_email='$regs[1]' ORDER BY ID DESC LIMIT 1");
+				$author = $regs[1];
+				echo "Author = {$author} <p>";
+				$author = $wpdb->escape($author);
+				$result = $wpdb->get_row("SELECT ID FROM $wpdb->users WHERE user_email='$author' LIMIT 1");
 				if (!$result)
 					$post_author = 1;
 				else
@ -81,11 +81,11 @@ for ($i=1; $i <= $count; $i++) :
 				}
 				$date_arr = explode(' ', $ddate);
 				$date_time = explode(':', $date_arr[3]);
-				
+
 				$ddate_H = $date_time[0];
 				$ddate_i = $date_time[1];
 				$ddate_s = $date_time[2];
-				
+
 				$ddate_m = $date_arr[1];
 				$ddate_d = $date_arr[0];
 				$ddate_Y = $date_arr[2];
@ -136,6 +136,7 @@ for ($i=1; $i <= $count; $i++) :
 	$post_status = 'publish';

 	$post_data = compact('post_content','post_title','post_date','post_date_gmt','post_author','post_category', 'post_status');
+	$post_data = add_magic_quotes($post_data);

 	$post_ID = wp_insert_post($post_data);

--- a/wp-settings.php
+++ b/wp-settings.php
@ -153,13 +153,19 @@ load_default_textdomain();
 // Pull in locale data after loading text domain.
 require_once(ABSPATH . WPINC . '/locale.php');

-if ( !get_magic_quotes_gpc() ) {
-	$_GET    = add_magic_quotes($_GET   );
-	$_POST   = add_magic_quotes($_POST  );
-	$_COOKIE = add_magic_quotes($_COOKIE);
-	$_SERVER = add_magic_quotes($_SERVER);
+// If already slashed, strip.
+if ( get_magic_quotes_gpc() ) {
+	$_GET    = stripslashes_deep($_GET   );
+	$_POST   = stripslashes_deep($_POST  );
+	$_COOKIE = stripslashes_deep($_COOKIE);
 }

+// Escape with wpdb.
+$_GET    = add_magic_quotes($_GET   );
+$_POST   = add_magic_quotes($_POST  );
+$_COOKIE = add_magic_quotes($_COOKIE);
+$_SERVER = add_magic_quotes($_SERVER);
+
 function shutdown_action_hook() {
 	do_action('shutdown');
 }