From 593659b8d05e7529c45149caf78dc5b33eca7a4b Mon Sep 17 00:00:00 2001 From: ryan Date: Mon, 27 Jun 2011 15:56:42 +0000 Subject: [PATCH] Hardening. Santizers for WPLANG and new_admin_email. Prevent stomping ID and filter. Validate locale filename. Props westi. git-svn-id: http://svn.automattic.com/wordpress/trunk@18346 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/custom-header.php | 3 ++- wp-admin/includes/media.php | 8 ++++++++ wp-admin/includes/post.php | 13 +++++++++++++ wp-admin/options-general.php | 2 +- wp-includes/formatting.php | 14 +++++++++++++- wp-settings.php | 2 +- 6 files changed, 38 insertions(+), 4 deletions(-) diff --git a/wp-admin/custom-header.php b/wp-admin/custom-header.php index 7476260500..24ec9b8be9 100644 --- a/wp-admin/custom-header.php +++ b/wp-admin/custom-header.php @@ -646,7 +646,8 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?> 'post_content' => $url, 'post_mime_type' => $type, 'guid' => $url, - 'context' => 'custom-header'); + 'context' => 'custom-header' + ); // Save the data $id = wp_insert_attachment($object, $file); diff --git a/wp-admin/includes/media.php b/wp-admin/includes/media.php index 2b84f8f1c8..1a00126133 100644 --- a/wp-admin/includes/media.php +++ b/wp-admin/includes/media.php @@ -228,6 +228,10 @@ function media_handle_upload($file_id, $post_id, $post_data = array(), $override 'post_content' => $content, ), $post_data ); + // This should never be set as it would then overwrite an existing attachment. + if ( isset( $attachment['ID'] ) ) + unset( $attachment['ID'] ); + // Save the data $id = wp_insert_attachment($attachment, $file, $post_id); if ( !is_wp_error($id) ) { @@ -281,6 +285,10 @@ function media_handle_sideload($file_array, $post_id, $desc = null, $post_data = 'post_content' => $content, ), $post_data ); + // This should never be set as it would then overwrite an existing attachment. + if ( isset( $attachment['ID'] ) ) + unset( $attachment['ID'] ); + // Save the attachment metadata $id = wp_insert_attachment($attachment, $file, $post_id); if ( !is_wp_error($id) ) diff --git a/wp-admin/includes/post.php b/wp-admin/includes/post.php index b4da1e79f3..99d0ab855a 100644 --- a/wp-admin/includes/post.php +++ b/wp-admin/includes/post.php @@ -142,6 +142,10 @@ function edit_post( $post_data = null ) { if ( empty($post_data) ) $post_data = &$_POST; + // Clear out any data in internal vars. + if ( isset( $post_data['filter'] ) ) + unset( $post_data['filter'] ); + $post_ID = (int) $post_data['post_ID']; $post = get_post( $post_ID ); $post_data['post_type'] = $post->post_type; @@ -560,6 +564,15 @@ function wp_write_post() { } } + // Edit don't write if we have a post id. + if ( isset( $_POST['ID'] ) ) { + $_POST['post_ID'] = $_POST['ID']; + unset ( $_POST['ID'] ); + } + if ( isset( $_POST['post_ID'] ) ) { + return edit_post(); + } + $translated = _wp_translate_postdata( false ); if ( is_wp_error($translated) ) return $translated; diff --git a/wp-admin/options-general.php b/wp-admin/options-general.php index 4b16a5a85e..74517e7b17 100644 --- a/wp-admin/options-general.php +++ b/wp-admin/options-general.php @@ -127,7 +127,7 @@ include('./admin-header.php'); $new_admin_email = get_option( 'new_admin_email' ); if ( $new_admin_email && $new_admin_email != get_option('admin_email') ) : ?>
-

%1$s. Cancel'), $new_admin_email, esc_url( admin_url( 'options.php?dismiss=new_admin_email' ) ) ); ?>

+

%1$s. Cancel'), esc_html( $new_admin_email ), esc_url( admin_url( 'options.php?dismiss=new_admin_email' ) ) ); ?>

diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php index 15931380f5..82a1b9bdf7 100644 --- a/wp-includes/formatting.php +++ b/wp-includes/formatting.php @@ -2426,7 +2426,14 @@ function sanitize_option($option, $value) { add_settings_error('admin_email', 'invalid_admin_email', __('The email address entered did not appear to be a valid email address. Please enter a valid email address.')); } break; - + case 'new_admin_email': + $value = sanitize_email($value); + if ( !is_email($value) ) { + $value = get_option( $option ); // Resets option to stored value in the case of failed sanitization + if ( function_exists('add_settings_error') ) + add_settings_error('new_admin_email', 'invalid_admin_email', __('The email address entered did not appear to be a valid email address. Please enter a valid email address.')); + } + break; case 'thumbnail_size_w': case 'thumbnail_size_h': case 'medium_size_w': @@ -2520,6 +2527,11 @@ function sanitize_option($option, $value) { add_settings_error('home', 'invalid_home', __('The Site address you entered did not appear to be a valid URL. Please enter a valid URL.')); } break; + case 'WPLANG': + $allowed = get_available_languages(); + if ( ! in_array( $value, $allowed ) && ! empty( $value ) ) + $value = get_option( $option ); + break; case 'timezone_string': $allowed_zones = timezone_identifiers_list(); diff --git a/wp-settings.php b/wp-settings.php index 36f0f60536..80eb440f64 100644 --- a/wp-settings.php +++ b/wp-settings.php @@ -258,7 +258,7 @@ load_default_textdomain(); // Find the blog locale. $locale = get_locale(); $locale_file = WP_LANG_DIR . "/$locale.php"; -if ( is_readable( $locale_file ) ) +if ( ( 0 === validate_file( $locale ) ) && is_readable( $locale_file ) ) require( $locale_file ); unset($locale_file);