From a03073ef0a5c663591aeecf42a1bb9c6cd0808b9 Mon Sep 17 00:00:00 2001
From: ryan <ryan@1a063a9b-81f0-0310-95a4-ce76da25c4cd>
Date: Sat, 25 Aug 2007 17:07:10 +0000
Subject: [PATCH] Add nonces to tag importers. Props xknown. fixes #4811

git-svn-id: http://svn.automattic.com/wordpress/trunk@5941 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/import/utw.php        | 6 ++++++
 wp-admin/import/wp-cat2tag.php | 6 +++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/wp-admin/import/utw.php b/wp-admin/import/utw.php
index bc1ab5fca7..52e347ad12 100644
--- a/wp-admin/import/utw.php
+++ b/wp-admin/import/utw.php
@@ -31,6 +31,9 @@ class UTW_Import {
 		} else {
 			$step = (int) $_GET['step'];
 		}
+		
+		if ( $step > 1 )
+			check_admin_referer('import-utw');
 
 		// load the header
 		$this->header();
@@ -102,6 +105,7 @@ class UTW_Import {
 		}
 
 		echo '<form action="admin.php?import=utw&amp;step=2" method="post">';
+		wp_nonce_field('import-utw');
 		echo '<p class="submit"><input type="submit" name="submit" value="'.__('Step 2 &raquo;').'" /></p>';
 		echo '</form>';
 		echo '</div>';
@@ -137,6 +141,7 @@ class UTW_Import {
 		}
 
 		echo '<form action="admin.php?import=utw&amp;step=3" method="post">';
+		wp_nonce_field('import-utw');
 		echo '<p class="submit"><input type="submit" name="submit" value="'.__('Step 3 &raquo;').'" /></p>';
 		echo '</form>';
 		echo '</div>';
@@ -155,6 +160,7 @@ class UTW_Import {
 		echo '<p>' . sprintf( __('Done! <strong>%s</strong> tags where added!'), $tags_added ) . '<br /></p>';
 
 		echo '<form action="admin.php?import=utw&amp;step=4" method="post">';
+		wp_nonce_field('import-utw');
 		echo '<p class="submit"><input type="submit" name="submit" value="'.__('Step 4 &raquo;').'" /></p>';
 		echo '</form>';
 		echo '</div>';
diff --git a/wp-admin/import/wp-cat2tag.php b/wp-admin/import/wp-cat2tag.php
index c31658ef49..5f2869e153 100644
--- a/wp-admin/import/wp-cat2tag.php
+++ b/wp-admin/import/wp-cat2tag.php
@@ -38,6 +38,7 @@ class WP_Categories_to_Tags {
 
 	function categories_form() {
 		print '<form action="admin.php?import=wp-cat2tag&amp;step=2" method="post">';
+		wp_nonce_field('import-cat2tag');
 		print '<ul style="list-style:none">';
 
 		$hier = _get_term_hierarchy('category');
@@ -144,6 +145,7 @@ class WP_Categories_to_Tags {
 		print '<p>' . __('You are about to convert all categories to tags. Are you sure you want to continue?') . '</p>';
 
 		print '<form action="admin.php?import=wp-cat2tag" method="post">';
+		wp_nonce_field('import-cat2tag');
 		print '<p style="text-align:center" class="submit"><input type="submit" value="' . __('Yes') . '" name="yes_convert_all_cats" />&nbsp;&nbsp;&nbsp;&nbsp;<input type="submit" value="' . __('No') . '" name="no_dont_do_it" /></p>';
 		print '</form>';
 
@@ -158,7 +160,6 @@ class WP_Categories_to_Tags {
 	}
 
 	function init() {
-		echo '<!--'; print_r($_POST); print_r($_GET); echo '-->';
 
 		if (isset($_POST['maybe_convert_all_cats'])) {
 			$step = 3;
@@ -177,6 +178,9 @@ class WP_Categories_to_Tags {
 			print '<p>' . __('Cheatin&#8217; uh?') . '</p>';
 			print '</div>';
 		} else {
+			if ( $step > 1 )
+				check_admin_referer('import-cat2tag');
+
 			switch ($step) {
 				case 1 :
 					$this->welcome();