Add nonces to importers

git-svn-id: http://svn.automattic.com/wordpress/trunk@5404 1a063a9b-81f0-0310-95a4-ce76da25c4cd
ryan 2007-05-07 15:56:53 +00:00
parent 9b1b9b2084
commit ef4ad331e1
9 changed files with 57 additions and 26 deletions


@ -2030,6 +2030,7 @@ function wp_import_upload_form( $action ) {
?> ?>
<form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo attribute_escape($action) ?>"> <form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo attribute_escape($action) ?>">
<p> <p>
<?php wp_nonce_field('import-upload'); ?>
<label for="upload"><?php _e( 'Choose a file from your computer:' ); ?></label> (<?php printf( __('Maximum size: %s' ), $size ); ?> ) <label for="upload"><?php _e( 'Choose a file from your computer:' ); ?></label> (<?php printf( __('Maximum size: %s' ), $size ); ?> )
<input type="file" id="upload" name="import" size="25" /> <input type="file" id="upload" name="import" size="25" />
<input type="hidden" name="action" value="save" /> <input type="hidden" name="action" value="save" />
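Review bot: The nonce minted here carries the single action name `import-upload` for every file-based importer, so one nonce from this form is accepted by any importer's step-1 `check_admin_referer('import-upload')` for the nonce lifetime rather than only by the importer the admin was using. Binding it to the importer would need the importer slug passed into this function, e.g. `wp_nonce_field('import-upload-' . $importer)` with the matching `check_admin_referer()` action on the consuming side. The exposure is small because every consumer is an admin-only import step, but per-importer actions cost nothing and make the check say what it means. wp_import_upload_form()'s body starts before this hunk and the handler that consumes `action=save` is not shown here.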


@ -743,10 +743,11 @@ class Blogger_Import {
// Step 9: Congratulate the user // Step 9: Congratulate the user
function congrats() { function congrats() {
$blog = (int) $_GET['blog'];
echo '<h1>'.__('Congratulations!').'</h1><p>'.__('Now that you have imported your Blogger blog into WordPress, what are you going to do? Here are some suggestions:').'</p><ul><li>'.__('That was hard work! Take a break.').'</li>'; echo '<h1>'.__('Congratulations!').'</h1><p>'.__('Now that you have imported your Blogger blog into WordPress, what are you going to do? Here are some suggestions:').'</p><ul><li>'.__('That was hard work! Take a break.').'</li>';
if ( count($this->import['blogs']) > 1 ) if ( count($this->import['blogs']) > 1 )
echo '<li>'.__('In case you haven\'t done it already, you can import the posts from your other blogs:'). $this->show_blogs() . '</li>'; echo '<li>'.__('In case you haven\'t done it already, you can import the posts from your other blogs:'). $this->show_blogs() . '</li>';
if ( $n = count($this->import['blogs'][$_GET['blog']]['newusers']) ) if ( $n = count($this->import['blogs'][$blog]['newusers']) )
echo '<li>'.sprintf(__('Go to <a href="%s" target="%s">Authors &amp; Users</a>, where you can modify the new user(s) or delete them. If you want to make all of the imported posts yours, you will be given that option when you delete the new authors.'), 'users.php', '_parent').'</li>'; echo '<li>'.sprintf(__('Go to <a href="%s" target="%s">Authors &amp; Users</a>, where you can modify the new user(s) or delete them. If you want to make all of the imported posts yours, you will be given that option when you delete the new authors.'), 'users.php', '_parent').'</li>';
echo '<li>'.__('For security, click the link below to reset this importer.').'</li>'; echo '<li>'.__('For security, click the link below to reset this importer.').'</li>';
echo '</ul>'; echo '</ul>';
@ -765,6 +766,7 @@ class Blogger_Import {
if ( isset( $_REQUEST['blog'] ) ) { if ( isset( $_REQUEST['blog'] ) ) {
$blog = is_array($_REQUEST['blog']) ? array_shift( array_keys( $_REQUEST['blog'] ) ) : $_REQUEST['blog']; $blog = is_array($_REQUEST['blog']) ? array_shift( array_keys( $_REQUEST['blog'] ) ) : $_REQUEST['blog'];
$blog = (int) $blog;
$this->import_blog( $blog ); $this->import_blog( $blog );
} elseif ( isset($_GET['token']) ) } elseif ( isset($_GET['token']) )
$this->auth(); $this->auth();
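Review bot: The Blogger dispatch still calls `$this->import_blog( $blog )` straight from `$_REQUEST['blog']` with no `check_admin_referer()` in sight, so this is the one importer in the commit that gains an int cast but no nonce check, and a crafted GET link can still start an import for a logged-in admin. Adding `check_admin_referer('import-blogger');` before the `import_blog()` call, with `wp_nonce_field('import-blogger')` or `wp_nonce_url()` where the blog is selected, would bring it in line with the other importers; the form or links that submit `blog` are outside this hunk, so the exact field is inferred. In congrats(), the new `(int)` cast means a request without `blog` looks up `$this->import['blogs'][0]['newusers']`, which may not exist and will emit a notice before `count()`; an `isset()` guard on that entry would avoid it. The enclosing method's start lies outside the hunk.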


@ -147,8 +147,9 @@ class Dotclear_Import {
echo '<div class="narrow"><p>'.__('Howdy! This importer allows you to extract posts from a DotClear database into your blog. Mileage may vary.').'</p>'; echo '<div class="narrow"><p>'.__('Howdy! This importer allows you to extract posts from a DotClear database into your blog. Mileage may vary.').'</p>';
echo '<p>'.__('Your DotClear Configuration settings are as follows:').'</p>'; echo '<p>'.__('Your DotClear Configuration settings are as follows:').'</p>';
echo '<form action="admin.php?import=dotclear&amp;step=1" method="post">'; echo '<form action="admin.php?import=dotclear&amp;step=1" method="post">';
wp_nonce_field('import-dotclear');
$this->db_form(); $this->db_form();
echo '<p class="submit"><input type="submit" name="submit" value="'.__('Import Categories').' &raquo;" /></p>'; echo '<p class="submit"><input type="submit" name="submit" value="'.attribute_escape(__('Import Categories &raquo;')).'" /></p>';
echo '</form></div>'; echo '</form></div>';
} }
@ -558,7 +559,8 @@ class Dotclear_Import {
echo '<form action="admin.php?import=dotclear&amp;step=2" method="post">'; echo '<form action="admin.php?import=dotclear&amp;step=2" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Users')); wp_nonce_field('import-dotclear');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Users')));
echo '</form>'; echo '</form>';
} }
@ -570,7 +572,8 @@ class Dotclear_Import {
$this->users2wp($users); $this->users2wp($users);
echo '<form action="admin.php?import=dotclear&amp;step=3" method="post">'; echo '<form action="admin.php?import=dotclear&amp;step=3" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Posts')); wp_nonce_field('import-dotclear');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Posts')));
echo '</form>'; echo '</form>';
} }
@ -581,7 +584,8 @@ class Dotclear_Import {
$this->posts2wp($posts); $this->posts2wp($posts);
echo '<form action="admin.php?import=dotclear&amp;step=4" method="post">'; echo '<form action="admin.php?import=dotclear&amp;step=4" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Comments')); wp_nonce_field('import-dotclear');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Comments')));
echo '</form>'; echo '</form>';
} }
@ -592,7 +596,8 @@ class Dotclear_Import {
$this->comments2wp($comments); $this->comments2wp($comments);
echo '<form action="admin.php?import=dotclear&amp;step=5" method="post">'; echo '<form action="admin.php?import=dotclear&amp;step=5" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Links')); wp_nonce_field('import-dotclear');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Links')));
echo '</form>'; echo '</form>';
} }
@ -604,7 +609,8 @@ class Dotclear_Import {
add_option('dc_links', $links); add_option('dc_links', $links);
echo '<form action="admin.php?import=dotclear&amp;step=6" method="post">'; echo '<form action="admin.php?import=dotclear&amp;step=6" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Finish')); wp_nonce_field('import-dotclear');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Finish')));
echo '</form>'; echo '</form>';
} }
@ -667,42 +673,44 @@ class Dotclear_Import {
if ( $step > 0 ) if ( $step > 0 )
{ {
check_admin_referer('import-dotclear');
if($_POST['dbuser']) if($_POST['dbuser'])
{ {
if(get_option('dcuser')) if(get_option('dcuser'))
delete_option('dcuser'); delete_option('dcuser');
add_option('dcuser',$_POST['dbuser']); add_option('dcuser', sanitize_user($_POST['dbuser'], true));
} }
if($_POST['dbpass']) if($_POST['dbpass'])
{ {
if(get_option('dcpass')) if(get_option('dcpass'))
delete_option('dcpass'); delete_option('dcpass');
add_option('dcpass',$_POST['dbpass']); add_option('dcpass', sanitize_user($_POST['dbpass'], true));
} }
if($_POST['dbname']) if($_POST['dbname'])
{ {
if(get_option('dcname')) if(get_option('dcname'))
delete_option('dcname'); delete_option('dcname');
add_option('dcname',$_POST['dbname']); add_option('dcname', sanitize_user($_POST['dbname'], true));
} }
if($_POST['dbhost']) if($_POST['dbhost'])
{ {
if(get_option('dchost')) if(get_option('dchost'))
delete_option('dchost'); delete_option('dchost');
add_option('dchost',$_POST['dbhost']); add_option('dchost', sanitize_user($_POST['dbhost'], true));
} }
if($_POST['dccharset']) if($_POST['dccharset'])
{ {
if(get_option('dccharset')) if(get_option('dccharset'))
delete_option('dccharset'); delete_option('dccharset');
add_option('dccharset',$_POST['dccharset']); add_option('dccharset', sanitize_user($_POST['dccharset'], true));
} }
if($_POST['dbprefix']) if($_POST['dbprefix'])
{ {
if(get_option('dcdbprefix')) if(get_option('dcdbprefix'))
delete_option('dcdbprefix'); delete_option('dcdbprefix');
add_option('dcdbprefix',$_POST['dbprefix']); add_option('dcdbprefix', sanitize_user($_POST['dbprefix'], true));
} }
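Review bot: Running the DB password and host through `sanitize_user(..., true)` corrupts legitimate values, because strict mode strips every character outside `[A-Za-z0-9 _.\-@]`: a password containing `!`, `#` or `$` is silently changed, and a host written as `localhost:3306` or a socket path loses its `:` and `/`, so the later connection fails with a misleading error. These values are presumably only handed to the database connection, which is not in this hunk, so the right treatment is per-field validation rather than a username sanitizer: keep `dbpass` verbatim (after `stripslashes()` where magic quotes apply) and validate the host with a pattern that admits host syntax, e.g. `preg_match('/^[A-Za-z0-9_.:\/\-]+$/', $_POST['dbhost'])`. A strict identifier whitelist is appropriate for `dbname`, `dbuser` and `dbprefix`, which are the values likely to be spliced into SQL identifiers. Storing the password in wp_options in clear text predates this change, but a comment noting that the importer should delete these options when it finishes would help. The enclosing method starts before this hunk.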


@ -34,6 +34,7 @@ class GM_Import {
<form name="stepOne" method="get"> <form name="stepOne" method="get">
<input type="hidden" name="import" value="greymatter" /> <input type="hidden" name="import" value="greymatter" />
<input type="hidden" name="step" value="1" /> <input type="hidden" name="step" value="1" />
<?php wp_nonce_field('import-greymatter'); ?>
<h3><?php _e('Second step: GreyMatter details:') ?></h3> <h3><?php _e('Second step: GreyMatter details:') ?></h3>
<p><table cellpadding="0"> <p><table cellpadding="0">
<tr> <tr>
@ -87,10 +88,12 @@ class GM_Import {
} }
if (!chdir($archivespath)) if (!chdir($archivespath))
wp_die(sprintf(__("Wrong path, %s\ndoesn't exist\non the server"), $archivespath)); wp_die(__("Wrong path, the path to the GM entries does not exist on the server"));
if (!chdir($gmpath)) if (!chdir($gmpath))
wp_die(sprintf(__("Wrong path, %s\ndoesn't exist\non the server"), $gmpath)); wp_die(__("Wrong path, the path to the GM files does not exist on the server"));
$lastentry = (int) $lastentry;
$this->header(); $this->header();
?> ?>
@ -297,6 +300,7 @@ class GM_Import {
$this->greet(); $this->greet();
break; break;
case 1: case 1:
check_admin_referer('import-greymatter');
$this->import(); $this->import();
break; break;
} }
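Review bot: The nonce is emitted into a `method="get"` form (context line `<form name="stepOne" method="get">`), so `_wpnonce` and `_wp_http_referer` travel in the query string and end up in browser history, server logs and the Referer header of any outbound link on the result page. Changing the form to `method="post" action="admin.php?import=greymatter&amp;step=1"` keeps the routing parameters in the URL while moving the nonce and the GreyMatter path fields into the body; if `check_admin_referer()` reads the nonce from `$_REQUEST`, as this era's core does, the `case 1:` dispatch needs no change. The `chdir($archivespath)` and `chdir($gmpath)` calls still act on admin-supplied filesystem paths; the nonce stops cross-site triggering but a comment that these are trusted-admin inputs would help the next reader. The body of import() continues outside the hunk.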


@ -153,6 +153,7 @@ class LJ_Import {
$this->greet(); $this->greet();
break; break;
case 1 : case 1 :
check_admin_referer('import-upload');
$this->import(); $this->import();
break; break;
} }


@ -147,6 +147,7 @@ class MT_Import {
$authors = $this->get_mt_authors(); $authors = $this->get_mt_authors();
echo '<ol id="authors">'; echo '<ol id="authors">';
echo '<form action="?import=mt&amp;step=2&amp;id=' . $this->id . '" method="post">'; echo '<form action="?import=mt&amp;step=2&amp;id=' . $this->id . '" method="post">';
wp_nonce_field('import-mt');
$j = -1; $j = -1;
foreach ($authors as $author) { foreach ($authors as $author) {
++ $j; ++ $j;
@ -417,9 +418,11 @@ class MT_Import {
$this->greet(); $this->greet();
break; break;
case 1 : case 1 :
check_admin_referer('import-upload');
$this->select_authors(); $this->select_authors();
break; break;
case 2: case 2:
check_admin_referer('import-mt');
$this->import(); $this->import();
break; break;
} }
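Review bot: `$this->id` is concatenated unescaped into the form's action attribute on the new side (`'?import=mt&amp;step=2&amp;id=' . $this->id . '"'`); if it is the attachment ID from the upload step it is an integer and a cast should say so, `'&amp;id=' . (int) $this->id . '"'`, otherwise it needs `attribute_escape()`. The step-2 nonce `import-mt` is also not tied to that id, so a valid nonce can be resubmitted with a different `id`; `wp_nonce_field('import-mt-' . (int) $this->id)` paired with `check_admin_referer('import-mt-' . (int) $_GET['id'])` in the `case 2:` branch would bind the two, assuming `$this->id` is populated from `$_GET['id']` before dispatch, which is not visible here. Where `$this->id` is assigned lies outside these hunks.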


@ -156,6 +156,7 @@ class RSS_Import {
$this->greet(); $this->greet();
break; break;
case 1 : case 1 :
check_admin_referer('import-upload');
$this->import(); $this->import();
break; break;
} }


@ -56,8 +56,9 @@ class Textpattern_Import {
echo '<p>'.__('This has not been tested on previous versions of Textpattern. Mileage may vary.').'</p>'; echo '<p>'.__('This has not been tested on previous versions of Textpattern. Mileage may vary.').'</p>';
echo '<p>'.__('Your Textpattern Configuration settings are as follows:').'</p>'; echo '<p>'.__('Your Textpattern Configuration settings are as follows:').'</p>';
echo '<form action="admin.php?import=textpattern&amp;step=1" method="post">'; echo '<form action="admin.php?import=textpattern&amp;step=1" method="post">';
wp_nonce_field('import-textpattern');
$this->db_form(); $this->db_form();
echo '<p class="submit"><input type="submit" name="submit" value="'.__('Import Categories').' &raquo;" /></p>'; echo '<p class="submit"><input type="submit" name="submit" value="'.attribute_escape(__('Import Categories &raquo;')).'" /></p>';
echo '</form>'; echo '</form>';
echo '</div>'; echo '</div>';
} }
@ -483,7 +484,8 @@ class Textpattern_Import {
echo '<form action="admin.php?import=textpattern&amp;step=2" method="post">'; echo '<form action="admin.php?import=textpattern&amp;step=2" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Users')); wp_nonce_field('import-textpattern');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Users')));
echo '</form>'; echo '</form>';
} }
@ -495,7 +497,8 @@ class Textpattern_Import {
$this->users2wp($users); $this->users2wp($users);
echo '<form action="admin.php?import=textpattern&amp;step=3" method="post">'; echo '<form action="admin.php?import=textpattern&amp;step=3" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Posts')); wp_nonce_field('import-textpattern');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Posts')));
echo '</form>'; echo '</form>';
} }
@ -506,7 +509,8 @@ class Textpattern_Import {
$this->posts2wp($posts); $this->posts2wp($posts);
echo '<form action="admin.php?import=textpattern&amp;step=4" method="post">'; echo '<form action="admin.php?import=textpattern&amp;step=4" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Comments')); wp_nonce_field('import-textpattern');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Comments')));
echo '</form>'; echo '</form>';
} }
@ -517,7 +521,8 @@ class Textpattern_Import {
$this->comments2wp($comments); $this->comments2wp($comments);
echo '<form action="admin.php?import=textpattern&amp;step=5" method="post">'; echo '<form action="admin.php?import=textpattern&amp;step=5" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Links')); wp_nonce_field('import-textpattern');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Links')));
echo '</form>'; echo '</form>';
} }
@ -529,7 +534,8 @@ class Textpattern_Import {
add_option('txp_links', $links); add_option('txp_links', $links);
echo '<form action="admin.php?import=textpattern&amp;step=6" method="post">'; echo '<form action="admin.php?import=textpattern&amp;step=6" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Finish')); wp_nonce_field('import-textpattern');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Finish')));
echo '</form>'; echo '</form>';
} }
@ -590,36 +596,38 @@ class Textpattern_Import {
if ( $step > 0 ) if ( $step > 0 )
{ {
check_admin_referer('import-textpattern');
if($_POST['dbuser']) if($_POST['dbuser'])
{ {
if(get_option('txpuser')) if(get_option('txpuser'))
delete_option('txpuser'); delete_option('txpuser');
add_option('txpuser',$_POST['dbuser']); add_option('txpuser', sanitize_user($_POST['dbuser'], true));
} }
if($_POST['dbpass']) if($_POST['dbpass'])
{ {
if(get_option('txppass')) if(get_option('txppass'))
delete_option('txppass'); delete_option('txppass');
add_option('txppass',$_POST['dbpass']); add_option('txppass', sanitize_user($_POST['dbpass'], true));
} }
if($_POST['dbname']) if($_POST['dbname'])
{ {
if(get_option('txpname')) if(get_option('txpname'))
delete_option('txpname'); delete_option('txpname');
add_option('txpname',$_POST['dbname']); add_option('txpname', sanitize_user($_POST['dbname'], true));
} }
if($_POST['dbhost']) if($_POST['dbhost'])
{ {
if(get_option('txphost')) if(get_option('txphost'))
delete_option('txphost'); delete_option('txphost');
add_option('txphost',$_POST['dbhost']); add_option('txphost', sanitize_user($_POST['dbhost'], true));
} }
if($_POST['dbprefix']) if($_POST['dbprefix'])
{ {
if(get_option('tpre')) if(get_option('tpre'))
delete_option('tpre'); delete_option('tpre');
add_option('tpre',$_POST['dbprefix']); add_option('tpre', sanitize_user($_POST['dbprefix']));
} }
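Review bot: `add_option('tpre', sanitize_user($_POST['dbprefix']))` omits the `true` strict flag that every sibling call in this hunk and the matching Dotclear line use, so the table prefix, the value most likely to be spliced into SQL identifiers, gets the weakest filtering; it should read `add_option('tpre', sanitize_user($_POST['dbprefix'], true));`. Separately, strict `sanitize_user()` is the wrong filter for `dbpass` and `dbhost`: it removes every character outside `[A-Za-z0-9 _.\-@]`, so a password with punctuation or a host such as `localhost:3306` is silently altered and the later connection fails. Keep the password verbatim (after `stripslashes()` where magic quotes apply) and validate the host against a pattern that allows `:` and `/`, e.g. `preg_match('/^[A-Za-z0-9_.:\/\-]+$/', $_POST['dbhost'])`. The enclosing method starts before this hunk.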


@ -159,6 +159,7 @@ class WP_Import {
$authors = $this->get_wp_authors(); $authors = $this->get_wp_authors();
echo '<ol id="authors">'; echo '<ol id="authors">';
echo '<form action="?import=wordpress&amp;step=2&amp;id=' . $this->id . '" method="post">'; echo '<form action="?import=wordpress&amp;step=2&amp;id=' . $this->id . '" method="post">';
wp_nonce_field('import-wordpress');
$j = -1; $j = -1;
foreach ($authors as $author) { foreach ($authors as $author) {
++ $j; ++ $j;
@ -363,9 +364,11 @@ class WP_Import {
$this->greet(); $this->greet();
break; break;
case 1 : case 1 :
check_admin_referer('import-upload');
$this->select_authors(); $this->select_authors();
break; break;
case 2: case 2:
check_admin_referer('import-wordpress');
$this->import(); $this->import();
break; break;
} }
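Review bot: `$this->id` is written unescaped into the step-2 form's action attribute on the new side (`'?import=wordpress&amp;step=2&amp;id=' . $this->id . '"'`); if it is the numeric attachment ID from the upload step, `(int) $this->id` makes that explicit, otherwise `attribute_escape()` is needed. The `import-wordpress` nonce is not bound to that id, so a nonce minted for one uploaded file can be replayed against another `id`; `wp_nonce_field('import-wordpress-' . (int) $this->id)` with `check_admin_referer('import-wordpress-' . (int) $_GET['id'])` in `case 2:` would tie them together, assuming `$this->id` comes from `$_GET['id']`, which is not visible here. Where `$this->id` is assigned lies outside these hunks.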