Hardening. Santizers for WPLANG and new_admin_email. Prevent stomping ID and filter. Validate locale filename. Props westi.

git-svn-id: https://develop.svn.wordpress.org/trunk@18346 602fd350-edb4-49c9-b593-d223f7449a82
2011-06-27 15:56:42 +00:00 · 2011-06-27 15:56:42 +00:00 · 091ec81919
commit 091ec81919
parent 7a9c81cdb1
6 changed files with 38 additions and 4 deletions
--- a/wp-admin/custom-header.php
+++ b/wp-admin/custom-header.php
@ -646,7 +646,8 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
 		'post_content' => $url,
 		'post_mime_type' => $type,
 		'guid' => $url,
-		'context' => 'custom-header');
+		'context' => 'custom-header'
+		);

 		// Save the data
 		$id = wp_insert_attachment($object, $file);
--- a/wp-admin/includes/media.php
+++ b/wp-admin/includes/media.php
@ -228,6 +228,10 @@ function media_handle_upload($file_id, $post_id, $post_data = array(), $override
 		'post_content' => $content,
 	), $post_data );

+	// This should never be set as it would then overwrite an existing attachment.
+	if ( isset( $attachment['ID'] ) )
+		unset( $attachment['ID'] );
+
 	// Save the data
 	$id = wp_insert_attachment($attachment, $file, $post_id);
 	if ( !is_wp_error($id) ) {
@ -281,6 +285,10 @@ function media_handle_sideload($file_array, $post_id, $desc = null, $post_data =
 		'post_content' => $content,
 	), $post_data );

+	// This should never be set as it would then overwrite an existing attachment.
+	if ( isset( $attachment['ID'] ) )
+		unset( $attachment['ID'] );
+
 	// Save the attachment metadata
 	$id = wp_insert_attachment($attachment, $file, $post_id);
 	if ( !is_wp_error($id) )
--- a/wp-admin/includes/post.php
+++ b/wp-admin/includes/post.php
@ -142,6 +142,10 @@ function edit_post( $post_data = null ) {
 	if ( empty($post_data) )
 		$post_data = &$_POST;

+	// Clear out any data in internal vars.
+	if ( isset( $post_data['filter'] ) )
+		unset( $post_data['filter'] );
+
 	$post_ID = (int) $post_data['post_ID'];
 	$post = get_post( $post_ID );
 	$post_data['post_type'] = $post->post_type;
@ -560,6 +564,15 @@ function wp_write_post() {
 		}
 	}

+	// Edit don't write if we have a post id.
+	if ( isset( $_POST['ID'] ) ) {
+		$_POST['post_ID'] = $_POST['ID'];
+		unset ( $_POST['ID'] );
+	}
+	if ( isset( $_POST['post_ID'] ) ) {
+		return edit_post();
+	}
+
 	$translated = _wp_translate_postdata( false );
 	if ( is_wp_error($translated) )
 		return $translated;
--- a/wp-admin/options-general.php
+++ b/wp-admin/options-general.php
@ -127,7 +127,7 @@ include('./admin-header.php');
 $new_admin_email = get_option( 'new_admin_email' );
 if ( $new_admin_email && $new_admin_email != get_option('admin_email') ) : ?>
 <div class="updated inline">
-<p><?php printf( __('There is a pending change of the admin e-mail to <code>%1$s</code>. <a href="%2$s">Cancel</a>'), $new_admin_email, esc_url( admin_url( 'options.php?dismiss=new_admin_email' ) ) ); ?></p>
+<p><?php printf( __('There is a pending change of the admin e-mail to <code>%1$s</code>. <a href="%2$s">Cancel</a>'), esc_html( $new_admin_email ), esc_url( admin_url( 'options.php?dismiss=new_admin_email' ) ) ); ?></p>
 </div>
 <?php endif; ?>
 </td>
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@ -2426,7 +2426,14 @@ function sanitize_option($option, $value) {
 					add_settings_error('admin_email', 'invalid_admin_email', __('The email address entered did not appear to be a valid email address. Please enter a valid email address.'));
 			}
 			break;
-
+		case 'new_admin_email':
+			$value = sanitize_email($value);
+			if ( !is_email($value) ) {
+				$value = get_option( $option ); // Resets option to stored value in the case of failed sanitization
+				if ( function_exists('add_settings_error') )
+					add_settings_error('new_admin_email', 'invalid_admin_email', __('The email address entered did not appear to be a valid email address. Please enter a valid email address.'));
+			}
+			break;
 		case 'thumbnail_size_w':
 		case 'thumbnail_size_h':
 		case 'medium_size_w':
@ -2520,6 +2527,11 @@ function sanitize_option($option, $value) {
 					add_settings_error('home', 'invalid_home', __('The Site address you entered did not appear to be a valid URL. Please enter a valid URL.'));
 			}
 			break;
+		case 'WPLANG':
+			$allowed = get_available_languages();
+			if ( ! in_array( $value, $allowed ) && ! empty( $value ) )
+				$value = get_option( $option );
+			break;

 		case 'timezone_string':
 			$allowed_zones = timezone_identifiers_list();
--- a/wp-settings.php
+++ b/wp-settings.php
@ -258,7 +258,7 @@ load_default_textdomain();
 // Find the blog locale.
 $locale = get_locale();
 $locale_file = WP_LANG_DIR . "/$locale.php";
-if ( is_readable( $locale_file ) )
+if ( ( 0 === validate_file( $locale ) ) && is_readable( $locale_file ) )
 	require( $locale_file );
 unset($locale_file);