From 8bc92a8d4f3dfd501a3afa667b22acabc3ceb8d4 Mon Sep 17 00:00:00 2001
From: Ryan Boren
Date: Thu, 18 Jun 2009 00:33:07 +0000
Subject: [PATCH] Require all plugin page requests (?page=) to be for registered plugins pages. Provides CYA for plugins that don't do enough cap checking. action requests not bound to a plugin page still go through.

git-svn-id: https://develop.svn.wordpress.org/trunk@11595 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-admin/includes/plugin.php | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/wp-admin/includes/plugin.php b/wp-admin/includes/plugin.php
index 9b14af63d0..4afb9ffe97 100644
--- a/wp-admin/includes/plugin.php
+++ b/wp-admin/includes/plugin.php
@@ -585,7 +585,7 @@ function uninstall_plugin($plugin) {
 //
 
 function add_menu_page( $page_title, $menu_title, $access_level, $file, $function = '', $icon_url = '' ) {
-	global $menu, $admin_page_hooks;
+	global $menu, $admin_page_hooks, $_registered_pages;
 
 	$file = plugin_basename( $file );
 
@@ -602,11 +602,13 @@ function add_menu_page( $page_title, $menu_title, $access_level, $file, $functio
 
 	$menu[] = array ( $menu_title, $access_level, $file, $page_title, 'menu-top ' . $hookname, $hookname, $icon_url );
 
+	$_registered_pages[$hookname] = true;
+
 	return $hookname;
 }
 
 function add_object_page( $page_title, $menu_title, $access_level, $file, $function = '', $icon_url = '') {
-	global $menu, $admin_page_hooks, $_wp_last_object_menu;
+	global $menu, $admin_page_hooks, $_wp_last_object_menu, $_registered_pages;
 
 	$file = plugin_basename( $file );
 
@@ -623,11 +625,13 @@ function add_object_page( $page_title, $menu_title, $access_level, $file, $funct
 
 	$menu[$_wp_last_object_menu] = array ( $menu_title, $access_level, $file, $page_title, 'menu-top ' . $hookname, $hookname, $icon_url );
 
+	$_registered_pages[$hookname] = true;
+
 	return $hookname;
 }
 
 function add_utility_page( $page_title, $menu_title, $access_level, $file, $function = '', $icon_url = '') {
-	global $menu, $admin_page_hooks, $_wp_last_utility_menu;
+	global $menu, $admin_page_hooks, $_wp_last_utility_menu, $_registered_pages;
 
 	$file = plugin_basename( $file );
 
@@ -646,6 +650,8 @@ function add_utility_page( $page_title, $menu_title, $access_level, $file, $func
 
 	$menu[$_wp_last_utility_menu] = array ( $menu_title, $access_level, $file, $page_title, 'menu-top ' . $hookname, $hookname, $icon_url );
 
+	$_registered_pages[$hookname] = true;
+
 	return $hookname;
 }
 
@@ -654,6 +660,7 @@ function add_submenu_page( $parent, $page_title, $menu_title, $access_level, $fi
 	global $menu;
 	global $_wp_real_parent_file;
 	global $_wp_submenu_nopriv;
+	global $_registered_pages;
 
 	$file = plugin_basename( $file );
 
@@ -683,6 +690,8 @@ function add_submenu_page( $parent, $page_title, $menu_title, $access_level, $fi
 	if (!empty ( $function ) && !empty ( $hookname ))
 		add_action( $hookname, $function );
 
+	$_registered_pages[$hookname] = true;
+
 	return $hookname;
 }
 
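Review bot: In the last hunk of this line the registration `$_registered_pages[$hookname] = true;` is unconditional, while the `add_action( $hookname, $function )` two lines above is guarded by `!empty ( $hookname )`; if `$hookname` can in fact be empty at that point (the guard suggests the author thought so), the new line would create an allowlist entry under the empty key, which is the one value the new check in user_can_access_admin_page() should never accept. Mirroring the existing guard keeps the two statements consistent: `if ( !empty ( $hookname ) ) $_registered_pages[$hookname] = true;`. add_submenu_page() begins outside this hunk, so where `$hookname` is computed is not visible here; if it is always non-empty the guard is merely defensive.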
@@ -919,14 +928,21 @@ function user_can_access_admin_page() {
 	global $_wp_menu_nopriv;
 	global $_wp_submenu_nopriv;
 	global $plugin_page;
+	global $_registered_pages;
 
 	$parent = get_admin_page_parent();
 
 	if ( !isset( $plugin_page ) && isset( $_wp_submenu_nopriv[$parent][$pagenow] ) )
 		return false;
 
-	if ( isset( $plugin_page ) && isset( $_wp_submenu_nopriv[$parent][$plugin_page] ) )
-		return false;
+	if ( isset( $plugin_page ) ) {
+		if ( isset( $_wp_submenu_nopriv[$parent][$plugin_page] ) )
+			return false;
+
+		$hookname = get_plugin_page_hookname($plugin_page, $parent);
+		if ( !isset($_registered_pages[$hookname]) )
+			return false;
+	}
 
 	if ( empty( $parent) ) {
 		if ( isset( $_wp_menu_nopriv[$pagenow] ) )
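Review bot: The allowlist check added inside the new `if ( isset( $plugin_page ) )` block keys on the derived hookname rather than on the `?page=` slug itself, so any two slugs that `get_plugin_page_hookname()` maps to the same string both pass once either is registered; if that function normalizes the slug (for example by stripping a `.php` suffix — not visible here), the check is coarser than the commit message suggests, and also recording the raw slug in `$_registered_pages` at registration time would make it exact. The block also needs a why-comment, since nothing on these lines says why an unregistered page is refused: `// Refuse ?page= values no plugin registered via add_*_page(); such handlers may never check capabilities themselves.` Because `$_registered_pages` is populated only by the add_*_page() helpers, any page previously rendered through another path is now denied — presumably intended, but worth stating in that comment. The rest of user_can_access_admin_page() continues outside the hunk.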