From 97ff094990ddba483b345205dba3a5c2e98cb34b Mon Sep 17 00:00:00 2001
From: Matt Mullenweg <matt@git.wordpress.org>
Date: Fri, 23 May 2003 00:12:22 +0000
Subject: [PATCH] Clean up entire file, improved error messages and HTML, fixed
 editing problem, double-checekd security.

git-svn-id: https://develop.svn.wordpress.org/trunk@41 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-admin/b2template.php | 90 ++++++++++++++++++++---------------------
 1 file changed, 44 insertions(+), 46 deletions(-)

diff --git a/wp-admin/b2template.php b/wp-admin/b2template.php
index 91656d4e31..9e962793f3 100644
--- a/wp-admin/b2template.php
+++ b/wp-admin/b2template.php
@@ -37,21 +37,22 @@ for ($i=0; $i<count($b2varstoreset); $i += 1) {
 
 switch($action) {
 
-case "update":
+case 'update':
 
-	$standalone=1;
-	require_once("./b2header.php");
+	$standalone = 1;
+	require("b2header.php");
 
 	if ($user_level < 3) {
-		die("You have no right to edit the template for this blog.<br>Ask for a promotion to your <a href=\"mailto:$admin_email\">blog admin</a> :)");
+		die('<p>You have no right to edit the template for this blog.<br />Ask for a promotion to your <a href="mailto:$admin_email">blog admin</a>. :)</p>');
 	}
 
 	$newcontent = stripslashes($HTTP_POST_VARS["newcontent"]);
 	$file = $HTTP_POST_VARS["file"];
-	$f = fopen($file,"w+");
-	fwrite($f,$newcontent);
+	$f = fopen($file, 'w+');
+	fwrite($f, $newcontent);
 	fclose($f);
 
+	$file = str_replace('../', '', $file);
 	header("Location: b2template.php?file=$file&a=te");
 	exit();
 
@@ -59,55 +60,51 @@ break;
 
 default:
 
-	include("./b2header.php");
+	require('b2header.php');
 
 	if ($user_level <= 3) {
-		die("You have no right to edit the template for this blog.<br>Ask for a promotion to your <a href=\"mailto:$admin_email\">blog admin</a> :)");
+		die('<p>You have no right to edit the template for this blog.<br>Ask for a promotion to your <a href="mailto:$admin_email">blog admin</a>. :)</p>');
 	}
 
-	if ($file=="") {
-		if ($blogfilename != "") {
+	if ('' == $file) {
+		if ('' != $blogfilename) {
 			$file = $blogfilename;
 		} else {
-			$file = "b2.php";
+			$file = 'index.php';
 		}
 	}
 	
-	if (substr($file,0,2) == "..")
-		die ("Sorry, can't edit files that are up one directory or more.");
+	if ('..' == substr($file,0,2))
+		die ('Sorry, can&#8217;t edit files with ".." in the name. If you are trying to edit a file in your WordPress home directory, you can just type the name of the file in.');
 	
-	if (substr($file,1,1) == ":")
-		die ("Sorry, can't call files with their real path.");
+	if (':' == substr($file,1,1))
+		die ('Sorry, can&#8217;t call files with their real path.');
 
-	if (substr($file,0,1) == "/")
-		$file = ".".$file;
+	if ('/' == substr($file,0,1))
+		$file = '.' . $file;
+	
+	$file = stripslashes($file);
+	$file = '../' . $file;
 	
 	if (!is_file($file))
 		$error = 1;
 
-	$file = stripslashes($file);
-
-	if ((substr($file,0,2) == "b2") and (substr($file,-4,4) == ".php") and ($file != "b2.php"))
-		$warning = " - this is a b2 file, be careful when editing it !";
-
+	if ((substr($file,0,2) == 'b2') and (substr($file,-4,4) == '.php') and ($file != 'b2.php'))
+		$warning = ' &#8212; this is a WordPress file, be careful when editing it!';
+	
 	if (!$error) {
-		$f = fopen($file,"r");
-		$content = fread($f,filesize($file));
-//		$content = template_simplify($content);
+		$f = fopen($file, 'r');
+		$content = fread($f, filesize($file));
 		$content = htmlspecialchars($content);
 //		$content = str_replace("</textarea","&lt;/textarea",$content);
 	}
 
-	echo $blankline;
-	echo $tabletop;
 	?>
-	<table width="100%" cellpadding="5" cellspacing="0">
-	<tr>
-	<td>
+<div class="wrap">
 	<?php
-	echo "Listing <b>$file</b>".$warning;
-	if ($a == "te")
-		echo "<i> [ file edited ! ]</i>";
+	echo "Listing <strong>$file</strong> $warning";
+	if ('te' == $a)
+		echo "<em>File edited successfully.</em>";
 	
 	if (!$error) {
 	?>
@@ -126,25 +123,26 @@ default:
 		</form>
 	<?php
 	} else {
-		echo "<p>oops, no such file !</p>";
+		echo '<p>Oops, no such file exists! Double check the name and try again, merci.</p>';
 	}
-	echo $tablebottom;
 	?>
-	</td>
-	</table>
-	<br />
-	<?php	echo $tabletop; ?>
-	You can also edit the <a href="b2template.php?file=b2comments.php">comments' template</a> or the <a href="b2template.php?file=b2commentspopup.php">popup comments' template</a>, or edit any other file (provided it's writable by the server, e.g. CHMOD 766).<br />
-	<br />
-	To edit a file, type its name here:
-	<form name="file" action="b2template.php" method="get">
+</div>
+
+<div class="wrap"> 
+  <p>You can also edit the <a href="b2template.php?file=b2comments.php">comments 
+    template</a> or the <a href="b2template.php?file=b2commentspopup.php">popup 
+    comments template</a>, or edit any other file (provided it&#8217;s writable by 
+    the server, e.g. CHMOD 766).</p>
+    <p>To edit a file, type its name here:</p>
+  <form name="file" action="b2template.php" method="get">
 	<input type="text" name="file" />
 	<input type="submit" name="submit"  class="search" value="go" />
 	</form>
-	<br />
-	Note: of course, you can also edit the files/templates in your text editor and upload them. This online editor is only meant to be used when you don't have access to a text editor...
 	
-<?php	echo $tablebottom; ?>
+  <p>Note: of course, you can also edit the files/templates in your text editor 
+    and upload them. This online editor is only meant to be used when you don't 
+    have access to a text editor.</p>
+</div>
 	
 
 	<?php