Require an attachment ID for upload.php?action=edit. fixes #3333

git-svn-id: https://develop.svn.wordpress.org/trunk@4600 602fd350-edb4-49c9-b593-d223f7449a82
2006-12-04 14:05:54 +00:00 · 2006-12-04 14:05:54 +00:00 · bb18d08ce4
parent 1dd63dd9e8
commit bb18d08ce4
1 changed files with 8 additions and 0 deletions
--- a/wp-admin/upload.php
+++ b/wp-admin/upload.php
@ -8,6 +8,14 @@ if (!current_user_can('upload_files'))

 wp_reset_vars(array('action', 'tab', 'from_tab', 'style', 'post_id', 'ID', 'paged', 'post_title', 'post_content', 'delete'));

+// IDs should be integers
+$ID = (int) $ID;
+$post_id = (int) $post_id;
+
+// Require an ID for the edit screen
+if ( $action == 'edit' && !$ID )
+	wp_die(__("You are not allowed to be here"));
+
 require_once('upload-functions.php');
 if ( !$tab )
 	$tab = 'browse-all';