authordonncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36>2008-01-23 01:31:58 +0000
committerdonncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36>2008-01-23 01:31:58 +0000
commit488af8b6d55fd4535e9d88e3bf8cf4d20e583d3d (patch)
treee46c96d4de82c9e0f02e11a3d176d34d7fd6ad80 /wp-admin/options.php
parent8dcb4eb1ed5ce55ab32860892857de425b09f0d1 (diff)
Whitelist the options pages. (plugins may break, see forum)
git-svn-id: http://svn.automattic.com/wordpress-mu/trunk@1188 7be80a69-a1ef-0310-a953-fb0f7c49ff36
Diffstat (limited to 'wp-admin/options.php')
-rw-r--r--wp-admin/options.php42
1 files changed, 32 insertions, 10 deletions
diff --git a/wp-admin/options.php b/wp-admin/options.php
index cb5763e..eb4eb04 100644
--- a/wp-admin/options.php
+++ b/wp-admin/options.php
@@ -7,6 +7,19 @@ $parent_file = 'options-general.php';
wp_reset_vars(array('action'));
+$whitelist_options = array(
+ 'general' => array('siteurl', 'home', 'blogname', 'blogdescription', 'admin_email', 'users_can_register', 'gmt_offset', 'date_format', 'time_format', 'start_of_week', 'comment_registration', 'default_role'),
+ 'discussion' => array( 'default_pingback_flag', 'default_ping_status', 'default_comment_status', 'comments_notify', 'moderation_notify', 'comment_moderation', 'require_name_email', 'comment_whitelist', 'comment_max_links', 'moderation_keys', 'blacklist_keys' ),
+ 'misc' => array( 'hack_file', 'use_linksupdate', 'uploads_use_yearmonth_folders', 'upload_path' ),
+ 'privacy' => array( 'blog_public' ),
+ 'reading' => array( 'posts_per_page', 'posts_per_rss', 'rss_use_excerpt', 'blog_charset', 'gzipcompression', 'show_on_front', 'page_on_front', 'page_for_posts' ),
+ 'writing' => array( 'default_post_edit_rows', 'use_smilies', 'ping_sites', 'mailserver_url', 'mailserver_port', 'mailserver_login', 'mailserver_pass', 'default_category', 'default_email_category', 'use_balanceTags', 'default_link_category' ),
+ 'options' => array( '' ) );
+if ( defined( 'WP_SITEURL' ) ) remove_option_update_handler( 'general', 'siteurl' );
+if ( defined( 'WP_HOME' ) ) remove_option_update_handler( 'general', 'home' );
+
+$whitelist_options = apply_filters( 'whitelist_options', $whitelist_options );
+
if ( !current_user_can('manage_options') )
wp_die(__('Cheatin&#8217; uh?'));
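Review bot: The `misc` entry on the third added line lets every user who passes `current_user_can('manage_options')` write `upload_path` and `hack_file`, which are installation-level settings (where uploads land on disk, and the legacy my-hacks.php include if this tree still honours it); in a multi-user install where blog-level administrators hold that capability, those two should presumably be available only to site admins, e.g. drop them from the array and re-add them after the filter under `if ( is_site_admin() ) $whitelist_options['misc'][] = 'upload_path';`. The `whitelist_options` filter that follows lets plugins add any name back, which the commit message acknowledges, so the trust boundary deserves a comment above the array such as `// Only the option names listed here may be written via option_page=<key>; anything else requires is_site_admin() and the 'options' page.`. The `remove_option_update_handler()` calls rely on a helper that is not visible in this hunk; I am assuming it removes the entry from `$whitelist_options`, which a one-line comment could confirm.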
@@ -23,20 +36,26 @@ if( $_GET[ 'adminhash' ] ) {
exit;
}
}
+
switch($action) {
case 'update':
$any_changed = 0;
- check_admin_referer('update-options');
+ $option_page = $_POST[ 'option_page' ];
+ check_admin_referer( $option_page . '-options' );
- if ( !$_POST['page_options'] ) {
- foreach ( (array) $_POST as $key => $value) {
- if ( !in_array($key, array('_wpnonce', '_wp_http_referer')) )
- $options[] = $key;
+ if( !isset( $whitelist_options[ $option_page ] ) )
+ wp_die( __( 'Error! Options page not found.' ) );
+
+ if( $option_page == 'options' ) {
+ if( is_site_admin() ) {
+ $options = explode(',', stripslashes( $_POST[ 'page_options' ] ));
+ } else {
+ die( 'Not admin' );
}
} else {
- $options = explode(',', stripslashes($_POST['page_options']));
+ $options = $whitelist_options[ $option_page ];
}
if ($options) {
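Review bot: `$option_page` is taken straight from `$_POST` on the first added line and used to build the nonce action before it is checked against `$whitelist_options`, so an array or otherwise malformed value reaches `check_admin_referer()` and `isset()` as an unvalidated key and only fails later with a PHP notice. Coerce it and do the whitelist lookup first: `$option_page = isset( $_POST['option_page'] ) ? (string) $_POST['option_page'] : '';`, then the existing `if( !isset( $whitelist_options[ $option_page ] ) ) wp_die(...)`, then `check_admin_referer( $option_page . '-options' );`. For the `options` page a site admin may still name any option in `page_options`, which looks intentional but should be stated, e.g. `// 'options' is the all-options screen: site admins may write arbitrary option names here`. The bare `die( 'Not admin' )` in that branch is inconsistent with the `wp_die( __( ... ) )` used three lines earlier; `wp_die( __( 'Not admin' ) )` keeps the error handling uniform.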
@@ -44,7 +63,7 @@ case 'update':
$option = trim($option);
$value = $_POST[$option];
if(!is_array($value)) $value = trim($value);
- $value = stripslashes_deep($value);
+ $value = stripslashes_deep($value);
update_option($option, $value);
}
}
@@ -54,16 +73,17 @@ case 'update':
break;
default:
-if (!is_site_admin())
- die('Not admin');
+ if (!is_site_admin())
+ die('Not admin');
include('admin-header.php'); ?>
<div class="wrap">
<h2><?php _e('All Options'); ?></h2>
<form name="form" action="options.php" method="post" id="all-options">
- <?php wp_nonce_field('update-options') ?>
+ <?php wp_nonce_field('options-options') ?>
<input type="hidden" name="action" value="update" />
+ <input type='hidden' name='option_page' value='options' />
<p class="submit"><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
<table width="98%">
<?php
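Review bot: The added hidden input uses single-quoted HTML attributes (`<input type='hidden' name='option_page' value='options' />`) while the surrounding `action`, `id` and `name` attributes on this form all use double quotes; switching to `<input type="hidden" name="option_page" value="options" />` keeps the markup consistent. The reindented `die('Not admin')` also differs from the `wp_die( __( ... ) )` style used for the other failures in this file, and could become `wp_die( __( 'Not admin' ) )`. The `default:` branch of the switch continues past this hunk.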
@@ -72,6 +92,8 @@ $options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name
foreach ( (array) $options as $option) :
$disabled = '';
$option->option_name = attribute_escape($option->option_name);
+ if( $option->option_name == '' )
+ continue;
if ( is_serialized($option->option_value) ) {
if ( is_serialized_string($option->option_value) ) {
// this is a serialized string, so we should display it
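Review bot: Skipping rows whose `option_name` is empty hides a symptom rather than its cause: on the `options` page the update branch earlier in this file builds `$options` with `explode(',', ...)` and only `trim()`s each entry, so a trailing or doubled comma in `page_options` yields `''` and `update_option('', ...)` creates exactly the empty-named row this check filters out. Add the guard in the update loop instead, right after `$option = trim($option);`, as `if ( $option === '' ) continue;`, and keep this display-side skip only as defence in depth with a comment such as `// Defensive: ignore malformed rows with an empty option_name`. The comparison here should also be strict, `if ( $option->option_name === '' )`, since it runs on the already attribute-escaped string. The enclosing foreach continues beyond the end of this hunk.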