author | donncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36> | 2008-01-23 01:31:58 +0000 |
committer | donncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36> | 2008-01-23 01:31:58 +0000 |
commit | 488af8b6d55fd4535e9d88e3bf8cf4d20e583d3d (patch) | |
tree | e46c96d4de82c9e0f02e11a3d176d34d7fd6ad80 /wp-admin | |
parent | 8dcb4eb1ed5ce55ab32860892857de425b09f0d1 (diff) | |
Whitelist the options pages. (plugins may break, see forum)
git-svn-id: http://svn.automattic.com/wordpress-mu/trunk@1188 7be80a69-a1ef-0310-a953-fb0f7c49ff36
Diffstat (limited to 'wp-admin')
-rw-r--r-- | wp-admin/includes/misc.php | 57 | ||||
-rw-r--r-- | wp-admin/includes/mu.php | 16 | ||||
-rw-r--r-- | wp-admin/options-discussion.php | 4 | ||||
-rw-r--r-- | wp-admin/options-general.php | 4 | ||||
-rw-r--r-- | wp-admin/options-misc.php | 4 | ||||
-rw-r--r-- | wp-admin/options-privacy.php | 4 | ||||
-rw-r--r-- | wp-admin/options-reading.php | 4 | ||||
-rw-r--r-- | wp-admin/options-writing.php | 9 | ||||
-rw-r--r-- | wp-admin/options.php | 42 |
9 files changed, 122 insertions, 22 deletions
diff --git a/wp-admin/includes/misc.php b/wp-admin/includes/misc.php
index db28014..23f998f 100644
--- a/wp-admin/includes/misc.php
+++ b/wp-admin/includes/misc.php
@@ -175,4 +175,61 @@ function wp_reset_vars( $vars ) {
 }
 }
 
+function add_option_update_handler($option_group, $option_name, $sanitize_callback = '') {
+ global $new_whitelist_options, $sanitize_callbacks;
+ $new_whitelist_options[ $option_group ][] = $option_name;
+ if( $sanitize_callback != '' )
+ add_filter( "sanitize_option_{$option_name}", $sanitize_callback );
+}
+
+function remove_option_update_handler($option_group, $option_name, $sanitize_callback = '') {
+ global $new_whitelist_options, $sanitize_callbacks;
+ $pos = array_search( $option_name, $new_whitelist_options );
+ if( $pos !== false )
+ unset( $new_whitelist_options[ $option_group ][ $pos ] );
+ if( $sanitize_callback != '' )
+ remove_filter( "sanitize_option_{$option_name}", $sanitize_callback );
+}
+
+function option_update_filter( $options ) {
+ global $new_whitelist_options;
+
+ if( is_array( $new_whitelist_options ) )
+ $options = add_option_whitelist( $new_whitelist_options, $options );
+
+ return $options;
+}
+add_filter( 'whitelist_options', 'option_update_filter' );
+
+function add_option_whitelist( $new_options, $options = '' ) {
+ if( $options == '' ) {
+ global $whitelist_options;
+ } else {
+ $whitelist_options = $options;
+ }
+ foreach( $new_options as $page => $keys ) {
+ foreach( $keys as $key ) {
+ $pos = array_search( $key, $whitelist_options[ $page ] );
+ if( $pos === false )
+ $whitelist_options[ $page ][] = $key;
+ }
+ }
+ return $whitelist_options;
+}
+
+function remove_option_whitelist( $del_options, $options = '' ) {
+ if( $options == '' ) {
+ global $whitelist_options;
+ } else {
+ $whitelist_options = $options;
+ }
+ foreach( $del_options as $page => $keys ) {
+ foreach( $keys as $key ) {
+ $pos = array_search( $key, $whitelist_options[ $page ] );
+ if( $pos !== false )
+ unset( $whitelist_options[ $page ][ $pos ] );
+ }
+ }
+ return $whitelist_options;
+}
 ?>
diff --git a/wp-admin/includes/mu.php b/wp-admin/includes/mu.php
index d24ce46..f5dd094 100644
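Review bot: `remove_option_update_handler` searches the wrong array: `array_search( $option_name, $new_whitelist_options )` scans the top level, whose values are the per-group arrays, so `$pos` is always `false` and nothing is ever removed from `$new_whitelist_options[ $option_group ]`. The lookup should be `$pos = isset( $new_whitelist_options[ $option_group ] ) ? array_search( $option_name, $new_whitelist_options[ $option_group ] ) : false;`. The `$sanitize_callbacks` global declared in both handlers is never read or written here. In `add_option_whitelist` and `remove_option_whitelist`, `array_search( $key, $whitelist_options[ $page ] )` emits a warning when a caller registers a page key that does not yet exist in the whitelist; passing `(array) $whitelist_options[ $page ]` avoids that.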
--- a/wp-admin/includes/mu.php
+++ b/wp-admin/includes/mu.php
@@ -411,4 +411,20 @@ function wpmu_menu() {
 }
 add_action( '_admin_menu', 'wpmu_menu' );
 
+function mu_options( $options ) {
+ $removed = array( 'general' => array( 'admin_email', 'default_role' ),
+ 'reading' => array( 'gzipcompression' ),
+ 'writing' => array( 'ping_sites', 'mailserver_login', 'mailserver_pass', 'default_email_category', 'mailserver_port', 'mailserver_url' ) );
+
+ $added = array( 'general' => array( 'new_admin_email', 'WPLANG', 'language' ) );
+
+ unset( $options[ 'misc' ] );
+
+ $options = remove_option_whitelist( $removed, $options );
+ $options = add_option_whitelist( $added, $options );
+
+ return $options;
+}
+add_filter( 'whitelist_options', 'mu_options' );
+
 ?>
diff --git a/wp-admin/options-discussion.php b/wp-admin/options-discussion.php
index 78deefd..3f8ce72 100644
--- a/wp-admin/options-discussion.php
+++ b/wp-admin/options-discussion.php
@@ -10,7 +10,8 @@ include('admin-header.php');
 <div class="wrap">
 <h2><?php _e('Discussion Options') ?></h2>
 <form method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<?php wp_nonce_field('discussion-options') ?>
+<input type='hidden' name='option_page' value='discussion' />
 <p class="submit"><input type="submit" name="Submit" value="<?php _e('Update Options »') ?>" /></p>
 <fieldset class="options">
 <legend><?php echo __('Usual settings for an article:').'<br /><small><em>('.__('These settings may be overridden for individual articles.').')</em></small>'; ?></legend>
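Review bot: `mu_options` drops `admin_email` and `default_role` from the `general` list but leaves `siteurl` and `home`, which the base whitelist in options.php includes and which the `page_options` field removed from options-general.php in this commit never listed. Because the update loop in options.php reads `$_POST[$option]` for every whitelisted key and writes the trimmed value with `update_option`, a normal General Options submit would overwrite `siteurl` and `home` with `''` unless that form actually posts those fields, and any user holding `manage_options` on a blog can set them by including the fields in the POST. Suggested change: `'general' => array( 'siteurl', 'home', 'admin_email', 'default_role' ),`.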
@@ -77,7 +78,6 @@ include('admin-header.php');
 </fieldset>
 <p class="submit">
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="default_pingback_flag,default_ping_status,default_comment_status,comments_notify,moderation_notify,comment_moderation,require_name_email,comment_whitelist,comment_max_links,moderation_keys,blacklist_keys" />
 <input type="submit" name="Submit" value="<?php _e('Update Options »') ?>" />
 </p>
 </form>
diff --git a/wp-admin/options-general.php b/wp-admin/options-general.php
index e201be0..d05e8db 100644
--- a/wp-admin/options-general.php
+++ b/wp-admin/options-general.php
@@ -10,7 +10,8 @@ include('./admin-header.php');
 <div class="wrap">
 <h2><?php _e('General Options') ?></h2>
 <form method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<?php wp_nonce_field('general-options') ?>
+<input type='hidden' name='option_page' value='general' />
 <p class="submit"><input type="submit" name="Submit" value="<?php _e('Update Options »') ?>" /></p>
 <table class="optiontable">
 <tr valign="top">
@@ -105,7 +106,6 @@ endfor;
 
 <p class="submit"><input type="submit" name="Submit" value="<?php _e('Update Options »') ?>" />
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="blogname,blogdescription,new_admin_email,users_can_register,gmt_offset,date_format,time_format,start_of_week,comment_registration,WPLANG,language" />
 </p>
 </form>
 
diff --git a/wp-admin/options-misc.php b/wp-admin/options-misc.php
index f12d91f..ded2de4 100644
--- a/wp-admin/options-misc.php
+++ b/wp-admin/options-misc.php
@@ -12,7 +12,8 @@ include('admin-header.php');
 <div class="wrap">
 <h2><?php _e('Miscellaneous Options') ?></h2>
 <form method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<?php wp_nonce_field('misc-options') ?>
+<input type='hidden' name='option_page' value='misc' />
 <p class="submit"><input type="submit" name="Submit" value="<?php _e('Update Options »') ?>" /></p>
 <fieldset class="options">
 <legend><?php _e('Uploading'); ?></legend>
@@ -44,7 +45,6 @@ include('admin-header.php');
 
 <p class="submit">
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="hack_file,use_linksupdate,uploads_use_yearmonth_folders,upload_path" />
 <input type="submit" name="Submit" value="<?php _e('Update Options »') ?>" />
 </p>
 </form>
diff --git a/wp-admin/options-privacy.php b/wp-admin/options-privacy.php
index 61a9ed6..62b5135 100644
--- a/wp-admin/options-privacy.php
+++ b/wp-admin/options-privacy.php
@@ -13,7 +13,8 @@ if( trim( get_option('blog_public') ) == '' )
 <div class="wrap">
 <h2><?php _e('Privacy Options') ?></h2>
 <form method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<?php wp_nonce_field('privacy-options') ?>
+<input type='hidden' name='option_page' value='privacy' />
 <table class="optiontable">
 <tr valign="top">
 <th scope="row"><?php _e('Blog visibility:') ?> </th>
@@ -30,7 +31,6 @@ if( trim( get_option('blog_public') ) == '' )
 
 <p class="submit"><input type="submit" name="Submit" value="<?php _e('Update Options »') ?>" />
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="blog_public" />
 </p>
 </form>
 
diff --git a/wp-admin/options-reading.php b/wp-admin/options-reading.php
index fbc08bc..08900bc 100644
--- a/wp-admin/options-reading.php
+++ b/wp-admin/options-reading.php
@@ -10,7 +10,8 @@ include('admin-header.php');
 <div class="wrap">
 <h2><?php _e('Reading Options') ?></h2>
 <form name="form1" method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<?php wp_nonce_field('reading-options') ?>
+<input type='hidden' name='option_page' value='reading' />
 <p class="submit"><input type="submit" name="Submit" value="<?php _e('Update Options »') ?>" /></p>
 <?php if ( get_pages() ): ?>
 <fieldset class="options">
@@ -84,7 +85,6 @@ include('admin-header.php');
 </table>
 <p class="submit">
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="posts_per_page,posts_per_rss,rss_use_excerpt,blog_charset,show_on_front,page_on_front,page_for_posts" />
 <input type="submit" name="Submit" value="<?php _e('Update Options »') ?>" />
 </p>
 </form>
diff --git a/wp-admin/options-writing.php b/wp-admin/options-writing.php
index 6c0db1e..d291e5f 100644
--- a/wp-admin/options-writing.php
+++ b/wp-admin/options-writing.php
@@ -10,7 +10,8 @@ include('admin-header.php');
 <div class="wrap">
 <h2><?php _e('Writing Options') ?></h2>
 <form method="post" action="options.php">
-<?php wp_nonce_field('update-options') ?>
+<?php wp_nonce_field('writing-options') ?>
+<input type='hidden' name='option_page' value='writing' />
 <p class="submit"><input type="submit" name="Submit" value="<?php _e('Update Options »') ?>" /></p>
 <table width="100%" cellspacing="2" cellpadding="5" class="optiontable editform">
 <tr valign="top">
@@ -56,9 +57,13 @@ endforeach;
 </select></td>
 </tr>
 </table>
+
+
+
+</fieldset>
+
 <p class="submit">
 <input type="hidden" name="action" value="update" />
-<input type="hidden" name="page_options" value="default_post_edit_rows,use_smilies,default_category,default_email_category,use_balanceTags,default_link_category" />
 <input type="submit" name="Submit" value="<?php _e('Update Options »') ?>" />
 </p>
 </form>
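Review bot: The `</fieldset>` added after `</table>` in the second options-writing.php hunk has no matching `<fieldset>` anywhere in the hunk, and the surrounding markup in this hunk is a plain `<table>` followed by `<p class="submit">`. If no opening `<fieldset>` precedes the table earlier on the page, this is a stray close tag and the five added lines (three blank lines, `</fieldset>`, one blank line) should be dropped; if there is one, the three leading blank lines are still unrelated noise in the change.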
diff --git a/wp-admin/options.php b/wp-admin/options.php
index cb5763e..eb4eb04 100644
--- a/wp-admin/options.php
+++ b/wp-admin/options.php
@@ -7,6 +7,19 @@ $parent_file = 'options-general.php';
 
 wp_reset_vars(array('action'));
 
+$whitelist_options = array(
+ 'general' => array('siteurl', 'home', 'blogname', 'blogdescription', 'admin_email', 'users_can_register', 'gmt_offset', 'date_format', 'time_format', 'start_of_week', 'comment_registration', 'default_role'),
+ 'discussion' => array( 'default_pingback_flag', 'default_ping_status', 'default_comment_status', 'comments_notify', 'moderation_notify', 'comment_moderation', 'require_name_email', 'comment_whitelist', 'comment_max_links', 'moderation_keys', 'blacklist_keys' ),
+ 'misc' => array( 'hack_file', 'use_linksupdate', 'uploads_use_yearmonth_folders', 'upload_path' ),
+ 'privacy' => array( 'blog_public' ),
+ 'reading' => array( 'posts_per_page', 'posts_per_rss', 'rss_use_excerpt', 'blog_charset', 'gzipcompression', 'show_on_front', 'page_on_front', 'page_for_posts' ),
+ 'writing' => array( 'default_post_edit_rows', 'use_smilies', 'ping_sites', 'mailserver_url', 'mailserver_port', 'mailserver_login', 'mailserver_pass', 'default_category', 'default_email_category', 'use_balanceTags', 'default_link_category' ),
+ 'options' => array( '' ) );
+if ( defined( 'WP_SITEURL' ) ) remove_option_update_handler( 'general', 'siteurl' );
+if ( defined( 'WP_HOME' ) ) remove_option_update_handler( 'general', 'home' );
+
+$whitelist_options = apply_filters( 'whitelist_options', $whitelist_options );
+
 if ( !current_user_can('manage_options') )
 wp_die(__('Cheatin’ uh?'));
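Review bot: `remove_option_update_handler( 'general', 'siteurl' )` on the `WP_SITEURL` line edits the plugin-registration array `$new_whitelist_options` (see its body in wp-admin/includes/misc.php in this commit), not the `$whitelist_options` array defined directly above it, so defining `WP_SITEURL` or `WP_HOME` does not take `siteurl` or `home` out of the whitelist that the update loop later iterates. Use the whitelist helper on the local array instead: `if ( defined( 'WP_SITEURL' ) ) $whitelist_options = remove_option_whitelist( array( 'general' => array( 'siteurl' ) ), $whitelist_options );` and the same for `WP_HOME`. The `'options' => array( '' )` entry deserves a comment such as `// placeholder so isset( $whitelist_options['options'] ) passes for the All Options page; the list itself is never iterated`, since the `update` branch reads that page's option names from `page_options` rather than from this array.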
@@ -23,20 +36,26 @@ if( $_GET[ 'adminhash' ] ) { exit; } } + switch($action) { case 'update': $any_changed = 0; - check_admin_referer('update-options'); + $option_page = $_POST[ 'option_page' ]; + check_admin_referer( $option_page . '-options' ); - if ( !$_POST['page_options'] ) { - foreach ( (array) $_POST as $key => $value) { - if ( !in_array($key, array('_wpnonce', '_wp_http_referer')) ) - $options[] = $key; + if( !isset( $whitelist_options[ $option_page ] ) ) + wp_die( __( 'Error! Options page not found.' ) ); + + if( $option_page == 'options' ) { + if( is_site_admin() ) { + $options = explode(',', stripslashes( $_POST[ 'page_options' ] )); + } else { + die( 'Not admin' ); } } else { - $options = explode(',', stripslashes($_POST['page_options'])); + $options = $whitelist_options[ $option_page ]; } if ($options) { @@ -44,7 +63,7 @@ case 'update': $option = trim($option); $value = $_POST[$option]; if(!is_array($value)) $value = trim($value); - $value = stripslashes_deep($value); + $value = stripslashes_deep($value); update_option($option, $value); } } @@ -54,16 +73,17 @@ case 'update': break; default: -if (!is_site_admin()) - die('Not admin'); + if (!is_site_admin()) + die('Not admin'); include('admin-header.php'); ?> <div class="wrap"> <h2><?php _e('All Options'); ?></h2> <form name="form" action="options.php" method="post" id="all-options"> - <?php wp_nonce_field('update-options') ?> + <?php wp_nonce_field('options-options') ?> <input type="hidden" name="action" value="update" /> + <input type='hidden' name='option_page' value='options' /> <p class="submit"><input type="submit" name="Update" value="<?php _e('Update Options »') ?>" /></p> <table width="98%"> <?php 
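Review bot: `$option_page = $_POST[ 'option_page' ];` reads the key without `isset`, so a POST that omits it raises a notice before the nonce check on `-options` fails; read it as `$option_page = isset( $_POST['option_page'] ) ? $_POST['option_page'] : '';`. The non-site-admin branch uses `die( 'Not admin' )` while the page-not-found branch two lines above uses `wp_die( __( ... ) )`; `wp_die( __( 'Not admin' ) )` keeps the two consistent and translatable. The `switch` and the `update` case continue past the end of this hunk.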
@@ -72,6 +92,8 @@ $options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name
 foreach ( (array) $options as $option) :
 $disabled = '';
 $option->option_name = attribute_escape($option->option_name);
+ if( $option->option_name == '' )
+ continue;
 if ( is_serialized($option->option_value) ) {
 if ( is_serialized_string($option->option_value) ) {
 // this is a serialized string, so we should display it |