<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><style type="text/css"><!--
#msg dl { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fc0 solid; padding: 6px; }
#msg ul, pre { overflow: auto; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<title>[12310] trunk: Fix file validation in theme editor.</title>
</head>
<body>
<div id="msg">
<dl>
<dt>Revision</dt> <dd><a href="http://trac.wordpress.org/changeset/12310">12310</a></dd>
<dt>Author</dt> <dd>ryan</dd>
<dt>Date</dt> <dd>2009-12-01 22:03:13 +0000 (Tue, 01 Dec 2009)</dd>
</dl>
<h3>Log Message</h3>
<pre>Fix file validation in theme editor. Props dd32. fixes <a href="http://trac.wordpress.org/ticket/11032">#11032</a></pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkwpadminincludesfilephp">trunk/wp-admin/includes/file.php</a></li>
<li><a href="#trunkwpadminplugineditorphp">trunk/wp-admin/plugin-editor.php</a></li>
<li><a href="#trunkwpadminthemeeditorphp">trunk/wp-admin/theme-editor.php</a></li>
<li><a href="#trunkwpincludesfunctionsphp">trunk/wp-includes/functions.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkwpadminincludesfilephp"></a>
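--- a/trunk/wp-admin/includes/file.php
+++ b/trunk/wp-admin/includes/file.php
@@ -195,8 +195,6 @@
  * @return unknown
  */
 function validate_file_to_edit( $file, $allowed_files = '' ) {
-        $file = stripslashes( $file );
-
         $code = validate_file( $file, $allowed_files );
 
         if (!$code )
@@ -206,8 +204,8 @@
                 case 1 :
                         wp_die( __('Sorry, can&#8217;t edit files with &#8220;..&#8221; in the name. If you are trying to edit a file in your WordPress home directory, you can just type the name of the file in.' ));
 
-                case 2 :
-                        wp_die( __('Sorry, can&#8217;t call files with their real path.' ));
+                //case 2 :
+                //        wp_die( __('Sorry, can&#8217;t call files with their real path.' ));
 
                 case 3 :
                         wp_die( __('Sorry, that file cannot be edited.' ));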
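Review bot: Commenting out `case 2` leaves a validate_file() result of 2 with no arm in the switch, and since no `default:` is visible in the hunk and the function's tail lies outside it, a drive-letter path presumably leaves validate_file_to_edit() without wp_die() — the only remaining guard for such a path is then the `$allowed_files` membership test inside validate_file(), which a caller passing an empty list never gets. Rather than dead code, state the intent and keep the guard for that caller: `case 2 : if ( empty( $allowed_files ) ) wp_die( __('Sorry, can&#8217;t call files with their real path.' ) ); break;` so an absolute path is accepted only when it has already been matched against an allow-list. The `@return unknown` in the docblock at the top of the first hunk should also say what comes back — presumably the validated `$file` on code 0, nothing at all on code 2 after this change, and no return on 1 or 3 because wp_die() exits.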
<a id="trunkwpadminplugineditorphp"></a>
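--- a/trunk/wp-admin/plugin-editor.php
+++ b/trunk/wp-admin/plugin-editor.php
@@ -22,7 +22,7 @@
 $plugins = get_plugins();
 
 if ( isset($_REQUEST['file']) )
-        $plugin = $_REQUEST['file'];
+        $plugin = stripslashes($_REQUEST['file']);
 
 if ( empty($plugin) ) {
         $plugin = array_keys($plugins);
@@ -33,6 +33,8 @@
 
 if ( empty($file) )
         $file = $plugin_files[0];
+else
+        $file = stripslashes($file);
 
 $file = validate_file_to_edit($file, $plugin_files);
 $real_file = WP_PLUGIN_DIR . '/' . $file;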
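Review bot: `$plugin` is now stripslashed in the first hunk but is still taken straight from `$_REQUEST['file']` and never checked against the keys of `$plugins` (the same keys the `empty($plugin)` fallback draws from); only `$file` goes through validate_file_to_edit(), while `$plugin` presumably feeds the `$plugin_files` lookup between the two hunks. A cheap check right after the assignment would close that: `if ( ! isset( $plugins[ $plugin ] ) ) wp_die( __('Sorry, that file cannot be edited.') );`. The two new `stripslashes()` calls are needed because validate_file_to_edit() in this same changeset stopped stripping slashes itself; a comment above the new `else`, such as `// validate_file_to_edit() no longer strips slashes; do it before the allow-list check`, would keep a later reader from "simplifying" them away.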
<a id="trunkwpadminthemeeditorphp"></a>
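--- a/trunk/wp-admin/theme-editor.php
+++ b/trunk/wp-admin/theme-editor.php
@@ -35,6 +35,7 @@
 if (empty($file)) {
         $file = $allowed_files[0];
 } else {
+        $file = stripslashes($file);
         if ( 'theme' == $dir ) {
                 $file = dirname(dirname($themes[$theme]['Template Dir'])) . $file ;
         } else if ( 'style' == $dir) {
@@ -42,9 +43,8 @@
         }
 }
 
-$real_file = validate_file_to_edit($file, $allowed_files);
+validate_file_to_edit($file, $allowed_files);
 $scrollto = isset($_REQUEST['scrollto']) ? (int) $_REQUEST['scrollto'] : 0;
-
 $file_show = basename( $file );
 
 switch($action) {
@@ -55,9 +55,9 @@
 
         $newcontent = stripslashes($_POST['newcontent']);
         $theme = urlencode($theme);
-        if (is_writeable($real_file)) {
+        if (is_writeable($file)) {
                 //is_writable() not always reliable, check return value. see comments @ http://uk.php.net/is_writable
-                $f = fopen($real_file, 'w+');
+                $f = fopen($file, 'w+');
                 if ($f !== FALSE) {
                         fwrite($f, $newcontent);
                         fclose($f);
@@ -83,14 +83,14 @@
 
         update_recently_edited($file);
 
-        if ( !is_file($real_file) )
+        if ( !is_file($file) )
                 $error = 1;
 
-        if ( !$error && filesize($real_file) > 0 ) {
-                $f = fopen($real_file, 'r');
-                $content = fread($f, filesize($real_file));
+        if ( !$error && filesize($file) > 0 ) {
+                $f = fopen($file, 'r');
+                $content = fread($f, filesize($file));
 
-                if ( '.php' == substr( $real_file, strrpos( $real_file, '.' ) ) ) {
+                if ( '.php' == substr( $file, strrpos( $file, '.' ) ) ) {
                         $functions = wp_doc_link_parse( $content );
 
                         $docs_select = '<select name="docs-list" id="docs-list">';
@@ -102,7 +102,7 @@
                 }
 
                 $content = htmlspecialchars( $content );
-                $codepress_lang = codepress_get_lang($real_file);
+                $codepress_lang = codepress_get_lang($file);
         }
 
         ?>
@@ -212,7 +212,7 @@
         <?php } ?>
 
                 <div>
-<?php if ( is_writeable($real_file) ) : ?>
+<?php if ( is_writeable($file) ) : ?>
                         <p class="submit">
 <?php
         echo "<input type='submit' name='submit' class='button-primary' value='" . esc_attr__('Update File') . "' tabindex='2' />";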
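Review bot: The return value of validate_file_to_edit() is dropped at the second hunk's `+validate_file_to_edit($file, $allowed_files);` and the raw `$file` then reaches is_writeable()/fopen('w+') in the third hunk, so the write path is protected only by validate_file_to_edit() calling wp_die() — and with this changeset's file.php no longer dying on code 2, an absolute path is stopped by the `$allowed_files` membership test alone. Keeping that guarantee local to the editor would be safer: `if ( ! in_array( $file, $allowed_files ) ) wp_die( __('Sorry, that file cannot be edited.') );` before `switch($action)` — the entries of `$allowed_files` are evidently full paths, since `$allowed_files[0]` is used directly as `$file` in the first hunk. On the read side, `$f = fopen($file, 'r')` in the fourth hunk is not checked for FALSE before fread(), unlike the write side's `if ($f !== FALSE)`. The `$dir`/`$theme` setup and the construction of `$allowed_files` begin before the first hunk.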
<a id="trunkwpincludesfunctionsphp"></a>
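--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -3068,12 +3068,12 @@
         if ( false !== strpos( $file, './' ))
                 return 1;
 
+        if (!empty ( $allowed_files ) && (!in_array( $file, $allowed_files ) ) )
+                return 3;
+
         if (':' == substr( $file, 1, 1 ))
                 return 2;
 
-        if (!empty ( $allowed_files ) && (!in_array( $file, $allowed_files ) ) )
-                return 3;
-
         return 0;
 }
 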
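Review bot: Moving the allow-list test ahead of the drive-letter test changes what code 2 means: a path with `:` at offset 1 now returns 2 only after it has been found in `$allowed_files` (or when the list is empty), so callers that treat 2 as a hard reject and callers that ignore it — validate_file_to_edit() in this changeset does the latter — behave differently, and nothing in the function records that. The docblock sits outside the hunk; it should list the codes, e.g. `@return int 0 = ok, 1 = contains './', 2 = drive-letter path (tested only after the allow-list), 3 = not in $allowed_files`. The `'./'` test covers `../` but not a backslash-separated `..\`, which the drive-letter branch suggests is in scope for this function, and a caller passing an empty `$allowed_files` relies on that test alone — either normalise separators before the test or also test `'.\\'`. Finally, `in_array()` here is loose; `in_array( $file, $allowed_files, true )` avoids PHP's numeric-string coercion when comparing paths.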
</div>
</body>
</html>