From ec1dec848d36d2bf8557b0640971dc5a219bd8c8 Mon Sep 17 00:00:00 2001
From: "@hunk"
Date: Wed, 3 Aug 2016 13:49:39 -0500
Subject: [PATCH] add check_ajax_referer in upload image alternative

---
 admin/mf_ajax_call.php | 57 +++++++-----
 admin/mf_post.php | 87 ++++++++++---------
 .../image_alt_field/image_alt_field.js | 12 +--
 3 files changed, 87 insertions(+), 69 deletions(-)

diff --git a/admin/mf_ajax_call.php b/admin/mf_ajax_call.php
index 392eecb..d364e75 100644
--- a/admin/mf_ajax_call.php
+++ b/admin/mf_ajax_call.php
@@ -22,7 +22,7 @@ public function mf_sort_field($data){
 $order = $data['order'];
 $order = split(',',$order);
 array_walk( $order, create_function( '&$v,$k', '$v = str_replace("order_","",$v);' ));
-
+
 if( $thing = mf_custom_fields::save_order_field( $data['group_id'], $order ) ) {
 print "1";
 die;
@@ -33,7 +33,7 @@ public function mf_sort_field($data){
 
 public function check_name_post_type($data){
 global $mf_domain;
-
+
 $type = $data['post_type'];
 $id = $data['post_type_id'];
 $check = mf_posttype::check_post_type($type,$id);
@@ -48,28 +48,28 @@ public function check_name_post_type($data){
 
 public function check_name_custom_group($data){
 global $mf_domain;
-
+
 $name = $data['group_name'];
 $post_type = $data['post_type'];
 $id = $data['group_id'];
 $resp = array('success' => 1);
-
+
 $check = mf_custom_group::check_group($name,$post_type,$id);
 if($check){
 $resp = array('success' => 0, 'msg' => __('The name of Group exist in this post type, Please choose a different name.',$mf_domain) );
 }
-
+
 echo json_encode($resp);
 }
 
 public function check_name_custom_field($data){
 global $mf_domain;
-
+
 $name = $data['field_name'];
 $post_type = $data['post_type'];
 $id = $data['field_id'];
 $resp = array('success' => 1);
-
+
 $check = mf_custom_fields::check_group($name,$post_type,$id);
 if($check){
 $resp = array('success' => 0, 'msg' => __('The name of Field exist in this post type, Please choose a different name.',$mf_domain) );
@@ -79,7 +79,7 @@ public function check_name_custom_field($data){
 
 public function check_type_custom_taxonomy($data){
 global $mf_domain;
-
+
 $type = $data['taxonomy_type'];
 $id = $data['taxonomy_id'];
 $check = mf_custom_taxonomy::check_custom_taxonomy($type,$id);
@@ -118,13 +118,13 @@ public function change_custom_field($data){
 
 public function set_default_categories($data){
 global $wpdb;
-
+
 $post_type_key = sprintf('_cat_%s',$data['post_type']);
 $cats = preg_split('/\|\|\|/', $data['cats']);
 $cats = maybe_serialize($cats);
 $table = $wpdb->postmeta;
-
+
 $check_parent = $wpdb->prepare(
 "SELECT meta_id FROM $wpdb->postmeta ".
 " WHERE meta_key='%s'",
@@ -152,20 +152,35 @@ public function set_default_categories($data){
 }
 $wpdb->query($sql);
 $resp = array('success' => 1);
-
+
 //update_post_meta(-2, $post_type, $cats);
-
+
 echo json_encode($resp);
 }
 
+ public static function remove_upload_file() {
+
+ if (isset($_FILES['file']) && (!empty($_FILES['file']['tmp_name']))){
+ if ($_FILES['file']['error'] == UPLOAD_ERR_OK){
+ $file_path = $_FILES['file']['tmp_name'];
+ @unlink($file_path);
+ }
+ }
+
+ }
+
 public function upload_ajax($data){
 global $mf_domain;
- // pr($data);
- // pr($_FILES);
- // $resp = array('ok' => true,$_FILES,$data);
- // echo json_encode($resp);
+
+ if( !check_ajax_referer( 'mf_nonce_ajax', 'security', false ) ) {
+ mf_ajax_call::remove_upload_file();
+ $resp = array('success' => false, 'msg' => __('Sorry, your nonce did not verify..',$mf_domain) );
+ echo json_encode($resp);
+ die;
+ }
 if ( !current_user_can('upload_files') ){
+ mf_ajax_call::remove_upload_file();
 $resp = array('success' => false, 'msg' => __('You do not have sufficient permissions to upload images.',$mf_domain) );
 echo json_encode($resp);
 die;
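Review bot: `remove_upload_file()` unlinks whatever path arrives in `$_FILES['file']['tmp_name']` without first confirming it is an upload belonging to this request, and the `@` on `unlink` hides any failure; prefer `if (is_uploaded_file($file_path)) { unlink($file_path); }` and compare the error code strictly, `$_FILES['file']['error'] === UPLOAD_ERR_OK`. PHP discards the temporary file itself when the request ends, so the helper is a belt-and-braces cleanup; a one-line comment above it (`// Best-effort early cleanup; PHP removes the temp upload at request end anyway`) would spare the next reader the question of why it exists. The nonce rejection message `'Sorry, your nonce did not verify..'` carries a doubled full stop. The `security` request key that `check_ajax_referer` reads has to match what image_alt_field.js posts, and that file's change is not visible in this chunk. upload_ajax's body continues past the end of the hunk.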
@@ -184,13 +199,13 @@ public function upload_ajax($data){
 $special_chars = array(' ','`','"','\'','\\','/'," ","#","$","%","^","&","*","!","~","‘","\"","’","'","=","?","/","[","]","(",")","|","<",">",";","\\",",","+","-");
 $filename = str_replace($special_chars,'',$_FILES['file']['name']);
 $filename = time() . $filename;
-
+
 @move_uploaded_file( $_FILES['file']['tmp_name'], MF_FILES_DIR . $filename );
 @chmod(MF_FILES_DIR . $filename, 0644);
 $info = pathinfo(MF_FILES_DIR . $filename);
 $thumb = aux_image($filename,"w=150&h=120&zc=1",'image_alt');
-
+
 $resp = array(
 'success' => true,
 'name' => $filename,
@@ -229,7 +244,7 @@ public function valid_mime($mime,$file_type){
 'audio/x-wav',
 'audio/mp3'
 );
-
+
 if($file_type == "image"){
 if(in_array($mime,$imagesExts)){
 return true;
@@ -243,7 +258,7 @@ public function valid_mime($mime,$file_type){
 //are safety for the "files" type of field
 return true;
 }
- return false;
+ return false;
 }
 
 public function get_thumb($data){
@@ -273,4 +288,4 @@ public function get_thumb($data){
 }
-}
\ No newline at end of file
+}
diff --git a/admin/mf_post.php b/admin/mf_post.php
index b7b51ed..8eec254 100644
--- a/admin/mf_post.php
+++ b/admin/mf_post.php
@@ -31,13 +31,13 @@ function mf_check_wp_gallery_version() {
 */
 function mf_post_add_metaboxes() {
 global $post,$mf_post_values;
-
- //if the user are going to add a new link
+
+ //if the user are going to add a new link
 //the var $post is not defined and we do nothing
 if(!isset($post)) {
 return false;
 }
-
+
 $mf_post_values = $this->mf_get_post_values($post->ID);
 
 //Getting the post types
@@ -168,7 +168,7 @@ public function mf_draw_field($field,$group_id,$group_index =1,$field_index =1 ,
 $id = sprintf('mf_field_%d_%d_%d_%d_ui',$group_id,$group_index,$field['id'],$field_index);
 $delete_id = sprintf('delete_field_repeat-%d_%d_%d_%d',$group_id,$group_index,$field['id'],$field_index);
 $add_id = sprintf('mf_field_repeat-%d_%d_%d_%d',$group_id,$group_index,$field['id'],$field_index);
- $field_style = ($field_index == 1)? 'style="display: none; "' : '';
+ $field_style = ($field_index == 1)? 'style="display: none; "' : '';
 $name = sprintf('field-%s',$field['name']);
 $tool = sprintf('%s%s',__( 'What\'s this?', $mf_domain ),'%s');
@@ -406,8 +406,8 @@ public function load_js_css_base(){
 
 global $mf_domain;
 wp_enqueue_style( 'mf_field_base', MF_BASENAME.'css/mf_field_base.css' );
- wp_enqueue_script( 'tmpl', MF_BASENAME.'js/third_party/jquery.tmpl.js');
- wp_enqueue_script( 'mf_field_base', MF_BASENAME.'js/mf_field_base.js');
+ wp_enqueue_script( 'tmpl', MF_BASENAME.'js/third_party/jquery.tmpl.js');
+ wp_enqueue_script( 'mf_field_base', MF_BASENAME.'js/mf_field_base.js');
 wp_enqueue_script( 'mf_sortable_groups', MF_BASENAME.'js/mf_sortable_groups.js', array( 'jquery-ui-sortable' ) );
 
 $mceAddString = "mceAddControl";
@@ -424,18 +424,19 @@ public function load_js_css_base(){
 'mf_validation_error_msg' => __('Sorry, some required fields are missing. Please provide values for any highlighted fields and try again.',$mf_domain),
 'mf_image_media_set' => __('Insert into field',$mf_domain),
 'mf_mceAddString' => $mceAddString,
- 'mf_mceRemoveString' => $mceRemoveString
+ 'mf_mceRemoveString' => $mceRemoveString,
+ 'mf_nonce_ajax' => wp_create_nonce( "mf_nonce_ajax" )
 );
- wp_localize_script( 'mf_field_base', 'mf_js', $js_vars );
-
+ wp_localize_script( 'mf_field_base', 'mf_js', $js_vars );
+
 }
 
 /* enqueue css and js of fields */
 public function load_js_css_fields(){
-
- //Loading any custom field if is required
+
+ //Loading any custom field if is required
 if( !empty( $_GET['post']) && is_numeric( $_GET['post'] ) ) {//when the post already exists
- $post_type = get_post_type($_GET['post']);
+ $post_type = get_post_type($_GET['post']);
 }else{ //Creating a new post
 $post_type = (!empty($_GET['post_type'])) ? $_GET['post_type'] : 'post';
 }
@@ -458,7 +459,7 @@ public function load_js_css_fields(){
 $type = $field."_field";
 $type = new $type();
 $properties = $type->get_properties();
-
+
 if ( $properties['js'] ) {
 wp_enqueue_script(
 'mf_field_'.$field,
@@ -467,7 +468,7 @@ public function load_js_css_fields(){
 null,
 true
 );
-
+
 /* idear forma por si se necesita mas de dos js*/
 if( isset($properties['js_internal']) ){
 wp_enqueue_script(
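Review bot: The nonce action string `"mf_nonce_ajax"` now lives in two files, here in `wp_create_nonce` and in the `check_ajax_referer` call in admin/mf_ajax_call.php, with nothing tying them together; a shared class constant referenced from both call sites, e.g. `const NONCE_AJAX_ACTION = 'mf_nonce_ajax';` (constructed name), would keep creator and verifier from drifting apart. The neighbouring literals in `$js_vars` use single quotes, so the double-quoted action string reads as an inconsistency rather than an intentional choice. The value reaches the page under the `mf_nonce_ajax` key of `mf_js`; the JS side must post it back under the `security` key the verifier reads, and that change is not visible in this chunk. load_js_css_base starts before this hunk.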
@@ -481,21 +482,21 @@ public function load_js_css_fields(){
 }
 
 if ( $properties['css'] ) {
- wp_enqueue_style(
+ wp_enqueue_style(
 'mf_field_'.$field,
 MF_BASENAME.'field_types/'.$field.'_field/'.$field.'_field.css'
 );
 }
-
+
 if ( !empty($properties['css_dependencies'] )) {
 foreach($properties['css_dependencies'] as $css_script) {
 wp_enqueue_style($css_script);
 }
 }
-
+
 /* load css internal */
 if(isset($properties['css_internal'])){
- wp_enqueue_style(
+ wp_enqueue_style(
 'mf_field_'.preg_replace('/\./','_',$properties['css_internal']),
 MF_BASENAME.'field_types/'.$field.'_field/'.$properties['css_internal']
 );
@@ -509,41 +510,41 @@ public function check_exist_visual_editor(){
 if( isset($_GET['action']) && $_GET['action'] == 'trash' ) {//when the post already exists
 return;
- }
+ }
 if( !empty( $_GET['post']) && is_numeric( $_GET['post'] ) ) {//when the post already exists
- $post_type = get_post_type($_GET['post']);
+ $post_type = get_post_type($_GET['post']);
 }else{ //Creating a new post
 $post_type = (!empty($_GET['post_type'])) ? $_GET['post_type'] : 'post';
 }
 $mf_posttype = new mf_posttype();
 $pt = $mf_posttype->get_post_type($post_type);
-
+
 if ($pt && !isset($pt['support']['editor'])) {
 echo "";
 }
-
+
 }
-
+
 }
 public function media_buttons_add_mf(){
-
+
 print '
'; do_action( 'media_buttons' ); - print '
'; + print ''; } - + public function register_media_button($buttons) { array_push($buttons, "separator","add_image","add_video","add_audio","add_media"); return $buttons; } - + public function tmce_not_remove_p_and_br(){ ?> postmeta." WHERE meta_key='".$post_type_key."' "; $check = $wpdb->get_row($sql); if ($check) { @@ -586,11 +587,11 @@ public function categories_of_post_type(){ $assignedCategoryIds = maybe_unserialize($cata); } } - - + + ?>