Ref checks. Comment filter.

git-svn-id: https://develop.svn.wordpress.org/branches/2.0@3737 602fd350-edb4-49c9-b593-d223f7449a82

wp-admin/cat-js.php

@@ -144,9 +144,9 @@ function ajaxNewCat() {
 	var split_cats = new Array(1);
 	var catString = '';
 
-	catString = 'ajaxnewcat=' + encodeURIComponent(newcat.value);
+	catString = ajaxCat.encVar('ajaxnewcat', newcat.value) + '&' + ajaxCat.encVar('cookie', document.cookie);
 	ajaxCat.requestFile = 'edit-form-ajax-cat.php';
-	ajaxCat.method = 'GET';
+	ajaxCat.method = 'POST';
 	ajaxCat.onLoading = newCatLoading;
 	ajaxCat.onLoaded = newCatLoaded;
 	ajaxCat.onInteractive = newCatInteractive;
@@ -175,4 +175,4 @@ function myPload( str ) {
 	if ( currentElement != "" )
 		fixedExplode[count] = currentElement;
 	return fixedExplode;
-}
+}

wp-admin/categories.php

@@ -25,6 +25,8 @@
 
 case 'addcat':
 
+	check_admin_referer();
+
 	if ( !current_user_can('manage_categories') )
 		die (__('Cheatin’ uh?'));
 
@@ -94,6 +96,8 @@
 break;
 
 case 'editedcat':
+	check_admin_referer();
+
 	if ( !current_user_can('manage_categories') )
 		die (__('Cheatin’ uh?'));
 

wp-admin/edit-comments.php

@@ -39,6 +39,8 @@ function checkAll(form)
 <p><a href="?mode=view"><?php _e('View Mode') ?></a> | <a href="?mode=edit"><?php _e('Mass Edit Mode') ?></a></p>
 <?php
 if ( !empty( $_POST['delete_comments'] ) ) :
+	check_admin_referer();
+
 	$i = 0;
 	foreach ($_POST['delete_comments'] as $comment) : // Check the permissions on each
 		$comment = (int) $comment;

wp-admin/edit-form-ajax-cat.php

@@ -7,12 +7,14 @@
 
 if ( !current_user_can('manage_categories') )
 	die('-1');
+if ( !check_ajax_referer() )
+	die('-1');
 
 function get_out_now() { exit; }
 
 add_action('shutdown', 'get_out_now', -1);
 
-$names = explode(',', rawurldecode($_GET['ajaxnewcat']) );
+$names = explode(',', rawurldecode($_POST['ajaxnewcat']) );
 $ids   = array();
 
 foreach ($names as $cat_name) {
@@ -34,4 +36,4 @@ function get_out_now() { exit; }
 
 die( (string) $return );
 
-?>
+?>

wp-admin/inline-uploading.php

@@ -2,6 +2,8 @@
 
 require_once('admin.php');
 
+check_admin_referer();
+
 header('Content-Type: text/html; charset=' . get_option('blog_charset'));
 
 if (!current_user_can('upload_files'))

wp-admin/link-categories.php

@@ -26,6 +26,8 @@
 switch ($action) {
   case 'addcat':
   {
+      check_admin_referer();
+
       if ( !current_user_can('manage_links') )
           die (__("Cheatin' uh ?"));
 
@@ -80,6 +82,8 @@
   } // end addcat
   case 'Delete':
   {
+    check_admin_referer();
+
     $cat_id = (int) $_GET['cat_id'];
     $cat_name=get_linkcatname($cat_id);
 
@@ -199,6 +203,8 @@
   } // end Edit
   case "editedcat":
   {
+    check_admin_referer();
+
     if ( !current_user_can('manage_links') )
       die (__("Cheatin' uh ?"));
 

wp-admin/link-import.php

@@ -63,6 +63,8 @@
             } // end case 0
 
     case 1: {
+		check_admin_referer();
+
                 include_once('admin-header.php');
                 if ( !current_user_can('manage_links') )
                     die (__("Cheatin' uh ?"));

wp-admin/list-manipulation.js

@@ -33,13 +33,13 @@ function ajaxDelete(what, id) {
 	ajaxDel.onLoaded = function() { ajaxDel.myResponseElement.innerHTML = 'Data Sent...'; };
 	ajaxDel.onInteractive = function() { ajaxDel.myResponseElement.innerHTML = 'Processing Data...'; };
 	ajaxDel.onCompletion = function() { removeThisItem( what + '-' + id ); };
-	ajaxDel.runAJAX('action=delete-' + what + '&id=' + id);
+	ajaxDel.runAJAX('action=delete-' + what + '&id=' + id + '&' + ajaxDel.encVar('cookie', document.cookie));
 	return false;
 }
 
 function removeThisItem(id) {
 	var response = ajaxDel.response;
-	if ( isNaN(response) ) { alert(response); }
+	if ( isNaN(response) ) { ajaxDel.myResponseElement.innerHTML = response; return false; }
 	response = parseInt(response, 10);
 	if ( -1 == response ) { ajaxDel.myResponseElement.innerHTML = "You don't have permission to do that."; }
 	else if ( 0 == response ) { ajaxDel.myResponseElement.interHTML = "Something odd happened.  Try refreshing the page? Either that or what you tried to delete never existed in the first place."; }

wp-admin/list-manipulation.php

@@ -6,6 +6,8 @@
 get_currentuserinfo();
 if ( !is_user_logged_in() )
 	die('-1');
+if ( !check_ajax_referer() )
+	die('-1');
 
 function grab_results() {
 	global $ajax_results;
@@ -15,8 +17,6 @@ function grab_results() {
 function get_out_now() { exit; }
 add_action('shutdown', 'get_out_now', -1);
 
-//	check_admin_referer();
-
 switch ( $_POST['action'] ) :
 case 'delete-link' :
 	$id = (int) $_POST['id'];

wp-admin/moderation.php

@@ -32,6 +32,8 @@
 
 case 'update':
 
+	check_admin_referer();
+
 	if ( ! current_user_can('moderate_comments') )
 	die('<p>'.__('Your level is not high enough to moderate comments.').'</p>');
 

wp-admin/options-permalink.php

@@ -58,6 +58,8 @@ function blurry() {
 $home_path = get_home_path();
 
 if ( isset($_POST) ) {
+	check_admin_referer();
+
 	if ( isset($_POST['permalink_structure']) ) {
 		$permalink_structure = $_POST['permalink_structure'];
 		if (! empty($permalink_structure) )

wp-admin/plugin-editor.php

@@ -34,6 +34,8 @@
 
 case 'update':
 
+	check_admin_referer();
+
 	if ( !current_user_can('edit_plugins') )
 	die('<p>'.__('You have do not have sufficient permissions to edit templates for this blog.').'</p>');
 

wp-admin/post.php

@@ -292,6 +292,8 @@
 
 case 'approvecomment':
 
+	check_admin_referer();
+
 	$comment = (int) $_GET['comment'];
 	$p = (int) $_GET['p'];
 	if (isset($_GET['noredir'])) {
@@ -322,6 +324,8 @@
 
 case 'editedcomment':
 
+	check_admin_referer();
+
 	edit_comment();
 
 	$referredby = $_POST['referredby'];

wp-admin/templates.php

@@ -36,6 +36,8 @@
 
 case 'update':
 
+	check_adimn_referer();
+
 	if ( ! current_user_can('edit_files') )
 	die('<p>'.__('You have do not have sufficient permissions to edit templates for this blog.').'</p>');
 

wp-admin/theme-editor.php

@@ -47,6 +47,8 @@
 
 case 'update':
 
+	check_admin_referer();
+
 	if ( !current_user_can('edit_themes') )
 	die('<p>'.__('You have do not have sufficient permissions to edit templates for this blog.').'</p>');
 

wp-includes/classes.php

@@ -826,7 +826,7 @@ function find_spam() {
 					if ( empty( $word ) )
 						continue;
 					$fulltext = strtolower($comment->email.' '.$comment->url.' '.$comment->ip.' '.$comment->text);
-					if( strpos( $fulltext, strtolower($word) ) != FALSE ) {
+					if( false !== strpos( $fulltext, strtolower($word) ) ) {
 						$this->found_comments[] = $comment->ID;
 						break;
 					}

wp-includes/comment-functions.php

@@ -185,6 +185,8 @@ function wp_update_comment($commentarr) {
 	// Merge old and new fields with new fields overwriting old ones.
 	$commentarr = array_merge($comment, $commentarr);
 
+	$commentarr = wp_filter_comment( $commentarr );
+
 	// Now extract the merged array.
 	extract($commentarr);
 

wp-includes/pluggable-functions.php

@@ -233,6 +233,21 @@ function check_admin_referer() {
 }
 endif;
 
+if ( !function_exists('check_ajax_referer') ) :
+function check_ajax_referer() {
+	$cookie = explode(';', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie
+	foreach ( $cookie as $tasty ) {
+		if ( false !== strpos($tasty, USER_COOKIE) )
+			$user = substr(strstr($tasty, '='), 1);
+		if ( false !== strpos($tasty, PASS_COOKIE) )
+			$pass = substr(strstr($tasty, '='), 1);
+	}
+	if ( wp_login( $user, $pass, true ) )
+		return true;
+	return false;
+}
+endif;
+
 // Cookie safe redirect.  Works around IIS Set-Cookie bug.
 // http://support.microsoft.com/kb/q176113/
 if ( !function_exists('wp_redirect') ) :