Security back ports from masquerade and MarkJaquith.

git-svn-id: https://develop.svn.wordpress.org/branches/1.5@3627 602fd350-edb4-49c9-b593-d223f7449a82
tierra · Mar 7, 2006 · f15612d · f15612d
1 parent fd5d2fe
commit f15612d
Show file tree

Hide file tree

Showing 10 changed files with 587 additions and 212 deletions.
diff --git a/wp-admin/admin.php b/wp-admin/admin.php
@@ -55,7 +55,7 @@
 		}
 
 		if (! file_exists(ABSPATH . "wp-content/plugins/$plugin_page"))
-			die(sprintf(__('Cannot load %s.'), $plugin_page));
+			die(sprintf(__('Cannot load %s.'), htmlentities($plugin_page)));
 
 		if (! isset($_GET['noheader']))
 			require_once(ABSPATH . '/wp-admin/admin-header.php');

diff --git a/wp-admin/post.php b/wp-admin/post.php
@@ -29,7 +29,7 @@
 
 switch($action) {
 case 'post':
-
+	check_admin_referer();
 	if ( !user_can_create_draft($user_ID) )
 		die( __('You are not allowed to create posts or drafts on this blog.') );
 
@@ -268,6 +268,7 @@
 	break;
 
 case 'editpost':
+	check_admin_referer();
 	// die(var_dump('<pre>', $_POST));
 	if (!isset($blog_ID)) {
 		$blog_ID = 1;
@@ -495,7 +496,7 @@
 	break;
 
 case 'confirmdeletecomment':
-
+	check_admin_referer();
 	require_once('./admin-header.php');
 
 	$comment = (int) $_GET['comment'];
@@ -590,7 +591,7 @@
 	break;
 
 case 'mailapprovecomment':
-
+	check_admin_referer();
 	$comment = (int) $_GET['comment'];
 
 	$commentdata = get_commentdata($comment, 1, true) or die(sprintf(__('Oops, no comment with this ID. <a href="%s">Go back</a>!'), 'edit.php'));
@@ -610,7 +611,7 @@
 	break;
 
 case 'approvecomment':
-
+	check_admin_referer();
 	$comment = (int) $_GET['comment'];
 	$p = (int) $_GET['p'];
 	if (isset($_GET['noredir'])) {
@@ -639,7 +640,7 @@
 	break;
 
 case 'editedcomment':
-
+	check_admin_referer();
 	$comment_ID = (int) $_POST['comment_ID'];
 	$comment_post_ID = (int) $_POST['comment_post_ID'];
 	$newcomment_author = $_POST['newcomment_author'];

diff --git a/wp-admin/profile.php b/wp-admin/profile.php
@@ -64,10 +64,10 @@
 			die (__("<strong>ERROR</strong>: you typed your new password only once. Go back to type it twice."));
 		if ( $pass1 != $pass2 )
 			die (__("<strong>ERROR</strong>: you typed two different passwords. Go back to correct that."));
-		$newuser_pass = $pass1;
+		$newuser_pass = $wpdb->escape($pass1);
 		$updatepassword = "user_pass=MD5('$newuser_pass'), ";
 		wp_clearcookie();
-		wp_setcookie($user_login, $newuser_pass);
+		wp_setcookie($user_login, $pass1);
 	}
 
 	$newuser_firstname = wp_specialchars($_POST['newuser_firstname']);

diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php
@@ -24,6 +24,8 @@
 switch ($action) {
 case 'update':
 
+check_admin_referer();
+
 get_currentuserinfo();
 $edituser = get_userdata($user_id);
 if ($edituser->user_level >= $user_level) die( __('You do not have permission to edit this user.') );

diff --git a/wp-comments-post.php b/wp-comments-post.php
@@ -57,7 +57,7 @@
 header('Cache-Control: no-cache, must-revalidate, max-age=0');
 header('Pragma: no-cache');
 
-$location = (empty($_POST['redirect_to'])) ? $_SERVER["HTTP_REFERER"] : $_POST['redirect_to']; 
+$location = ( empty( $_POST['redirect_to'] ) ) ? get_permalink( $comment_post_ID ) : $_POST['redirect_to']; 
 
 wp_redirect($location);
 ?>