check for correct admin referer on deletefile (see #64)

fp-includes/core/core.wp-pluggable-funcs.php

@@ -335,7 +335,8 @@ if (!function_exists('wp_verify_nonce')) :
 		$i = ceil(time() / (60 * 60 * 12));
 
 		// Allow for expanding range, but only do one check if we can
-		if (substr(wp_hash($i . $action . $uid), -12, 10) == $nonce || substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce)
+		$expectedNonce = substr(wp_hash($i . $action . $uid), -12, 10);
+		if ($expectedNonce == $nonce || substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce)
 			return true;
 		return false;
 	}

fp-plugins/mediamanager/panels/panel.mediamanager.file.php

@@ -74,8 +74,13 @@ class admin_uploader_mediamanager extends AdminPanelAction {
 	}
 
 	function doItemActions($folder, $mmbaseurl) {
+
 		/* delete file */
 		if (isset($_GET ['deletefile'])) {
+			// at first: check if nonce was given correctly
+			check_admin_referer('mediamanager_deletefile');
+
+			// now get the file to be deleted
 			list ($type, $name) = explode("-", $_GET ['deletefile'], 2);
 			// prevent path traversal: remove ".." and "/" resp. "\"
 			$name = preg_replace('(\.\.|\/|\\\\)', '', $name);

fp-plugins/mediamanager/tpls/admin.plugin.mediamanager.files.tpl

@@ -43,7 +43,7 @@
 			<td>{$v.size}</td>
 			<td>{$v.mtime}</td>
 			<td>
-				<a class="link-delete" href="{$mmbaseurl}&deletefile={$v.type}-{$v.name}">{$plang.delete}</a>
+				<a class="link-delete" href="{wp_nonce_url("{$mmbaseurl}&deletefile={$v.type}-{$v.name}", 'mediamanager_deletefile')}">{$plang.delete}</a>
 			</td>
 		</tr>
 	{/foreach}
@@ -70,7 +70,7 @@
 			<td>{$v.size}</td>
 			<td>{$v.mtime}</td>
 			<td>
-				<a class="link-delete" href="{$mmbaseurl}&deletefile={$v.type}-{$v.name}">{$plang.delete}</a>
+				<a class="link-delete" href="{wp_nonce_url("{$mmbaseurl}&deletefile={$v.type}-{$v.name}", 'mediamanager_deletefile')}">{$plang.delete}</a>
 			</td>
 		</tr>
 	{/foreach}