From c2ce07be579c84c917c17197b7d08a87bb9b1087 Mon Sep 17 00:00:00 2001 From: azett Date: Wed, 28 Dec 2022 13:12:59 +0100 Subject: [PATCH 1/5] more i18n for new comment mail subject --- fp-interface/lang/cs-cz/lang.comments.php | 2 ++ fp-interface/lang/el-gr/lang.comments.php | 2 ++ fp-interface/lang/es-es/lang.comments.php | 2 ++ fp-interface/lang/fr-fr/lang.comments.php | 2 ++ fp-interface/lang/it-it/lang.comments.php | 2 ++ fp-interface/lang/ja-jp/lang.comments.php | 2 ++ fp-interface/lang/nl-nl/lang.comments.php | 2 ++ fp-interface/lang/pt-br/lang.comments.php | 2 ++ 8 files changed, 16 insertions(+) diff --git a/fp-interface/lang/cs-cz/lang.comments.php b/fp-interface/lang/cs-cz/lang.comments.php index de050a7..53ad92d 100644 --- a/fp-interface/lang/cs-cz/lang.comments.php +++ b/fp-interface/lang/cs-cz/lang.comments.php @@ -11,4 +11,6 @@ S pozdravem %blogtitle% '; +$lang ['comments'] ['newcomment'] = 'Nový komentář k'; + ?> diff --git a/fp-interface/lang/el-gr/lang.comments.php b/fp-interface/lang/el-gr/lang.comments.php index b6b4068..7838214 100644 --- a/fp-interface/lang/el-gr/lang.comments.php +++ b/fp-interface/lang/el-gr/lang.comments.php @@ -16,4 +16,6 @@ $lang ['comments'] ['mail'] = 'Αγαπητέ/η %toname%, '; +$lang ['comments'] ['newcomment'] = 'νέο σχόλιο στο'; + ?> diff --git a/fp-interface/lang/es-es/lang.comments.php b/fp-interface/lang/es-es/lang.comments.php index e834818..d151203 100644 --- a/fp-interface/lang/es-es/lang.comments.php +++ b/fp-interface/lang/es-es/lang.comments.php @@ -16,4 +16,6 @@ Todo lo mejor, '; +$lang ['comments'] ['newcomment'] = 'Nuevo comentario sobre'; + ?> diff --git a/fp-interface/lang/fr-fr/lang.comments.php b/fp-interface/lang/fr-fr/lang.comments.php index 3356353..b82c22a 100644 --- a/fp-interface/lang/fr-fr/lang.comments.php +++ b/fp-interface/lang/fr-fr/lang.comments.php @@ -16,4 +16,6 @@ Cordialement, '; +$lang ['comments'] ['newcomment'] = 'Nouveau commentaire sur'; + ?> 
diff --git a/fp-interface/lang/it-it/lang.comments.php b/fp-interface/lang/it-it/lang.comments.php index 0221fbb..825f6ee 100644 --- a/fp-interface/lang/it-it/lang.comments.php +++ b/fp-interface/lang/it-it/lang.comments.php @@ -16,4 +16,6 @@ Saluti, '; +$lang ['comments'] ['newcomment'] = 'Nuovo commento su'; + ?> diff --git a/fp-interface/lang/ja-jp/lang.comments.php b/fp-interface/lang/ja-jp/lang.comments.php index 4712e26..e74b026 100644 --- a/fp-interface/lang/ja-jp/lang.comments.php +++ b/fp-interface/lang/ja-jp/lang.comments.php @@ -19,4 +19,6 @@ $lang ['comments'] ['mail'] = '%toname% さま, '; +$lang ['comments'] ['newcomment'] = 'の新しいコメント'; + ?> diff --git a/fp-interface/lang/nl-nl/lang.comments.php b/fp-interface/lang/nl-nl/lang.comments.php index 4caff8e..9a096aa 100644 --- a/fp-interface/lang/nl-nl/lang.comments.php +++ b/fp-interface/lang/nl-nl/lang.comments.php @@ -16,4 +16,6 @@ Groeten, '; +$lang ['comments'] ['newcomment'] = 'Nieuw commentaar op'; + ?> diff --git a/fp-interface/lang/pt-br/lang.comments.php b/fp-interface/lang/pt-br/lang.comments.php index 51a8ba1..0fcbd7f 100644 --- a/fp-interface/lang/pt-br/lang.comments.php +++ b/fp-interface/lang/pt-br/lang.comments.php @@ -17,4 +17,6 @@ Um abraço, '; +$lang ['comments'] ['newcomment'] = 'Novo comentário em'; + ?> From 2656ad68bcfa6370ccbf87003d491cd95bd17fe2 Mon Sep 17 00:00:00 2001 From: azett Date: Wed, 28 Dec 2022 13:21:51 +0100 Subject: [PATCH 2/5] PHP functions used as modifier must be registered as modifier explicitly as of Smarty 4.3 - fixed. --- index.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/index.php b/index.php index b4717ab..711d48d 100644 --- a/index.php +++ b/index.php @@ -10,7 +10,7 @@ if (!file_exists(CONFIG_FILE)) /* local function defines follow */ function index_permatitle($val, $sep) { global $fpdb; - $q = & $fpdb->getQuery(); + $q = &$fpdb->getQuery(); list ($id, $e) = @$q->peekEntry(); if ($e) return "{$e['subject']} {$sep} $val "; 
@@ -126,12 +126,12 @@ function index_main() { $module = 'index.tpl'; $can404 = true; - if (!empty($fp_params ['entry'])) { + // register all Smarty modifier functions used by the templates + $smarty->registerPlugin('modifier', 'wp_specialchars', 'wp_specialchars'); + if (!empty($fp_params ['entry'])) { index_singlepost($params, $module); - } elseif ( - ($explicit_req = $page = @$fp_params ['page']) || (empty($fp_params) && $page = @$fp_config ['general'] ['startpage'])) - { + } elseif (($explicit_req = $page = @$fp_params ['page']) || (empty($fp_params) && $page = @$fp_config ['general'] ['startpage'])) { index_staticpage($page, $explicit_req, $params, $module); return $module; @@ -163,7 +163,7 @@ function index_main() { $fpdb->query($params); - $q = & $fpdb->getQuery(); + $q = &$fpdb->getQuery(); list ($id, $e) = $q->peekEntry(); /* no entry found : 404 */ From aa10022f488d4ee3070ef60244b77b7f85c89d33 Mon Sep 17 00:00:00 2001 From: azett Date: Thu, 29 Dec 2022 13:19:06 +0100 Subject: [PATCH 3/5] removed ancient unused file --- .../core/core.wp-pluggable-funcs_old.php | 64 ------------------- 1 file changed, 64 deletions(-) delete mode 100755 fp-includes/core/core.wp-pluggable-funcs_old.php diff --git a/fp-includes/core/core.wp-pluggable-funcs_old.php b/fp-includes/core/core.wp-pluggable-funcs_old.php deleted file mode 100755 index a9cf0ee..0000000 --- a/fp-includes/core/core.wp-pluggable-funcs_old.php +++ /dev/null @@ -1,64 +0,0 @@ - \ No newline at end of file From d8991285c65e8a33bf35a82985e809f7173d95c4 Mon Sep 17 00:00:00 2001 From: azett Date: Thu, 29 Dec 2022 14:20:31 +0100 Subject: [PATCH 4/5] added API doc; fixed code formatting --- admin/panels/entry/admin.entry.delete.php | 99 +++-- admin/panels/entry/admin.entry.write.php | 374 ++++++++++--------- fp-includes/core/core.users.php | 10 +- fp-includes/core/core.wp-functions.php | 83 ++-- fp-includes/core/core.wp-pluggable-funcs.php | 31 +- 5 files changed, 322 insertions(+), 275 deletions(-) 
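Review bot: The comment `// register all Smarty modifier functions used by the templates` overstates what the line below it does — only `wp_specialchars` is registered, so any other PHP function the templates still use as a modifier will keep failing under Smarty 4.3. A comment that states the known fact is safer: `// Smarty 4.3+: PHP functions used as template modifiers must be registered explicitly`. `$smarty` is not declared in the visible lines, so its origin (presumably a `global`) sits above the hunk; note also that Smarty's registerPlugin() throws when the same modifier name is registered twice, which only matters if index_main can run more than once per request. index_main's body starts and ends outside the hunk.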
diff --git a/admin/panels/entry/admin.entry.delete.php b/admin/panels/entry/admin.entry.delete.php index ba52278..752170d 100755 --- a/admin/panels/entry/admin.entry.delete.php +++ b/admin/panels/entry/admin.entry.delete.php @@ -3,60 +3,59 @@ /** * edit entry panel * - * Type: - * Name: - * Date: - * Purpose: + * Type: + * Name: + * Date: + * Purpose: * Input: - * - * @author NoWhereMan * + * @author NoWhereMan + * */ - - - class admin_entry_delete extends AdminPanelAction { - - var $events = array('delete', 'cancel'); - - function main() { - global $fpdb; - - if (isset($_REQUEST['entry'])){ - $id = $_REQUEST['entry']; - if ($a = entry_parse($id)); - else - $a = draft_parse($id); - - if ($a) { - - if (THEME_LEGACY_MODE) { - theme_entry_filters($a, $id); - } - - $this->smarty->assign('entry', $a); - $this->smarty->assign('id', $id); - return 0; - - } +class admin_entry_delete extends AdminPanelAction { + + var $events = array( + 'delete', + 'cancel' + ); + + function main() { + global $fpdb; + + if (isset($_REQUEST ['entry'])) { + $id = $_REQUEST ['entry']; + if ($a = entry_parse($id)) + ; + else + $a = draft_parse($id); + + if ($a) { + + if (THEME_LEGACY_MODE) { + theme_entry_filters($a, $id); + } + + $this->smarty->assign('entry', $a); + $this->smarty->assign('id', $id); + return 0; } - - return 1; - - } - - - function ondelete() { - $id=$_REQUEST['entry']; - $ok=draft_delete($id) || entry_delete($id); - - $success = $ok? 2 : -2; - $this->smarty->assign('success',$success); - return 1; - } - - function oncancel() { - return 1; } - } + return 1; + } + + function ondelete() { + $id = $_REQUEST ['entry']; + $ok = draft_delete($id) || entry_delete($id); + + $success = $ok ? 2 : -2; + $this->smarty->assign('success', $success); + return 1; + } + + function oncancel() { + return 1; + } + +} ?> diff --git a/admin/panels/entry/admin.entry.write.php b/admin/panels/entry/admin.entry.write.php index 2000a14..d75ed49 100755 --- a/admin/panels/entry/admin.entry.write.php 
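Review bot: ondelete() removes whatever `$_REQUEST ['entry']` names without any nonce or referer check visible in this hunk, while the last patch of this series adds `check_admin_referer('mediamanager_deletefile')` in front of the media manager's delete for exactly that reason; unless AdminPanelAction already verifies a nonce before dispatching events, the same guard belongs at the top of ondelete() (with an action name chosen for this panel) and the matching nonce in the delete form. In main(), the empty-statement form `if ($a = entry_parse($id)) ; else $a = draft_parse($id);` is easy to misread; `$a = entry_parse($id) ?: draft_parse($id);` is equivalent and says what it means. The file header still carries the blank `Type: / Name: / Date: / Purpose:` fields, which sits oddly in a commit titled "added API doc" — either fill them or drop them.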
+++ b/admin/panels/entry/admin.entry.write.php 
@@ -3,200 +3,212 @@ /** * edit entry panel * - * Type: - * Name: - * Date: - * Purpose: + * Type: + * Name: + * Date: + * Purpose: * Input: - * - * @author NoWhereMan * + * @author NoWhereMan + * */ - - - +class admin_entry_write extends AdminPanelActionValidated { - class admin_entry_write extends AdminPanelActionValidated { - - var $validators = array( - array('subject', 'subject', 'notEmpty', false, false, 'trim,stripslashes'), - array('content', 'content', 'notEmpty', false, false, 'stripslashes'), - ); - - var $events = array('save', 'preview', 'savecontinue'); - var $draft = false; - - function _makePreview($arr, $id=null) { - - if (!$id) { - $arr['subject'] = apply_filters('title_save_pre', $arr['subject']); - $arr['content'] = apply_filters('content_save_pre', $arr['content']); - } - + var $validators = array( + array( + 'subject', + 'subject', + 'notEmpty', + false, + false, + 'trim,stripslashes' + ), + array( + 'content', + 'content', + 'notEmpty', + false, + false, + 'stripslashes' + ) + ); - if ($this->draft || $this->draft = draft_exists($this->id)) { - if (isset($arr['categories']) - && is_array($arr['categories']) && !in_array('draft', $arr['categories']) ) { - $arr['categories'][] = 'draft'; - } else { - $arr['categories'][] = 'draft'; - } + var $events = array( + 'save', + 'preview', + 'savecontinue' + ); - } + var $draft = false; - // unfiltered content (for editing) - $this->smarty->assign('post', $arr); - - if (THEME_LEGACY_MODE) { - theme_entry_filters($arr, $id); - } - - // content for preview - $this->smarty->assign('entry', $arr); - $this->smarty->assign('preview', true); - } - - function makePageTitle($title, $sep) { - global $lang, $panel; - if ($this->draft) { - $this->smarty->append( - 'warnings', - $lang['admin']['entry']['write']['msgs']['draft'] - ); - } - return "$title $sep {$lang['admin']['entry']['write']['head']}"; + function _makePreview($arr, $id = null) { + if (!$id) { + $arr ['subject'] = apply_filters('title_save_pre', $arr 
['subject']); + $arr ['content'] = apply_filters('content_save_pre', $arr ['content']); } - function draft_class($string) { - return "$string draft"; - } - - function _getCatsFlags() { - - //$this->smarty->assign('saved_categories', entry_categories_format()); - $this->smarty->assign('saved_flags', entry_flags_get()); - - } - - function setup() { - - $this->id = @$_REQUEST['entry']; - $this->smarty->assign('id', $this->id); - - - } - - function main() { - - global $lang; - - $id = $this->id; - - if (isset($_REQUEST['entry'])) { - - $arr = draft_parse($id); - - if (!$arr) - $arr = entry_parse($id); - else - $this->smarty->assign('draft', true); - - // if entry does not exists - if ($arr) { - $this->_makePreview($arr, $id); - } - - } - - $this->_getCatsFlags(); - add_filter('wp_title', array(&$this, 'makePageTitle'), 10, 2); - if ($this->draft) add_filter('admin_body_class', array(&$this, 'draft_class')); - - } - - function _getposteddata() { - - $arr['version'] = system_ver(); - $arr['subject'] = ($_POST['subject']); - $arr['content'] = ($_POST['content']); - $author = user_get(); - $arr['author'] = $author['userid']; - $arr['date'] = !empty($_POST['timestamp'])?$_POST['timestamp']:date_time(); - - - $cats = !empty($_POST['cats'])?$_POST['cats']:array(); - $flags = !empty($_POST['flags'])?$_POST['flags']:array(); - - $catids = array_merge(array_keys($flags), array_keys($cats)); - - $this->draft = isset($flags['draft']); - if ($catids) - $arr['categories'] = $catids; - - return $arr; - - } - - function onsave($do_preview = false) { - - $id = $this->id; - $data = $this->_getposteddata(); - - if ($this->draft) { - $success=draft_save($data, $id, true); - $this->smarty->assign('success', $success? 
1 : -1 ); + if ($this->draft || $this->draft = draft_exists($this->id)) { + if (isset($arr ['categories']) && is_array($arr ['categories']) && !in_array('draft', $arr ['categories'])) { + $arr ['categories'] [] = 'draft'; } else { - $success=entry_save($data, $id); - $this->smarty->assign('success', is_numeric($success)? $success : 1 ); + $arr ['categories'] [] = 'draft'; } - - // if ($success) sess_remove('entry'); - - - if ($do_preview) - $this->_makePreview($data); - - if ($success<0) { - $this->main(); - return PANEL_NOREDIRECT; - } - - return 1; - } - - - function onpreview() { - global $lang; - - $this->_makePreview($this->_getposteddata()); - - - $this->_getCatsFlags(); - - add_filter('wp_title', array(&$this, 'makePageTitle'), 10, 2); - if ($this->draft) add_filter('admin_body_class', array(&$this, 'draft_class')); - - return 0; - - - } - - function onsavecontinue() { - global $lang; - $this->onsave(true); - - $this->_getCatsFlags(); - - add_filter('wp_title', array(&$this, 'makePageTitle'), 10, 2); - if ($this->draft) add_filter('admin_body_class', array(&$this, 'draft_class')); - } - - - function onerror() { - $this->main(); - return 0; } + // unfiltered content (for editing) + $this->smarty->assign('post', $arr); + + if (THEME_LEGACY_MODE) { + theme_entry_filters($arr, $id); + } + + // content for preview + $this->smarty->assign('entry', $arr); + $this->smarty->assign('preview', true); } + function makePageTitle($title, $sep) { + global $lang, $panel; + if ($this->draft) { + $this->smarty->append('warnings', $lang ['admin'] ['entry'] ['write'] ['msgs'] ['draft']); + } + return "$title $sep {$lang['admin']['entry']['write']['head']}"; + } + + function draft_class($string) { + return "$string draft"; + } + + function _getCatsFlags() { + + // $this->smarty->assign('saved_categories', entry_categories_format()); + $this->smarty->assign('saved_flags', entry_flags_get()); + } + + function setup() { + $this->id = @$_REQUEST ['entry']; + 
$this->smarty->assign('id', $this->id); + } + + function main() { + global $lang; + + $id = $this->id; + + if (isset($_REQUEST ['entry'])) { + + $arr = draft_parse($id); + + if (!$arr) + $arr = entry_parse($id); + else + $this->smarty->assign('draft', true); + + // if entry does not exists + if ($arr) { + $this->_makePreview($arr, $id); + } + } + + $this->_getCatsFlags(); + add_filter('wp_title', array( + &$this, + 'makePageTitle' + ), 10, 2); + if ($this->draft) + add_filter('admin_body_class', array( + &$this, + 'draft_class' + )); + } + + function _getposteddata() { + $arr ['version'] = system_ver(); + $arr ['subject'] = ($_POST ['subject']); + $arr ['content'] = ($_POST ['content']); + $author = user_get(); + $arr ['author'] = $author ['userid']; + $arr ['date'] = !empty($_POST ['timestamp']) ? $_POST ['timestamp'] : date_time(); + + $cats = !empty($_POST ['cats']) ? $_POST ['cats'] : array(); + $flags = !empty($_POST ['flags']) ? $_POST ['flags'] : array(); + + $catids = array_merge(array_keys($flags), array_keys($cats)); + + $this->draft = isset($flags ['draft']); + if ($catids) + $arr ['categories'] = $catids; + + return $arr; + } + + function onsave($do_preview = false) { + $id = $this->id; + $data = $this->_getposteddata(); + + if ($this->draft) { + $success = draft_save($data, $id, true); + $this->smarty->assign('success', $success ? 1 : -1); + } else { + $success = entry_save($data, $id); + $this->smarty->assign('success', is_numeric($success) ? 
$success : 1); + } + + // if ($success) sess_remove('entry'); + + if ($do_preview) + $this->_makePreview($data); + + if ($success < 0) { + $this->main(); + return PANEL_NOREDIRECT; + } + + return 1; + } + + function onpreview() { + global $lang; + + $this->_makePreview($this->_getposteddata()); + + $this->_getCatsFlags(); + + add_filter('wp_title', array( + &$this, + 'makePageTitle' + ), 10, 2); + if ($this->draft) + add_filter('admin_body_class', array( + &$this, + 'draft_class' + )); + + return 0; + } + + function onsavecontinue() { + global $lang; + $this->onsave(true); + + $this->_getCatsFlags(); + + add_filter('wp_title', array( + &$this, + 'makePageTitle' + ), 10, 2); + if ($this->draft) + add_filter('admin_body_class', array( + &$this, + 'draft_class' + )); + } + + function onerror() { + $this->main(); + return 0; + } + +} + ?> diff --git a/fp-includes/core/core.users.php b/fp-includes/core/core.users.php index 032a95c..8405863 100755 --- a/fp-includes/core/core.users.php +++ b/fp-includes/core/core.users.php @@ -49,7 +49,8 @@ function user_login($userid, $pwd, $params = null) { if (password_verify($userid . $pwd, $user ['password'])) { $loggedin = true; } // - // for FP instances updated from 1.1 to 1.2: check password the old-fashioned way (with wp_hash() which uses md5) + // If this didn't work, the passwords may have been created with FlatPress 1.1 or earlier. + // So we check the password the old-fashioned way (with wp_hash() which uses md5): elseif (wp_hash($userid . $pwd) == $user ['password']) { $loggedin = true; @@ -110,6 +111,13 @@ function user_loggedin() { return false; } +/** + * Returns the user information as associative array + * + * @param string $userid + * optional: The ID (shortname) of a specific user + * @return array the user information array + */ function user_get($userid = null) { if ($userid == null && ($user = user_loggedin())) { return $user; 
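Review bot: In _makePreview() both branches of `if (isset($arr ['categories']) && is_array($arr ['categories']) && !in_array('draft', $arr ['categories'])) { … } else { … }` append `'draft'`, so the `in_array` test is dead and an entry already flagged as draft gets the category twice. The intent reads as "append unless already present": `if (!isset($arr ['categories']) || !is_array($arr ['categories']) || !in_array('draft', $arr ['categories'], true)) { $arr ['categories'] [] = 'draft'; }` with no else. Separately, the `add_filter('wp_title', …)` / `add_filter('admin_body_class', …)` pair is repeated verbatim in main(), onpreview() and onsavecontinue(); a small private helper would keep the three in step. In _getposteddata(), `$_POST ['timestamp']` is stored as the entry date with no validation visible here — worth confirming the format is enforced elsewhere, since the validators only cover subject and content.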
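Review bot: The legacy path the reworded comment describes, `elseif (wp_hash($userid . $pwd) == $user ['password'])`, compares two digests with `==`, which is loose (numeric-looking strings such as `0e…` compare as numbers, so distinct digests can match) and not constant-time. `elseif (hash_equals((string) $user ['password'], wp_hash($userid . $pwd)))` keeps the behaviour for genuine matches and removes both problems. The comment itself would read better as `// Fallback for credentials created by FlatPress 1.1 or earlier, which were hashed with wp_hash() (md5).` user_login's body starts and ends outside the hunk.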
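Review bot: The new user_get() docblock declares `@param string $userid`, but the default is `null` and the first statement tests `$userid == null`, so `@param string|null $userid` is the accurate type. The `optional:` wording belongs in the description rather than in the type line; user_get's body continues outside the hunk, so the documented `@return array` cannot be checked against the remaining branches here.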
diff --git a/fp-includes/core/core.wp-functions.php b/fp-includes/core/core.wp-functions.php index ae851c5..f146f3a 100755 --- a/fp-includes/core/core.wp-functions.php +++ b/fp-includes/core/core.wp-functions.php 
@@ -1,76 +1,91 @@ '; - wp_referer_field(); + echo ''; + wp_referer_field(); } +/** + * Echoes a hidden input field containing the referrer + */ function wp_referer_field() { - $ref = wp_specialchars($_SERVER['REQUEST_URI']); - echo ''; - if ( wp_get_original_referer() ) { - $original_ref = wp_specialchars(stripslashes(wp_get_original_referer())); - echo ''; - } + $ref = wp_specialchars($_SERVER ['REQUEST_URI']); + echo ''; + if (wp_get_original_referer()) { + $original_ref = wp_specialchars(stripslashes(wp_get_original_referer())); + echo ''; + } } function wp_original_referer_field() { - echo ''; + echo ''; } function wp_get_referer() { - foreach ( array(@$_REQUEST['_wp_http_referer'],@$_SERVER['HTTP_REFERER']) as $ref ) - if ( !empty($ref) ) - return $ref; - return false; + foreach (array( + @$_REQUEST ['_wp_http_referer'], + @$_SERVER ['HTTP_REFERER'] + ) as $ref) + if (!empty($ref)) + return $ref; + return false; } function wp_get_original_referer() { - if ( !empty($_REQUEST['_wp_original_http_referer']) ) - return $_REQUEST['_wp_original_http_referer']; - return false; + if (!empty($_REQUEST ['_wp_original_http_referer'])) + return $_REQUEST ['_wp_original_http_referer']; + return false; } - - - - function add_magic_quotes($array) { foreach ($array as $k => $v) { if (is_array($v)) { - $array[$k] = add_magic_quotes($v); + $array [$k] = add_magic_quotes($v); } else { - $array[$k] = addslashes($v); + $array [$k] = addslashes($v); } } return $array; } -function wp_remote_fopen( $uri ) { - if ( ini_get('allow_url_fopen') ) { - $fp = fopen( $uri, 'r' ); - if ( !$fp ) +function wp_remote_fopen($uri) { + if (ini_get('allow_url_fopen')) { + $fp = fopen($uri, 'r'); + if (!$fp) return false; $linea = ''; - while( $remote_read = fread($fp, 4096) ) + while ($remote_read = fread($fp, 4096)) $linea .= $remote_read; fclose($fp); - return $linea; - } else if ( function_exists('curl_init') ) { + return $linea; + } else if (function_exists('curl_init')) { $handle = curl_init(); 
- curl_setopt ($handle, CURLOPT_URL, $uri); - curl_setopt ($handle, CURLOPT_CONNECTTIMEOUT, 1); - curl_setopt ($handle, CURLOPT_RETURNTRANSFER, 1); + curl_setopt($handle, CURLOPT_URL, $uri); + curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 1); + curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1); $buffer = curl_exec($handle); curl_close($handle); return $buffer; } else { return false; - } + } } ?> \ No newline at end of file diff --git a/fp-includes/core/core.wp-pluggable-funcs.php b/fp-includes/core/core.wp-pluggable-funcs.php index 45941c1..7f0c4d3 100755 --- a/fp-includes/core/core.wp-pluggable-funcs.php +++ b/fp-includes/core/core.wp-pluggable-funcs.php @@ -331,7 +331,8 @@ if (!function_exists('wp_verify_nonce')) : $user = user_get(); $uid = $user ['userid']; - $i = ceil(time() / 43200); + // new nonce each 12 hours + $i = ceil(time() / (60 * 60 * 12)); // Allow for expanding range, but only do one check if we can if (substr(wp_hash($i . $action . $uid), -12, 10) == $nonce || substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce) @@ -342,11 +343,20 @@ endif; if (!function_exists('wp_create_nonce')) : + /** + * Creates and returns the valid nonce. + * + * @param int $action + * optional: the action + * @return string the nonce + */ function wp_create_nonce($action = -1) { + // get the info array of the user currenty logged in $user = user_get(); $uid = $user ['userid']; - $i = ceil(time() / 43200); + // new nonce each 12 hours + $i = ceil(time() / (60 * 60 * 12)); return substr(wp_hash($i . $action . $uid), -12, 10); } @@ -355,18 +365,20 @@ endif; if (!function_exists('wp_salt')) : /** + * Returns a salt for hashing.
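Review bot: wp_remote_fopen() hands `$uri` straight to `fopen($uri, 'r')` whenever allow_url_fopen is on, so every PHP stream wrapper (file://, php://, data:) is accepted, and that branch relies on the ini default_socket_timeout while the curl branch sets CURLOPT_CONNECTTIMEOUT but no overall CURLOPT_TIMEOUT; whether `$uri` can ever come from request data is not visible in this hunk. A scheme check at the top, `if (!in_array(parse_url($uri, PHP_URL_SCHEME), array('http', 'https'), true)) return false;`, plus `curl_setopt($handle, CURLOPT_TIMEOUT, 5);` in the curl branch would bound both. wp_get_referer() returns `$_REQUEST ['_wp_http_referer']` unchanged; if any caller uses it as a redirect target it needs to be constrained to the site's own URL, which cannot be confirmed here. This is a formatting-only commit, so all of this is pre-existing.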
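Review bot: `substr(wp_hash($i . $action . $uid), -12, 10) == $nonce` compares a secret-derived token with request input using `==`, which is loose (numeric-looking strings such as `0e…` compare as numbers) and not constant-time; `hash_equals()` with the expected value first is the right primitive: `if (hash_equals(substr(wp_hash($i . $action . $uid), -12, 10), (string) $nonce) || hash_equals(substr(wp_hash(($i - 1) . $action . $uid), -12, 10), (string) $nonce))`. The final patch of this series touches the same line (introducing `$expectedNonce`) and keeps `==`, so the change applies there as well. wp_verify_nonce's body starts and ends outside the hunk.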
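Review bot: The new docblock's `@param int $action` does not match how the function is used — the default is the int `-1`, but the last patch of this series calls the nonce scheme with the string `'mediamanager_deletefile'` — so `@param int|string $action` is the accurate type, and the same applies to wp_verify_nonce's `$action` if it gets a docblock. `// get the info array of the user currenty logged in` has a typo (currently). The visible body uses `$user ['userid']` without checking that user_get() returned a user; what happens for an anonymous caller depends on user_get(), which is outside this hunk.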
+ * The salt is unique for each FlatPress installation; see fp-content/config/hashsalt.conf.php * - * @return NULL|unknown - * @deprecated as of FlatPress 1.2 - still here only to be able to update pre-1.2 credentials + * @return string the salt */ function wp_salt() { global $fp_config; static $salt = null; if (!$salt) { + // get the salt from the hashsalt file @include (HASHSALT_FILE); - if (!$fp_hashsalt) + if (!$fp_hashsalt) { trigger_error('Cannot load hash salt: reinstall FlatPress', E_USER_ERROR); - + } $salt = $fp_hashsalt; } return $salt; @@ -376,10 +388,11 @@ endif; if (!function_exists('wp_hash')) : /** + * Creates a salted MD5 hash of the given string. * - * @param unknown $data - * @return string - * @deprecated as of FlatPress 1.2 - still here only to be able to update pre-1.2 credentials + * @param string $data + * the string to hash + * @return string the hash */ function wp_hash($data) { $salt = wp_salt(); From 88494f55265e74f2259788c4ad97aac1043dbe12 Mon Sep 17 00:00:00 2001 From: azett Date: Thu, 29 Dec 2022 15:01:49 +0100 Subject: [PATCH 5/5] check for correct admin referer on deletefile (see #64) --- fp-includes/core/core.wp-pluggable-funcs.php | 3 ++- fp-plugins/mediamanager/panels/panel.mediamanager.file.php | 5 +++++ .../mediamanager/tpls/admin.plugin.mediamanager.files.tpl | 4 ++-- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/fp-includes/core/core.wp-pluggable-funcs.php b/fp-includes/core/core.wp-pluggable-funcs.php index 7f0c4d3..9849c27 100755 --- a/fp-includes/core/core.wp-pluggable-funcs.php +++ b/fp-includes/core/core.wp-pluggable-funcs.php 
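Review bot: If `@include (HASHSALT_FILE)` fails, `$fp_hashsalt` is never defined and the guard `if (!$fp_hashsalt) {` raises an undefined-variable warning before the intended trigger_error; `if (empty($fp_hashsalt)) {` has the same truthiness semantics without the warning. `global $fp_config;` is not referenced anywhere in the visible body and looks dead, though the function's closing lines are outside the hunk. Since this hunk removes the `@deprecated` tag, the docblock could say what the salt is used for now, e.g. `Feeds wp_hash(), and therefore the nonce scheme and legacy (pre-1.2) password checks.`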
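Review bot: The rewritten docblock drops `@deprecated as of FlatPress 1.2` without stating what the function is and is not for, while the core.users.php hunk in this same patch still describes wp_hash() as the md5 fallback for pre-1.2 passwords. Keeping that boundary explicit avoids new callers picking it up for credentials: `Not suitable for password storage (credentials use password_hash()/password_verify()); kept for nonces and legacy pre-1.2 password checks.` wp_hash's body continues past the hunk, so the MD5 claim in the new summary is taken from the docblock and the core.users.php comment rather than seen here.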
@@ -335,7 +335,8 @@ if (!function_exists('wp_verify_nonce')) : $i = ceil(time() / (60 * 60 * 12)); // Allow for expanding range, but only do one check if we can - if (substr(wp_hash($i . $action . $uid), -12, 10) == $nonce || substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce) + $expectedNonce = substr(wp_hash($i . $action . $uid), -12, 10); + if ($expectedNonce == $nonce || substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce) return true; return false; } diff --git a/fp-plugins/mediamanager/panels/panel.mediamanager.file.php b/fp-plugins/mediamanager/panels/panel.mediamanager.file.php index cb33c48..f059d6b 100644 --- a/fp-plugins/mediamanager/panels/panel.mediamanager.file.php +++ b/fp-plugins/mediamanager/panels/panel.mediamanager.file.php @@ -74,8 +74,13 @@ class admin_uploader_mediamanager extends AdminPanelAction { } function doItemActions($folder, $mmbaseurl) { + /* delete file */ if (isset($_GET ['deletefile'])) { + // at first: check if nonce was given correctly + check_admin_referer('mediamanager_deletefile'); + + // now get the file to be deleted list ($type, $name) = explode("-", $_GET ['deletefile'], 2); // prevent path traversal: remove ".." and "/" resp. "\" $name = preg_replace('(\.\.|\/|\\\\)', '', $name); diff --git a/fp-plugins/mediamanager/tpls/admin.plugin.mediamanager.files.tpl b/fp-plugins/mediamanager/tpls/admin.plugin.mediamanager.files.tpl index 90dc179..f1db44c 100644 --- a/fp-plugins/mediamanager/tpls/admin.plugin.mediamanager.files.tpl +++ b/fp-plugins/mediamanager/tpls/admin.plugin.mediamanager.files.tpl @@ -43,7 +43,7 @@ {$v.size} {$v.mtime} - {$plang.delete} + {$plang.delete} {/foreach} @@ -70,7 +70,7 @@ {$v.size} {$v.mtime} - {$plang.delete} + {$plang.delete} {/foreach}
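Review bot: The extraction is half done — `$expectedNonce` names the current-window value, but the previous-window value is still computed inline in the same condition, so the two alternatives now read differently for no reason. Naming both, `$previousNonce = substr(wp_hash(($i - 1) . $action . $uid), -12, 10);`, makes the grace-window logic (accept the current or the immediately preceding 12-hour window) obvious at a glance. wp_verify_nonce's body starts outside the hunk.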
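Review bot: The new `check_admin_referer('mediamanager_deletefile');` only protects the deletion if it terminates the request on a missing or invalid nonce; its failure behaviour in this port is not visible here, and if it merely returns false the `list ($type, $name) = explode(…)` that follows still runs. Confirm that it dies, or make the guard self-evident: `if (!check_admin_referer('mediamanager_deletefile')) return;`. The deletion remains driven by a GET parameter (`$_GET ['deletefile']`) and, per the template hunk, by a plain link; the nonce closes the cross-site forgery, but a state-changing GET is still exposed to prefetching and link previews, so a POST form is the longer-term fix. doItemActions's body continues past the hunk.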