
Changeset 398036


Timestamp:
06/16/2011 05:16:27 PM (15 years ago)
Author:
Gnuget
Message:

Fix a security bug

Location:
magic-fields/trunk
Files:
8 edited

  • magic-fields/trunk/Main.php

    r394087 r398036  
    55Description: Create custom write panels and easily retrieve their values in your templates.
    66Author: Hunk and Gnuget
    7 Version: 1.5.5
     7Version: 1.5.6
    88Author URI: http://magicfields.org
    99*/
  • magic-fields/trunk/RCCWP_CustomFieldPage.php

    r394087 r398036  
    9090                                    $FIELD_TYPES['audio'],
    9191                                    $FIELD_TYPES['related_type'],
    92                                     $FIELD_TYPES['Image (Upload Media)']
     92                                    $FIELD_TYPES['Image (Upload Media)'],
     93                                    $FIELD_TYPES['markdown_textbox']
    9394                            ))){  ?>
    9495        <tr valign="top">
  • magic-fields/trunk/RCCWP_GetFile.php

    r314766 r398036  
    6767if (!empty($_POST['upload_url'])) {         
    6868    // file was send from browser
    69     $_POST['upload_url'] = clean_url($_POST['upload_url']);
     69    $_POST['upload_url'] = esc_url($_POST['upload_url']);
    7070    $filename = DownloadFile();
    7171
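Review bot: esc_url() on line 69 is the display-context escaper, so it rewrites `&` to `&#038;` and `'` to `&#039;` before the value reaches DownloadFile() on the next line; a URL with more than one query parameter would be altered before it is fetched, and `esc_url_raw()` is the WordPress variant meant for values that are used rather than printed. esc_url() also returns `''` when it rejects the scheme, and that empty result is passed on unchecked; add `if ($_POST['upload_url'] === '') { exit; }` (or whatever error path the file uses) before the DownloadFile() call. Neither function restricts the host, so if DownloadFile() retrieves the URL server-side it should separately confirm the scheme is http or https; that function is outside the hunk, as is the end of the enclosing if block.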
  • magic-fields/trunk/RCCWP_upload.php

    r314766 r398036  
    3939}
    4040
    41 
    42 
    4341if (isset($_POST['fileframe'])){
     42
     43  if ( empty($_POST) || !wp_verify_nonce($_POST['checking'],'nonce_upload_file') ){
     44    print 'Sorry, your nonce did not verify.';
     45    exit;
     46  }
    4447    $operationSuccess = "false";
    4548   
     
    249252    </table>
    250253
    251    
     254<?php wp_nonce_field('nonce_upload_file','checking'); ?>   
    252255    <input type="hidden" name="fileframe" value="true" />
    253256    <input type="hidden" name="imgnum" />
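Review bot: The nonce check added on line 43 reads `$_POST['checking']` without confirming the key exists, so a POST that omits it raises an undefined-index notice before wp_verify_nonce() runs; the preceding `empty($_POST)` does not cover that case. Change the condition to `if ( empty($_POST['checking']) || !wp_verify_nonce($_POST['checking'],'nonce_upload_file') ){`. A nonce only shows the request came from the plugin's own form; it says nothing about whether the user is allowed to upload, and nothing in this hunk tests a capability, whereas RCCWP_upload_ajax.php in the same changeset does, so the same current_user_can() check belongs here unless it is already performed earlier in the file. The if block opened on line 41 continues past the end of the hunk.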
  • magic-fields/trunk/RCCWP_upload_ajax.php

    r350728 r398036  
    1818}
    1919
    20 
     20if (!(is_user_logged_in() &&
     21      (current_user_can('edit_posts') || current_user_can('edit_published_pages'))))
     22    die(__("Authentication failed!",$mf_domain));
    2123
    2224/**
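Review bot: The test on line 21 admits anyone holding `edit_posts`, which in a default WordPress install includes the Contributor role, while file uploads are governed by the separate `upload_files` capability that Contributors do not have; since this script presumably handles an upload, `if ( !current_user_can('upload_files') )` is the check that matches what it protects. The `is_user_logged_in()` call is redundant because current_user_can() already returns false for an anonymous user. A capability check on its own does not rule out a cross-site request, and no nonce is verified in this hunk; one may be checked elsewhere in the file. Consider braces around the `die()` so a later second statement is not silently left outside the condition.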
  • magic-fields/trunk/README.markdown

    r394087 r398036  
    33* Contributors: [Astrata Software](http://astrata.mx) [Travis Hensgen](http://traversal.com.au/), [Jeff Minard](http://jrm.cc/ "Jeff Minard"), [Carlos Mendoza](http://http://github.com/kaziel/Magic-Fields "Carlos Mendoza"), Michael Bayard, [Doc4](doc4design.com/ "Doc4")
    44* Tested up to: Wordpress 3.0.1
    5 * Stable tag: 1.5.5
     5* Stable tag: 1.5.6
    66* Description: Magic Fields  is a feature rich WordPress CMS plugin.
    77
     
    1818
    1919## Changelog ##
     20
     21###1.5.6###
     22 * Security bug fixed related with the uploader
    2023
    2124###1.5.5###
  • magic-fields/trunk/js/groups.js

    r394087 r398036  
    993993
    994994    //validate maxlength
    995     jQuery('.mf-field.maxlength input, .mf-field.maxlength textarea').keyup(function(){
     995    jQuery('.mf-field.maxlength input, .mf-field.maxlength textarea').live( 'keyup', function(){
    996996        var maximal = parseInt(jQuery(this).attr('maxlength'));
    997997        var actual = parseInt(jQuery(this).val().length);
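Review bot: `.live()` on line 995 binds the handler at the document level and was deprecated in jQuery 1.7 and removed in 1.9, so this rewrite stops working once the bundled jQuery is upgraded; the delegated form `jQuery(document).on('keyup', '.mf-field.maxlength input, .mf-field.maxlength textarea', function(){` keeps the same effect of catching fields inserted after page load. A short comment such as `// delegated so fields added dynamically are covered` would record why the direct `.keyup()` binding was replaced. The handler body continues outside the hunk.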
  • magic-fields/trunk/readme.txt

    r394087 r398036  
    55Requires at least: 2.9
    66Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=edgar%40programador%2ecom&lc=GB&item_name=Donation%20Magic%20Fields&currency_code=USD&bn=PP%2dDonationsBF%3abtn_donateCC_LG%2egif%3aNonHostedGuest
    7 Stable tag: 1.5.5
     7Stable tag: 1.5.6
    88Description: Magic Fields  is a feature rich WordPress CMS plugin.
    99
     
    2828
    2929== Changelog ==
     30
     31= 1.5.6 =
     32 * Security bug fixed related with the uploader
     33
    3034
    3135= 1.5.5 =