golem
/
twentyGOLEM
9
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add nonces to importers 

git-svn-id: http://svn.automattic.com/wordpress/trunk@5404 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
ryan 2007-05-07 15:56:53 +00:00
parent 9b1b9b2084
commit ef4ad331e1
9 changed files with 57 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
wp-admin/admin-functions.php
View File

@ -2030,6 +2030,7 @@ function wp_import_upload_form( $action ) {
?>
<form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo attribute_escape($action) ?>">
<p>
<?php wp_nonce_field('import-upload'); ?>
<label for="upload"><?php _e( 'Choose a file from your computer:' ); ?></label> (<?php printf( __('Maximum size: %s' ), $size ); ?> )
<input type="file" id="upload" name="import" size="25" />
<input type="hidden" name="action" value="save" />

4
wp-admin/import/blogger.php
View File

@ -743,10 +743,11 @@ class Blogger_Import {
// Step 9: Congratulate the user
function congrats() {
$blog = (int) $_GET['blog'];
echo '<h1>'.__('Congratulations!').'</h1><p>'.__('Now that you have imported your Blogger blog into WordPress, what are you going to do? Here are some suggestions:').'</p><ul><li>'.__('That was hard work! Take a break.').'</li>';
if ( count($this->import['blogs']) > 1 )
echo '<li>'.__('In case you haven\'t done it already, you can import the posts from your other blogs:'). $this->show_blogs() . '</li>';
if ( $n = count($this->import['blogs'][$_GET['blog']]['newusers']) )
if ( $n = count($this->import['blogs'][$blog]['newusers']) )
echo '<li>'.sprintf(__('Go to <a href="%s" target="%s">Authors &amp; Users</a>, where you can modify the new user(s) or delete them. If you want to make all of the imported posts yours, you will be given that option when you delete the new authors.'), 'users.php', '_parent').'</li>';
echo '<li>'.__('For security, click the link below to reset this importer.').'</li>';
echo '</ul>';
@ -765,6 +766,7 @@ class Blogger_Import {
if ( isset( $_REQUEST['blog'] ) ) {
$blog = is_array($_REQUEST['blog']) ? array_shift( array_keys( $_REQUEST['blog'] ) ) : $_REQUEST['blog'];
$blog = (int) $blog;
$this->import_blog( $blog );
} elseif ( isset($_GET['token']) )
$this->auth();

32
wp-admin/import/dotclear.php
View File

@ -147,8 +147,9 @@ class Dotclear_Import {
echo '<div class="narrow"><p>'.__('Howdy! This importer allows you to extract posts from a DotClear database into your blog. Mileage may vary.').'</p>';
echo '<p>'.__('Your DotClear Configuration settings are as follows:').'</p>';
echo '<form action="admin.php?import=dotclear&amp;step=1" method="post">';
wp_nonce_field('import-dotclear');
$this->db_form();
echo '<p class="submit"><input type="submit" name="submit" value="'.__('Import Categories').' &raquo;" /></p>';
echo '<p class="submit"><input type="submit" name="submit" value="'.attribute_escape(__('Import Categories &raquo;')).'" /></p>';
echo '</form></div>';
}
@ -558,7 +559,8 @@ class Dotclear_Import {
echo '<form action="admin.php?import=dotclear&amp;step=2" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Users'));
wp_nonce_field('import-dotclear');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Users')));
echo '</form>';
}
@ -570,7 +572,8 @@ class Dotclear_Import {
$this->users2wp($users);
echo '<form action="admin.php?import=dotclear&amp;step=3" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Posts'));
wp_nonce_field('import-dotclear');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Posts')));
echo '</form>';
}
@ -581,7 +584,8 @@ class Dotclear_Import {
$this->posts2wp($posts);
echo '<form action="admin.php?import=dotclear&amp;step=4" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Comments'));
wp_nonce_field('import-dotclear');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Comments')));
echo '</form>';
}
@ -592,7 +596,8 @@ class Dotclear_Import {
$this->comments2wp($comments);
echo '<form action="admin.php?import=dotclear&amp;step=5" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Links'));
wp_nonce_field('import-dotclear');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Links')));
echo '</form>';
}
@ -604,7 +609,8 @@ class Dotclear_Import {
add_option('dc_links', $links);
echo '<form action="admin.php?import=dotclear&amp;step=6" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Finish'));
wp_nonce_field('import-dotclear');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Finish')));
echo '</form>';
}
@ -667,42 +673,44 @@ class Dotclear_Import {
if ( $step > 0 )
{
check_admin_referer('import-dotclear');
if($_POST['dbuser'])
{
if(get_option('dcuser'))
delete_option('dcuser');
add_option('dcuser',$_POST['dbuser']);
add_option('dcuser', sanitize_user($_POST['dbuser'], true));
}
if($_POST['dbpass'])
{
if(get_option('dcpass'))
delete_option('dcpass');
add_option('dcpass',$_POST['dbpass']);
add_option('dcpass', sanitize_user($_POST['dbpass'], true));
}
if($_POST['dbname'])
{
if(get_option('dcname'))
delete_option('dcname');
add_option('dcname',$_POST['dbname']);
add_option('dcname', sanitize_user($_POST['dbname'], true));
}
if($_POST['dbhost'])
{
if(get_option('dchost'))
delete_option('dchost');
add_option('dchost',$_POST['dbhost']);
add_option('dchost', sanitize_user($_POST['dbhost'], true));
}
if($_POST['dccharset'])
{
if(get_option('dccharset'))
delete_option('dccharset');
add_option('dccharset',$_POST['dccharset']);
add_option('dccharset', sanitize_user($_POST['dccharset'], true));
}
if($_POST['dbprefix'])
{
if(get_option('dcdbprefix'))
delete_option('dcdbprefix');
add_option('dcdbprefix',$_POST['dbprefix']);
add_option('dcdbprefix', sanitize_user($_POST['dbprefix'], true));
}

8
wp-admin/import/greymatter.php
View File

@ -34,6 +34,7 @@ class GM_Import {
<form name="stepOne" method="get">
<input type="hidden" name="import" value="greymatter" />
<input type="hidden" name="step" value="1" />
<?php wp_nonce_field('import-greymatter'); ?>
<h3><?php _e('Second step: GreyMatter details:') ?></h3>
<p><table cellpadding="0">
<tr>
@ -87,10 +88,12 @@ class GM_Import {
}
if (!chdir($archivespath))
wp_die(sprintf(__("Wrong path, %s\ndoesn't exist\non the server"), $archivespath));
wp_die(__("Wrong path, the path to the GM entries does not exist on the server"));
if (!chdir($gmpath))
wp_die(sprintf(__("Wrong path, %s\ndoesn't exist\non the server"), $gmpath));
wp_die(__("Wrong path, the path to the GM files does not exist on the server"));
$lastentry = (int) $lastentry;
$this->header();
?>
@ -297,6 +300,7 @@ class GM_Import {
$this->greet();
break;
case 1:
check_admin_referer('import-greymatter');
$this->import();
break;
}

1
wp-admin/import/livejournal.php
View File

@ -153,6 +153,7 @@ class LJ_Import {
$this->greet();
break;
case 1 :
check_admin_referer('import-upload');
$this->import();
break;
}

3
wp-admin/import/mt.php
View File

@ -147,6 +147,7 @@ class MT_Import {
$authors = $this->get_mt_authors();
echo '<ol id="authors">';
echo '<form action="?import=mt&amp;step=2&amp;id=' . $this->id . '" method="post">';
wp_nonce_field('import-mt');
$j = -1;
foreach ($authors as $author) {
++ $j;
@ -417,9 +418,11 @@ class MT_Import {
$this->greet();
break;
case 1 :
check_admin_referer('import-upload');
$this->select_authors();
break;
case 2:
check_admin_referer('import-mt');
$this->import();
break;
}

1
wp-admin/import/rss.php
View File

@ -156,6 +156,7 @@ class RSS_Import {
$this->greet();
break;
case 1 :
check_admin_referer('import-upload');
$this->import();
break;
}

30
wp-admin/import/textpattern.php
View File

@ -56,8 +56,9 @@ class Textpattern_Import {
echo '<p>'.__('This has not been tested on previous versions of Textpattern. Mileage may vary.').'</p>';
echo '<p>'.__('Your Textpattern Configuration settings are as follows:').'</p>';
echo '<form action="admin.php?import=textpattern&amp;step=1" method="post">';
wp_nonce_field('import-textpattern');
$this->db_form();
echo '<p class="submit"><input type="submit" name="submit" value="'.__('Import Categories').' &raquo;" /></p>';
echo '<p class="submit"><input type="submit" name="submit" value="'.attribute_escape(__('Import Categories &raquo;')).'" /></p>';
echo '</form>';
echo '</div>';
}
@ -483,7 +484,8 @@ class Textpattern_Import {
echo '<form action="admin.php?import=textpattern&amp;step=2" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Users'));
wp_nonce_field('import-textpattern');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Users')));
echo '</form>';
}
@ -495,7 +497,8 @@ class Textpattern_Import {
$this->users2wp($users);
echo '<form action="admin.php?import=textpattern&amp;step=3" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Posts'));
wp_nonce_field('import-textpattern');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Posts')));
echo '</form>';
}
@ -506,7 +509,8 @@ class Textpattern_Import {
$this->posts2wp($posts);
echo '<form action="admin.php?import=textpattern&amp;step=4" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Comments'));
wp_nonce_field('import-textpattern');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Comments')));
echo '</form>';
}
@ -517,7 +521,8 @@ class Textpattern_Import {
$this->comments2wp($comments);
echo '<form action="admin.php?import=textpattern&amp;step=5" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Import Links'));
wp_nonce_field('import-textpattern');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Links')));
echo '</form>';
}
@ -529,7 +534,8 @@ class Textpattern_Import {
add_option('txp_links', $links);
echo '<form action="admin.php?import=textpattern&amp;step=6" method="post">';
printf('<input type="submit" name="submit" value="%s" />', __('Finish'));
wp_nonce_field('import-textpattern');
printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Finish')));
echo '</form>';
}
@ -590,36 +596,38 @@ class Textpattern_Import {
if ( $step > 0 )
{
check_admin_referer('import-textpattern');
if($_POST['dbuser'])
{
if(get_option('txpuser'))
delete_option('txpuser');
add_option('txpuser',$_POST['dbuser']);
add_option('txpuser', sanitize_user($_POST['dbuser'], true));
}
if($_POST['dbpass'])
{
if(get_option('txppass'))
delete_option('txppass');
add_option('txppass',$_POST['dbpass']);
add_option('txppass', sanitize_user($_POST['dbpass'], true));
}
if($_POST['dbname'])
{
if(get_option('txpname'))
delete_option('txpname');
add_option('txpname',$_POST['dbname']);
add_option('txpname', sanitize_user($_POST['dbname'], true));
}
if($_POST['dbhost'])
{
if(get_option('txphost'))
delete_option('txphost');
add_option('txphost',$_POST['dbhost']);
add_option('txphost', sanitize_user($_POST['dbhost'], true));
}
if($_POST['dbprefix'])
{
if(get_option('tpre'))
delete_option('tpre');
add_option('tpre',$_POST['dbprefix']);
add_option('tpre', sanitize_user($_POST['dbprefix']));
}

3
wp-admin/import/wordpress.php
View File

@ -159,6 +159,7 @@ class WP_Import {
$authors = $this->get_wp_authors();
echo '<ol id="authors">';
echo '<form action="?import=wordpress&amp;step=2&amp;id=' . $this->id . '" method="post">';
wp_nonce_field('import-wordpress');
$j = -1;
foreach ($authors as $author) {
++ $j;
@ -363,9 +364,11 @@ class WP_Import {
$this->greet();
break;
case 1 :
check_admin_referer('import-upload');
$this->select_authors();
break;
case 2:
check_admin_referer('import-wordpress');
$this->import();
break;
}