diff --git a/wp-admin/admin-functions.php b/wp-admin/admin-functions.php index 5bc83efb8..973aff999 100644 --- a/wp-admin/admin-functions.php +++ b/wp-admin/admin-functions.php @@ -2030,6 +2030,7 @@ function wp_import_upload_form( $action ) { ?>

+ ( ) diff --git a/wp-admin/import/blogger.php b/wp-admin/import/blogger.php index 50ded417c..ca803149c 100644 --- a/wp-admin/import/blogger.php +++ b/wp-admin/import/blogger.php @@ -743,10 +743,11 @@ class Blogger_Import { // Step 9: Congratulate the user function congrats() { + $blog = (int) $_GET['blog']; echo '

'.__('Congratulations!').'

'.__('Now that you have imported your Blogger blog into WordPress, what are you going to do? Here are some suggestions:').'

'; @@ -765,6 +766,7 @@ class Blogger_Import { if ( isset( $_REQUEST['blog'] ) ) { $blog = is_array($_REQUEST['blog']) ? array_shift( array_keys( $_REQUEST['blog'] ) ) : $_REQUEST['blog']; + $blog = (int) $blog; $this->import_blog( $blog ); } elseif ( isset($_GET['token']) ) $this->auth(); diff --git a/wp-admin/import/dotclear.php b/wp-admin/import/dotclear.php index 9a32e3a89..661e1a07b 100644 --- a/wp-admin/import/dotclear.php +++ b/wp-admin/import/dotclear.php @@ -147,8 +147,9 @@ class Dotclear_Import { echo '

'.__('Howdy! This importer allows you to extract posts from a DotClear database into your blog. Mileage may vary.').'

'; echo '

'.__('Your DotClear Configuration settings are as follows:').'

'; echo ''; + wp_nonce_field('import-dotclear'); $this->db_form(); - echo '

'; + echo '

'; echo '
'; } @@ -558,7 +559,8 @@ class Dotclear_Import { echo '
'; - printf('', __('Import Users')); + wp_nonce_field('import-dotclear'); + printf('', attribute_escape(__('Import Users'))); echo '
'; } @@ -570,7 +572,8 @@ class Dotclear_Import { $this->users2wp($users); echo '
'; - printf('', __('Import Posts')); + wp_nonce_field('import-dotclear'); + printf('', attribute_escape(__('Import Posts'))); echo '
'; } @@ -581,7 +584,8 @@ class Dotclear_Import { $this->posts2wp($posts); echo '
'; - printf('', __('Import Comments')); + wp_nonce_field('import-dotclear'); + printf('', attribute_escape(__('Import Comments'))); echo '
'; } @@ -592,7 +596,8 @@ class Dotclear_Import { $this->comments2wp($comments); echo '
'; - printf('', __('Import Links')); + wp_nonce_field('import-dotclear'); + printf('', attribute_escape(__('Import Links'))); echo '
'; } @@ -604,7 +609,8 @@ class Dotclear_Import { add_option('dc_links', $links); echo '
'; - printf('', __('Finish')); + wp_nonce_field('import-dotclear'); + printf('', attribute_escape(__('Finish'))); echo '
'; } @@ -667,42 +673,44 @@ class Dotclear_Import { if ( $step > 0 ) { + check_admin_referer('import-dotclear'); + if($_POST['dbuser']) { if(get_option('dcuser')) delete_option('dcuser'); - add_option('dcuser',$_POST['dbuser']); + add_option('dcuser', sanitize_user($_POST['dbuser'], true)); } if($_POST['dbpass']) { if(get_option('dcpass')) delete_option('dcpass'); - add_option('dcpass',$_POST['dbpass']); + add_option('dcpass', sanitize_user($_POST['dbpass'], true)); } if($_POST['dbname']) { if(get_option('dcname')) delete_option('dcname'); - add_option('dcname',$_POST['dbname']); + add_option('dcname', sanitize_user($_POST['dbname'], true)); } if($_POST['dbhost']) { if(get_option('dchost')) delete_option('dchost'); - add_option('dchost',$_POST['dbhost']); + add_option('dchost', sanitize_user($_POST['dbhost'], true)); } if($_POST['dccharset']) { if(get_option('dccharset')) delete_option('dccharset'); - add_option('dccharset',$_POST['dccharset']); + add_option('dccharset', sanitize_user($_POST['dccharset'], true)); } if($_POST['dbprefix']) { if(get_option('dcdbprefix')) delete_option('dcdbprefix'); - add_option('dcdbprefix',$_POST['dbprefix']); + add_option('dcdbprefix', sanitize_user($_POST['dbprefix'], true)); } diff --git a/wp-admin/import/greymatter.php b/wp-admin/import/greymatter.php index 9203ff72c..4305cd18c 100644 --- a/wp-admin/import/greymatter.php +++ b/wp-admin/import/greymatter.php @@ -34,6 +34,7 @@ class GM_Import {
+

@@ -87,10 +88,12 @@ class GM_Import { } if (!chdir($archivespath)) - wp_die(sprintf(__("Wrong path, %s\ndoesn't exist\non the server"), $archivespath)); + wp_die(__("Wrong path, the path to the GM entries does not exist on the server")); if (!chdir($gmpath)) - wp_die(sprintf(__("Wrong path, %s\ndoesn't exist\non the server"), $gmpath)); + wp_die(__("Wrong path, the path to the GM files does not exist on the server")); + + $lastentry = (int) $lastentry; $this->header(); ?> @@ -297,6 +300,7 @@ class GM_Import { $this->greet(); break; case 1: + check_admin_referer('import-greymatter'); $this->import(); break; } diff --git a/wp-admin/import/livejournal.php b/wp-admin/import/livejournal.php index 8c1bed098..c3b821a00 100644 --- a/wp-admin/import/livejournal.php +++ b/wp-admin/import/livejournal.php @@ -153,6 +153,7 @@ class LJ_Import { $this->greet(); break; case 1 : + check_admin_referer('import-upload'); $this->import(); break; } diff --git a/wp-admin/import/mt.php b/wp-admin/import/mt.php index 53af688c6..3aa1a50b6 100644 --- a/wp-admin/import/mt.php +++ b/wp-admin/import/mt.php @@ -147,6 +147,7 @@ class MT_Import { $authors = $this->get_mt_authors(); echo '
    '; echo ''; + wp_nonce_field('import-mt'); $j = -1; foreach ($authors as $author) { ++ $j; @@ -417,9 +418,11 @@ class MT_Import { $this->greet(); break; case 1 : + check_admin_referer('import-upload'); $this->select_authors(); break; case 2: + check_admin_referer('import-mt'); $this->import(); break; } diff --git a/wp-admin/import/rss.php b/wp-admin/import/rss.php index 944b297f1..f46caa16a 100644 --- a/wp-admin/import/rss.php +++ b/wp-admin/import/rss.php @@ -156,6 +156,7 @@ class RSS_Import { $this->greet(); break; case 1 : + check_admin_referer('import-upload'); $this->import(); break; } diff --git a/wp-admin/import/textpattern.php b/wp-admin/import/textpattern.php index db60e15da..2d2b145e9 100644 --- a/wp-admin/import/textpattern.php +++ b/wp-admin/import/textpattern.php @@ -56,8 +56,9 @@ class Textpattern_Import { echo '

    '.__('This has not been tested on previous versions of Textpattern. Mileage may vary.').'

    '; echo '

    '.__('Your Textpattern Configuration settings are as follows:').'

    '; echo ''; + wp_nonce_field('import-textpattern'); $this->db_form(); - echo '

    '; + echo '

    '; echo ''; echo ''; } @@ -483,7 +484,8 @@ class Textpattern_Import { echo '
    '; - printf('', __('Import Users')); + wp_nonce_field('import-textpattern'); + printf('', attribute_escape(__('Import Users'))); echo ''; } @@ -495,7 +497,8 @@ class Textpattern_Import { $this->users2wp($users); echo '
    '; - printf('', __('Import Posts')); + wp_nonce_field('import-textpattern'); + printf('', attribute_escape(__('Import Posts'))); echo ''; } @@ -506,7 +509,8 @@ class Textpattern_Import { $this->posts2wp($posts); echo '
    '; - printf('', __('Import Comments')); + wp_nonce_field('import-textpattern'); + printf('', attribute_escape(__('Import Comments'))); echo ''; } @@ -517,7 +521,8 @@ class Textpattern_Import { $this->comments2wp($comments); echo '
    '; - printf('', __('Import Links')); + wp_nonce_field('import-textpattern'); + printf('', attribute_escape(__('Import Links'))); echo ''; } @@ -529,7 +534,8 @@ class Textpattern_Import { add_option('txp_links', $links); echo '
    '; - printf('', __('Finish')); + wp_nonce_field('import-textpattern'); + printf('', attribute_escape(__('Finish'))); echo ''; } @@ -590,36 +596,38 @@ class Textpattern_Import { if ( $step > 0 ) { + check_admin_referer('import-textpattern'); + if($_POST['dbuser']) { if(get_option('txpuser')) delete_option('txpuser'); - add_option('txpuser',$_POST['dbuser']); + add_option('txpuser', sanitize_user($_POST['dbuser'], true)); } if($_POST['dbpass']) { if(get_option('txppass')) delete_option('txppass'); - add_option('txppass',$_POST['dbpass']); + add_option('txppass', sanitize_user($_POST['dbpass'], true)); } if($_POST['dbname']) { if(get_option('txpname')) delete_option('txpname'); - add_option('txpname',$_POST['dbname']); + add_option('txpname', sanitize_user($_POST['dbname'], true)); } if($_POST['dbhost']) { if(get_option('txphost')) delete_option('txphost'); - add_option('txphost',$_POST['dbhost']); + add_option('txphost', sanitize_user($_POST['dbhost'], true)); } if($_POST['dbprefix']) { if(get_option('tpre')) delete_option('tpre'); - add_option('tpre',$_POST['dbprefix']); + add_option('tpre', sanitize_user($_POST['dbprefix'])); } diff --git a/wp-admin/import/wordpress.php b/wp-admin/import/wordpress.php index ab4180a2a..3cb6eedbd 100644 --- a/wp-admin/import/wordpress.php +++ b/wp-admin/import/wordpress.php @@ -159,6 +159,7 @@ class WP_Import { $authors = $this->get_wp_authors(); echo '
      '; echo '
      '; + wp_nonce_field('import-wordpress'); $j = -1; foreach ($authors as $author) { ++ $j; @@ -363,9 +364,11 @@ class WP_Import { $this->greet(); break; case 1 : + check_admin_referer('import-upload'); $this->select_authors(); break; case 2: + check_admin_referer('import-wordpress'); $this->import(); break; }