Enable Media Replace - Version 2.4

Version Description

  • Bug fixes, security fixes. Thanks to my old pal Ulf "Årsta" Härnhammar for pointing them out!
  • New method for uploading avoids going around WP, for greater security.

Release Info

Developer MungoBBQ
Version 2.4

Code changes from version 2.3 to 2.4

Files changed (4)
  1. enable-media-replace.php +11 -5
  2. popup.php +8 -3
  3. readme.txt +5 -1
  4. upload.php +35 -28
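--- a/enable-media-replace.php
+++ b/enable-media-replace.php
@@ -3,7 +3,7 @@
 Plugin Name: Enable Media Replace
 Plugin URI: http://www.mansjonasson.se/enable-media-replace
 Description: Enable replacing media files by uploading a new file in the "Edit Media" section of the WordPress Media Library.
-Version: 2.3
+Version: 2.4
 Author: M�ns Jonasson
 Author URI: http://www.mansjonasson.se
 
@@ -24,7 +24,6 @@ Developed for .SE (Stiftelsen f
 * @subpackage enable-media-replace
 *
 */
-//ini_set("display_errors", "on");
 
 add_action( 'admin_init', 'enable_media_replace_init' );
 add_action('admin_menu', 'emr_menu');
@@ -55,9 +54,9 @@ function enable_media_replace_init() {
 */
 function enable_media_replace( $form_fields ) {
 
-if ($_GET["attachment_id"]) {
+if (isset($_GET["attachment_id"]) && $_GET["attachment_id"]) {
 
-$url = get_bloginfo("wpurl") . "/wp-admin/upload.php?page=enable-media-replace/enable-media-replace.php&action=media_replace&attachment_id={$_GET["attachment_id"]}";
+$url = admin_url( "upload.php?page=enable-media-replace/enable-media-replace.php&action=media_replace&attachment_id=" . (int) $_GET["attachment_id"]);
 $action = "media_replace";
 $editurl = wp_nonce_url( $url, $action );
 
@@ -79,10 +78,17 @@ function emr_options() {
 
 if ( isset( $_GET['action'] ) && $_GET['action'] == 'media_replace' ) {
 check_admin_referer( 'media_replace' ); // die if invalid or missing nonce
-if ( array_key_exists("attachment_id", $_GET) && $_GET["attachment_id"] > 0) {
+if ( array_key_exists("attachment_id", $_GET) && (int) $_GET["attachment_id"] > 0) {
 include("popup.php");
 }
 }
+
+if ( isset( $_GET['action'] ) && $_GET['action'] == 'media_replace_upload' ) {
+$plugin_url = str_replace("enable-media-replace.php", "", __FILE__);
+check_admin_referer( 'media_replace_upload' ); // die if invalid or missing nonce
+require_once($plugin_url . "upload.php");
+}
+
 }
 
 /**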
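Review bot: The new `media_replace_upload` branch in `emr_options()` (last hunk) verifies a nonce for the generic action `media_replace_upload`, but `upload.php` then acts on `$_POST["ID"]`, which is never compared with the `attachment_id` carried by the nonce-protected URL, so the two values can disagree. Tie them together by binding the nonce to the attachment — `wp_nonce_url($url, 'media_replace_upload_' . (int) $_GET["attachment_id"])` where popup.php builds the form URL, and `check_admin_referer('media_replace_upload_' . (int) $_POST["ID"])` here — or at least reject the request when `(int) $_GET['attachment_id'] !== (int) $_POST['ID']`. The `$_GET['action'] == 'media_replace_upload'` comparison would read better as `===`, matching the strictness the casts elsewhere in this commit are aiming for. `$plugin_url = str_replace("enable-media-replace.php", "", __FILE__)` can be `plugin_dir_path(__FILE__)`, which also names the value honestly since it is a filesystem path rather than a URL. `emr_options()` starts before this hunk.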
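--- a/popup.php
+++ b/popup.php
@@ -17,7 +17,7 @@ global $wpdb;
 
 $table_name = $wpdb->prefix . "posts";
 
-$sql = "SELECT guid, post_mime_type FROM $table_name WHERE ID = {$_GET["attachment_id"]}";
+$sql = "SELECT guid, post_mime_type FROM $table_name WHERE ID = " . (int) $_GET["attachment_id"];
 
 list($current_filename, $current_filetype) = mysql_fetch_array(mysql_query($sql));
 
@@ -30,14 +30,19 @@ $current_filename = substr($current_filename, (strrpos($current_filename, "/") +
 <h2><?php echo __("Replace Media Upload", "enable-media-replace"); ?></h2>
 
 <?php
-$formurl = get_bloginfo("wpurl") . "/wp-content/plugins/enable-media-replace/upload.php";
+$url = admin_url( "upload.php?page=enable-media-replace/enable-media-replace.php&action=media_replace_upload&attachment_id=" . (int) $_GET["attachment_id"]);
+$action = "media_replace_upload";
+$formurl = wp_nonce_url( $url, $action );
 if (FORCE_SSL_ADMIN) {
 $formurl = str_replace("http:", "https:", $formurl);
 }
 ?>
 
 <form enctype="multipart/form-data" method="post" action="<?php echo $formurl; ?>">
-<input type="hidden" name="ID" value="<?php echo $_GET["attachment_id"]; ?>" />
+<?php
+#wp_nonce_field('enable-media-replace');
+?>
+<input type="hidden" name="ID" value="<?php echo (int) $_GET["attachment_id"]; ?>" />
 <div id="message" class="updated fade"><p><?php echo __("NOTE: You are about to replace the media file", "enable-media-replace"); ?> "<?php echo $current_filename?>". <?php echo __("There is no undo. Think about it!", "enable-media-replace"); ?></p></div>
 
 <p><?php echo __("Choose a file to upload from your computer", "enable-media-replace"); ?></p>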
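Review bot: The nonce URL built on new lines 33-35 is echoed raw into the form's `action` attribute (`action="<?php echo $formurl; ?>"`), and `wp_nonce_url()` joins its query parameters with a bare `&`, so the attribute should be written as `action="<?php echo esc_url($formurl); ?>"`; likewise `$current_filename`, which comes from the database guid, is echoed into the notice without `esc_html()`. The `#wp_nonce_field('enable-media-replace');` line added inside the new `<?php ?>` block is commented-out code and should be dropped rather than shipped. Since `admin_url()` already applies the admin scheme, the `FORCE_SSL_ADMIN` `str_replace` that follows is probably redundant now, though that is worth confirming against the oldest WordPress version the plugin supports. The cast on new line 20 fixes the interpolation but still hand-builds SQL for `mysql_query`; `get_post((int) $_GET["attachment_id"])` exposes `guid` and `post_mime_type` without any SQL.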
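--- a/readme.txt
+++ b/readme.txt
@@ -2,7 +2,7 @@
 Contributors: mungobbq
 Tags: admin, attachment, media, files
 Requires at least: 2.8
-Tested up to: 3.0.1
+Tested up to: 3.0.5
 Stable tag: trunk
 
 Enables replacing attachment files by simply uploading a new file in the media library edit view.
@@ -37,6 +37,10 @@ If you want more control over the format used to display the time, you can use t
 
 == Changelog ==
 
+= 2.4 =
+* Bug fixes, security fixes. Thanks to my old pal Ulf "�rsta" H�rnhammar for pointing them out!
+* New method for uploading avoids going around WP, for greater security.
+
 = 2.3 =
 * Lots of code trimmed and enhanced, thanks to Ben ter Stal! Now working properly with Windows systems, better security, optimized loading, and much more.
 * Added Dutch translation by Ben ter Stal.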
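--- a/upload.php
+++ b/upload.php
@@ -1,40 +1,21 @@
 <?php
-/**
-* Handling upload new media file
-* We have two types: replace / replace_and_search
-*
-* @author M�ns Jonasson <http://www.mansjonasson.se>
-* @copyright M�ns Jonasson 13 sep 2010
-* @version $Revision: 1984 $ | $Date: 2009-09-09 13:01:30 +0200 (wo, 09 sep 2009) $
-* @package wordpress
-* @subpackage enable-media-replace
-*
-*/
-
-
-$wppath = str_replace("wp-content/plugins/enable-media-replace/upload.php", "", str_replace('\\','/',__FILE__));
-
-require_once($wppath . "wp-load.php");
-require_once($wppath . "wp-admin/admin.php");
-
 if (!current_user_can('upload_files'))
 wp_die(__('You do not have permission to upload files.'));
 
-global $wpdb;
-
 // Define DB table names
+global $wpdb;
 $table_name = $wpdb->prefix . "posts";
 $postmeta_table_name = $wpdb->prefix . "postmeta";
 
 // Get old guid and filetype from DB
-$sql = "SELECT guid, post_mime_type FROM $table_name WHERE ID = {$_POST["ID"]}";
+$sql = "SELECT guid, post_mime_type FROM $table_name WHERE ID = '" . (int) $_POST["ID"] . "'";
 list($current_filename, $current_filetype) = mysql_fetch_array(mysql_query($sql));
 
 // Massage a bunch of vars
 $current_guid = $current_filename;
 $current_filename = substr($current_filename, (strrpos($current_filename, "/") + 1));
 
-$current_file = get_attached_file($_POST["ID"], true);
+$current_file = get_attached_file((int) $_POST["ID"], true);
 $current_path = substr($current_file, 0, (strrpos($current_file, "/")));
 $current_file = str_replace("//", "/", $current_file);
 $current_filename = basename($current_file);
@@ -47,6 +28,14 @@ if (is_uploaded_file($_FILES["userfile"]["tmp_name"])) {
 $new_filename = $_FILES["userfile"]["name"];
 $new_filetype = $_FILES["userfile"]["type"];
 $new_filesize = $_FILES["userfile"]["size"];
+
+// Check that mime type is allowed
+$allowed_mime_types = get_allowed_mime_types();
+if (!in_array($new_filetype, $allowed_mime_types)) {
+echo __("File type does not meet security guidelines. Try another.");
+exit;
+}
+
 
 if ($replace_type == "replace") {
 // Drop-in replace and we don't even care if you uploaded something that is the wrong file-type.
@@ -54,6 +43,15 @@ if (is_uploaded_file($_FILES["userfile"]["tmp_name"])) {
 
 // Delete old file
 unlink($current_file);
+
+// Delete old resized versions if this was an image
+$suffix = substr($current_file, (strlen($current_file)-4));
+$prefix = substr($current_file, 0, (strlen($current_file)-4));
+$imgAr = array(".png", ".gif", ".jpg");
+if (in_array($suffix, $imgAr)) {
+$mask = $prefix . "-*x*" . $suffix;
+array_map( "unlink", glob( $mask ) );
+}
 
 // Move new file to old location/name
 move_uploaded_file($_FILES["userfile"]["tmp_name"], $current_file);
@@ -62,7 +60,7 @@ if (is_uploaded_file($_FILES["userfile"]["tmp_name"])) {
 chmod($current_file, 0644);
 
 // Make thumb and/or update metadata
-wp_update_attachment_metadata( $_POST["ID"], wp_generate_attachment_metadata( $_POST["ID"], $current_file ) );
+wp_update_attachment_metadata( (int) $_POST["ID"], wp_generate_attachment_metadata( (int) $_POST["ID"], $current_file ) );
 
 }
 
@@ -71,6 +69,15 @@ if (is_uploaded_file($_FILES["userfile"]["tmp_name"])) {
 
 // Delete old file
 unlink($current_file);
+
+// Delete old resized versions if this was an image
+$suffix = substr($current_file, (strlen($current_file)-4));
+$prefix = substr($current_file, 0, (strlen($current_file)-4));
+$imgAr = array(".png", ".gif", ".jpg");
+if (in_array($suffix, $imgAr)) {
+$mask = $prefix . "-*x*" . $suffix;
+array_map( "unlink", glob( $mask ) );
+}
 
 // Massage new filename to adhere to WordPress standards
 $new_filename= wp_unique_filename( $current_path, $new_filename );
@@ -86,20 +93,20 @@ if (is_uploaded_file($_FILES["userfile"]["tmp_name"])) {
 $new_guid = str_replace($current_filename, $new_filename, $current_guid);
 
 // Update database file name
-mysql_query("UPDATE $table_name SET post_title = '$new_filetitle', post_name = '$new_filetitle', guid = '$new_guid', post_mime_type = '$new_filetype' WHERE ID = {$_POST["ID"]}");
-
+mysql_query("UPDATE $table_name SET post_title = '$new_filetitle', post_name = '$new_filetitle', guid = '$new_guid', post_mime_type = '$new_filetype' WHERE ID = '" . (int) $_POST["ID"] . "'");
+
 // Update the postmeta file name
 
 // Get old postmeta _wp_attached_file
-$sql = "SELECT meta_value FROM $postmeta_table_name WHERE meta_key = '_wp_attached_file' AND post_id = '{$_POST["ID"]}'";
+$sql = "SELECT meta_value FROM $postmeta_table_name WHERE meta_key = '_wp_attached_file' AND post_id = '" . (int) $_POST["ID"] . "'";
 $old_meta_name = mysql_result(mysql_query($sql),0);
 
 // Make new postmeta _wp_attached_file
 $new_meta_name = str_replace($current_filename, $new_filename, $old_meta_name);
-mysql_query("UPDATE $postmeta_table_name SET meta_value = '$new_meta_name' WHERE meta_key = '_wp_attached_file' AND post_id = '{$_POST["ID"]}'");
+mysql_query("UPDATE $postmeta_table_name SET meta_value = '$new_meta_name' WHERE meta_key = '_wp_attached_file' AND post_id = '" . (int) $_POST["ID"] . "'");
 
 // Make thumb and/or update metadata
-wp_update_attachment_metadata( $_POST["ID"], wp_generate_attachment_metadata( $_POST["ID"], $new_file) );
+wp_update_attachment_metadata( (int) $_POST["ID"], wp_generate_attachment_metadata( (int) $_POST["ID"], $new_file) );
 
 // Search-and-replace filename in post database
 $sql = "SELECT ID, post_content FROM $table_name WHERE post_content LIKE '%$current_guid%'";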
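Review bot: The new MIME check (new lines 33-37, hunk `@@ -47,6 +28,14 @@`) tests `$_FILES["userfile"]["type"]`, which is the Content-Type declared by the uploading client rather than anything derived from the file, so passing it does not establish that an allowed type was uploaded; derive the type server-side instead, e.g. `$check = wp_check_filetype($new_filename); if (empty($check['type']) || !in_array($check['type'], $allowed_mime_types, true)) { ... }`, and use `$check['type']` as `$new_filetype` from then on. The `UPDATE` statements in the last hunk still concatenate `$new_filetitle`, `$new_guid` and `$new_filetype` into the SQL string — only the ID is cast — so they belong in `$wpdb->update()` / `$wpdb->prepare()` rather than `mysql_query()`. The two identical "Delete old resized versions" blocks (hunks `@@ -54,6 +43,15 @@` and `@@ -71,6 +69,15 @@`) call `array_map("unlink", glob($mask))`, and `glob()` returns `false` on failure, which makes `array_map` emit a warning; `foreach ((array) glob($mask) as $old) { unlink($old); }` handles that and could live in one helper shared by both branches. The only authorisation check is `current_user_can('upload_files')`, which does not tie the caller to the attachment being replaced; `current_user_can('edit_post', (int) $_POST['ID'])` is the WordPress-native check for that. The `if (is_uploaded_file(...))` block these hunks sit in begins and ends outside the section.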