Version Description
Fixed problem of Directory-Traversal. Thankswpl0v3r.
Download this release
Release Info
| Developer | Katsushi Kawamori |
| Plugin |  Media from FTP |
| Version | 9.85 |
| Comparing to | |
| See all releases | |
Code changes from version 9.84 to 9.85
- mediafromftp.php +1 -1
- readme.txt +7 -1
- req/MediaFromFtpAdmin.php +11 -4
mediafromftp.php
CHANGED
|
@@ -2,7 +2,7 @@
|
|
| 2 |
/*
|
| 3 |
Plugin Name: Media from FTP
|
| 4 |
Plugin URI: https://wordpress.org/plugins/media-from-ftp/
|
| 5 |
-
Version: 9.
|
| 6 |
Description: Register to media library from files that have been uploaded by FTP.
|
| 7 |
Author: Katsushi Kawamori
|
| 8 |
Author URI: https://riverforest-wp.info/
|
| 2 |
/*
|
| 3 |
Plugin Name: Media from FTP
|
| 4 |
Plugin URI: https://wordpress.org/plugins/media-from-ftp/
|
| 5 |
+
Version: 9.85
|
| 6 |
Description: Register to media library from files that have been uploaded by FTP.
|
| 7 |
Author: Katsushi Kawamori
|
| 8 |
Author URI: https://riverforest-wp.info/
|
readme.txt
CHANGED
|
@@ -5,7 +5,7 @@ Tags: files, ftp, import, media, sync, uploads
|
|
| 5 |
Requires at least: 3.6.0
|
| 6 |
Requires PHP: 5.3.0
|
| 7 |
Tested up to: 4.9
|
| 8 |
-
Stable tag: 9.
|
| 9 |
License: GPLv2 or later
|
| 10 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
| 11 |
|
|
@@ -116,6 +116,9 @@ Register to media library from files that have been uploaded by FTP.
|
|
| 116 |
|
| 117 |
== Changelog ==
|
| 118 |
|
|
|
|
|
|
|
|
|
|
| 119 |
= 9.84 =
|
| 120 |
Notices for when "Organize my uploads into month- and year-based folders" is checked.
|
| 121 |
|
|
@@ -133,6 +136,9 @@ Fixed [PHP Object Injection Vulnerability](https://www.pluginvulnerabilities.com
|
|
| 133 |
|
| 134 |
== Upgrade Notice ==
|
| 135 |
|
|
|
|
|
|
|
|
|
|
| 136 |
= 9.80 =
|
| 137 |
Fixed [PHP Object Injection Vulnerability](https://www.pluginvulnerabilities.com/2017/09/13/authenticated-php-object-injection-vulnerability-in-media-from-ftp/). Please do not use the previous version.
|
| 138 |
|
| 5 |
Requires at least: 3.6.0
|
| 6 |
Requires PHP: 5.3.0
|
| 7 |
Tested up to: 4.9
|
| 8 |
+
Stable tag: 9.85
|
| 9 |
License: GPLv2 or later
|
| 10 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
| 11 |
|
| 116 |
|
| 117 |
== Changelog ==
|
| 118 |
|
| 119 |
+
= 9.85 =
|
| 120 |
+
Fixed problem of Directory-Traversal. Thanks[wpl0v3r](https://wordpress.org/support/users/wpl0v3r/).
|
| 121 |
+
|
| 122 |
= 9.84 =
|
| 123 |
Notices for when "Organize my uploads into month- and year-based folders" is checked.
|
| 124 |
|
| 136 |
|
| 137 |
== Upgrade Notice ==
|
| 138 |
|
| 139 |
+
= 9.85 =
|
| 140 |
+
Fixed problem of Directory-Traversal. Thanks[wpl0v3r](https://wordpress.org/support/users/wpl0v3r/).
|
| 141 |
+
|
| 142 |
= 9.80 =
|
| 143 |
Fixed [PHP Object Injection Vulnerability](https://www.pluginvulnerabilities.com/2017/09/13/authenticated-php-object-injection-vulnerability-in-media-from-ftp/). Please do not use the previous version.
|
| 144 |
|
req/MediaFromFtpAdmin.php
CHANGED
|
@@ -903,8 +903,6 @@ class MediaFromFtpAdmin {
|
|
| 903 |
<div id="mediafromftp-loading"><img src="<?php echo MEDIAFROMFTP_PLUGIN_URL.'/css/loading.gif'; ?>"></div>
|
| 904 |
<div id="mediafromftp-loading-container">
|
| 905 |
<?php
|
| 906 |
-
$formhtml = $mediafromftp->form_html($mediafromftp_settings);
|
| 907 |
-
unset($mediafromftp);
|
| 908 |
$MediaFromFtpListTable = new TT_MediaFromFtp_List_Table();
|
| 909 |
$MediaFromFtpListTable->prepare_items($mediafromftp_settings);
|
| 910 |
if ( $MediaFromFtpListTable->max_items > 0 ) {
|
|
@@ -916,7 +914,7 @@ class MediaFromFtpAdmin {
|
|
| 916 |
$update_lower_button = NULL;
|
| 917 |
}
|
| 918 |
?>
|
| 919 |
-
|
| 920 |
<form method="post" id="mediafromftp_ajax_update">
|
| 921 |
<form id="media-from-ftp-filter" method="get">
|
| 922 |
<input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />
|
|
@@ -928,6 +926,7 @@ class MediaFromFtpAdmin {
|
|
| 928 |
</div>
|
| 929 |
</div>
|
| 930 |
<?php
|
|
|
|
| 931 |
}
|
| 932 |
|
| 933 |
/* ==================================================
|
|
@@ -1639,7 +1638,15 @@ class MediaFromFtpAdmin {
|
|
| 1639 |
}
|
| 1640 |
$basedir = $mediafromftp_settings['basedir'];
|
| 1641 |
if (!empty($_POST['searchdir'])){
|
| 1642 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1643 |
} else {
|
| 1644 |
$searchdir = $mediafromftp_settings['searchdir'];
|
| 1645 |
if ( MEDIAFROMFTP_PLUGIN_UPLOAD_PATH <> $basedir ) {
|
| 903 |
<div id="mediafromftp-loading"><img src="<?php echo MEDIAFROMFTP_PLUGIN_URL.'/css/loading.gif'; ?>"></div>
|
| 904 |
<div id="mediafromftp-loading-container">
|
| 905 |
<?php
|
|
|
|
|
|
|
| 906 |
$MediaFromFtpListTable = new TT_MediaFromFtp_List_Table();
|
| 907 |
$MediaFromFtpListTable->prepare_items($mediafromftp_settings);
|
| 908 |
if ( $MediaFromFtpListTable->max_items > 0 ) {
|
| 914 |
$update_lower_button = NULL;
|
| 915 |
}
|
| 916 |
?>
|
| 917 |
+
<?php $mediafromftp->form_html($mediafromftp_settings); ?>
|
| 918 |
<form method="post" id="mediafromftp_ajax_update">
|
| 919 |
<form id="media-from-ftp-filter" method="get">
|
| 920 |
<input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />
|
| 926 |
</div>
|
| 927 |
</div>
|
| 928 |
<?php
|
| 929 |
+
unset($mediafromftp);
|
| 930 |
}
|
| 931 |
|
| 932 |
/* ==================================================
|
| 1638 |
}
|
| 1639 |
$basedir = $mediafromftp_settings['basedir'];
|
| 1640 |
if (!empty($_POST['searchdir'])){
|
| 1641 |
+
if ( preg_match('/(\.\.\/|\/|\.\.\\\\)/', $_POST['searchdir']) ) {
|
| 1642 |
+
$searchdir = $mediafromftp_settings['searchdir'];
|
| 1643 |
+
if ( MEDIAFROMFTP_PLUGIN_UPLOAD_PATH <> $basedir ) {
|
| 1644 |
+
$searchdir = MEDIAFROMFTP_PLUGIN_UPLOAD_PATH;
|
| 1645 |
+
$basedir = MEDIAFROMFTP_PLUGIN_UPLOAD_PATH;
|
| 1646 |
+
}
|
| 1647 |
+
} else {
|
| 1648 |
+
$searchdir = urldecode($_POST['searchdir']);
|
| 1649 |
+
}
|
| 1650 |
} else {
|
| 1651 |
$searchdir = $mediafromftp_settings['searchdir'];
|
| 1652 |
if ( MEDIAFROMFTP_PLUGIN_UPLOAD_PATH <> $basedir ) {
|
