Media from FTP - Version 9.87

Version Description

Security measures.


Release Info

Developer Katsushi Kawamori
Version 9.87

Code changes from version 9.86 to 9.87

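--- a/inc/MediaFromFtp.php
+++ b/inc/MediaFromFtp.php
@@ -103,9 +103,9 @@ class MediaFromFtp {
 
  $searchtext = '.*';
  if (!empty($_POST['searchtext'])){
- $searchtext = $this->mb_encode_multibyte($_POST['searchtext'], $mediafromftp_settings['character_code']);
+ $searchtext = $this->mb_encode_multibyte(sanitize_text_field($_POST['searchtext']), $mediafromftp_settings['character_code']);
  }else if (!empty($_GET['searchtext'])){
- $searchtext = $this->mb_encode_multibyte($_GET['searchtext'], $mediafromftp_settings['character_code']);
+ $searchtext = $this->mb_encode_multibyte(sanitize_text_field($_GET['searchtext']), $mediafromftp_settings['character_code']);
  }
 
  $files = scandir($dir);
@@ -483,9 +483,9 @@ class MediaFromFtp {
 
  $searchtext = NULL;
  if ( !empty($_POST['searchtext']) ) {
- $searchtext = $_POST['searchtext'];
+ $searchtext = sanitize_text_field($_POST['searchtext']);
  } else if ( !empty($_GET['searchtext']) ) {
- $searchtext = $_GET['searchtext'];
+ $searchtext = sanitize_text_field($_GET['searchtext']);
  }
 
  $pagemax = $mediafromftp_settings['pagemax'];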
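Review bot: `sanitize_text_field()` at lines 106 and 108 strips tags, control characters and surrounding whitespace but leaves PCRE metacharacters untouched; because `$searchtext` defaults to `'.*'` it appears to be used later as a regular-expression pattern, in which case the request still controls the whole pattern (malformed patterns, or expensive backtracking against the `scandir()` listing). If that is the use, the value should be quoted with `preg_quote($searchtext, '/')` before it reaches the matcher, or validated against an allow-list of characters and a maximum length. The second hunk (lines 486 and 488) stores the same field and would need the same treatment wherever that copy is consumed. Both enclosing functions start and end outside the hunks, so a nonce or capability check may exist there; none is visible here.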
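--- a/mediafromftp.php
+++ b/mediafromftp.php
@@ -2,7 +2,7 @@
  /*
  Plugin Name: Media from FTP
  Plugin URI: https://wordpress.org/plugins/media-from-ftp/
- Version: 9.86
+ Version: 9.87
  Description: Register to media library from files that have been uploaded by FTP.
  Author: Katsushi Kawamori
  Author URI: https://riverforest-wp.info/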
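--- a/readme.txt
+++ b/readme.txt
@@ -5,7 +5,7 @@ Tags: files, ftp, import, media, sync, uploads
  Requires at least: 3.6.0
  Requires PHP: 5.3.0
  Tested up to: 4.9
- Stable tag: 9.86
+ Stable tag: 9.87
  License: GPLv2 or later
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -116,6 +116,9 @@ Register to media library from files that have been uploaded by FTP.
 
  == Changelog ==
 
+ = 9.87 =
+ Security measures.
+
  = 9.86 =
  Fixed problem of Directory-Traversal. Thanks[Plugin Vulnerabilities](https://www.pluginvulnerabilities.com/).
 
@@ -139,6 +142,9 @@ Fixed [PHP Object Injection Vulnerability](https://www.pluginvulnerabilities.com
 
  == Upgrade Notice ==
 
+ = 9.87 =
+ Security measures.
+
  = 9.86 =
  Fixed problem of Directory-Traversal. Thanks[Plugin Vulnerabilities](https://www.pluginvulnerabilities.com/).
 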
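--- a/req/MediaFromFtpAdmin.php
+++ b/req/MediaFromFtpAdmin.php
@@ -1510,12 +1510,12 @@ class MediaFromFtpAdmin {
  switch ($submenu) {
  case 1:
  if ( !empty($_POST['mediafromftp_datefixed']) ) {
- $datefixed = $_POST['mediafromftp_datefixed'];
+ $datefixed = sanitize_text_field($_POST['mediafromftp_datefixed']);
  } else {
  $datefixed = $mediafromftp_settings['datefixed'];
  }
  if ( !empty($_POST['mediafromftp_cron_apply']) ) {
- $mediafromftp_cron_apply = $_POST['mediafromftp_cron_apply'];
+ $mediafromftp_cron_apply = 1;
  } else {
  $mediafromftp_cron_apply = FALSE;
  }
@@ -1525,22 +1525,22 @@ class MediaFromFtpAdmin {
  $mediafromftp_cron_schedule = $mediafromftp_settings['cron']['schedule'];
  }
  if ( !empty($_POST['mediafromftp_cron_limit_number']) ) {
- $mediafromftp_cron_limit_number = $_POST['mediafromftp_cron_limit_number'];
+ $mediafromftp_cron_limit_number = intval($_POST['mediafromftp_cron_limit_number']);
  } else {
  $mediafromftp_cron_limit_number = FALSE;
  }
  if ( !empty($_POST['mediafromftp_cron_mail_apply']) ) {
- $mediafromftp_cron_mail_apply = $_POST['mediafromftp_cron_mail_apply'];
+ $mediafromftp_cron_mail_apply = 1;
  } else {
  $mediafromftp_cron_mail_apply = FALSE;
  }
  if ( !empty($_POST['mediafromftp_caption_apply']) ) {
- $mediafromftp_caption_apply = $_POST['mediafromftp_caption_apply'];
+ $mediafromftp_caption_apply = 1;
  } else {
  $mediafromftp_caption_apply = FALSE;
  }
  if ( !empty($_POST['mediafromftp_exif_text']) ) {
- $exif_text = $_POST['mediafromftp_exif_text'];
+ $exif_text = sanitize_text_field($_POST['mediafromftp_exif_text']);
  } else {
  $exif_text = $mediafromftp_settings['caption']['exif_text'];
  }
@@ -1548,7 +1548,7 @@ class MediaFromFtpAdmin {
  $exif_text = '%title% %credit% %camera% %caption% %created_timestamp% %copyright% %aperture% %shutter_speed% %iso% %focal_length% %white_balance%';
  }
  if ( !empty($_POST['mediafromftp_apply_log']) ) {
- $mediafromftp_apply_log = $_POST['mediafromftp_apply_log'];
+ $mediafromftp_apply_log = 1;
  } else {
  $mediafromftp_apply_log = FALSE;
  }
@@ -1591,7 +1591,7 @@ class MediaFromFtpAdmin {
  'ext2typefilter' => $mediafromftp_settings['ext2typefilter'],
  'extfilter' => $mediafromftp_settings['extfilter'],
  'search_display_metadata' => $mediafromftp_settings['search_display_metadata'],
- 'dateset' => $_POST['mediafromftp_dateset'],
+ 'dateset' => sanitize_text_field($_POST['mediafromftp_dateset']),
  'datefixed' => $datefixed,
  'datetimepicker' => $mediafromftp_settings['datetimepicker'],
  'max_execution_time' => intval($_POST['mediafromftp_max_execution_time']),
@@ -1619,7 +1619,7 @@ class MediaFromFtpAdmin {
  );
  update_option( $this->wp_options_name(), $mediafromftp_tbl );
  if ( !empty($_POST['move_yearmonth_folders']) ) {
- update_option( 'uploads_use_yearmonth_folders', $_POST['move_yearmonth_folders'] );
+ update_option( 'uploads_use_yearmonth_folders', 1 );
  } else {
  update_option( 'uploads_use_yearmonth_folders', '0' );
  }
@@ -1754,9 +1754,9 @@ class MediaFromFtpAdmin {
  if ( !empty($_POST['mediafromftp_add_schedule']) ) {
  if ( !empty($_POST['mediafromftp_cron_schedule_innername']) && !empty($_POST['mediafromftp_cron_schedule_secounds']) && !empty($_POST['mediafromftp_cron_schedule_viewname']) ) {
  $mediafromftp_cron_intervals_tbl = get_option( 'mediafromftp_event_intervals' );
- $innername = $_POST['mediafromftp_cron_schedule_innername'];
+ $innername = sanitize_text_field($_POST['mediafromftp_cron_schedule_innername']);
  $secounds = intval($_POST['mediafromftp_cron_schedule_secounds']);
- $viewname = $_POST['mediafromftp_cron_schedule_viewname'];
+ $viewname = sanitize_text_field($_POST['mediafromftp_cron_schedule_viewname']);
  $mediafromftp_cron_intervals_tbl[$innername] = array(
  'interval' => $secounds,
  'display' => $viewname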
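Review bot: `$innername` at line 1757 becomes the array key of the `mediafromftp_event_intervals` option and, judging by the field name, a cron schedule identifier, yet `sanitize_text_field()` still admits spaces, quotes and arbitrary punctuation; WordPress's `sanitize_key()` (lowercase alphanumerics, dashes and underscores) is the sanitizer meant for identifiers: `$innername = sanitize_key($_POST['mediafromftp_cron_schedule_innername']);`. Line 1594 reads `$_POST['mediafromftp_dateset']` without the `isset`/`!empty` guard every other field in these hunks has, so a request lacking that field raises a notice and stores an empty string; `isset($_POST['mediafromftp_dateset']) ? sanitize_text_field($_POST['mediafromftp_dateset']) : ''` at least makes that explicit. The literal `1` replacements at 1518, 1533, 1538, 1551 and 1622 are the right shape for checkbox flags and need no further treatment. No nonce or capability check is visible in these hunks; the enclosing method starts and ends outside them, so it may live there and should be confirmed.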
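--- a/req/MediaFromFtpAjax.php
+++ b/req/MediaFromFtpAjax.php
@@ -185,26 +185,26 @@ class MediaFromFtpAjax {
  global $wpdb;
  $table_name = $wpdb->prefix.'posts';
  $wpdb->insert( $table_name, $db_array );
- update_attached_file( $db_array['ID'], $filepath ) ;
+ update_attached_file( intval($db_array['ID']), $filepath ) ;
  if ( !empty($_POST["db_wp_attachment_metadata"]) ) {
  $metadata_json = stripslashes($_POST["db_wp_attachment_metadata"]);
  $metadata = json_decode($metadata_json);
  $table_meta_name = $wpdb->prefix.'postmeta';
  $db_meta_array = array(
- "post_id" => $db_array['ID'],
+ "post_id" => intval($db_array['ID']),
  "meta_key" => '_wp_attachment_metadata',
  "meta_value" => $metadata
  );
  $wpdb->insert( $table_meta_name, $db_meta_array );
  }
  if ( !empty($_POST["db_thumbnail_id"]) ) {
- update_post_meta( $db_array['ID'], '_thumbnail_id', $_POST["db_thumbnail_id"] );
+ update_post_meta( $db_array['ID'], '_thumbnail_id', intval($_POST["db_thumbnail_id"]) );
  }
  if ( !empty($_POST["db_cover_hash"]) ) {
- update_post_meta( $db_array['ID'], '_cover_hash', $_POST["db_cover_hash"] );
+ update_post_meta( $db_array['ID'], '_cover_hash', sanitize_text_field($_POST["db_cover_hash"]) );
  }
  if ( !empty($_POST["db_wp_attachment_image_alt"]) ) {
- update_post_meta( $db_array['ID'], '_wp_attachment_image_alt', $_POST["db_wp_attachment_image_alt"] );
+ update_post_meta( $db_array['ID'], '_wp_attachment_image_alt', sanitize_text_field($_POST["db_wp_attachment_image_alt"]) );
  }
  $msg = 'success_db';
  $output_html = $msg.','.'<div>'.__('Media').': <a href="'.get_permalink($db_array['ID']).'" target="_blank" style="text-decoration: none; color: green;">'.$this->esc_title($db_array['post_title']).'</a>: '.'<a href="'.MEDIAFROMFTP_PLUGIN_UPLOAD_URL.'/'.$filepath.'" target="_blank" style="text-decoration: none;">'.$filepath.'</a></div>';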
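Review bot: `$db_array['ID']` is cast with `intval()` at lines 188 and 194 but still passed raw to `update_post_meta()` at 201, 204 and 207 and to `get_permalink()` at 210, so the hardening is applied inconsistently; assigning `$attachment_id = intval($db_array['ID']);` once after the `$wpdb->insert()` and using it in every call would make the intent clear (where `$db_array` is built is outside the hunk). The `_wp_attachment_metadata` path at lines 190–198 is untouched by this commit: a client-supplied JSON document is decoded and handed to `$wpdb->insert()` as `meta_value` instead of going through `update_post_meta()`, which would serialize it, and nothing validates the `file` and `sizes` entries that core later relies on when deleting or regenerating attachment files, so that block deserves the same review as the lines changed here. Line 210 also concatenates `$filepath` into an `href` and into the link text without `esc_url()`/`esc_html()`, which is worth fixing while this handler is being hardened. The enclosing method starts and ends outside the hunk.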