WP Add Mime Types - Version 2.5.1

Version Description

  • Added a countermeasure for the CSRF (Cross-Site Request Forgery) vulnerability in this plugin's settings.

Release Info

Developer kimipooh
Plugin Icon wp plugin WP Add Mime Types
Version 2.5.1

Code changes from version 2.5.0 to 2.5.1

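--- a/includes/admin.php
+++ b/includes/admin.php
@@ -27,14 +27,16 @@ function admin_settings_page(){
  // If the adding data is not set, the value "mime_type_values" sets "empty".
  if(!isset($settings['mime_type_values'])) $settings['mime_type_values'] = '';
  // When the adding data is saved (posted) at the setting menu, the data will update to the WordPress database after the security check
- if(isset($_POST['mime_type_values'])){
- $p_set = esc_attr(strip_tags(html_entity_decode($_POST['mime_type_values']),ENT_QUOTES));
- $mime_type_values = explode("\n", $p_set);
- if(!empty($mime_type_values)){
- foreach($mime_type_values as $m_type=>$m_value)
- // " " is the Japanese multi-byte space. If the character is found out, it automatically change the space.
- $mime_type_values[$m_type] = trim(str_replace(" ", " ", $m_value));
- $settings['mime_type_values'] = serialize($mime_type_values);
+ if(isset($_POST['mime_type_values']) && (isset($_POST["wamt-form"]) && $_POST["wamt-form"])){
+ if(check_admin_referer("wamt-nonce-key", "wamt-form")){
+ $p_set = esc_attr(strip_tags(html_entity_decode($_POST['mime_type_values']),ENT_QUOTES));
+ $mime_type_values = explode("\n", $p_set);
+ if(!empty($mime_type_values)){
+ foreach($mime_type_values as $m_type=>$m_value)
+ // " " is the Japanese multi-byte space. If the character is found out, it automatically change the space.
+ $mime_type_values[$m_type] = trim(str_replace(" ", " ", $m_value));
+ $settings['mime_type_values'] = serialize($mime_type_values);
+ }
  }
  }else
  $mime_type_values = unserialize($settings['mime_type_values']);
@@ -64,6 +66,8 @@ function admin_settings_page(){
  <h2><?php _e('WP Add Mime Types Admin Settings', 'wp-add-mime-types'); ?></h2>
 
  <form method="post" action="">
+ <?php // for CSRF (Cross-Site Request Forgery): https://propansystem.net/blog/2018/02/20/post-6279/
+ wp_nonce_field("wamt-nonce-key", "wamt-form"); ?>
  <fieldset style="border:1px solid #777777; width: 750px; padding-left: 6px; ">
  <legend><h3><?php _e('List of allowed mime types and file extensions by WordPress','wp-add-mime-types'); ?></h3></legend>
  <div style="overflow:scroll; height: 500px;">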
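Review bot: On the `$p_set = …` line inside the new nonce-checked block, `ENT_QUOTES` sits outside the closing parenthesis of `html_entity_decode()`, so it is passed to `strip_tags()` as its allowed-tags argument and the decode runs with PHP's default flags. The line is carried over unchanged from 2.5.0; if quote decoding was intended it should read `$p_set = esc_attr(strip_tags(html_entity_decode($_POST['mime_type_values'], ENT_QUOTES)));`. The same line appears in the first hunk of includes/network-admin.php. Separately, no `current_user_can()` check is visible in this hunk; admin_settings_page() starts and ends outside it, so confirm the save path is capability-gated as well as nonce-protected.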
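--- a/includes/network-admin.php
+++ b/includes/network-admin.php
@@ -28,14 +28,16 @@ function network_admin_settings_page(){
  // If the adding data is not set, the value "mime_type_values" sets "empty".
  if(!isset($settings['mime_type_values'])) $settings['mime_type_values'] = '';
  // When the adding data is saved (posted) at the setting menu, the data will update to the WordPress database after the security check
- if(isset($_POST['mime_type_values'])){
- $p_set = esc_attr(strip_tags(html_entity_decode($_POST['mime_type_values']),ENT_QUOTES));
- $mime_type_values = explode("\n", $p_set);
- if(!empty($mime_type_values)){
- foreach($mime_type_values as $m_type=>$m_value)
- // " " is the Japanese multi-byte space. If the character is found out, it automatically change the space.
- $mime_type_values[$m_type] = trim(str_replace(" ", " ", $m_value));
- $settings['mime_type_values'] = serialize($mime_type_values);
+ if(isset($_POST['mime_type_values']) && (isset($_POST["wamt-network-form"]) && $_POST["wamt-network-form"])){
+ if(heck_admin_referer("wamt-network-nonce-key", "wamt-network-form")){
+ $p_set = esc_attr(strip_tags(html_entity_decode($_POST['mime_type_values']),ENT_QUOTES));
+ $mime_type_values = explode("\n", $p_set);
+ if(!empty($mime_type_values)){
+ foreach($mime_type_values as $m_type=>$m_value)
+ // " " is the Japanese multi-byte space. If the character is found out, it automatically change the space.
+ $mime_type_values[$m_type] = trim(str_replace(" ", " ", $m_value));
+ $settings['mime_type_values'] = serialize($mime_type_values);
+ }
  }
  }else
  $mime_type_values = unserialize($settings['mime_type_values']);
@@ -63,6 +65,8 @@ function network_admin_settings_page(){
  <h2><?php _e('WP Add Mime Types Admin Settings for Network Administrator', 'wp-add-mime-types'); ?></h2>
 
  <form method="post" action="">
+ <?php // for CSRF (Cross-Site Request Forgery): https://propansystem.net/blog/2018/02/20/post-6279/
+ wp_nonce_field("wamt-network-nonce-key", "wamt-network-form"); ?>
  <fieldset style="border:1px solid #777777; width: 750px; padding-left: 6px;">
  <legend><h3><?php _e('List of allowed mime types and file extensions by WordPress','wp-add-mime-types'); ?></h3></legend>
  <div style="overflow:scroll; height: 500px;">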
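Review bot: `heck_admin_referer` on the new nonce-check line is not a WordPress function; as rendered here it is missing the leading `c`, so a network settings submission that carries the `wamt-network-form` field would stop on an undefined-function fatal error instead of verifying the nonce. The line should read `if(check_admin_referer("wamt-network-nonce-key", "wamt-network-form")){`, matching includes/admin.php. The failure is closed, since nothing is saved, but the network settings form cannot be saved at all until this is corrected. If the missing letter is an artefact of this page, confirm against the released file. network_admin_settings_page() starts and ends outside the hunk.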
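--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: mime,file extention
  Requires at least: 4.0
  Requires PHP: 5.6
  Tested up to: 5.3.2
- Stable tag: 2.5.0
+ Stable tag: 2.5.1
  License: GPL v2
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -78,6 +78,10 @@ Yes, each setting values are saved as the other setting items.
 
 
  == Changelog ==
+
+ = 2.5.1 =
+ * Added the response of CSRF (Cross-Site Request Forgery) vulnerability for this plugin's settings.
+
  = 2.5.0 =
  * Added the security option item in the admin menu for enabling the security check for a file content and for sanitizing the multiple file extensions within the filename by WordPress core.
  * Supported the new language setting regarding load_plugin_textdomain function.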
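--- a/wp-add-mime-types.php
+++ b/wp-add-mime-types.php
@@ -3,7 +3,7 @@
  Plugin Name: WP Add Mime Types
  Plugin URI:
  Description: The plugin additionally allows the mime types and file extensions to WordPress.
- Version: 2.5.0
+ Version: 2.5.1
  Author: Kimiya Kitani
  Author URI: http://kitaney-wordpress.blogspot.jp/
  Text Domain: wp-add-mime-types
@@ -19,7 +19,7 @@ add_action('plugins_loaded', 'enable_language_translation');
  $plugin_basename = plugin_basename ( __FILE__ );
 
  $default_var = array(
- 'wp_add_mime_types' => '2.5.0',
+ 'wp_add_mime_types' => '2.5.1',
  );
 
  // Add Setting to WordPress 'Settings' menu for Multisite.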