From d8941bec654b6dbf1438cca44ed344d9c389532d Mon Sep 17 00:00:00 2001 From: Vex Date: Thu, 26 Jan 2017 17:34:05 +0000 Subject: [PATCH 1/3] Fixed stripslashes_deep() fix for windows servers Removed stripslashes_deep() call from $_FILES superglobal to ensure pathnames for temporary files don't get mangled on windows servers. --- classes/Admin.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/classes/Admin.php b/classes/Admin.php index 29f8711..d9a5180 100644 --- a/classes/Admin.php +++ b/classes/Admin.php @@ -884,7 +884,7 @@ public static function ProcessWidgetUpload() { // if category is set in widget options, force to use this. security done with nonce checking ($_POST['cat'] is reliable) if ($_POST['cat'] >= 0) $_POST['file_category'] = $_POST['cat']; - $result = WPFB_Admin::InsertFile(stripslashes_deep(array_merge($_POST, $_FILES, array('frontend_upload' => true, 'form' => empty($form) ? null : $form)))); + $result = WPFB_Admin::InsertFile(array_merge($_FILES, stripslashes_deep(array_merge($_POST, array('frontend_upload' => true, 'form' => empty($form) ? null : $form))))); if (isset($result['error']) && $result['error']) { $content .= '

' . $result['error'] . '

'; $title .= __('Error'); From 7963bc731a638c51cf4284154a5694ae80955e76 Mon Sep 17 00:00:00 2001 From: Vex Date: Thu, 26 Jan 2017 17:36:11 +0000 Subject: [PATCH 2/3] Fixed stripslashes_deep() fix for windows servers Removed stripslashes_deep() call from $_FILES superglobal to ensure pathnames for temporary files don't get mangled on windows servers. --- classes/AdminGuiFiles.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/classes/AdminGuiFiles.php b/classes/AdminGuiFiles.php index af8f99e..9df9033 100644 --- a/classes/AdminGuiFiles.php +++ b/classes/AdminGuiFiles.php @@ -79,7 +79,7 @@ static function Display() $_POST['file_date'] = sprintf( "%04d-%02d-%02d %02d:%02d:%02d", $aa, $mm, $jj, $hh, $mn, $ss ); } - $result = WPFB_Admin::InsertFile(stripslashes_deep(array_merge($_POST, $_FILES)), true); + $result = WPFB_Admin::InsertFile(array_merge(stripslashes_deep($_POST), $_FILES), true); if(isset($result['error']) && $result['error']) { $message = $result['error'] . '
' . __("Go back") . ''; } else { From 105146db851ddfb59b8ee1ae8682605822bc4516 Mon Sep 17 00:00:00 2001 From: Vex Date: Thu, 26 Jan 2017 17:37:27 +0000 Subject: [PATCH 3/3] Fixed stripslashes_deep() fix for windows servers Removed stripslashes_deep() call from $_FILES superglobal to ensure pathnames for temporary files don't get mangled on windows servers. --- screens/editor-plugin.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/screens/editor-plugin.php b/screens/editor-plugin.php index b60696b..381188a 100644 --- a/screens/editor-plugin.php +++ b/screens/editor-plugin.php @@ -268,7 +268,7 @@ function insBrowserTag() if(!wp_verify_nonce($_POST['wpfb-file-nonce'], $nonce_action."-editor") && !wp_verify_nonce($_POST['wpfb-file-nonce'], $nonce_action) ) wp_die(__('Cheatin’ uh?')); - $result = WPFB_Admin::InsertFile(stripslashes_deep(array_merge($_POST, $_FILES))); + $result = WPFB_Admin::InsertFile(array_merge(stripslashes_deep($_POST), $_FILES)); if(isset($result['error']) && $result['error']) { ?>

- \ No newline at end of file +