diff -r 490d5cc509ed -r cf61fcea0001 wp/wp-admin/plugins.php --- a/wp/wp-admin/plugins.php Tue Jun 09 11:14:17 2015 +0000 +++ b/wp/wp-admin/plugins.php Mon Oct 14 17:39:30 2019 +0200 @@ -10,15 +10,15 @@ require_once( dirname( __FILE__ ) . '/admin.php' ); if ( ! current_user_can('activate_plugins') ) - wp_die( __( 'You do not have sufficient permissions to manage plugins for this site.' ) ); + wp_die( __( 'Sorry, you are not allowed to manage plugins for this site.' ) ); $wp_list_table = _get_list_table('WP_Plugins_List_Table'); $pagenum = $wp_list_table->get_pagenum(); $action = $wp_list_table->current_action(); -$plugin = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : ''; -$s = isset($_REQUEST['s']) ? urlencode($_REQUEST['s']) : ''; +$plugin = isset($_REQUEST['plugin']) ? wp_unslash( $_REQUEST['plugin'] ) : ''; +$s = isset($_REQUEST['s']) ? urlencode( wp_unslash( $_REQUEST['s'] ) ) : ''; // Clean up request URI from temporary args for screen options/paging uri's to work as expected. $_SERVER['REQUEST_URI'] = remove_query_arg(array('error', 'deleted', 'activate', 'activate-multi', 'deactivate', 'deactivate-multi', '_error_nonce'), $_SERVER['REQUEST_URI']); @@ -29,8 +29,9 @@ switch ( $action ) { case 'activate': - if ( ! current_user_can('activate_plugins') ) - wp_die(__('You do not have sufficient permissions to activate plugins for this site.')); + if ( ! current_user_can( 'activate_plugin', $plugin ) ) { + wp_die( __( 'Sorry, you are not allowed to activate this plugin.' ) ); + } if ( is_multisite() && ! is_network_admin() && is_network_only_plugin( $plugin ) ) { wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") ); @@ -39,10 +40,10 @@ check_admin_referer('activate-plugin_' . $plugin); - $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . $plugin), is_network_admin() ); + $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . urlencode( $plugin ) ), is_network_admin() ); if ( is_wp_error( $result ) ) { if ( 'unexpected_output' == $result->get_error_code() ) { - $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . $plugin . "&plugin_status=$status&paged=$page&s=$s"); + $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . urlencode( $plugin ) . "&plugin_status=$status&paged=$page&s=$s"); wp_redirect(add_query_arg('_error_nonce', wp_create_nonce('plugin-activation-error_' . $plugin), $redirect)); exit; } else { @@ -54,10 +55,22 @@ $recent = (array) get_option( 'recently_activated' ); unset( $recent[ $plugin ] ); update_option( 'recently_activated', $recent ); + } else { + $recent = (array) get_site_option( 'recently_activated' ); + unset( $recent[ $plugin ] ); + update_site_option( 'recently_activated', $recent ); } if ( isset($_GET['from']) && 'import' == $_GET['from'] ) { wp_redirect( self_admin_url("import.php?import=" . str_replace('-importer', '', dirname($plugin))) ); // overrides the ?error=true one above and redirects to the Imports page, stripping the -importer suffix + } else if ( isset($_GET['from']) && 'press-this' == $_GET['from'] ) { + wp_redirect( self_admin_url( "press-this.php") ); + } else if ( isset( $_GET['from'] ) && 'try-gutenberg' == $_GET['from'] ) { + if ( 'gutenberg/gutenberg.php' === $plugin ) { + wp_redirect( self_admin_url( "admin.php?page=gutenberg" ) ); + } else { + wp_redirect( self_admin_url() ); + } } else { wp_redirect( self_admin_url("plugins.php?activate=true&plugin_status=$status&paged=$page&s=$s") ); // overrides the ?error=true one above } @@ -65,11 +78,11 @@ case 'activate-selected': if ( ! current_user_can('activate_plugins') ) - wp_die(__('You do not have sufficient permissions to activate plugins for this site.')); + wp_die(__('Sorry, you are not allowed to activate plugins for this site.')); check_admin_referer('bulk-plugins'); - $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array(); + $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array(); if ( is_network_admin() ) { foreach ( $plugins as $i => $plugin ) { @@ -84,6 +97,10 @@ if ( is_plugin_active( $plugin ) || ( is_multisite() && is_network_only_plugin( $plugin ) ) ) { unset( $plugins[ $i ] ); } + // Only activate plugins which the user can activate. + if ( ! current_user_can( 'activate_plugin', $plugin ) ) { + unset( $plugins[ $i ] ); + } } } @@ -96,9 +113,18 @@ if ( ! is_network_admin() ) { $recent = (array) get_option('recently_activated' ); - foreach ( $plugins as $plugin ) - unset( $recent[ $plugin ] ); + } else { + $recent = (array) get_site_option('recently_activated' ); + } + + foreach ( $plugins as $plugin ) { + unset( $recent[ $plugin ] ); + } + + if ( ! is_network_admin() ) { update_option( 'recently_activated', $recent ); + } else { + update_site_option( 'recently_activated', $recent ); } wp_redirect( self_admin_url("plugins.php?activate-multi=true&plugin_status=$status&paged=$page&s=$s") ); @@ -109,9 +135,9 @@ check_admin_referer( 'bulk-plugins' ); if ( isset( $_GET['plugins'] ) ) - $plugins = explode( ',', $_GET['plugins'] ); + $plugins = explode( ',', wp_unslash( $_GET['plugins'] ) ); elseif ( isset( $_POST['checked'] ) ) - $plugins = (array) $_POST['checked']; + $plugins = (array) wp_unslash( $_POST['checked'] ); else $plugins = array(); @@ -122,7 +148,7 @@ require_once(ABSPATH . 'wp-admin/admin-header.php'); echo '
'; - echo '

' . esc_html( $title ) . '

'; + echo '

' . esc_html( $title ) . '

'; $url = self_admin_url('update.php?action=update-selected&plugins=' . urlencode( join(',', $plugins) )); $url = wp_nonce_url($url, 'bulk-update-plugins'); @@ -133,8 +159,9 @@ exit; case 'error_scrape': - if ( ! current_user_can('activate_plugins') ) - wp_die(__('You do not have sufficient permissions to activate plugins for this site.')); + if ( ! current_user_can( 'activate_plugin', $plugin ) ) { + wp_die( __( 'Sorry, you are not allowed to activate this plugin.' ) ); + } check_admin_referer('plugin-activation-error_' . $plugin); @@ -148,18 +175,15 @@ @ini_set('display_errors', true); //Ensure that Fatal errors are displayed. // Go back to "sandbox" scope so we get the same errors as before - function plugin_sandbox_scrape( $plugin ) { - wp_register_plugin_realpath( WP_PLUGIN_DIR . '/' . $plugin ); - include( WP_PLUGIN_DIR . '/' . $plugin ); - } plugin_sandbox_scrape( $plugin ); /** This action is documented in wp-admin/includes/plugin.php */ do_action( "activate_{$plugin}" ); exit; case 'deactivate': - if ( ! current_user_can('activate_plugins') ) - wp_die(__('You do not have sufficient permissions to deactivate plugins for this site.')); + if ( ! current_user_can( 'deactivate_plugin', $plugin ) ) { + wp_die( __( 'Sorry, you are not allowed to deactivate this plugin.' ) ); + } check_admin_referer('deactivate-plugin_' . $plugin); @@ -169,8 +193,13 @@ } deactivate_plugins( $plugin, false, is_network_admin() ); - if ( ! is_network_admin() ) + + if ( ! is_network_admin() ) { update_option( 'recently_activated', array( $plugin => time() ) + (array) get_option( 'recently_activated' ) ); + } else { + update_site_option( 'recently_activated', array( $plugin => time() ) + (array) get_site_option( 'recently_activated' ) ); + } + if ( headers_sent() ) echo ""; else @@ -178,18 +207,27 @@ exit; case 'deactivate-selected': - if ( ! current_user_can('activate_plugins') ) - wp_die(__('You do not have sufficient permissions to deactivate plugins for this site.')); + if ( ! current_user_can( 'deactivate_plugins' ) ) { + wp_die(__('Sorry, you are not allowed to deactivate plugins for this site.')); + } check_admin_referer('bulk-plugins'); - $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array(); + $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array(); // Do not deactivate plugins which are already deactivated. if ( is_network_admin() ) { $plugins = array_filter( $plugins, 'is_plugin_active_for_network' ); } else { $plugins = array_filter( $plugins, 'is_plugin_active' ); $plugins = array_diff( $plugins, array_filter( $plugins, 'is_plugin_active_for_network' ) ); + + foreach ( $plugins as $i => $plugin ) { + // Only deactivate plugins which the user can deactivate. + if ( ! current_user_can( 'deactivate_plugin', $plugin ) ) { + unset( $plugins[ $i ] ); + } + } + } if ( empty($plugins) ) { wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") ); @@ -198,11 +236,15 @@ deactivate_plugins( $plugins, false, is_network_admin() ); + $deactivated = array(); + foreach ( $plugins as $plugin ) { + $deactivated[ $plugin ] = time(); + } + if ( ! is_network_admin() ) { - $deactivated = array(); - foreach ( $plugins as $plugin ) - $deactivated[ $plugin ] = time(); update_option( 'recently_activated', $deactivated + (array) get_option( 'recently_activated' ) ); + } else { + update_site_option( 'recently_activated', $deactivated + (array) get_site_option( 'recently_activated' ) ); } wp_redirect( self_admin_url("plugins.php?deactivate-multi=true&plugin_status=$status&paged=$page&s=$s") ); @@ -210,13 +252,13 @@ case 'delete-selected': if ( ! current_user_can('delete_plugins') ) { - wp_die(__('You do not have sufficient permissions to delete plugins for this site.')); + wp_die(__('Sorry, you are not allowed to delete plugins for this site.')); } check_admin_referer('bulk-plugins'); //$_POST = from the plugin form; $_GET = from the FTP details screen. - $plugins = isset( $_REQUEST['checked'] ) ? (array) $_REQUEST['checked'] : array(); + $plugins = isset( $_REQUEST['checked'] ) ? (array) wp_unslash( $_REQUEST['checked'] ) : array(); if ( empty( $plugins ) ) { wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") ); exit; @@ -228,6 +270,14 @@ exit; } + // Bail on all if any paths are invalid. + // validate_file() returns truthy for invalid files + $invalid_plugin_files = array_filter( $plugins, 'validate_file' ); + if ( $invalid_plugin_files ) { + wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") ); + exit; + } + include(ABSPATH . 'wp-admin/update.php'); $parent_file = 'plugins.php'; @@ -238,14 +288,12 @@ ?>
$data ) { + foreach ( $folder_plugins as $plugin_file => $data ) { $plugin_info[ $plugin_file ] = _get_plugin_data_markup_translate( $plugin_file, $data ); $plugin_info[ $plugin_file ]['is_uninstallable'] = is_uninstallable_plugin( $plugin ); if ( ! $plugin_info[ $plugin_file ]['Network'] ) { @@ -270,28 +312,18 @@ } } } - - // Add translation files. - if ( ! empty( $plugin_translations[ $plugin_slug ] ) ) { - $translations = $plugin_translations[ $plugin_slug ]; - - foreach ( $translations as $translation => $data ) { - $files_to_delete[] = $plugin_slug . '-' . $translation . '.po'; - $files_to_delete[] = $plugin_slug . '-' . $translation . '.mo'; - } - } } } $plugins_to_delete = count( $plugin_info ); ?> -

+

-

+

@@ -303,11 +335,11 @@ foreach ( $plugin_info as $plugin ) { if ( $plugin['is_uninstallable'] ) { /* translators: 1: plugin name, 2: plugin author */ - echo '
  • ', sprintf( __( '%1$s by %2$s (will also delete its data)' ), esc_html($plugin['Name']), esc_html($plugin['AuthorName']) ), '
    • '; + echo '
  • ', sprintf( __( '%1$s by %2$s (will also delete its data)' ), '' . $plugin['Name'] . '', '' . $plugin['AuthorName'] . '' ), '
    • '; $data_to_delete = true; } else { /* translators: 1: plugin name, 2: plugin author */ - echo '
  • ', sprintf( __('%1$s by %2$s' ), esc_html($plugin['Name']), esc_html($plugin['AuthorName']) ), '
    • '; + echo '
  • ', sprintf( _x('%1$s by %2$s', 'plugin' ), '' . $plugin['Name'] . '', '' . $plugin['AuthorName'] ) . '', '
    • '; } } ?> @@ -327,41 +359,50 @@ } ?> - +
    - +
    - -

    -
    id, $sendback, $action, $plugins ); + wp_safe_redirect( $sendback ); + exit; + } break; } + } $wp_list_table->prepare_items(); @@ -376,31 +417,54 @@ 'title' => __('Overview'), 'content' => '

    ' . __('Plugins extend and expand the functionality of WordPress. Once a plugin is installed, you may activate it or deactivate it here.') . '

    ' . - '

    ' . sprintf(__('You can find additional plugins for your site by using the Plugin Browser/Installer functionality or by browsing the WordPress Plugin Directory directly and installing new plugins manually. To manually install a plugin you generally just need to upload the plugin file into your /wp-content/plugins directory. Once a plugin has been installed, you can activate it here.'), 'plugin-install.php', 'https://wordpress.org/plugins/') . '

    ' + '

    ' . __( 'The search for installed plugins will search for terms in their name, description, or author.' ) . ' ' . __( 'The search results will be updated as you type.' ) . '

    ' . + '

    ' . sprintf( + /* translators: %s: WordPress Plugin Directory URL */ + __( 'If you would like to see more plugins to choose from, click on the “Add New” button and you will be able to browse or search for additional plugins from the WordPress Plugin Directory. Plugins in the WordPress Plugin Directory are designed and developed by third parties, and are compatible with the license WordPress uses. Oh, and they’re free!' ), + __( 'https://wordpress.org/plugins/' ) + ) . '

    ' ) ); get_current_screen()->add_help_tab( array( 'id' => 'compatibility-problems', 'title' => __('Troubleshooting'), 'content' => '

    ' . __('Most of the time, plugins play nicely with the core of WordPress and with other plugins. Sometimes, though, a plugin’s code will get in the way of another plugin, causing compatibility issues. If your site starts doing strange things, this may be the problem. Try deactivating all your plugins and re-activating them in various combinations until you isolate which one(s) caused the issue.') . '

    ' . - '

    ' . sprintf( __('If something goes wrong with a plugin and you can’t use WordPress, delete or rename that file in the %s directory and it will be automatically deactivated.'), WP_PLUGIN_DIR) . '

    ' + '

    ' . sprintf( + /* translators: WP_PLUGIN_DIR constant value */ + __( 'If something goes wrong with a plugin and you can’t use WordPress, delete or rename that file in the %s directory and it will be automatically deactivated.' ), + '' . WP_PLUGIN_DIR . '' + ) . '

    ' ) ); get_current_screen()->set_help_sidebar( '

    ' . __('For more information:') . '

    ' . - '

    ' . __('Documentation on Managing Plugins') . '

    ' . - '

    ' . __('Support Forums') . '

    ' + '

    ' . __('Documentation on Managing Plugins') . '

    ' . + '

    ' . __('Support Forums') . '

    ' ); +get_current_screen()->set_screen_reader_content( array( + 'heading_views' => __( 'Filter plugins list' ), + 'heading_pagination' => __( 'Plugins list navigation' ), + 'heading_list' => __( 'Plugins list' ), +) ); + $title = __('Plugins'); $parent_file = 'plugins.php'; require_once(ABSPATH . 'wp-admin/admin-header.php'); $invalid = validate_active_plugins(); -if ( !empty($invalid) ) - foreach ( $invalid as $plugin_file => $error ) - echo '

    ' . sprintf(__('The plugin %s has been deactivated due to an error: %s'), esc_html($plugin_file), $error->get_error_message()) . '

    '; +if ( ! empty( $invalid ) ) { + foreach ( $invalid as $plugin_file => $error ) { + echo '

    '; + printf( + /* translators: 1: plugin file 2: error message */ + __( 'The plugin %1$s has been deactivated due to an error: %2$s' ), + '' . esc_html( $plugin_file ) . '', + $error->get_error_message() ); + echo '

    '; + } +} ?>

    - + if ( ! isset( $_GET['main'] ) && ! isset( $_GET['charsout'] ) && wp_verify_nonce( $_GET['_error_nonce'], 'plugin-activation-error_' . $plugin ) ) { + $iframe_url = add_query_arg( array( + 'action' => 'error_scrape', + 'plugin' => urlencode( $plugin ), + '_wpnonce' => urlencode( $_GET['_error_nonce'] ), + ), admin_url( 'plugins.php' ) ); + ?> + @@ -428,7 +498,17 @@ if ( is_wp_error($delete_result) ) : ?>

    get_error_message() ); ?>

    -

    deleted.'); ?>

    +
    +

    + deleted.' ); + } else { + _e( 'The selected plugins have been deleted.' ); + } + ?> +

    +

    activated.') ?>

    @@ -439,17 +519,27 @@

    deactivated.'); ?>

    -

    +

    -

    + + - -' . __('Search results for “%s”') . '', esc_html( $s ) ); ?> - + +' . __( 'Search results for “%s”' ) . '', esc_html( urldecode( $s ) ) ); +} +?> + +
    views(); ?> -
    + search_box( __( 'Search Installed Plugins' ), 'plugin' ); ?>
    @@ -481,9 +571,12 @@ display(); ?> +