Fix upload form with nonce

This commit is contained in:
champsupertramp
2016-06-17 11:39:04 +08:00
parent 47f2c29f4e
commit 07b3e71528
5 changed files with 57 additions and 18 deletions
+14 -2
@@ -500,7 +500,13 @@ function initImageUpload_UM( trigger ) {
url: um_scripts.imageupload,
method: "POST",
multiple: false,
formData: {key: trigger.data('key'), set_id: trigger.data('set_id'), set_mode: trigger.data('set_mode') },
formData: {
key: trigger.data('key'),
set_id: trigger.data('set_id'),
set_mode: trigger.data('set_mode'),
_wpnonce: trigger.data('nonce'),
timestamp: trigger.data('timestamp')
},
fileName: trigger.data('key'),
allowedTypes: trigger.data('allowed_types'),
maxFileSize: trigger.data('max_size'),
@@ -586,7 +592,13 @@ function initFileUpload_UM( trigger ) {
url: um_scripts.fileupload,
method: "POST",
multiple: false,
formData: {key: trigger.data('key'), set_id: trigger.data('set_id'), set_mode: trigger.data('set_mode') },
formData: {
key: trigger.data('key'),
set_id: trigger.data('set_id'),
set_mode: trigger.data('set_mode'),
_wpnonce: trigger.data('nonce'),
timestamp: trigger.data('timestamp')
},
fileName: trigger.data('key'),
allowedTypes: trigger.data('allowed_types'),
maxFileSize: trigger.data('max_size'),
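Review bot: The seven-line `formData` object added at lines 16–22 is duplicated verbatim at lines 31–37, so initImageUpload_UM and initFileUpload_UM now carry the same request contract in two places and will drift the next time a field is added; a single helper such as `function uploadFormData_UM( trigger ) { return { key: trigger.data('key'), set_id: trigger.data('set_id'), set_mode: trigger.data('set_mode'), _wpnonce: trigger.data('nonce'), timestamp: trigger.data('timestamp') }; }` used by both would keep them aligned. The `_wpnonce`/`timestamp` pair is read from the element's data attributes, i.e. fixed at page render time, so a page left open past the nonce lifetime will have its uploads answered with the server's `{"error":"Invalid nonce"}` reply; the success/error callbacks that would surface `ret.error` are outside these hunks, so I cannot confirm that reply is shown to the user rather than treated as a completed upload. Both enclosing functions start and end outside the hunks.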
+8 -8
+15 -3
@@ -10,13 +10,25 @@ while( ++$i < 10 && !file_exists( $wp_load ) );
require_once( $wp_load );
global $ultimatemember;
$id = $_POST['key'];
$ultimatemember->fields->set_id = $_POST['set_id'];
$ultimatemember->fields->set_mode = $_POST['set_mode'];
$ret['error'] = null;
$ret = array();
$nonce = $_POST['_wpnonce'];
$id = $_POST['key'];
$timestamp = $_POST['timestamp'];
$ultimatemember->fields->set_id = $_POST['set_id'];
$ultimatemember->fields->set_mode = $_POST['set_mode'];
if ( ! wp_verify_nonce( $nonce, 'um_upload_nonce-'.$timestamp ) ) {
// This nonce is not valid.
$ret['error'] = 'Invalid nonce';
die( json_encode( $ret ) );
}
if(isset($_FILES[$id]['name'])) {
if(!is_array($_FILES[$id]['name'])) {
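Review bot: `$_POST['_wpnonce']` and `$_POST['timestamp']` at lines 54 and 56 are read without an existence check, so a request that omits them raises an undefined-index notice before `wp_verify_nonce()` ever runs; reading them as `$nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';` and `$timestamp = isset( $_POST['timestamp'] ) ? $_POST['timestamp'] : '';` makes the rejection path deterministic (the same applies to lines 74–75 of the second upload handler in this commit). The request's `set_id`/`set_mode` are written into `$ultimatemember->fields` at lines 57–58 before the nonce is checked; moving those two assignments below the `if` at line 59 keeps unverified input out of shared state on the rejection path. Since `$timestamp` is echoed back by the client and spliced into the action unchecked, it acts only as a per-render salt, and verification reduces to the standard WordPress nonce binding (user/session plus the nonce tick); that is the right CSRF property, but it does not establish that the caller may upload at all, and whether this script checks login state or capability elsewhere is outside the hunk. The enclosing file-level code continues past the hunk.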
+11 -2
@@ -10,12 +10,21 @@ while( ++$i < 10 && !file_exists( $wp_load ) );
require_once( $wp_load );
global $ultimatemember;
$ret['error'] = null;
$ret = array();
$id = $_POST['key'];
$timestamp = $_POST['timestamp'];
$nonce = $_POST['_wpnonce'];
$ultimatemember->fields->set_id = $_POST['set_id'];
$ultimatemember->fields->set_mode = $_POST['set_mode'];
$ret['error'] = null;
$ret = array();
if ( ! wp_verify_nonce( $nonce, 'um_upload_nonce-'.$timestamp ) ) {
// This nonce is not valid.
$ret['error'] = 'Invalid nonce';
die( json_encode( $ret ) );
}
if(isset($_FILES[$id]['name'])) {
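Review bot: The rejection at lines 82–83 answers an invalid nonce with a bare `die( json_encode( $ret ) )`, which goes out as HTTP 200 with no `Content-Type` header, so the client, access logs and any gateway in front of the site cannot tell a rejected request from a successful upload without parsing the body; `status_header( 403 ); wp_send_json( $ret );` sets the status and JSON content type and terminates in one call (the same applies at line 62 of the first upload handler in this commit). Lines 78–79 keep the moved pair `$ret['error'] = null; $ret = array();`, where the second statement discards the first, so a successful response carries no `error` key at all; `$ret = array( 'error' => null );` expresses the intent and gives the client a stable shape. The enclosing file-level code continues past the hunk.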
+9 -3
@@ -6,6 +6,7 @@ class UM_Fields {
$this->editing = false;
$this->viewing = false;
$this->timestamp = current_time('timestamp');
}
@@ -1409,8 +1410,10 @@ class UM_Fields {
$set_mode = '';
}
$output .= '<div class="um-single-image-preview '. $crop_class .'" data-crop="'.$crop_data.'" data-ratio="'.$ratio.'" data-min_width="'.$min_width.'" data-min_height="'.$min_height.'" data-coord=""><a href="#" class="cancel"><i class="um-icon-close"></i></a><img src="" alt="" /></div>';
$output .= '<div class="um-single-image-upload" data-icon="'.$icon.'" data-set_id="'.$set_id.'" data-set_mode="'.$set_mode.'" data-type="'.$type.'" data-key="'.$key.'" data-max_size="'.$max_size.'" data-max_size_error="'.$max_size_error.'" data-min_size_error="'.$min_size_error.'" data-extension_error="'.$extension_error.'" data-allowed_types="'.$allowed_types.'" data-upload_text="'.$upload_text.'" data-max_files_error="'.$max_files_error.'" data-upload_help_text="'.$upload_help_text.'">'.$button_text.'</div>';
$nonce = wp_create_nonce( 'um_upload_nonce-'.$this->timestamp );
$output .= '<div class="um-single-image-preview '. $crop_class .'" data-crop="'.$crop_data.'" data-ratio="'.$ratio.'" data-min_width="'.$min_width.'" data-min_height="'.$min_height.'" data-coord=""><a href="#" class="cancel"><i class="um-icon-close"></i></a><img src="" alt="" /></div>';
$output .= '<div class="um-single-image-upload" data-nonce="'.$nonce.'" data-timestamp="'.$this->timestamp.'" data-icon="'.$icon.'" data-set_id="'.$set_id.'" data-set_mode="'.$set_mode.'" data-type="'.$type.'" data-key="'.$key.'" data-max_size="'.$max_size.'" data-max_size_error="'.$max_size_error.'" data-min_size_error="'.$min_size_error.'" data-extension_error="'.$extension_error.'" data-allowed_types="'.$allowed_types.'" data-upload_text="'.$upload_text.'" data-max_files_error="'.$max_files_error.'" data-upload_help_text="'.$upload_help_text.'">'.$button_text.'</div>';
$output .= '<div class="um-modal-footer">
<div class="um-modal-right">
@@ -1495,7 +1498,10 @@ class UM_Fields {
</a>
</div>
</div>';
$output .= '<div class="um-single-file-upload" data-icon="'.$icon.'" data-set_id="'.$set_id.'" data-set_mode="'.$set_mode.'" data-type="'.$type.'" data-key="'.$key.'" data-max_size="'.$max_size.'" data-max_size_error="'.$max_size_error.'" data-min_size_error="'.$min_size_error.'" data-extension_error="'.$extension_error.'" data-allowed_types="'.$allowed_types.'" data-upload_text="'.$upload_text.'" data-max_files_error="'.$max_files_error.'" data-upload_help_text="'.$upload_help_text.'">'.$button_text.'</div>';
$nonce = wp_create_nonce( 'um_upload_nonce-'.$this->timestamp );
$output .= '<div class="um-single-file-upload" data-timestamp="'.$this->timestamp.'" data-nonce="'.$nonce.'" data-icon="'.$icon.'" data-set_id="'.$set_id.'" data-set_mode="'.$set_mode.'" data-type="'.$type.'" data-key="'.$key.'" data-max_size="'.$max_size.'" data-max_size_error="'.$max_size_error.'" data-min_size_error="'.$min_size_error.'" data-extension_error="'.$extension_error.'" data-allowed_types="'.$allowed_types.'" data-upload_text="'.$upload_text.'" data-max_files_error="'.$max_files_error.'" data-upload_help_text="'.$upload_help_text.'">'.$button_text.'</div>';
$output .= '<div class="um-modal-footer">
<div class="um-modal-right">
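Review bot: `$this->timestamp` is assigned in the constructor at line 91 but the property declaration is not in the hunk; if UM_Fields does not declare it, add `public $timestamp;` alongside the other properties so it is not a dynamic property (deprecated in PHP 8.2) and so its purpose can be documented. The nonce is regenerated at lines 98 and 108 with the identical action `'um_upload_nonce-'.$this->timestamp`, which yields the same value each time, so computing it once (for instance next to the timestamp) and reusing it removes two calls per rendered field and one place for the action string to diverge. A comment on line 91 such as `// per-render salt for the upload nonce action; the client echoes it back, so it is not an expiry` would stop a later maintainer from assuming the timestamp bounds the nonce's age, since the upload handlers rebuild the action from the value the request supplies. The nonce is keyed to whoever is logged in when the form renders, so a form rendered for a logged-out visitor and submitted after login will fail verification — whether that sequence is reachable depends on where this markup is used, which is outside the hunk. The enclosing methods start and end outside the hunks.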