10h30/ultimatemember
1
0
Fork 0
mirror of https://github.com/10h30/ultimatemember.git synced 2026-06-05 15:09:37 +09:00
Code Issues Packages Projects Releases Wiki Activity

Custom dropdown callback functions security enhancements:

Browse Source 
- avoid using different letter case for bypass the blacklist e.g. phpInfo
- avoid using root namespace for bypass the blacklist e.g. \phpinfo
This commit is contained in:
Nikita Sinelnikov
2022-11-09 03:17:23 +02:00
parent 096a1caf27
commit 2004aa7dde
6 changed files with 31 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
includes/core/class-validation.php
+1 -1
View File
@@ -95,7 +95,7 @@ if ( ! class_exists( 'um\core\Validation' ) ) {
isset( $fields[ $key ]['custom_dropdown_options_source'] ) &&
! empty( $fields[ $key ]['custom_dropdown_options_source'] ) &&
function_exists( $fields[ $key ]['custom_dropdown_options_source'] ) ) {
if ( ! in_array( $fields[ $key ]['custom_dropdown_options_source'], UM()->fields()->dropdown_options_source_blacklist(), true ) ) {
if ( ! UM()->fields()->is_source_blacklisted( $fields[ $key ]['custom_dropdown_options_source'] ) ) {
$arr_options = call_user_func( $fields[ $key ]['custom_dropdown_options_source'] );
$fields[ $key ]['options'] = array_keys( $arr_options );
}