Wordpress 2.0.4
index 3e1205045b838795704d513220b9b8f18cc23d7e..4631ac42dc113dbafbc7240a39bc17fe489098e1 100644 (file)
@@ -36,6 +36,8 @@ switch($action) {
 
 case 'update':
 
+       check_admin_referer('edit-file_' . $file);
+
        if ( ! current_user_can('edit_files') )
        die('<p>'.__('You have do not have sufficient permissions to edit templates for this blog.').'</p>');
 
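Review bot: The new `check_admin_referer('edit-file_' . $file)` binds the nonce to whatever `$file` holds, but nothing in this hunk constrains `$file` to a path under the theme directory; a nonce only proves the form was rendered for that value, not that the value is an allowed target, so the path validation (which, if present, lives outside this hunk) must still run before the update branch opens the file. Keeping the capability check immediately after the nonce check is the right order, since both must pass before any write. The permission message on the `die(` line reads "You have do not have sufficient permissions"; fixing it to `__('You do not have sufficient permissions to edit templates for this blog.')` changes a translatable string, so the corresponding .po entries would need updating. The `switch($action)` this `case` belongs to starts outside the hunk.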
@@ -45,12 +47,12 @@ case 'update':
                if ( $f ) {
                        fwrite($f, $newcontent);
                        fclose($f);
-                       header("Location: templates.php?file=$file&a=te");
+                       wp_redirect("templates.php?file=$file&a=te");
                } else {
-                       header("Location: templates.php?file=$file&a=err");
+                       wp_redirect("templates.php?file=$file&a=err");
                }
        } else {
-               header("Location: templates.php?file=$file&a=err");
+               wp_redirect("templates.php?file=$file&a=err");
        }
 
        exit();
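Review bot: `$file` is interpolated raw into the redirect query string on all three `wp_redirect` lines, so a value containing `&`, `#` or a space rewrites the target URL's parameters instead of being passed through as the file name. Encoding it once before the branch, `$file_q = urlencode($file);`, and using `wp_redirect("templates.php?file=$file_q&a=te");` (likewise for the two `a=err` lines) keeps the round-trip value intact. The existing `exit()` after the redirect should stay, as the hunk gives no indication that `wp_redirect` terminates the request itself; the enclosing `if` that tests the write result starts above this hunk.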
@@ -126,6 +128,7 @@ endif;
 </div>
 <?php if (!$error) { ?>
   <form name="template" id="template" action="templates.php" method="post"> 
+  <?php wp_nonce_field('edit-file_' . $file) ?>
      <div><textarea cols="70" rows="25" name="newcontent" id='newcontent' tabindex="1"><?php echo $content ?></textarea> 
      <input type="hidden" name="action" value="update" /> 
      <input type="hidden" name="file" value="<?php echo $file ?>" />
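Review bot: The hidden `file` input on the last line still echoes `$file` unescaped into an attribute value, so a `"` in the value ends the attribute and the rest is rendered as markup; the nonce field added above it does not change that. Use `<input type="hidden" name="file" value="<?php echo htmlspecialchars($file, ENT_QUOTES); ?>" />`. Whether `$content` on the textarea line was already passed through `htmlspecialchars` is not visible here; if it was not, a `</textarea>` inside the edited file terminates the editor element early. The `<form>` opened in this hunk is closed outside it.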