Wordpress 2.0.11
index d8d714217a62cefaf3dd3a0c17ac813280ef7e47..2a6974c8e5f4a2f8f04f9a54ae37cff241143439 100644 (file)
@@ -4,7 +4,7 @@ Plugin Name: WordPress Database Backup
 Plugin URI: http://www.skippy.net/blog/plugins/
 Description: On-demand backup of your WordPress database.
 Author: Scott Merrill
-Version: 1.7
+Version: 1.8
 Author URI: http://www.skippy.net/
 
 Much of this was modified from Mark Ghosh's One Click Backup, which
@@ -36,13 +36,13 @@ class wpdbBackup {
        }
 
        function wpdbBackup() {
-                               
                add_action('wp_cron_daily', array(&$this, 'wp_cron_daily'));
 
                $this->backup_dir = trailingslashit($this->backup_dir);
                $this->basename = preg_replace('/^.*wp-content[\\\\\/]plugins[\\\\\/]/', '', __FILE__);
        
                if (isset($_POST['do_backup'])) {
+                       if ( !current_user_can('import') ) die(__('You are not allowed to perform backups.'));
                        switch($_POST['do_backup']) {
                        case 'backup':
                                $this->perform_backup();
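Review bot: The `do_backup` POST branch now checks the capability but not the request's origin, so a logged-in user holding `import` could still be made to trigger a backup or an e-mailed dump by a forged form post; a nonce check belongs right after the added capability line, e.g. `check_admin_referer('wp-db-backup');`, with a matching `wp_nonce_field('wp-db-backup')` in the form that posts here. The form itself is outside this diff, so I cannot tell whether it already emits a nonce. The constructor continues past the end of the hunk.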
@@ -52,8 +52,10 @@ class wpdbBackup {
                                break;                          
                        }
                } elseif (isset($_GET['fragment'] )) {
+                       if ( !current_user_can('import') ) die(__('You are not allowed to perform backups.'));
                        add_action('init', array(&$this, 'init'));
                } elseif (isset($_GET['backup'] )) {
+                       if ( !current_user_can('import') ) die(__('You are not allowed to perform backups.'));
                        add_action('init', array(&$this, 'init'));
                } else {
                        add_action('admin_menu', array(&$this, 'admin_menu'));
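Review bot: The two checks added in this hunk are copies of the one added in the previous hunk's POST branch, and both the `fragment` and `backup` branches only hook `init()`, which performs the same check on entry, so these copies do not add a gate that `init()` lacks. If the purpose is defence in depth, a single `if ( !current_user_can('import') ) die(__('You are not allowed to perform backups.'));` placed before the `isset` chain would cover all three branches without repeating the line. The constructor continues past the end of the hunk.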
@@ -61,16 +63,14 @@ class wpdbBackup {
        }
        
        function init() {
-               global $user_level;
-               get_currentuserinfo();
-
-               if ($user_level < 9) die(__('Need higher user level.'));
+               if ( !current_user_can('import') ) die(__('You are not allowed to perform backups.'));
 
                if (isset($_GET['backup'])) {
                        $via = isset($_GET['via']) ? $_GET['via'] : 'http';
                        
                        $this->backup_file = $_GET['backup'];
-                       
+                       $this->validate_file($this->backup_file);
+
                        switch($via) {
                        case 'smtp':
                        case 'email':
@@ -96,6 +96,7 @@ class wpdbBackup {
                }
                if (isset($_GET['fragment'] )) {
                        list($table, $segment, $filename) = explode(':', $_GET['fragment']);
+                       $this->validate_file($filename);
                        $this->backup_fragment($table, $segment, $filename);
                }
 
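Review bot: Only `$filename` is validated here; `$table` and `$segment` from the same `$_GET['fragment']` go straight into `backup_fragment`, and a fragment with fewer than three colon-separated parts leaves the later variables unset, so `validate_file` receives null. I would check the shape first, `$parts = explode(':', $_GET['fragment']); if (3 != count($parts)) die(__("Cheatin' uh ?")); list($table, $segment, $filename) = $parts;`, cast `$segment` with `(int)`, and compare `$table` against the list of tables the plugin itself offers for backup before calling `backup_fragment`. `init()` continues past the end of the hunk.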
@@ -307,7 +308,7 @@ class wpdbBackup {
                
                $core_tables = $_POST['core_tables'];
                $this->backup_file = $this->db_backup($core_tables, $also_backup);
-               if (FALSE !== $backup_file) {
+               if (FALSE !== $this->backup_file) {
                        if ('smtp' == $_POST['deliver']) {
                                $this->deliver_backup ($this->backup_file, $_POST['deliver'], $_POST['backup_recipient']);
                        } elseif ('http' == $_POST['deliver']) {
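Review bot: With the `$backup_file` typo fixed the condition now really guards delivery, but `$_POST['backup_recipient']` still reaches `deliver_backup` unchecked when `deliver` is `smtp`; unless `deliver_backup` (outside this hunk) validates it, an address check such as `if ('smtp' == $_POST['deliver'] && !is_email($_POST['backup_recipient'])) die(__('Invalid recipient address.'));` before the `if` would reject malformed input early. The enclosing function starts and ends outside the hunk.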
@@ -321,11 +322,11 @@ class wpdbBackup {
        
        ///////////////////////////////
        function admin_menu() {
-               add_management_page(__('Backup'), __('Backup'), 9, basename(__FILE__), array(&$this, 'backup_menu'));
+               add_management_page(__('Backup'), __('Backup'), 'import', basename(__FILE__), array(&$this, 'backup_menu'));
        }
 
        function fragment_menu() {
-               add_management_page(__('Backup'), __('Backup'), 9, basename(__FILE__), array(&$this, 'build_backup_script'));
+               add_management_page(__('Backup'), __('Backup'), 'import', basename(__FILE__), array(&$this, 'build_backup_script'));
        }
 
        /////////////////////////////////////////////////////////
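Review bot: Both `add_management_page` calls switch from level 9 to the `import` capability with no comment explaining the choice, and a later maintainer may wonder why an import capability guards backups; a comment such as `// no dedicated backup capability exists; 'import' is the stock capability closest to "may read the whole database"` on the first call would record it. The same literal also appears in the capability checks added in the other hunks, so a class constant or a small `can_backup()` helper would keep them in step if the capability ever changes. `fragment_menu` is otherwise a copy of `admin_menu` differing only in the callback.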
@@ -882,8 +883,28 @@ class wpdbBackup {
                
                return;
        } // wp_cron_db_backup
+
+       function validate_file($file) {
+               if (false !== strpos($file, '..'))
+                       die(__("Cheatin' uh ?"));
+
+               if (false !== strpos($file, './'))
+                       die(__("Cheatin' uh ?"));
+
+               if (':' == substr($file, 1, 1))
+                       die(__("Cheatin' uh ?"));
+       }
+
+}
+
+function wpdbBackup_init() {
+       global $mywpdbbackup;
+
+       if ( !current_user_can('import') ) return;
+
+       $mywpdbbackup = new wpdbBackup();       
 }
 
-$mywpdbbackup = new wpdbBackup();
+add_action('plugins_loaded', 'wpdbBackup_init');
 
 ?>
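Review bot: `validate_file` is a deny-list, and a deny-list of path fragments is hard to keep complete — for instance a leading `/` passes all three tests, so whether that is harmless depends on how `backup_file` is joined with `backup_dir` elsewhere in the file. An allow-list is shorter and closes the question: `if (basename($file) != $file || false !== strpos($file, '..') || !preg_match('/^[A-Za-z0-9_.-]+$/', $file)) die(__("Cheatin' uh ?"));`, and the function should carry a comment saying it accepts a bare file name, not a path. Separately, `wpdbBackup_init` now returns before `new wpdbBackup()` whenever the request has no user with `import`, which also skips the `add_action('wp_cron_daily', ...)` registration in the constructor; if the daily cron hook is fired by an ordinary visitor's request, scheduled backups will silently stop, so the cron hook should probably be registered unconditionally and the capability gate kept only around the request handling. It is also worth confirming that the current user is already resolvable when `plugins_loaded` fires in this WordPress version.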