Issues in admin.php (ticket-41057) - Issues in ticket-41057 - ntwb/wordpress - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4967)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/wp-admin/admin.php (2 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * WordPress Administration Bootstrap
 *
 * @package WordPress
 * @subpackage Administration
 */

/**
 * In WordPress Administration Screens
 *
 * @since 2.3.2
 */
if ( ! defined( 'WP_ADMIN' ) ) {
	define( 'WP_ADMIN', true );
}

if ( ! defined('WP_NETWORK_ADMIN') )
	define('WP_NETWORK_ADMIN', false);

if ( ! defined('WP_USER_ADMIN') )
	define('WP_USER_ADMIN', false);

if ( ! WP_NETWORK_ADMIN && ! WP_USER_ADMIN ) {
	define('WP_BLOG_ADMIN', true);
}

if ( isset($_GET['import']) && !defined('WP_LOAD_IMPORTERS') )
	define('WP_LOAD_IMPORTERS', true);

require_once(dirname(dirname(__FILE__)) . '/wp-load.php');

nocache_headers();

if ( get_option('db_upgraded') ) {
	flush_rewrite_rules();
	update_option( 'db_upgraded',  false );

	/**
	 * Fires on the next page load after a successful DB upgrade.
	 *
	 * @since 2.8.0
	 */
	do_action( 'after_db_upgrade' );
} elseif ( get_option('db_version') != $wp_db_version && empty($_POST) ) {
	if ( !is_multisite() ) {
		wp_redirect( admin_url( 'upgrade.php?_wp_http_referer=' . urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
		exit;

	/**
	 * Filters whether to attempt to perform the multisite DB upgrade routine.
	 *
	 * In single site, the user would be redirected to wp-admin/upgrade.php.
	 * In multisite, the DB upgrade routine is automatically fired, but only
	 * when this filter returns true.
	 *
	 * If the network is 50 sites or less, it will run every time. Otherwise,
	 * it will throttle itself to reduce load.
	 *
	 * @since 3.0.0
	 *
	 * @param bool $do_mu_upgrade Whether to perform the Multisite upgrade routine. Default true.
	 */
	} elseif ( apply_filters( 'do_mu_upgrade', true ) ) {
		$c = get_blog_count();

		/*
		 * If there are 50 or fewer sites, run every time. Otherwise, throttle to reduce load:
		 * attempt to do no more than threshold value, with some +/- allowed.
		 */
		if ( $c <= 50 || ( $c > 50 && mt_rand( 0, (int)( $c / 50 ) ) == 1 ) ) {
			require_once( ABSPATH . WPINC . '/http.php' );
			$response = wp_remote_get( admin_url( 'upgrade.php?step=1' ), array( 'timeout' => 120, 'httpversion' => '1.1' ) );
			/** This action is documented in wp-admin/network/upgrade.php */
			do_action( 'after_mu_upgrade', $response );
			unset($response);
		}
		unset($c);
	}
}

require_once(ABSPATH . 'wp-admin/includes/admin.php');

auth_redirect();

// Schedule trash collection
if ( ! wp_next_scheduled( 'wp_scheduled_delete' ) && ! wp_installing() )
	wp_schedule_event(time(), 'daily', 'wp_scheduled_delete');

set_screen_options();

$date_format = __( 'F j, Y' );
$time_format = __( 'g:i a' );

wp_enqueue_script( 'common' );




/**
 * $pagenow is set in vars.php
 * $wp_importers is sometimes set in wp-admin/includes/import.php
 * The remaining variables are imported as globals elsewhere, declared as globals here
 *
 * @global string $pagenow
 * @global array  $wp_importers
 * @global string $hook_suffix
 * @global string $plugin_page
 * @global string $typenow
 * @global string $taxnow
 */
global $pagenow, $wp_importers, $hook_suffix, $plugin_page, $typenow, $taxnow;

$page_hook = null;

$editing = false;

if ( isset($_GET['page']) ) {
	$plugin_page = wp_unslash( $_GET['page'] );
	$plugin_page = plugin_basename($plugin_page);
/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}
}

if ( isset( $_REQUEST['post_type'] ) && post_type_exists( $_REQUEST['post_type'] ) )
	$typenow = $_REQUEST['post_type'];
else
	$typenow = '';

if ( isset( $_REQUEST['taxonomy'] ) && taxonomy_exists( $_REQUEST['taxonomy'] ) )
	$taxnow = $_REQUEST['taxonomy'];
else
	$taxnow = '';

if ( WP_NETWORK_ADMIN )
	require(ABSPATH . 'wp-admin/network/menu.php');
elseif ( WP_USER_ADMIN )
	require(ABSPATH . 'wp-admin/user/menu.php');
else
	require(ABSPATH . 'wp-admin/menu.php');

if ( current_user_can( 'manage_options' ) ) {
	wp_raise_memory_limit( 'admin' );
}

/**
 * Fires as an admin screen or script is being initialized.
 *
 * Note, this does not just run on user-facing admin screens.
 * It runs on admin-ajax.php and admin-post.php as well.
 *
 * This is roughly analogous to the more general {@see 'init'} hook, which fires earlier.
 *
 * @since 2.5.0
 */
do_action( 'admin_init' );

if ( isset($plugin_page) ) {
	if ( !empty($typenow) )
		$the_parent = $pagenow . '?post_type=' . $typenow;
	else
		$the_parent = $pagenow;
	if ( ! $page_hook = get_plugin_page_hook($plugin_page, $the_parent) ) {
		$page_hook = get_plugin_page_hook($plugin_page, $plugin_page);

		// Back-compat for plugins using add_management_page().
		if ( empty( $page_hook ) && 'edit.php' == $pagenow && '' != get_plugin_page_hook($plugin_page, 'tools.php') ) {
			// There could be plugin specific params on the URL, so we need the whole query string
			if ( !empty($_SERVER[ 'QUERY_STRING' ]) )
				$query_string = $_SERVER[ 'QUERY_STRING' ];
			else
				$query_string = 'page=' . $plugin_page;
			wp_redirect( admin_url('tools.php?' . $query_string) );
			exit;
		}
	}
	unset($the_parent);
}

$hook_suffix = '';
if ( isset( $page_hook ) ) {
	$hook_suffix = $page_hook;
} elseif ( isset( $plugin_page ) ) {
	$hook_suffix = $plugin_page;
} elseif ( isset( $pagenow ) ) {
	$hook_suffix = $pagenow;
}

set_current_screen();

// Handle plugin admin pages.
if ( isset($plugin_page) ) {
	if ( $page_hook ) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
		/**
		 * Fires before a particular screen is loaded.
		 *
		 * The load-* hook fires in a number of contexts. This hook is for plugin screens
		 * where a callback is provided when the screen is registered.
		 *
		 * The dynamic portion of the hook name, `$page_hook`, refers to a mixture of plugin
		 * page information including:
		 * 1. The page type. If the plugin page is registered as a submenu page, such as for
		 *    Settings, the page type would be 'settings'. Otherwise the type is 'toplevel'.
		 * 2. A separator of '_page_'.
		 * 3. The plugin basename minus the file extension.
		 *
		 * Together, the three parts form the `$page_hook`. Citing the example above,
		 * the hook name used would be 'load-settings_page_pluginbasename'.
		 *
		 * @see get_plugin_page_hook()
		 *
		 * @since 2.1.0
		 */
		do_action( "load-{$page_hook}" );
		if (! isset($_GET['noheader']))
			require_once(ABSPATH . 'wp-admin/admin-header.php');

		/**
		 * Used to call the registered callback for a plugin screen.
		 *
		 * @ignore
		 * @since 1.5.0
		 */
		do_action( $page_hook );
	} else {
		if ( validate_file( $plugin_page ) ) {
			wp_die( __( 'Invalid plugin page.' ) );
		}

		if ( !( file_exists(WP_PLUGIN_DIR . "/$plugin_page") && is_file(WP_PLUGIN_DIR . "/$plugin_page") ) && !( file_exists(WPMU_PLUGIN_DIR . "/$plugin_page") && is_file(WPMU_PLUGIN_DIR . "/$plugin_page") ) )
			wp_die(sprintf(__('Cannot load %s.'), htmlentities($plugin_page)));

		/**
		 * Fires before a particular screen is loaded.
		 *
		 * The load-* hook fires in a number of contexts. This hook is for plugin screens
		 * where the file to load is directly included, rather than the use of a function.
		 *
		 * The dynamic portion of the hook name, `$plugin_page`, refers to the plugin basename.
		 *
		 * @see plugin_basename()
		 *
		 * @since 1.5.0
		 */
		do_action( "load-{$plugin_page}" );

		if ( !isset($_GET['noheader']))
			require_once(ABSPATH . 'wp-admin/admin-header.php');

		if ( file_exists(WPMU_PLUGIN_DIR . "/$plugin_page") )
			include(WPMU_PLUGIN_DIR . "/$plugin_page");
		else
			include(WP_PLUGIN_DIR . "/$plugin_page");
	}

	include(ABSPATH . 'wp-admin/admin-footer.php');

	exit();
} elseif ( isset( $_GET['import'] ) ) {

	$importer = $_GET['import'];

	if ( ! current_user_can( 'import' ) ) {
		wp_die( __( 'Sorry, you are not allowed to import content.' ) );
	}

	if ( validate_file($importer) ) {
		wp_redirect( admin_url( 'import.php?invalid=' . $importer ) );
		exit;
	}

	if ( ! isset($wp_importers[$importer]) || ! is_callable($wp_importers[$importer][2]) ) {
		wp_redirect( admin_url( 'import.php?invalid=' . $importer ) );
		exit;
	}

	/**
	 * Fires before an importer screen is loaded.
	 *
	 * The dynamic portion of the hook name, `$importer`, refers to the importer slug.
	 *
	 * @since 3.5.0
	 */
	do_action( "load-importer-{$importer}" );

	$parent_file = 'tools.php';
	$submenu_file = 'import.php';
	$title = __('Import');

	if (! isset($_GET['noheader']))
		require_once(ABSPATH . 'wp-admin/admin-header.php');

	require_once(ABSPATH . 'wp-admin/includes/upgrade.php');

	define('WP_IMPORTING', true);

	/**
	 * Whether to filter imported data through kses on import.
	 *
	 * Multisite uses this hook to filter all data through kses by default,
	 * as a super administrator may be assisting an untrusted user.
	 *
	 * @since 3.1.0
	 *
	 * @param bool $force Whether to force data to be filtered through kses. Default false.
	 */
	if ( apply_filters( 'force_filtered_html_on_import', false ) ) {
		kses_init_filters();  // Always filter imported data with kses on multisite.
	}

	call_user_func($wp_importers[$importer][2]);

	include(ABSPATH . 'wp-admin/admin-footer.php');

	// Make sure rules are flushed
	flush_rewrite_rules(false);

	exit();
} else {
	/**
	 * Fires before a particular screen is loaded.
	 *
	 * The load-* hook fires in a number of contexts. This hook is for core screens.
	 *
	 * The dynamic portion of the hook name, `$pagenow`, is a global variable
	 * referring to the filename of the current page, such as 'admin.php',
	 * 'post-new.php' etc. A complete hook for the latter would be
	 * 'load-post-new.php'.
	 *
	 * @since 2.1.0
	 */
	do_action( "load-{$pagenow}" );

	/*
	 * The following hooks are fired to ensure backward compatibility.
	 * In all other cases, 'load-' . $pagenow should be used instead.
	 */
	if ( $typenow == 'page' ) {
		if ( $pagenow == 'post-new.php' )
			do_action( 'load-page-new.php' );
		elseif ( $pagenow == 'post.php' )
			do_action( 'load-page.php' );
	}  elseif ( $pagenow == 'edit-tags.php' ) {
		if ( $taxnow == 'category' )
			do_action( 'load-categories.php' );
		elseif ( $taxnow == 'link_category' )
			do_action( 'load-edit-link-categories.php' );
	} elseif( 'term.php' === $pagenow ) {
		do_action( 'load-edit-tags.php' );
	}
}

if ( ! empty( $_REQUEST['action'] ) ) {
	/**
	 * Fires when an 'action' request variable is sent.
	 *
	 * The dynamic portion of the hook name, `$_REQUEST['action']`,
	 * refers to the action derived from the `GET` or `POST` request.
	 *
	 * @since 2.6.0
	 */
	do_action( 'admin_action_' . $_REQUEST['action'] );
}


1		<?php
2		/**
3		* WordPress Administration Bootstrap
4		*
5		* @package WordPress
6		* @subpackage Administration
7		*/
8
9		/**
10		* In WordPress Administration Screens
11		*
12		* @since 2.3.2
13		*/
14		if ( ! defined( 'WP_ADMIN' ) ) {
15		define( 'WP_ADMIN', true );
16		}
17
18		if ( ! defined('WP_NETWORK_ADMIN') )
19		define('WP_NETWORK_ADMIN', false);
20
21		if ( ! defined('WP_USER_ADMIN') )
22		define('WP_USER_ADMIN', false);
23
24		if ( ! WP_NETWORK_ADMIN && ! WP_USER_ADMIN ) {
25		define('WP_BLOG_ADMIN', true);
26		}
27
28		if ( isset($_GET['import']) && !defined('WP_LOAD_IMPORTERS') )
29		define('WP_LOAD_IMPORTERS', true);
30
31		require_once(dirname(dirname(__FILE__)) . '/wp-load.php');
32
33		nocache_headers();
34
35		if ( get_option('db_upgraded') ) {
36		flush_rewrite_rules();
37		update_option( 'db_upgraded', false );
38
39		/**
40		* Fires on the next page load after a successful DB upgrade.
41		*
42		* @since 2.8.0
43		*/
44		do_action( 'after_db_upgrade' );
45		} elseif ( get_option('db_version') != $wp_db_version && empty($_POST) ) {
46		if ( !is_multisite() ) {
47		wp_redirect( admin_url( 'upgrade.php?_wp_http_referer=' . urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
48		exit;
49
50		/**
51		* Filters whether to attempt to perform the multisite DB upgrade routine.
52		*
53		* In single site, the user would be redirected to wp-admin/upgrade.php.
54		* In multisite, the DB upgrade routine is automatically fired, but only
55		* when this filter returns true.
56		*
57		* If the network is 50 sites or less, it will run every time. Otherwise,
58		* it will throttle itself to reduce load.
59		*
60		* @since 3.0.0
61		*
62		* @param bool $do_mu_upgrade Whether to perform the Multisite upgrade routine. Default true.
63		*/
64		} elseif ( apply_filters( 'do_mu_upgrade', true ) ) {
65		$c = get_blog_count();
66
67		/*
68		* If there are 50 or fewer sites, run every time. Otherwise, throttle to reduce load:
69		* attempt to do no more than threshold value, with some +/- allowed.
70		*/
71		if ( $c <= 50 \|\| ( $c > 50 && mt_rand( 0, (int)( $c / 50 ) ) == 1 ) ) {
72		require_once( ABSPATH . WPINC . '/http.php' );
73		$response = wp_remote_get( admin_url( 'upgrade.php?step=1' ), array( 'timeout' => 120, 'httpversion' => '1.1' ) );
74		/** This action is documented in wp-admin/network/upgrade.php */
75		do_action( 'after_mu_upgrade', $response );
76		unset($response);
77		}
78		unset($c);
79		}
80		}
81
82		require_once(ABSPATH . 'wp-admin/includes/admin.php');
83
84		auth_redirect();
85
86		// Schedule trash collection
87		if ( ! wp_next_scheduled( 'wp_scheduled_delete' ) && ! wp_installing() )
88		wp_schedule_event(time(), 'daily', 'wp_scheduled_delete');
89
90		set_screen_options();
91
92		$date_format = __( 'F j, Y' );
93		$time_format = __( 'g:i a' );
94
95		wp_enqueue_script( 'common' );
96
97
98
99
100		/**
101		* $pagenow is set in vars.php
102		* $wp_importers is sometimes set in wp-admin/includes/import.php
103		* The remaining variables are imported as globals elsewhere, declared as globals here
104		*
105		* @global string $pagenow
106		* @global array $wp_importers
107		* @global string $hook_suffix
108		* @global string $plugin_page
109		* @global string $typenow
110		* @global string $taxnow
111		*/
112		global $pagenow, $wp_importers, $hook_suffix, $plugin_page, $typenow, $taxnow;
113
114		$page_hook = null;
115
116		$editing = false;
117
118		if ( isset($_GET['page']) ) {
119		$plugin_page = wp_unslash( $_GET['page'] );
120		$plugin_page = plugin_basename($plugin_page);
		0 ignored issues – show Bug introduced 2016-03-16 22:18 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$plugin_page` can also be of type `array`; however, `plugin_basename()` does only seem to accept `string`, maybe add an additional type check? If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check: /** * @return array\|string */ function returnsDifferentValues($x) { if ($x) { return 'foo'; } return array(); } $x = returnsDifferentValues($y); if (is_array($x)) { // $x is an array. } If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue. Loading history...
121		}
122
123	View Code Duplication	if ( isset( $_REQUEST['post_type'] ) && post_type_exists( $_REQUEST['post_type'] ) )
124		$typenow = $_REQUEST['post_type'];
125		else
126		$typenow = '';
127
128	View Code Duplication	if ( isset( $_REQUEST['taxonomy'] ) && taxonomy_exists( $_REQUEST['taxonomy'] ) )
129		$taxnow = $_REQUEST['taxonomy'];
130		else
131		$taxnow = '';
132
133		if ( WP_NETWORK_ADMIN )
134		require(ABSPATH . 'wp-admin/network/menu.php');
135		elseif ( WP_USER_ADMIN )
136		require(ABSPATH . 'wp-admin/user/menu.php');
137		else
138		require(ABSPATH . 'wp-admin/menu.php');
139
140		if ( current_user_can( 'manage_options' ) ) {
141		wp_raise_memory_limit( 'admin' );
142		}
143
144		/**
145		* Fires as an admin screen or script is being initialized.
146		*
147		* Note, this does not just run on user-facing admin screens.
148		* It runs on admin-ajax.php and admin-post.php as well.
149		*
150		* This is roughly analogous to the more general {@see 'init'} hook, which fires earlier.
151		*
152		* @since 2.5.0
153		*/
154		do_action( 'admin_init' );
155
156		if ( isset($plugin_page) ) {
157		if ( !empty($typenow) )
158		$the_parent = $pagenow . '?post_type=' . $typenow;
159		else
160		$the_parent = $pagenow;
161		if ( ! $page_hook = get_plugin_page_hook($plugin_page, $the_parent) ) {
162		$page_hook = get_plugin_page_hook($plugin_page, $plugin_page);
163
164		// Back-compat for plugins using add_management_page().
165		if ( empty( $page_hook ) && 'edit.php' == $pagenow && '' != get_plugin_page_hook($plugin_page, 'tools.php') ) {
166		// There could be plugin specific params on the URL, so we need the whole query string
167		if ( !empty($_SERVER[ 'QUERY_STRING' ]) )
168		$query_string = $_SERVER[ 'QUERY_STRING' ];
169		else
170		$query_string = 'page=' . $plugin_page;
171		wp_redirect( admin_url('tools.php?' . $query_string) );
172		exit;
173		}
174		}
175		unset($the_parent);
176		}
177
178		$hook_suffix = '';
179		if ( isset( $page_hook ) ) {
180		$hook_suffix = $page_hook;
181		} elseif ( isset( $plugin_page ) ) {
182		$hook_suffix = $plugin_page;
183		} elseif ( isset( $pagenow ) ) {
184		$hook_suffix = $pagenow;
185		}
186
187		set_current_screen();
188
189		// Handle plugin admin pages.
190		if ( isset($plugin_page) ) {
191		if ( $page_hook ) {
		0 ignored issues – show Bug Best Practice introduced 2015-12-17 04:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$page_hook` of type `string\|null` is loosely compared to `true`; this is ambiguous if the string can be empty. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
192		/**
193		* Fires before a particular screen is loaded.
194		*
195		* The load-* hook fires in a number of contexts. This hook is for plugin screens
196		* where a callback is provided when the screen is registered.
197		*
198		* The dynamic portion of the hook name, `$page_hook`, refers to a mixture of plugin
199		* page information including:
200		* 1. The page type. If the plugin page is registered as a submenu page, such as for
201		* Settings, the page type would be 'settings'. Otherwise the type is 'toplevel'.
202		* 2. A separator of '_page_'.
203		* 3. The plugin basename minus the file extension.
204		*
205		* Together, the three parts form the `$page_hook`. Citing the example above,
206		* the hook name used would be 'load-settings_page_pluginbasename'.
207		*
208		* @see get_plugin_page_hook()
209		*
210		* @since 2.1.0
211		*/
212		do_action( "load-{$page_hook}" );
213		if (! isset($_GET['noheader']))
214		require_once(ABSPATH . 'wp-admin/admin-header.php');
215
216		/**
217		* Used to call the registered callback for a plugin screen.
218		*
219		* @ignore
220		* @since 1.5.0
221		*/
222		do_action( $page_hook );
223		} else {
224		if ( validate_file( $plugin_page ) ) {
225		wp_die( __( 'Invalid plugin page.' ) );
226		}
227
228		if ( !( file_exists(WP_PLUGIN_DIR . "/$plugin_page") && is_file(WP_PLUGIN_DIR . "/$plugin_page") ) && !( file_exists(WPMU_PLUGIN_DIR . "/$plugin_page") && is_file(WPMU_PLUGIN_DIR . "/$plugin_page") ) )
229		wp_die(sprintf(__('Cannot load %s.'), htmlentities($plugin_page)));
230
231		/**
232		* Fires before a particular screen is loaded.
233		*
234		* The load-* hook fires in a number of contexts. This hook is for plugin screens
235		* where the file to load is directly included, rather than the use of a function.
236		*
237		* The dynamic portion of the hook name, `$plugin_page`, refers to the plugin basename.
238		*
239		* @see plugin_basename()
240		*
241		* @since 1.5.0
242		*/
243		do_action( "load-{$plugin_page}" );
244
245		if ( !isset($_GET['noheader']))
246		require_once(ABSPATH . 'wp-admin/admin-header.php');
247
248		if ( file_exists(WPMU_PLUGIN_DIR . "/$plugin_page") )
249		include(WPMU_PLUGIN_DIR . "/$plugin_page");
250		else
251		include(WP_PLUGIN_DIR . "/$plugin_page");
252		}
253
254		include(ABSPATH . 'wp-admin/admin-footer.php');
255
256		exit();
257		} elseif ( isset( $_GET['import'] ) ) {
258
259		$importer = $_GET['import'];
260
261		if ( ! current_user_can( 'import' ) ) {
262		wp_die( __( 'Sorry, you are not allowed to import content.' ) );
263		}
264
265		if ( validate_file($importer) ) {
266		wp_redirect( admin_url( 'import.php?invalid=' . $importer ) );
267		exit;
268		}
269
270		if ( ! isset($wp_importers[$importer]) \|\| ! is_callable($wp_importers[$importer][2]) ) {
271		wp_redirect( admin_url( 'import.php?invalid=' . $importer ) );
272		exit;
273		}
274
275		/**
276		* Fires before an importer screen is loaded.
277		*
278		* The dynamic portion of the hook name, `$importer`, refers to the importer slug.
279		*
280		* @since 3.5.0
281		*/
282		do_action( "load-importer-{$importer}" );
283
284		$parent_file = 'tools.php';
285		$submenu_file = 'import.php';
286		$title = __('Import');
287
288		if (! isset($_GET['noheader']))
289		require_once(ABSPATH . 'wp-admin/admin-header.php');
290
291		require_once(ABSPATH . 'wp-admin/includes/upgrade.php');
292
293		define('WP_IMPORTING', true);
294
295		/**
296		* Whether to filter imported data through kses on import.
297		*
298		* Multisite uses this hook to filter all data through kses by default,
299		* as a super administrator may be assisting an untrusted user.
300		*
301		* @since 3.1.0
302		*
303		* @param bool $force Whether to force data to be filtered through kses. Default false.
304		*/
305		if ( apply_filters( 'force_filtered_html_on_import', false ) ) {
306		kses_init_filters(); // Always filter imported data with kses on multisite.
307		}
308
309		call_user_func($wp_importers[$importer][2]);
310
311		include(ABSPATH . 'wp-admin/admin-footer.php');
312
313		// Make sure rules are flushed
314		flush_rewrite_rules(false);
315
316		exit();
317		} else {
318		/**
319		* Fires before a particular screen is loaded.
320		*
321		* The load-* hook fires in a number of contexts. This hook is for core screens.
322		*
323		* The dynamic portion of the hook name, `$pagenow`, is a global variable
324		* referring to the filename of the current page, such as 'admin.php',
325		* 'post-new.php' etc. A complete hook for the latter would be
326		* 'load-post-new.php'.
327		*
328		* @since 2.1.0
329		*/
330		do_action( "load-{$pagenow}" );
331
332		/*
333		* The following hooks are fired to ensure backward compatibility.
334		* In all other cases, 'load-' . $pagenow should be used instead.
335		*/
336		if ( $typenow == 'page' ) {
337		if ( $pagenow == 'post-new.php' )
338		do_action( 'load-page-new.php' );
339		elseif ( $pagenow == 'post.php' )
340		do_action( 'load-page.php' );
341		} elseif ( $pagenow == 'edit-tags.php' ) {
342		if ( $taxnow == 'category' )
343		do_action( 'load-categories.php' );
344		elseif ( $taxnow == 'link_category' )
345		do_action( 'load-edit-link-categories.php' );
346		} elseif( 'term.php' === $pagenow ) {
347		do_action( 'load-edit-tags.php' );
348		}
349		}
350
351		if ( ! empty( $_REQUEST['action'] ) ) {
352		/**
353		* Fires when an 'action' request variable is sent.
354		*
355		* The dynamic portion of the hook name, `$_REQUEST['action']`,
356		* refers to the action derived from the `GET` or `POST` request.
357		*
358		* @since 2.6.0
359		*/
360		do_action( 'admin_action_' . $_REQUEST['action'] );
361		}
362

ntwb / wordpress

Issues (4967)

Security Analysis not enabled

src/wp-admin/admin.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like