<?php
/**
 * WordPress Administration Bootstrap
 *
 * Every admin request (screens as well as admin-ajax.php / admin-post.php,
 * per the 'admin_init' documentation below) passes through this file. It
 * defines the admin-context constants, loads WordPress, deals with pending
 * database upgrades, enforces authentication and finally dispatches to the
 * requested core screen, plugin page or importer.
 *
 * @package WordPress
 * @subpackage Administration
 */

/**
 * In WordPress Administration Screens
 *
 * Each constant is only defined when an earlier-loaded script has not
 * already set it, so a wrapper entry point can pre-select the context.
 *
 * @since 2.3.2
 */
defined( 'WP_ADMIN' ) || define( 'WP_ADMIN', true );

defined( 'WP_NETWORK_ADMIN' ) || define( 'WP_NETWORK_ADMIN', false );

defined( 'WP_USER_ADMIN' ) || define( 'WP_USER_ADMIN', false );

// A request that is neither network admin nor user admin is a regular blog admin request.
if ( ! ( WP_NETWORK_ADMIN || WP_USER_ADMIN ) ) {
	define( 'WP_BLOG_ADMIN', true );
}

// Only load the importer registry when an import is requested. The value of
// $_GET['import'] is not trusted here; it is validated before use further down.
if ( ! defined( 'WP_LOAD_IMPORTERS' ) && isset( $_GET['import'] ) ) {
	define( 'WP_LOAD_IMPORTERS', true );
}
// Load WordPress itself; wp-load.php lives one directory above wp-admin/.
require_once( dirname( dirname( __FILE__ ) ) . '/wp-load.php' );

// Admin responses must never be cached by browsers or intermediaries.
nocache_headers();

/*
 * Database upgrade handling. NOTE: this runs before auth_redirect() further
 * down, so it is reached by unauthenticated requests as well; the only
 * actions taken here are a redirect to upgrade.php or a server-side loopback
 * request to it.
 */
if ( get_option( 'db_upgraded' ) ) {
	// First page load after a successful upgrade: rebuild rewrite rules and clear the flag.
	flush_rewrite_rules();
	update_option( 'db_upgraded', false );

	/**
	 * Fires on the next page load after a successful DB upgrade.
	 *
	 * @since 2.8.0
	 */
	do_action( 'after_db_upgrade' );
} elseif ( get_option( 'db_version' ) != $wp_db_version && empty( $_POST ) ) {
	if ( is_multisite() ) {
		/**
		 * Filters whether to attempt to perform the multisite DB upgrade routine.
		 *
		 * In single site, the user would be redirected to wp-admin/upgrade.php.
		 * In multisite, the DB upgrade routine is automatically fired, but only
		 * when this filter returns true.
		 *
		 * If the network is 50 sites or less, it will run every time. Otherwise,
		 * it will throttle itself to reduce load.
		 *
		 * @since 3.0.0
		 *
		 * @param bool $do_mu_upgrade Whether to perform the Multisite upgrade routine. Default true.
		 */
		if ( apply_filters( 'do_mu_upgrade', true ) ) {
			$site_count = get_blog_count();

			/*
			 * 50 sites or fewer: run every time. Larger networks: run on roughly one
			 * request in ($site_count / 50). mt_rand() is only a load-throttling
			 * choice here, nothing security-relevant depends on it.
			 */
			if ( $site_count <= 50 || mt_rand( 0, (int) ( $site_count / 50 ) ) == 1 ) {
				require_once( ABSPATH . WPINC . '/http.php' );
				// Loopback request to our own upgrade.php; the target is built from admin_url().
				$upgrade_response = wp_remote_get(
					admin_url( 'upgrade.php?step=1' ),
					array( 'timeout' => 120, 'httpversion' => '1.1' )
				);
				/** This action is documented in wp-admin/network/upgrade.php */
				do_action( 'after_mu_upgrade', $upgrade_response );
				unset( $upgrade_response );
			}
			unset( $site_count );
		}
	} else {
		// Single site: send the user to upgrade.php. REQUEST_URI is url-encoded into a
		// query parameter of an admin_url() target, so the redirect host is fixed.
		wp_redirect( admin_url( 'upgrade.php?_wp_http_referer=' . urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
		exit;
	}
}
require_once( ABSPATH . 'wp-admin/includes/admin.php' );

// Authentication gate: everything below this line requires a logged-in user.
// auth_redirect() sends unauthenticated requests to the login screen and does
// not return for them.
auth_redirect();

// Make sure the daily trash purge is scheduled (not while installing).
if ( ! ( wp_next_scheduled( 'wp_scheduled_delete' ) || wp_installing() ) ) {
	wp_schedule_event( time(), 'daily', 'wp_scheduled_delete' );
}

// Handle per-screen option submissions, if any (see set_screen_options()).
set_screen_options();

// Default display formats used by admin screens; both are translatable.
$date_format = __( 'F j, Y' );
$time_format = __( 'g:i a' );

wp_enqueue_script( 'common' );
/**
 * $pagenow is set in vars.php
 * $wp_importers is sometimes set in wp-admin/includes/import.php
 * The remaining variables are imported as globals elsewhere, declared as globals here
 *
 * @global string $pagenow
 * @global array $wp_importers
 * @global string $hook_suffix
 * @global string $plugin_page
 * @global string $typenow
 * @global string $taxnow
 */
global $pagenow, $wp_importers, $hook_suffix, $plugin_page, $typenow, $taxnow;

$page_hook = null;
$editing   = false;

// Plugin page slug straight from the URL. plugin_basename() is applied to
// normalize it; the value is validated again (validate_file() and an
// existence check inside the plugin directories) before it is ever used as
// a file path in the dispatch code below.
if ( isset( $_GET['page'] ) ) {
	$plugin_page = plugin_basename( wp_unslash( $_GET['page'] ) );
}

// Only a registered post type / taxonomy is accepted from the request;
// anything else collapses to '' so unvalidated input never reaches the
// parent-file and hook lookups below.
$typenow = ( isset( $_REQUEST['post_type'] ) && post_type_exists( $_REQUEST['post_type'] ) )
	? $_REQUEST['post_type']
	: '';

$taxnow = ( isset( $_REQUEST['taxonomy'] ) && taxonomy_exists( $_REQUEST['taxonomy'] ) )
	? $_REQUEST['taxonomy']
	: '';
// Pick the menu definition for the admin context decided at the top of this file.
if ( WP_NETWORK_ADMIN ) {
	$admin_menu_file = 'wp-admin/network/menu.php';
} elseif ( WP_USER_ADMIN ) {
	$admin_menu_file = 'wp-admin/user/menu.php';
} else {
	$admin_menu_file = 'wp-admin/menu.php';
}
require( ABSPATH . $admin_menu_file );
unset( $admin_menu_file );

// Users who can manage options get the larger 'admin' memory limit.
if ( current_user_can( 'manage_options' ) ) {
	wp_raise_memory_limit( 'admin' );
}

/**
 * Fires as an admin screen or script is being initialized.
 *
 * Note, this does not just run on user-facing admin screens.
 * It runs on admin-ajax.php and admin-post.php as well.
 *
 * This is roughly analogous to the more general {@see 'init'} hook, which fires earlier.
 *
 * @since 2.5.0
 */
do_action( 'admin_init' );
if ( isset( $plugin_page ) ) {
	// A plugin page may be registered under "<pagenow>?post_type=<type>" or under plain <pagenow>.
	$parent_slug = empty( $typenow ) ? $pagenow : $pagenow . '?post_type=' . $typenow;
	$page_hook   = get_plugin_page_hook( $plugin_page, $parent_slug );

	if ( ! $page_hook ) {
		// Fall back to the page being its own parent (top-level menu page).
		$page_hook = get_plugin_page_hook( $plugin_page, $plugin_page );

		// Back-compat for plugins using add_management_page().
		if ( empty( $page_hook ) && 'edit.php' == $pagenow && '' != get_plugin_page_hook( $plugin_page, 'tools.php' ) ) {
			// There could be plugin specific params on the URL, so we need the whole query string.
			// The raw query string is only ever appended to an admin_url() target, so the
			// redirect stays on this site's own tools.php.
			$query_string = empty( $_SERVER['QUERY_STRING'] )
				? 'page=' . $plugin_page
				: $_SERVER['QUERY_STRING'];
			wp_redirect( admin_url( 'tools.php?' . $query_string ) );
			exit;
		}
	}
	unset( $parent_slug );
}
// The hook suffix identifies the current screen (presumably consumed by
// set_current_screen() and screen-specific hooks): prefer the resolved plugin
// page hook, then the raw plugin page slug, then the core file name.
$hook_suffix = isset( $page_hook )
	? $page_hook
	: ( isset( $plugin_page ) ? $plugin_page : ( isset( $pagenow ) ? $pagenow : '' ) );

set_current_screen();
// Handle plugin admin pages.
//
// Dispatch order: a plugin page registered with a callback, else a plugin
// page served by including a file from the plugin directories, else an
// importer, else a core screen. No capability check is visible in this file
// for the plugin-page paths; NOTE(review): it is presumably performed while
// the menu is loaded — confirm before relying on it.
if ( isset($plugin_page) ) {
	if ( $page_hook ) {
		/**
		 * Fires before a particular screen is loaded.
		 *
		 * The load-* hook fires in a number of contexts. This hook is for plugin screens
		 * where a callback is provided when the screen is registered.
		 *
		 * The dynamic portion of the hook name, `$page_hook`, refers to a mixture of plugin
		 * page information including:
		 * 1. The page type. If the plugin page is registered as a submenu page, such as for
		 *    Settings, the page type would be 'settings'. Otherwise the type is 'toplevel'.
		 * 2. A separator of '_page_'.
		 * 3. The plugin basename minus the file extension.
		 *
		 * Together, the three parts form the `$page_hook`. Citing the example above,
		 * the hook name used would be 'load-settings_page_pluginbasename'.
		 *
		 * @see get_plugin_page_hook()
		 *
		 * @since 2.1.0
		 */
		do_action( "load-{$page_hook}" );
		// Any request can suppress the admin header with ?noheader; the callback
		// is then responsible for all of its own output.
		if (! isset($_GET['noheader']))
			require_once(ABSPATH . 'wp-admin/admin-header.php');

		/**
		 * Used to call the registered callback for a plugin screen.
		 *
		 * @ignore
		 * @since 1.5.0
		 */
		do_action( $page_hook );
	} else {
		// Direct file include path. $plugin_page originates from $_GET['page']
		// (run through plugin_basename() earlier), so two guards protect the
		// include below: validate_file() is WordPress' path-traversal check
		// (non-zero means rejected), and the target must exist as a regular
		// file under one of the two plugin directories.
		if ( validate_file( $plugin_page ) ) {
			wp_die( __( 'Invalid plugin page.' ) );
		}

		// NOTE(review): htmlentities() without an explicit charset relies on
		// PHP's default; the rest of core escapes output with esc_html().
		if ( !( file_exists(WP_PLUGIN_DIR . "/$plugin_page") && is_file(WP_PLUGIN_DIR . "/$plugin_page") ) && !( file_exists(WPMU_PLUGIN_DIR . "/$plugin_page") && is_file(WPMU_PLUGIN_DIR . "/$plugin_page") ) )
			wp_die(sprintf(__('Cannot load %s.'), htmlentities($plugin_page)));

		/**
		 * Fires before a particular screen is loaded.
		 *
		 * The load-* hook fires in a number of contexts. This hook is for plugin screens
		 * where the file to load is directly included, rather than the use of a function.
		 *
		 * The dynamic portion of the hook name, `$plugin_page`, refers to the plugin basename.
		 *
		 * @see plugin_basename()
		 *
		 * @since 1.5.0
		 */
		do_action( "load-{$plugin_page}" );

		if ( !isset($_GET['noheader']))
			require_once(ABSPATH . 'wp-admin/admin-header.php');

		// Must-use plugins take precedence over regular plugins when both hold a file of this name.
		if ( file_exists(WPMU_PLUGIN_DIR . "/$plugin_page") )
			include(WPMU_PLUGIN_DIR . "/$plugin_page");
		else
			include(WP_PLUGIN_DIR . "/$plugin_page");
	}

	include(ABSPATH . 'wp-admin/admin-footer.php');

	exit();
} elseif ( isset( $_GET['import'] ) ) {

	// Importer slug straight from the query string; validated below before it
	// is used as an array key or echoed into a redirect.
	$importer = $_GET['import'];

	// Capability check comes first: only users who may import get any further.
	if ( ! current_user_can( 'import' ) ) {
		wp_die( __( 'Sorry, you are not allowed to import content.' ) );
	}

	// Reject slugs that look like paths. NOTE(review): $importer is interpolated
	// into the redirect URL without urlencode(); wp_redirect() sanitizes the URL,
	// but encoding the value here would be the safer default.
	if ( validate_file($importer) ) {
		wp_redirect( admin_url( 'import.php?invalid=' . $importer ) );
		exit;
	}

	// Only a registered importer whose handler (index 2) is callable may run.
	if ( ! isset($wp_importers[$importer]) || ! is_callable($wp_importers[$importer][2]) ) {
		wp_redirect( admin_url( 'import.php?invalid=' . $importer ) );
		exit;
	}

	/**
	 * Fires before an importer screen is loaded.
	 *
	 * The dynamic portion of the hook name, `$importer`, refers to the importer slug.
	 *
	 * @since 3.5.0
	 */
	do_action( "load-importer-{$importer}" );

	$parent_file = 'tools.php';
	$submenu_file = 'import.php';
	$title = __('Import');

	if (! isset($_GET['noheader']))
		require_once(ABSPATH . 'wp-admin/admin-header.php');

	require_once(ABSPATH . 'wp-admin/includes/upgrade.php');

	define('WP_IMPORTING', true);

	/**
	 * Whether to filter imported data through kses on import.
	 *
	 * Multisite uses this hook to filter all data through kses by default,
	 * as a super administrator may be assisting an untrusted user.
	 *
	 * @since 3.1.0
	 *
	 * @param bool $force Whether to force data to be filtered through kses. Default false.
	 */
	if ( apply_filters( 'force_filtered_html_on_import', false ) ) {
		kses_init_filters(); // Always filter imported data with kses on multisite.
	}

	// Run the importer's registered handler.
	call_user_func($wp_importers[$importer][2]);

	include(ABSPATH . 'wp-admin/admin-footer.php');

	// Make sure rules are flushed
	flush_rewrite_rules(false);

	exit();
} else {
	/**
	 * Fires before a particular screen is loaded.
	 *
	 * The load-* hook fires in a number of contexts. This hook is for core screens.
	 *
	 * The dynamic portion of the hook name, `$pagenow`, is a global variable
	 * referring to the filename of the current page, such as 'admin.php',
	 * 'post-new.php' etc. A complete hook for the latter would be
	 * 'load-post-new.php'.
	 *
	 * @since 2.1.0
	 */
	do_action( "load-{$pagenow}" );

	/*
	 * The following hooks are fired to ensure backward compatibility.
	 * In all other cases, 'load-' . $pagenow should be used instead.
	 * $typenow and $taxnow were restricted to registered names above, so only
	 * known values reach these comparisons.
	 */
	if ( $typenow == 'page' ) {
		if ( $pagenow == 'post-new.php' )
			do_action( 'load-page-new.php' );
		elseif ( $pagenow == 'post.php' )
			do_action( 'load-page.php' );
	} elseif ( $pagenow == 'edit-tags.php' ) {
		if ( $taxnow == 'category' )
			do_action( 'load-categories.php' );
		elseif ( $taxnow == 'link_category' )
			do_action( 'load-edit-link-categories.php' );
	} elseif( 'term.php' === $pagenow ) {
		do_action( 'load-edit-tags.php' );
	}
}
// Security note: the hook name below is built from raw request input. No
// validation, capability check or nonce verification happens here (the only
// guarantee is that auth_redirect() above has already required a logged-in
// user), so every callback attached to an admin_action_* hook must perform
// its own authorization and nonce check before acting.
if ( ! empty( $_REQUEST['action'] ) ) {
	/**
	 * Fires when an 'action' request variable is sent.
	 *
	 * The dynamic portion of the hook name, `$_REQUEST['action']`,
	 * refers to the action derived from the `GET` or `POST` request.
	 *
	 * @since 2.6.0
	 */
	do_action( 'admin_action_' . $_REQUEST['action'] );
}