<?php
/**
 * Add Site Administration Screen
 *
 * Network-admin screen on which a Super Admin creates a new site for the
 * network and, when the given admin email is unknown, its owning user.
 *
 * @package WordPress
 * @subpackage Multisite
 * @since 3.1.0
 */

/** Load WordPress Administration Bootstrap */
require_once dirname( __FILE__ ) . '/admin.php';

/** WordPress Translation Install API */
require_once ABSPATH . 'wp-admin/includes/translation-install.php';

// The screen is meaningless outside a multisite network.
if ( ! is_multisite() ) {
	wp_die( __( 'Multisite support is not enabled.' ) );
}

// Gate on the network-level capability before any request data is looked at.
if ( ! current_user_can( 'manage_sites' ) ) {
	wp_die( __( 'Sorry, you are not allowed to add sites to this network.' ) );
}
// Contextual help for this screen: an "Overview" tab plus the sidebar links.
get_current_screen()->add_help_tab( array(
	'id'      => 'overview',
	'title'   => __( 'Overview' ),
	'content' =>
		'<p>' . __( 'This screen is for Super Admins to add new sites to the network. This is not affected by the registration settings.' ) . '</p>' .
		'<p>' . __( 'If the admin email for the new site does not exist in the database, a new user will also be created.' ) . '</p>',
) );

get_current_screen()->set_help_sidebar(
	'<p><strong>' . __( 'For more information:' ) . '</strong></p>' .
	'<p>' . __( '<a href="https://codex.wordpress.org/Network_Admin_Sites_Screen" target="_blank">Documentation on Site Management</a>' ) . '</p>' .
	'<p>' . __( '<a href="https://wordpress.org/support/forum/multisite/" target="_blank">Support Forums</a>' ) . '</p>'
);
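if ( isset( $_REQUEST['action'] ) && 'add-site' === $_REQUEST['action'] ) {
	// CSRF protection: the nonce is emitted by wp_nonce_field() in the form further down.
	check_admin_referer( 'add-blog', '_wpnonce_add-blog' );

	// Every site field is posted as blog[...]; anything else is a malformed request.
	// Checking isset() first avoids an undefined-index notice on a bare POST.
	if ( ! isset( $_POST['blog'] ) || ! is_array( $_POST['blog'] ) ) {
		wp_die( __( 'Can’t create an empty site.' ) );
	}

	$blog = $_POST['blog'];

	// Only a plain string of letters, digits and hyphens is accepted as the site address.
	// A missing or non-string value (e.g. blog[domain][]=x) leaves $domain empty and is
	// rejected below, instead of feeding preg_match() a non-string.
	$domain = '';
	if ( isset( $blog['domain'] ) && is_string( $blog['domain'] ) && preg_match( '|^([a-zA-Z0-9-])+$|', $blog['domain'] ) ) {
		$domain = strtolower( $blog['domain'] );
	}

	// If not a subdomain install, make sure the domain isn't a reserved word
	if ( ! is_subdomain_install() ) {
		$subdirectory_reserved_names = get_subdirectory_reserved_names();

		if ( in_array( $domain, $subdirectory_reserved_names, true ) ) {
			wp_die(
				/* translators: %s: reserved names list */
				sprintf( __( 'The following words are reserved for use by WordPress functions and cannot be used as blog names: %s' ),
					'<code>' . implode( '</code>, <code>', $subdirectory_reserved_names ) . '</code>'
				)
			);
		}
	}

	$title = isset( $blog['title'] ) ? $blog['title'] : '';

	$meta = array(
		'public' => 1,
	);

	// Handle translation install for the new site.
	if ( ! empty( $_POST['WPLANG'] ) && wp_can_install_language_pack() ) {
		$language = wp_download_language_pack( wp_unslash( $_POST['WPLANG'] ) );
		if ( $language ) {
			$meta['WPLANG'] = $language;
		}
	}

	if ( empty( $domain ) ) {
		wp_die( __( 'Missing or invalid site address.' ) );
	}

	// A missing, non-string or blank email is rejected before it reaches sanitize_email().
	if ( ! isset( $blog['email'] ) || ! is_string( $blog['email'] ) || '' === trim( $blog['email'] ) ) {
		wp_die( __( 'Missing email address.' ) );
	}

	$email = sanitize_email( $blog['email'] );
	if ( ! is_email( $email ) ) {
		wp_die( __( 'Invalid email address.' ) );
	}

	// Build the new site's domain/path from the network's own domain and path.
	if ( is_subdomain_install() ) {
		$newdomain = $domain . '.' . preg_replace( '|^www\.|', '', $current_site->domain );
		$path      = $current_site->path;
	} else {
		$newdomain = $current_site->domain;
		$path      = $current_site->path . $domain . '/';
	}

	$password = 'N/A';
	$user_id  = email_exists( $email );
	if ( ! $user_id ) { // Create a new user with a random password
		/**
		 * Fires immediately before a new user is created via the network site-new.php page.
		 *
		 * @since 4.5.0
		 *
		 * @param string $email Email of the non-existent user.
		 */
		do_action( 'pre_network_site_new_created_user', $email );

		// The site address doubles as the new login name, so it must not already be taken.
		$user_id = username_exists( $domain );
		if ( $user_id ) {
			wp_die( __( 'The domain or path entered conflicts with an existing username.' ) );
		}
		$password = wp_generate_password( 12, false );
		$user_id  = wpmu_create_user( $domain, $password, $email );
		if ( false === $user_id ) {
			wp_die( __( 'There was an error creating the user.' ) );
		}

		/**
		 * Fires after a new user has been created via the network site-new.php page.
		 *
		 * @since 4.4.0
		 *
		 * @param int $user_id ID of the newly created user.
		 */
		do_action( 'network_site_new_created_user', $user_id );
	}

	// Suppress raw database error output during creation; failures come back as a WP_Error.
	$wpdb->hide_errors();
	$id = wpmu_create_blog( $newdomain, $path, $title, $user_id, $meta, $current_site->id );
	$wpdb->show_errors();
	if ( ! is_wp_error( $id ) ) {
		if ( ! is_super_admin( $user_id ) && ! get_user_option( 'primary_blog', $user_id ) ) {
			update_user_option( $user_id, 'primary_blog', $id, true );
		}

		wp_mail(
			get_site_option( 'admin_email' ),
			sprintf(
				/* translators: %s: network name */
				__( '[%s] New Site Created' ),
				$current_site->site_name
			),
			sprintf(
				/* translators: 1: user login, 2: site url, 3: site name/title */
				__( 'New site created by %1$s

Address: %2$s
Name: %3$s' ),
				$current_user->user_login,
				get_site_url( $id ),
				wp_unslash( $title )
			),
			sprintf(
				'From: "%1$s" <%2$s>',
				_x( 'Site Admin', 'email "From" field' ),
				get_site_option( 'admin_email' )
			)
		);
		wpmu_welcome_notification( $id, $user_id, $password, $title, array( 'public' => 1 ) );
		wp_redirect( add_query_arg( array( 'update' => 'added', 'id' => $id ), 'site-new.php' ) );
		exit;
	} else {
		wp_die( $id->get_error_message() );
	}
}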
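if ( isset( $_GET['update'] ) ) {
	$messages = array();
	if ( 'added' === $_GET['update'] ) {
		// The post-creation redirect appends the new site's ID. absint() reduces whatever
		// arrived to a non-negative integer; a missing id falls back to 0 without a notice.
		$new_site_id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
		$messages[]  = sprintf(
			/* translators: 1: dashboard url, 2: network admin edit url */
			__( 'Site added. <a href="%1$s">Visit Dashboard</a> or <a href="%2$s">Edit Site</a>' ),
			esc_url( get_admin_url( $new_site_id ) ),
			esc_url( network_admin_url( 'site-info.php?id=' . $new_site_id ) )
		);
	}
}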
// Screen title and parent menu entry consumed by admin-header.php.
$title       = __( 'Add New Site' );
$parent_file = 'sites.php';

// Presumably backs the wp-suggest-user autocomplete on the Admin Email field below.
wp_enqueue_script( 'user-suggest' );

require ABSPATH . 'wp-admin/admin-header.php';
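?>

<div class="wrap">
<h1 id="add-new-site"><?php _e( 'Add New Site' ); ?></h1>
<?php
// $messages is only populated when the page was reached via the post-creation redirect.
if ( ! empty( $messages ) ) {
	foreach ( $messages as $msg ) {
		echo '<div id="message" class="updated notice is-dismissible"><p>' . $msg . '</p></div>';
	}
} ?>
<form method="post" action="<?php echo esc_url( network_admin_url( 'site-new.php?action=add-site' ) ); ?>" novalidate="novalidate">
<?php wp_nonce_field( 'add-blog', '_wpnonce_add-blog' ) ?>
<table class="form-table">
	<tr class="form-field form-required">
		<th scope="row"><label for="site-address"><?php _e( 'Site Address (URL)' ) ?></label></th>
		<td>
		<?php if ( is_subdomain_install() ) { ?>
			<input name="blog[domain]" type="text" class="regular-text" id="site-address" aria-describedby="site-address-desc" autocapitalize="none" autocorrect="off"/><span class="no-break">.<?php echo esc_html( preg_replace( '|^www\.|', '', $current_site->domain ) ); ?></span>
		<?php } else {
			// Network domain/path come from network configuration; escaped anyway since this is HTML context.
			echo esc_html( $current_site->domain . $current_site->path ) ?><input name="blog[domain]" type="text" class="regular-text" id="site-address" aria-describedby="site-address-desc" autocapitalize="none" autocorrect="off" />
		<?php }
		echo '<p class="description" id="site-address-desc">' . __( 'Only lowercase letters (a-z), numbers, and hyphens are allowed.' ) . '</p>';
		?>
		</td>
	</tr>
	<tr class="form-field form-required">
		<th scope="row"><label for="site-title"><?php _e( 'Site Title' ) ?></label></th>
		<td><input name="blog[title]" type="text" class="regular-text" id="site-title" /></td>
	</tr>
	<?php
	$languages    = get_available_languages();
	$translations = wp_get_available_translations();
	if ( ! empty( $languages ) || ! empty( $translations ) ) :
	?>
	<tr class="form-field form-required">
		<th scope="row"><label for="site-language"><?php _e( 'Site Language' ); ?></label></th>
		<td>
			<?php
			// Network default.
			$lang = get_site_option( 'WPLANG' );

			// Use English if the default isn't available. Strict comparison: an unset option
			// comes back as false, which must not match a language code loosely.
			if ( ! in_array( $lang, $languages, true ) ) {
				$lang = '';
			}

			wp_dropdown_languages( array(
				'name'                        => 'WPLANG',
				'id'                          => 'site-language',
				'selected'                    => $lang,
				'languages'                   => $languages,
				'translations'                => $translations,
				'show_available_translations' => wp_can_install_language_pack(),
			) );
			?>
		</td>
	</tr>
	<?php endif; // Languages. ?>
	<tr class="form-field form-required">
		<th scope="row"><label for="admin-email"><?php _e( 'Admin Email' ) ?></label></th>
		<td><input name="blog[email]" type="email" class="regular-text wp-suggest-user" id="admin-email" data-autocomplete-type="search" data-autocomplete-field="user_email" /></td>
	</tr>
	<tr class="form-field">
		<td colspan="2"><?php _e( 'A new user will be created if the above email address is not in the database.' ) ?><br /><?php _e( 'The username and password will be mailed to this email address.' ) ?></td>
	</tr>
</table>

<?php
/**
 * Fires at the end of the new site form in network admin.
 *
 * @since 4.5.0
 */
do_action( 'network_site_new_form' );

submit_button( __( 'Add Site' ), 'primary', 'add-site' );
?>
</form>
</div>
<?php
require ABSPATH . 'wp-admin/admin-footer.php';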