rpms/wordpress-mu/EL-5 cve-2009-2334.patch, NONE, 1.1 wordpress-mu.spec, 1.7, 1.8
Bret Richard McMillan
bretm at fedoraproject.org
Fri Jul 10 18:40:36 UTC 2009
Author: bretm
Update of /cvs/pkgs/rpms/wordpress-mu/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29409
Modified Files:
wordpress-mu.spec
Added Files:
cve-2009-2334.patch
Log Message:
patch added for cve-2009-2334
cve-2009-2334.patch:
--- NEW FILE cve-2009-2334.patch ---
diff --git a/wp-admin/includes/plugin.php b/wp-admin/includes/plugin.php
index 796c4c9..1dd38ce 100644
--- a/wp-admin/includes/plugin.php
+++ b/wp-admin/includes/plugin.php
@@ -541,7 +541,7 @@ function uninstall_plugin($plugin) {
//
function add_menu_page( $page_title, $menu_title, $access_level, $file, $function = '', $icon_url = '' ) {
- global $menu, $admin_page_hooks;
+ global $menu, $admin_page_hooks, $_registered_pages;
$file = plugin_basename( $file );
@@ -556,11 +556,13 @@ function add_menu_page( $page_title, $menu_title, $access_level, $file, $functio
$menu[] = array ( $menu_title, $access_level, $file, $page_title, 'menu-top ' . $hookname, $hookname, $icon_url );
+ $_registered_pages[$hookname] = true;
+
return $hookname;
}
function add_object_page( $page_title, $menu_title, $access_level, $file, $function = '', $icon_url = '') {
- global $menu, $admin_page_hooks, $_wp_last_object_menu;
+ global $menu, $admin_page_hooks, $_wp_last_object_menu, $_registered_pages;
$file = plugin_basename( $file );
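Review bot: The new `$_registered_pages[$hookname] = true;` line in add_menu_page() has no comment explaining that this global is the allow-list later read by user_can_access_admin_page(). The same undocumented line is repeated in the add_object_page(), add_utility_page() and add_submenu_page() hunks. I would add above each one `// Record the hook so user_can_access_admin_page() can reject plugin pages that were never registered.` Because four functions must stay in sync for the access check to hold, a small shared helper would also make it harder for a future add_*_page() variant to skip the registration. The bodies of these functions are only partly visible in the hunks.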
@@ -577,11 +579,13 @@ function add_object_page( $page_title, $menu_title, $access_level, $file, $funct
$menu[$_wp_last_object_menu] = array ( $menu_title, $access_level, $file, $page_title, 'menu-top ' . $hookname, $hookname, $icon_url );
+ $_registered_pages[$hookname] = true;
+
return $hookname;
}
function add_utility_page( $page_title, $menu_title, $access_level, $file, $function = '', $icon_url = '') {
- global $menu, $admin_page_hooks, $_wp_last_utility_menu;
+ global $menu, $admin_page_hooks, $_wp_last_utility_menu, $_registered_pages;
$file = plugin_basename( $file );
@@ -598,6 +602,8 @@ function add_utility_page( $page_title, $menu_title, $access_level, $file, $func
$menu[$_wp_last_utility_menu] = array ( $menu_title, $access_level, $file, $page_title, 'menu-top ' . $hookname, $hookname, $icon_url );
+ $_registered_pages[$hookname] = true;
+
return $hookname;
}
@@ -606,6 +612,7 @@ function add_submenu_page( $parent, $page_title, $menu_title, $access_level, $fi
global $menu;
global $_wp_real_parent_file;
global $_wp_submenu_nopriv;
+ global $_registered_pages;
$file = plugin_basename( $file );
@@ -635,6 +642,8 @@ function add_submenu_page( $parent, $page_title, $menu_title, $access_level, $fi
if (!empty ( $function ) && !empty ( $hookname ))
add_action( $hookname, $function );
+ $_registered_pages[$hookname] = true;
+
return $hookname;
}
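Review bot: In add_submenu_page() the registration is unconditional, while the `add_action()` call two lines above it is guarded by `!empty ( $hookname )`. If `$hookname` can be empty here (get_plugin_page_hookname() is not visible, so this is unconfirmed), the empty key would be written into the allow-list. Registering under the same guard keeps the two consistent: `if ( !empty ( $hookname ) ) $_registered_pages[$hookname] = true;`. The rest of the function body is outside this hunk.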
@@ -859,14 +868,21 @@ function user_can_access_admin_page() {
global $_wp_menu_nopriv;
global $_wp_submenu_nopriv;
global $plugin_page;
+ global $_registered_pages;
$parent = get_admin_page_parent();
- if ( isset( $_wp_submenu_nopriv[$parent][$pagenow] ) )
+ if ( !isset( $plugin_page ) && isset( $_wp_submenu_nopriv[$parent][$pagenow] ) )
return false;
- if ( isset( $plugin_page ) && isset( $_wp_submenu_nopriv[$parent][$plugin_page] ) )
- return false;
+ if ( isset( $plugin_page ) ) {
+ if ( isset( $_wp_submenu_nopriv[$parent][$plugin_page] ) )
+ return false;
+
+ $hookname = get_plugin_page_hookname($plugin_page, $parent);
+ if ( !isset($_registered_pages[$hookname]) )
+ return false;
+ }
if ( empty( $parent) ) {
if ( isset( $_wp_menu_nopriv[$pagenow] ) )
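Review bot: The new allow-list check in user_can_access_admin_page() reads the global `$_registered_pages`, but nothing in this patch initialises it. The check fails closed when the global is unset, which is good, but its contents should come only from the add_*_page() functions. I would set `$_registered_pages = array();` at a point that runs before any plugin registers a menu, so the array always starts from a known empty state. A comment on the new block such as `// Deny any plugin page whose hook was not registered through add_*_page().` would also make the intent clear. The function starts and ends outside this hunk.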
@@ -875,6 +891,8 @@ function user_can_access_admin_page() {
return false;
if ( isset( $plugin_page ) && isset( $_wp_submenu_nopriv[$pagenow][$plugin_page] ) )
return false;
+ if ( isset( $plugin_page ) && isset( $_wp_menu_nopriv[$plugin_page] ) )
+ return false;
foreach (array_keys( $_wp_submenu_nopriv ) as $key ) {
if ( isset( $_wp_submenu_nopriv[$key][$pagenow] ) )
return false;
@@ -884,6 +902,9 @@ function user_can_access_admin_page() {
return true;
}
+ if ( isset( $plugin_page ) && ( $plugin_page == $parent ) && isset( $_wp_menu_nopriv[$plugin_page] ) )
+ return false;
+
if ( isset( $submenu[$parent] ) ) {
foreach ( $submenu[$parent] as $submenu_array ) {
if ( isset( $plugin_page ) && ( $submenu_array[2] == $plugin_page ) ) {
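Review bot: The added top-level check compares `$plugin_page == $parent` with a loose comparison inside an access-control decision. Both values are presumably strings (get_admin_page_parent() is not visible here), and PHP compares numeric-looking strings by value under `==`, so two different page names can compare equal. I would use `( $plugin_page === $parent )` in the new line. The context line below it, `$submenu_array[2] == $plugin_page`, has the same pattern and could be tightened in a follow-up.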
Index: wordpress-mu.spec
===================================================================
RCS file: /cvs/pkgs/rpms/wordpress-mu/EL-5/wordpress-mu.spec,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -p -r1.7 -r1.8
--- wordpress-mu.spec 25 Feb 2009 19:01:23 -0000 1.7
+++ wordpress-mu.spec 10 Jul 2009 18:40:36 -0000 1.8
@@ -2,12 +2,13 @@ Summary: WordPress-MU multi-user bloggin
URL: http://mu.wordpress.org/latest.tar.gz
Name: wordpress-mu
Version: 2.7
-Release: 5%{?dist}
+Release: 6%{?dist}
Group: Applications/Publishing
License: GPLv2
Source0: %{name}-%{version}.tar.gz
Source1: wordpress-mu-httpd-conf
Source2: README.fedora.wordpress-mu
+Patch0: cve-2009-2334.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: php >= 4.1.0, httpd, php-mysql
BuildArch: noarch
@@ -18,6 +19,7 @@ one instance to serve multiple users.
%prep
%setup -q -n wordpress-mu
+%patch0 -p1 -b .patch1
# disable-wordpress-core-update, updates are always installed via rpm
#
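Review bot: `%patch0 -p1 -b .patch1` leaves a backup of the unpatched file, `wp-admin/includes/plugin.php.patch1`, in the build tree. The %install section is outside this hunk, so this is unconfirmed, but if it copies the source tree wholesale the pre-fix copy would be packaged and installed under the web root alongside the patched one. I would either drop the backup suffix, `%patch0 -p1`, or delete the `*.patch1` files before the install step.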
@@ -98,6 +100,9 @@ rm -rf %{buildroot}
%dir %{_sysconfdir}/wordpress-mu
%changelog
+* Fri Jul 10 2009 Bret McMillan <bretm at redhat.com> - 2.7-6
+- Patch for CVE-2009-2334
+
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild