Custom dropdown callback functions security enhancements:

- avoid using different letter case for bypass the blacklist e.g. phpInfo
- avoid using root namespace for bypass the blacklist e.g. \phpinfo
This commit is contained in:
Nikita Sinelnikov
2022-11-09 03:17:23 +02:00
parent 096a1caf27
commit 2004aa7dde
6 changed files with 31 additions and 12 deletions
+1 -1
View File
@@ -148,7 +148,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
wp_send_json( $arr_options );
}
if ( in_array( $ajax_source_func, UM()->fields()->dropdown_options_source_blacklist(), true ) ) {
if ( UM()->fields()->is_source_blacklisted( $ajax_source_func ) ) {
$arr_options['status'] = 'error';
$arr_options['message'] = __( 'This is not possible for security reasons.', 'ultimate-member' );