mirror of
https://github.com/10h30/ultimatemember.git
synced 2026-07-19 06:33:50 +09:00
Custom dropdown callback functions security enhancements:
- avoid using different letter case for bypass the blacklist e.g. phpInfo - avoid using root namespace for bypass the blacklist e.g. \phpinfo
This commit is contained in:
@@ -295,7 +295,7 @@ function um_user_edit_profile( $args ) {
|
||||
|
||||
$options = array();
|
||||
if ( ! empty( $array['custom_dropdown_options_source'] ) && function_exists( $array['custom_dropdown_options_source'] ) && ! $has_custom_source ) {
|
||||
if ( ! in_array( $array['custom_dropdown_options_source'], UM()->fields()->dropdown_options_source_blacklist(), true ) ) {
|
||||
if ( ! UM()->fields()->is_source_blacklisted( $array['custom_dropdown_options_source'] ) ) {
|
||||
$callback_result = call_user_func( $array['custom_dropdown_options_source'], $array['options'] );
|
||||
if ( is_array( $callback_result ) ) {
|
||||
$options = array_keys( $callback_result );
|
||||
|
||||
Reference in New Issue
Block a user