- fixed access redirect with "redirect_to" attribute;

- fixed vulnerability with dynamic_css function and $mode variable;
This commit is contained in:
nikitozzzzzzz
2018-01-07 14:15:18 +08:00
parent 955eef5e53
commit a40b1c57e1
2 changed files with 19 additions and 19 deletions
+6 -12
View File
@@ -54,9 +54,6 @@ if ( ! class_exists( 'Access' ) ) {
//check the site's accessible more priority have Individual Post/Term Restriction settings
add_action( 'template_redirect', array( &$this, 'template_redirect' ), 1000 );
//add_action( 'um_access_global_settings', array( &$this, 'um_access_global_settings' ) );
//add_action( 'um_access_home_page', array( &$this, 'um_access_home_page' ) );
//add_action( 'um_access_taxonomy_settings', array( &$this, 'um_access_taxonomy_settings' ) );
add_action( 'um_access_check_individual_term_settings', array( &$this, 'um_access_check_individual_term_settings' ) );
add_action( 'um_access_check_global_settings', array( &$this, 'um_access_check_global_settings' ) );
}
@@ -182,6 +179,8 @@ if ( ! class_exists( 'Access' ) ) {
function um_access_check_global_settings() {
global $post;
$curr = UM()->permalinks()->get_current_url();
if ( is_front_page() ) {
if ( is_user_logged_in() ) {
@@ -191,7 +190,7 @@ if ( ! class_exists( 'Access' ) ) {
return;
$redirect_to = ! empty( $role_meta['redirect_homepage'] ) ? $role_meta['redirect_homepage'] : um_get_core_page( 'user' );
$this->redirect_handler = $this->set_referer( $redirect_to, "custom_homepage" );
$this->redirect_handler = $this->set_referer( esc_url( add_query_arg( 'redirect_to', urlencode_deep( $curr ), $redirect_to ) ), "custom_homepage" );
} else {
$access = UM()->options()->get( 'accessible' );
@@ -206,7 +205,7 @@ if ( ! class_exists( 'Access' ) ) {
if ( ! $redirect )
$redirect = um_get_core_page( 'login' );
$this->redirect_handler = $this->set_referer( $redirect, 'global' );
$this->redirect_handler = $this->set_referer( esc_url( add_query_arg( 'redirect_to', urlencode_deep( $curr ), $redirect ) ), 'global' );
} else {
$this->allow_access = true;
return;
@@ -227,7 +226,7 @@ if ( ! class_exists( 'Access' ) ) {
if ( ! $redirect )
$redirect = um_get_core_page( 'login' );
$this->redirect_handler = $this->set_referer( $redirect, 'global' );
$this->redirect_handler = $this->set_referer( esc_url( add_query_arg( 'redirect_to', urlencode_deep( $curr ), $redirect ) ), 'global' );
} else {
$this->allow_access = true;
return;
@@ -263,7 +262,7 @@ if ( ! class_exists( 'Access' ) ) {
if ( ! $redirect )
$redirect = um_get_core_page( 'login' );
$this->redirect_handler = $this->set_referer( $redirect, 'global' );
$this->redirect_handler = $this->set_referer( esc_url( add_query_arg( 'redirect_to', urlencode_deep( $curr ), $redirect ) ), 'global' );
} else {
$this->redirect_handler = false;
$this->allow_access = true;
@@ -307,11 +306,6 @@ if ( ! class_exists( 'Access' ) ) {
//check global restrict content options
do_action( 'um_access_check_global_settings' );
/*var_dump($this->allow_access);
var_dump($this->redirect_handler);
var_dump('12345678');
exit;*/
$this->check_access();
}
+13 -7
View File
@@ -351,13 +351,14 @@ if ( ! class_exists( 'Shortcodes' ) ) {
}
/**
* Load dynamic css
*
* @param array $args
*/
/**
* Load dynamic css
*
* @param array $args
*
* @return string
*/
function dynamic_css( $args = array() ) {
/*
* for fix the issue #306
*/
@@ -365,16 +366,21 @@ if ( ! class_exists( 'Shortcodes' ) ) {
if ( $disable_css )
return '';
/**
* @var $mode
*/
extract( $args );
include_once um_path . 'assets/dynamic_css/dynamic_global.php';
if ( isset( $mode ) ) {
if ( isset( $mode ) && in_array( $mode, array( 'profile', 'directory' ) ) ) {
$file = um_path . 'assets/dynamic_css/dynamic_' . $mode . '.php';
if ( file_exists( $file ) )
include_once $file;
}
return '';
}