diff --git a/class.add-from-server.php b/class.add-from-server.php index b63afe5..e0031f9 100644 --- a/class.add-from-server.php +++ b/class.add-from-server.php @@ -66,35 +66,9 @@ function menu_page() { } function get_root() { - // Lock users to either - // a) The 'ADD_FROM_SERVER' constant. - // b) Their home directory. - // c) The parent directory of the current install or wp-content directory. - - if ( defined( 'ADD_FROM_SERVER' ) ) { - $root = ADD_FROM_SERVER; - } elseif ( str_starts_with( __FILE__, '/home/' ) ) { - $root = implode( '/', array_slice( explode( '/', __FILE__ ), 0, 3 ) ); - } else { - if ( str_starts_with( WP_CONTENT_DIR, ABSPATH ) ) { - $root = dirname( ABSPATH ); - } else { - $root = dirname( WP_CONTENT_DIR ); - } - } - - // Precautions. The user is using the folder placeholder code. Abort for lower-privledge users. - if ( - str_contains( get_option( 'frmsvr_root', '%' ), '%' ) - && - ! defined( 'ADD_FROM_SERVER' ) - && - ! current_user_can( 'unfiltered_html' ) - ) { - $root = false; - } - - return $root; + // Lock users to WP_CONTENT_DIR for security. + // For multisite, wp_upload_dir() will return the individual site's upload directory. + return WP_CONTENT_DIR; } function path_selection_cookie() { @@ -139,6 +113,11 @@ function handle_imports() { continue; } + // Security: Ensure the file is within WP_CONTENT_DIR + if ( ! str_starts_with( wp_normalize_path( $filename ), wp_normalize_path( $root ) ) ) { + continue; + } + $id = $this->handle_import_file( $filename ); if ( is_wp_error( $id ) ) { @@ -317,13 +296,8 @@ function handle_import_file( $file ) { } protected function get_default_dir() { - $root = $this->get_root(); - - if ( str_starts_with( WP_CONTENT_DIR, $root ) ) { - return WP_CONTENT_DIR; - } - - return $root; + // Always start at WP_CONTENT_DIR + return WP_CONTENT_DIR; } // Create the content for the page 
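Review bot: The new comment in get_root() says wp_upload_dir() will return each multisite site's own upload directory, but the function returns WP_CONTENT_DIR unconditionally and nothing in this hunk calls wp_upload_dir() or is_multisite(), so on a network every site admin is rooted at the shared wp-content and can browse other sites' uploads. The readme hunk in this same commit promises per-site limiting as well, so either enforce it, `return is_multisite() ? wp_upload_dir()['basedir'] : WP_CONTENT_DIR;`, or reword the comment and readme to match what the code does. The old `$root = false` outcome for low-privilege users is gone; if any callers outside this hunk still test for a false root, that branch is now dead.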
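Review bot: The containment check added in handle_imports() is a plain prefix comparison, so it accepts paths that are outside the root but share its prefix: wp_normalize_path() only normalises slashes and does not resolve `..` segments or symlinks, and because the root is not slash-terminated a sibling directory whose name begins with the root's name also passes. Since the file must exist to be imported, resolve both sides with realpath() (rejecting a false result) and compare against a slash-terminated root via trailingslashit(). `$root` is assigned outside the hunk; I am assuming it comes from get_root(), and the enclosing loop starts before the hunk.
```php
		// Security: Ensure the file is within the root (resolve symlinks and '..' before comparing).
		$real_root = realpath( $root );
		$real_file = realpath( $filename );
		if (
			false === $real_root
			|| false === $real_file
			|| ! str_starts_with( wp_normalize_path( $real_file ), trailingslashit( wp_normalize_path( $real_root ) ) )
		) {
			continue;
		}
		// … unchanged: handle_import_file() call and error handling …
```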
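Review bot: get_default_dir() now repeats the WP_CONTENT_DIR literal instead of delegating to get_root(), so the directory the browser starts in and the root that handle_imports() enforces can drift apart if the root policy changes again (for example to a per-site upload directory on multisite). Prefer `return $this->get_root();` so there is a single source of truth for the allowed root.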
@@ -601,13 +575,11 @@ function outdated_options_notice() { $old_root && str_contains( $old_root, '%' ) - && - ! defined( 'ADD_FROM_SERVER' ) ) { printf( '

%s

', 'You previously used the "Root Directory" option with a placeholder, such as "%username% or "%role%".
' . - 'Unfortunately this feature is no longer supported. As a result, Add From Server has been disabled for users who have restricted upload privledges.
' . + 'Unfortunately this feature is no longer supported. Add From Server is now limited to the wp-content directory for security reasons.
' . 'To make this warning go away, empty the "frmsvr_root" option on options.php.' ); } @@ -617,8 +589,7 @@ function outdated_options_notice() { '

%s

', 'Warning: Root Directory changed. You previously used ' . esc_html( $old_root ) . ' as your "Root Directory", ' . 'this has been changed to ' . esc_html( $this->get_root() ) . '.
' . - 'To restore your previous settings, add the following line to your wp-config.php file:
' . - 'define( "ADD_FROM_SERVER", "' . $old_root . '" );
' . + 'Add From Server is now limited to the wp-content directory for security reasons.
' . 'To make this warning go away, empty the "frmsvr_root" option on options.php.' ); } diff --git a/readme.md b/readme.md index 1b313ea..6821003 100644 --- a/readme.md +++ b/readme.md @@ -62,10 +62,9 @@ https://developer.wordpress.org/cli/commands/media/import/ ## Frequently Asked Questions ### How can I import files from other folders? -In 3.4, the plugin changed to limit the directories you can import files from. -If you wish to import files from other folders, you need to add the ADD_FROM_SERVER constant to your wp-config.php file. -For example: -`define( 'ADD_FROM_SERVER', '/www/' );` +For security reasons, Add From Server is now limited to the `wp-content` directory. +Files can only be imported from within the WordPress content directory. +For multisite installations, each site is limited to its own upload directory. ### Why does the file I want to import have a red background? WordPress only allows the importing/uploading of certain file types to improve your security.