diff --git a/class.add-from-server.php b/class.add-from-server.php
index b63afe5..e0031f9 100644
--- a/class.add-from-server.php
+++ b/class.add-from-server.php
@@ -66,35 +66,9 @@ function menu_page() {
 }
 function get_root() {
- // Lock users to either
- // a) The 'ADD_FROM_SERVER' constant.
- // b) Their home directory.
- // c) The parent directory of the current install or wp-content directory.
-
- if ( defined( 'ADD_FROM_SERVER' ) ) {
- $root = ADD_FROM_SERVER;
- } elseif ( str_starts_with( __FILE__, '/home/' ) ) {
- $root = implode( '/', array_slice( explode( '/', __FILE__ ), 0, 3 ) );
- } else {
- if ( str_starts_with( WP_CONTENT_DIR, ABSPATH ) ) {
- $root = dirname( ABSPATH );
- } else {
- $root = dirname( WP_CONTENT_DIR );
- }
- }
-
- // Precautions. The user is using the folder placeholder code. Abort for lower-privledge users.
- if (
- str_contains( get_option( 'frmsvr_root', '%' ), '%' )
- &&
- ! defined( 'ADD_FROM_SERVER' )
- &&
- ! current_user_can( 'unfiltered_html' )
- ) {
- $root = false;
- }
-
- return $root;
+ // Lock users to WP_CONTENT_DIR for security.
+ // For multisite, wp_upload_dir() will return the individual site's upload directory.
+ return WP_CONTENT_DIR;
 }
 function path_selection_cookie() {
@@ -139,6 +113,11 @@ function handle_imports() {
 continue;
 }
+ // Security: Ensure the file is within WP_CONTENT_DIR
+ if ( ! str_starts_with( wp_normalize_path( $filename ), wp_normalize_path( $root ) ) ) {
+ continue;
+ }
+
 $id = $this->handle_import_file( $filename );
 if ( is_wp_error( $id ) ) {
@@ -317,13 +296,8 @@ function handle_import_file( $file ) {
 }
 protected function get_default_dir() {
- $root = $this->get_root();
-
- if ( str_starts_with( WP_CONTENT_DIR, $root ) ) {
- return WP_CONTENT_DIR;
- }
-
- return $root;
+ // Always start at WP_CONTENT_DIR
+ return WP_CONTENT_DIR;
 }
 // Create the content for the page
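Review bot: The new comment in get_root() refers to wp_upload_dir(), but the method never calls it and returns WP_CONTENT_DIR unconditionally, so the multisite remark describes code that is not here and will mislead the next maintainer. I would replace the two comment lines with `// Root is pinned to WP_CONTENT_DIR; the ADD_FROM_SERVER constant, the home-directory heuristic and the stored frmsvr_root option are no longer consulted.` so the dropped behaviour (including the old unfiltered_html guard) is recorded where someone will look for it. Bear in mind that WP_CONTENT_DIR usually holds far more than uploads (plugin and theme source, debug logs, backup archives written by other plugins), and importing such a file into the media library makes it publicly reachable; if the intended scope is really only media, a sentence in the comment saying why the whole of wp-content is allowed, or a further restriction to the uploads directory, would be appropriate.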
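Review bot: The new containment check in handle_imports() compares normalised strings only, so a path such as `WP_CONTENT_DIR . '/../wp-config.php'`, or a symlink inside wp-content pointing outside it, still passes str_starts_with(), because wp_normalize_path() neither collapses `..` segments nor follows symlinks; a sibling directory whose name merely begins with the root (e.g. `wp-content-old`) passes as well because the root carries no trailing separator. Unless $filename is already canonicalised earlier in the loop, which lies outside the hunk, both sides should be resolved with realpath() and the root compared with a trailing slash, as sketched below. The loop body, and where $root is assigned, continue outside the hunk.
```php
// Security: ensure the resolved file really lives under the root (defeats `..` and symlink escapes).
$real_file = realpath( $filename );
$real_root = realpath( $root );
if (
	false === $real_file
	|| false === $real_root
	|| ! str_starts_with( wp_normalize_path( $real_file ), trailingslashit( wp_normalize_path( $real_root ) ) )
) {
	continue;
}
// … unchanged: $id = $this->handle_import_file( $filename ); and the is_wp_error() handling …
```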
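Review bot: get_default_dir() now hard-codes WP_CONTENT_DIR a second time instead of deriving it from get_root(), so the root and the default browsing directory can silently diverge if either is changed later. `return $this->get_root();` with the comment `// The default directory is the root itself.` keeps a single source of truth and reads as the same intent. This is a style point only; for the code shown the behaviour is identical.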
@@ -601,13 +575,11 @@ function outdated_options_notice() { $old_root && str_contains( $old_root, '%' ) - && - ! defined( 'ADD_FROM_SERVER' ) ) { printf( '
%s
%s
' . esc_html( $old_root ) . ' as your "Root Directory", ' .
'this has been changed to ' . esc_html( $this->get_root() ) . '.wp-config.php file:define( "ADD_FROM_SERVER", "' . $old_root . '" );