Change wp_load_image for wp_get_image_editor

clean $_GET and $_POST

MF_GetDuplicate.php

@@ -26,10 +26,10 @@ function resolve() {
 										);
 		}else{
 
-		 	$customFieldId = $_POST['customFieldId'];
-			$groupCounter = $_POST['groupCounter'];
-			$fieldCounter = $_POST['fieldCounter'];
-			$groupId = $_POST['groupId'];
+		 	$customFieldId = (int)$_POST['customFieldId'];
+			$groupCounter = (int)$_POST['groupCounter'];
+			$fieldCounter = (int)$_POST['fieldCounter'];
+			$groupId = (int)$_POST['groupId'];
 			RCCWP_WritePostPage::CustomFieldInterface(
 														$customFieldId, 
 														$groupCounter, 

MF_GetFile.php

@@ -102,8 +102,9 @@ function downloadFile(){
 		if ($fp_source = @fopen($url, 'rb')) {
 			//Get target filename
 			$exploded_url = explode('.', $url);
-			$ext = array_pop( $exploded_url );	
-			$filename = time() . '_' . str_replace( 'rc_cwp_meta_', '', $_POST["input_name"]) . '.' . $ext;
+			$ext = array_pop( $exploded_url );
+			$input_name = filter_var($_POST["input_name"], FILTER_SANITIZE_SPECIAL_CHARS);
+			$filename = time() . '_' . str_replace( 'rc_cwp_meta_', '', $input_name) . '.' . $ext;
 
 			$directory = MF_FILES_PATH;
 

MF_ImageMedia.php

@@ -22,10 +22,12 @@ function get_info() {
     	}
 
     	// remove text aditional in attachment
-		$image_id = preg_replace('/del_attachment_/','',$_POST['image_id']);
+        $image_id = filter_var($_POST['image_id'], FILTER_SANITIZE_SPECIAL_CHARS);
+		$image_id = preg_replace('/del_attachment_/','',$image_id);
 		$info = wp_get_attachment_image_src($image_id,'original');
 
-		$field_id = preg_replace('/thumb_/','',$_POST['field_id']);
+        $field_id = filter_var($_POST['field_id'], FILTER_SANITIZE_SPECIAL_CHARS);
+		$field_id = preg_replace('/thumb_/','',$field_id);
 
 		if( count($info) ){
 			$image_thumb = PHPTHUMB.'?&w=150&h=120&src='.$info[0];

MF_ManageWritePanels.php

@@ -60,8 +60,8 @@ function change_botton_new_in_manage($where){
       </script>",
       $type_add_new[$parent_file],
       $contact,
-      $_GET['custom-write-panel-id'],
-      $_GET['custom-write-panel-id'],
+      (int)$_GET['custom-write-panel-id'],
+      (int)$_GET['custom-write-panel-id'],
       wp_create_nonce('unlink-write-panel')
       );
 
@@ -91,12 +91,12 @@ function change_number_manage($where){
 		if(is_wp30()){
 			$ver = '30';
 			$post_type = 'post';
-			if( isset($_GET['post_type']) ) $post_type = $_GET['post_type'];
+			if( isset($_GET['post_type']) ) $post_type = filter_var($_GET['post_type'], FILTER_SANITIZE_SPECIAL_CHARS);
 		}else{
 			$ver = '29';
 			$post_type = $parent_file;
 		}
-    $num_posts_mf = RCCWP_CustomWritePanel::GetCountPstWritePanel($_GET['custom-write-panel-id']);
+    $num_posts_mf = RCCWP_CustomWritePanel::GetCountPstWritePanel((int)$_GET['custom-write-panel-id']);
     printf("
       <script type=\"text/javascript\">
       //<![CDATA[
@@ -114,7 +114,7 @@ function change_number_manage($where){
       $num_posts_mf->trash,
       $num_posts_mf->future,
       $post_type ,
-      $_GET['custom-write-panel-id']
+      (int)$_GET['custom-write-panel-id']
     );
     $_SESSION['change_number_manage'] = "1"; 
   }
@@ -131,7 +131,7 @@ function change_title_manage($where){
   }
   if(isset($_GET['custom-write-panel-id'])){
 
-    $write_panel = RCCWP_CustomWritePanel::Get($_GET['custom-write-panel-id']);
+    $write_panel = RCCWP_CustomWritePanel::Get((int)$_GET['custom-write-panel-id']);
     printf("
       <script type=\"text/javascript\">
       //<![CDATA[
@@ -160,7 +160,7 @@ function add_input_search_manage($where){
 
   if(isset($_GET['custom-write-panel-id'])){
 
-    $write_panel = RCCWP_CustomWritePanel::Get($_GET['custom-write-panel-id']);
+    $write_panel = RCCWP_CustomWritePanel::Get((int)$_GET['custom-write-panel-id']);
     printf("
       <script type=\"text/javascript\">
       //<![CDATA[
@@ -169,7 +169,7 @@ function add_input_search_manage($where){
         });
       //]]>
       </script>",
-      $_GET['custom-write-panel-id']
+      (int)$_GET['custom-write-panel-id']
     );
     $_SESSION['add_input_search_manage'] = "1"; 
   }

MF_PostTypesPage.php

@@ -30,7 +30,7 @@ function Dispacher(){
 		if(empty($_GET['action'])){
 			$action = "manage";
 		}else{
-			$action = $_GET['action'];
+			$action = filter_var($_GET['action'], FILTER_SANITIZE_SPECIAL_CHARS);
 		}
 
 		$action = esc_attr($action);
@@ -193,7 +193,6 @@ function SavePostType(){
 
 			//Saving the new post type
 			$wpdb->insert(MF_TABLE_POSTTYPES_TAXONOMIES,array('type' => 'posttype','name' => $name,'description' => $desc,'settings' => $settings),array('%s','%s','%s','%s'));
-			print_r($_POST);	
 		}
 	}
 

MF_thumb.php

@@ -20,9 +20,9 @@ function mfthumb(){
 	 * This function is almost equal to the image_resize (native function of wordpress)
 	 */
 	function image_resize( $file, $max_w, $max_h, $crop = false, $far = false, $iar = false, $dest_path = null, $jpeg_quality = 90 ) {
-		$image = wp_load_image( $file );
-		if ( !is_resource( $image ) )
-			return new WP_Error('error_loading_image', $image);
+		$image = wp_get_image_editor( $file );
+		if ( is_wp_error( $image ) )
+			return $image;
 
 		$size = @getimagesize( $file );
 		if ( !$size )
@@ -36,19 +36,23 @@ function image_resize( $file, $max_w, $max_h, $crop = false, $far = false, $iar
 		}
 		list($dst_x, $dst_y, $src_x, $src_y, $dst_w, $dst_h, $src_w, $src_h) = $dims;
 
-    $newimage = imagecreatetruecolor( $dst_w, $dst_h );
-    imagealphablending($newimage, false);
-    imagesavealpha($newimage, true);
-    $transparent = imagecolorallocatealpha($newimage, 255, 255, 255, 127);
-    imagefilledrectangle($newimage, 0, 0, $dst_w, $dst_h, $transparent);
-    imagecopyresampled( $newimage, $image, $dst_x, $dst_y, $src_x, $src_y, $dst_w, $dst_h, $src_w, $src_h);
+    	$newimage = imagecreatetruecolor( $dst_w, $dst_h );
+
+    	imagealphablending($newimage, false);
+    	imagesavealpha($newimage, true);
+    	$transparent = imagecolorallocatealpha($newimage, 255, 255, 255, 127);
+    	imagefilledrectangle($newimage, 0, 0, $dst_w, $dst_h, $transparent);
+
+    	@ini_set( 'memory_limit', apply_filters( 'image_memory_limit', WP_MAX_MEMORY_LIMIT ) );
+    	$imageTmp = imagecreatefromstring( file_get_contents( $file ) );
+    	imagecopyresampled( $newimage, $imageTmp, $dst_x, $dst_y, $src_x, $src_y, $dst_w, $dst_h, $src_w, $src_h);
 
 		// convert from full colors to index colors, like original PNG.
 		if ( IMAGETYPE_PNG == $orig_type && !imageistruecolor( $image ) )
 			imagetruecolortopalette( $newimage, false, imagecolorstotal( $image ) );
 
 		// we don't need the original in memory anymore
-		imagedestroy( $image );
+		imagedestroy( $imageTmp );
 		$info = pathinfo($dest_path);
 		$dir = $info['dirname'];
 		$ext = $info['extension'];

RCCWP_Application.php

@@ -382,7 +382,7 @@ public static function CheckInstallation(){
 
 		wp_mkdir_p(MF_UPLOAD_FILES_DIR);
 		wp_mkdir_p(MF_CACHE_DIR);
-    wp_mkdir_p(MF_GET_CACHE_DIR);
+    	wp_mkdir_p(MF_GET_CACHE_DIR);
 
 		// Giving full rights to folders. thanks Akis Kesoglou 
 		if (!is_dir(MF_CACHE_DIR)){

RCCWP_CreateCustomFieldPage.php

@@ -7,38 +7,30 @@ class RCCWP_CreateCustomFieldPage
 	public static function Main()
 	{
 		global $FIELD_TYPES,$mf_domain;
-		$customGroupID = $_REQUEST['custom-group-id'];
-
-    if (isset($customGroupID)) {
-      $group = RCCWP_CustomGroup::Get($customGroupID);
-
-      ?>
-
-      <script type="text/javascript">
-
-      var mf_create_field = true;
-
-      var mf_group_info = {
-        'name' : '<?php echo stripslashes($group->name) ?>',
-        'safe_name' : '<?php echo sanitize_title_with_dashes($group->name) ?>',
-        'singular_safe_name' : '<?php echo sanitize_title_with_dashes(Inflect::singularize($group->name)) ?>'
-      };
-
-      </script>
-
-      <?php
-    }
-
-		?>
-
-
+		$customGroupID = (int)$_REQUEST['custom-group-id'];
+
+    	if (isset($customGroupID)) {
+	      	$group = RCCWP_CustomGroup::Get($customGroupID);
+	      	?>
+
+	      	<script type="text/javascript">
+	      		var mf_create_field = true;
+		      	var mf_group_info = {
+		        	'name' : '<?php echo stripslashes($group->name) ?>',
+		        	'safe_name' : '<?php echo sanitize_title_with_dashes($group->name) ?>',
+		        	'singular_safe_name' : '<?php echo sanitize_title_with_dashes(Inflect::singularize($group->name)) ?>'
+		      	};
+	      	</script>
+
+	      <?php
+	    } ?>
   		<div class="wrap">
 
   		<h2><?php _e("Create Custom Field", $mf_domain); ?> <?php if ($group && $group->name != "__default") { _e("In Group", $mf_domain); echo " <em>".$group->name."</em>"; } ?></h2>
   		<br class="clear" />
   		<?php
 		if (isset($_GET['err_msg'])) :
-			switch ($_GET['err_msg']){
+			switch ($_GET['err_msg']) {
 				case -1:
 				?>
 				<div class="error"><p> <?php _e('A field with the same name already exists in this write panel. Please choose a different name.',$mf_domain);?></p></div>
@@ -52,10 +44,10 @@ public static function Main()
   		<?php wp_nonce_field('continue-create-custom-field'); ?>
 
 		<?php if(isset($_GET['custom-group-id']) && !empty($_GET['custom-group-id'])) { ?>
-  			<input type="hidden" name="custom-group-id" value="<?php echo $_GET['custom-group-id']?>">
+  			<input type="hidden" name="custom-group-id" value="<?php echo (int)$_GET['custom-group-id']?>">
 		<?php } ?>
 		<?php if(isset($_POST['custom-group-id']) && !empty($_POST['custom-group-id'])) { ?>
-  			<input type="hidden" name="custom-group-id" value="<?php echo $_POST['custom-group-id']?>">
+  			<input type="hidden" name="custom-group-id" value="<?php echo (int)$_POST['custom-group-id']?>">
 		<?php } ?>
 
 
@@ -189,8 +181,9 @@ function checkEmpty()
 	public static function SetOptions()
 	{
 		global $mf_domain;
-		$current_field = RCCWP_CustomField::GetCustomFieldTypes($_POST['custom-field-type']);
-		$customGroupID = $_REQUEST['custom-group-id'];
+		$custom_field_type = filter_var($_POST['custom-field-type'], FILTER_SANITIZE_SPECIAL_CHARS);
+		$current_field = RCCWP_CustomField::GetCustomFieldTypes($custom_field_type);
+		$customGroupID = (int)$_REQUEST['custom-group-id'];
 		$default = array(
 		  'custom-group-id' => '',
 		  'custom-field-name' => '',
@@ -223,7 +216,7 @@ public static function SetOptions()
 		<input type="hidden" name="custom-field-helptext" 		value="<?php echo $values['custom-field-helptext']?>" />
 
 		<!-- Hidden value for Image/Photo' Css Class-->
-		<input type="hidden" name="custom-field-css" value="<?php echo $_POST['custom-field-css']?>" />
+		<input type="hidden" name="custom-field-css" value="<?php echo filter_var($_POST['custom-field-css'], FILTER_SANITIZE_SPECIAL_CHARS); ?>" />
 
 
 

RCCWP_CustomField.php

@@ -40,7 +40,7 @@ public static function Create($customGroupId, $name, $label, $order = 1, $requir
 
 		$helptext = htmlspecialchars($helptext, ENT_QUOTES, 'UTF-8');
 
-		if(isset($_POST['custom-field-css'])) $css = $_POST['custom-field-css'];
+		if(isset($_POST['custom-field-css'])) $css = filter_var($_POST['custom-field-css'], FILTER_SANITIZE_SPECIAL_CHARS);
 		$sql = $wpdb->prepare(
 			"INSERT INTO " . MF_TABLE_GROUP_FIELDS .
 			" (group_id, name, description, display_order, required_field, type, CSS, duplicate,help_text) values (%d, %s, %s, %d, %d, %d, %s, %d, %s)",
@@ -379,7 +379,7 @@ public static function Update($customFieldId, $name, $label, $order = 1, $requir
 			$wpdb->query($sql);
 		}
 		$css = NULL;
-		if(isset($_POST['custom-field-css'])) $css = $_POST['custom-field-css'];
+		if(isset($_POST['custom-field-css'])) $css = filter_var($_POST['custom-field-css'], FILTER_SANITIZE_SPECIAL_CHARS);
 
 		$sql = $wpdb->prepare( "UPDATE " . MF_TABLE_GROUP_FIELDS .
 			" SET name = %s" .

RCCWP_CustomGroupPage.php

@@ -13,9 +13,9 @@ public static function Content($customGroup = null)
 		global $mf_domain;
 		$customGroupName = $customGroupDuplicate = $customGroupExpanded = "";
 		if (isset($_GET['custom-write-panel-id']) )
-			$customWritePanelId = $_GET['custom-write-panel-id'];
+			$customWritePanelId = filter_var($_GET['custom-write-panel-id'], FILTER_VALIDATE_INT);
 		if (isset($_POST['custom-write-panel-id']) )
-			$customWritePanelId = $_POST['custom-write-panel-id'];
+			$customWritePanelId = filter_var($_POST['custom-write-panel-id'], FILTER_VALIDATE_INT);
 
 		if ($customGroup != null)
 		{
@@ -55,7 +55,7 @@ public static function Content($customGroup = null)
 		<?php
 	}
 
-	function Edit()
+	public static function Edit()
 	{
 		global $mf_domain;
 		$customGroup = RCCWP_CustomGroup::Get((int)$_REQUEST['custom-group-id']);

RCCWP_CustomWritePanel.php

@@ -63,7 +63,7 @@ function Create($name, $description = '', $standardFields = array(), $categories
 
 
         $capabilityName = RCCWP_CustomWritePanel::GetCapabilityName($name);
-        if (!$type) $type = $_POST['radPostPage'];
+        if (!$type) $type = filter_var($_POST['radPostPage'], FILTER_SANITIZE_SPECIAL_CHARS);
 
         $type = htmlspecialchars($type, ENT_QUOTES, 'UTF-8');
         $capabilityName = htmlspecialchars($capabilityName, ENT_QUOTES, 'UTF-8');
@@ -336,7 +336,7 @@ public static function Update($customWritePanelId, $name, $description = '', $st
                 $description,
                 $display_order,
                 $capabilityName,
-                $_POST['radPostPage'],
+                filter_var($_POST['radPostPage'], FILTER_SANITIZE_SPECIAL_CHARS),
                 $single_post,
                 $expanded,
                 $customWritePanelId
@@ -371,25 +371,11 @@ public static function Update($customWritePanelId, $name, $description = '', $st
         } else {
             $currentStandardFieldIds = array();
             $currentStandardFieldIds = RCCWP_CustomWritePanel::GetStandardFields($customWritePanelId);
-            Debug::log("currentStandardFieldIds");
-            Debug::log($currentStandardFieldIds);
 
             $keepStandardFieldIds = array_intersect($currentStandardFieldIds, $standardFields);
             $deleteStandardFieldIds = array_diff($currentStandardFieldIds, $keepStandardFieldIds);
             $insertStandardFieldIds = array_diff($standardFields, $keepStandardFieldIds);
 
-            Debug::log("standardFields");
-            Debug::log($standardFields);
-
-            Debug::log("keepStandardFieldIds");
-            Debug::log($keepStandardFieldIds);
-
-            Debug::log("deleteStandardFieldIds");
-            Debug::log($deleteStandardFieldIds);
-
-            Debug::log("insertStandardFieldIds");
-            Debug::log($insertStandardFieldIds);
-
             foreach ($insertStandardFieldIds as $standard_field_id) {
                 $wpdb->insert(
                     MF_TABLE_PANEL_STANDARD_FIELD,

RCCWP_ManagementPage.php

@@ -131,8 +131,8 @@ function GetCustomPanelModuleDeleteUrl($customWritePanelId, $panelModuleId)
 	 */
 	public static function GetCustomWritePanelGenericUrl($mfAction, $customWritePanelId = null)
 	{
-		if (empty($customWritePanelId) && isset($_REQUEST['custom-write-panel-id'])){
-			$customWritePanelId = $_REQUEST['custom-write-panel-id'];
+		if (empty($customWritePanelId) && isset($_REQUEST['custom-write-panel-id']) && filter_var($_REQUEST['custom-write-panel-id'], FILTER_VALIDATE_INT)){
+			$customWritePanelId = filter_var($_REQUEST['custom-write-panel-id'], FILTER_VALIDATE_INT);
 		}
 
 		if (!empty($customWritePanelId)){

RCCWP_Menu.php

@@ -15,7 +15,7 @@ public static function PrepareModulesPanelsMenuItems()
 		if(empty($_REQUEST['mf_action'])){
 			$currentAction = "";
 		}else{
-			$currentAction = $_REQUEST['mf_action'];
+			$currentAction = filter_var($_REQUEST['mf_action'], FILTER_SANITIZE_SPECIAL_CHARS);
 		}
 
 		switch ($currentAction){
@@ -440,7 +440,7 @@ public static function HighlightCustomPanel(){
 	    		//$id = $result[0]['meta_value'];
 	    		$base = 'post-new.php?';
 	    		if(isset($_GET['post_type']) && $_GET['post_type'] == 'page') $base = 'post-new.php?post_type=page&';
-				$submenu_file = $base."custom-write-panel-id=".$_GET['custom-write-panel-id'];
+				$submenu_file = $base."custom-write-panel-id=".(int)$_GET['custom-write-panel-id'];
 	  		}elseif (count($result) > 0 && $currPage =="post.php" ){
 	    		$id = $result[0]['meta_value'];
 	    		$base = 'edit.php?';
@@ -462,8 +462,8 @@ public static function HighlightCustomPanel(){
 	public static function FilterPostsPagesList($where){
 		global $wpdb;
 		if (isset($_GET['filter-posts'])) {
-			$panel_id = $_GET['custom-write-panel-id'];
-				$where .= " and $wpdb->postmeta.meta_key = '_mf_write_panel_id' and $wpdb->postmeta.meta_value = '$panel_id' ";
+			$panel_id = (int)$_GET['custom-write-panel-id'];
+			$where .= " and $wpdb->postmeta.meta_key = '_mf_write_panel_id' and $wpdb->postmeta.meta_value = '$panel_id' ";
 		}
 		return $where;
 	}