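/**
 * Decodes the plugin's serialised option string back into an associative array.
 *
 * The encoded form is a ';'-separated list of "key=value" items. A few keys are
 * stored in an additionally encoded form and are decoded here:
 *   - shortcode, basedir, captcha_sitekey, captcha_secretkey -> wfu_plugin_decode_string()
 *   - browser_permissions                                   -> wfu_decode_array_from_string()
 * Every other key is returned verbatim.
 *
 * @param string $encoded_options ';'-separated "key=value" string.
 * @return array<string, mixed> Decoded options keyed by option name.
 */
function wfu_decode_plugin_options($encoded_options)
{
    // Keys whose values are stored in the plugin's string encoding.
    $string_encoded_keys = array('shortcode', 'basedir', 'captcha_sitekey', 'captcha_secretkey');
    $plugin_options = array();
    foreach (explode(';', (string) $encoded_options) as $raw_item) {
        if (trim($raw_item) === "") {
            continue;
        }
        // Split on the first '=' only: values may themselves contain '='.
        // An item without any '=' used to trigger an undefined-offset warning
        // from list(); it is now treated as a key with an empty value.
        $parts = explode("=", $raw_item, 2);
        $item_key = $parts[0];
        $item_value = isset($parts[1]) ? $parts[1] : "";
        if (in_array($item_key, $string_encoded_keys, true)) {
            $plugin_options[$item_key] = wfu_plugin_decode_string($item_value);
        } elseif ($item_key === 'browser_permissions') {
            $plugin_options[$item_key] = wfu_decode_array_from_string($item_value);
        } else {
            $plugin_options[$item_key] = $item_value;
        }
    }
    return $plugin_options;
}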
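/**
 * AJAX handler for the plugin's uploader (classic and HTML5 paths).
 *
 * All input comes from $_REQUEST / $_POST. The handler validates the
 * per-shortcode session token and the uploading user, records upload state in
 * $_SESSION and, on the HTML5 path, delegates to wfu_process_files(). Every
 * branch ends in die(), so the function never returns to its caller.
 *
 * Response strings emitted here (the client script parses them):
 *   "wfu_response_success:"        classic-uploader handshake recorded
 *   "success"                      connection-close pass or upload_finished pass
 *   "force_errorabort_code"        token, user or upload-id validation failed
 *   "wfu_fileupload_success:..."   files processed; ':'-separated payload
 *
 * @return void Never returns; terminates the request with die().
 */
function wfu_ajax_action_callback()
{
    if (!isset($_REQUEST['session_token'])) {
        die;
    }
    $session_token = sanitize_text_field($_REQUEST["session_token"]);
    if ($session_token == "") {
        die;
    }
    /* This section is executed when forceclassic is enabled or when redirection to the classic uploader was performed */
    if (isset($_REQUEST['sid']) && isset($_REQUEST['start_time'])) {
        //this request came from classic non-HTML5 uploader
        $sid = sanitize_text_field($_REQUEST["sid"]);
        if ($sid == "") {
            die;
        }
        $start_time = sanitize_text_field($_REQUEST["start_time"]);
        // Record the button press so the next page load is not treated as a refresh.
        $_SESSION['wfu_check_refresh_' . $sid] = 'form button pressed';
        $_SESSION['wfu_start_time_' . $sid] = $start_time;
        die("wfu_response_success:");
    }
    /* This section is executed when normal HTML5 upload is performed */
    if (!isset($_REQUEST['params_index'])) {
        die;
    }
    $params_index = sanitize_text_field($_REQUEST["params_index"]);
    if ($params_index == "") {
        die;
    }
    $user = wp_get_current_user();
    $arr = wfu_get_params_fields_from_index($params_index);
    $sid = $arr['shortcode_id'];
    //check referrer using server sessions to avoid CSRF attacks
    // hash_equals() replaces the former loose "!=" check: it is constant-time
    // and does not apply PHP's numeric-string juggling to the two tokens. A
    // missing session entry becomes an empty string, which never matches.
    $token_key = "wfu_token_" . $sid;
    $stored_token = isset($_SESSION[$token_key]) ? (string) $_SESSION[$token_key] : "";
    if (!hash_equals($stored_token, $session_token)) {
        // NOTE(review): the dumps below return sanitized session and POST data to
        // the requester; they are debugging aids and are worth gating behind a
        // debug option in production.
        echo "Session failed!<br/><br/>Session Data:<br/>";
        print_r(wfu_sanitize($_SESSION));
        echo "<br/><br/>Post Data:<br/>";
        print_r(wfu_sanitize($_POST));
        die('force_errorabort_code');
    }
    // The params record is bound to the user who rendered the form; a different
    // logged-in user must not be able to complete that upload.
    $expected_login = isset($arr['user_login']) ? (string) $arr['user_login'] : "";
    if ((string) $user->user_login !== $expected_login) {
        echo "User failed!<br/><br/>User Data:<br/>";
        print_r(wfu_sanitize($user));
        echo "<br/><br/>Post Data:<br/>";
        print_r(wfu_sanitize($_POST));
        echo "<br/><br/>Params Data:<br/>";
        print_r(wfu_sanitize($arr));
        die('force_errorabort_code');
    }
    //if force_connection_close is set, then the first pass to this callback script is for closing the previous connection
    if (isset($_POST["force_connection_close"]) && $_POST["force_connection_close"] === "1") {
        header("Connection: Close");
        die("success");
    }
    //get the unique id of the upload
    $unique_id = isset($_POST['uniqueuploadid_' . $sid]) ? sanitize_text_field($_POST['uniqueuploadid_' . $sid]) : "";
    // Upload ids are fixed-length (10 characters); anything else is rejected.
    if (strlen($unique_id) != 10) {
        die('force_errorabort_code');
    }
    //if upload has finished then perform post upload actions
    if (isset($_POST["upload_finished"]) && $_POST["upload_finished"] === "1") {
        die("success");
    }
    $params_str = get_option('wfu_params_' . $arr['unique_id']);
    $params = wfu_decode_array_from_string($params_str);
    //if this is the first pass of an upload attempt then perform pre-upload actions
    if (!isset($_SESSION['wfu_upload_first_pass_' . $unique_id]) || $_SESSION['wfu_upload_first_pass_' . $unique_id] != 'true') {
        $_SESSION['wfu_upload_first_pass_' . $unique_id] = 'true';
    }
    if (!isset($_POST["subdir_sel_index"])) {
        die;
    }
    $subdir_sel_index = sanitize_text_field($_POST["subdir_sel_index"]);
    $params['subdir_selection_index'] = $subdir_sel_index;
    // Tell the page handler that this upload is being processed here, via AJAX.
    $_SESSION['wfu_check_refresh_' . $params["uploadid"]] = 'do not process';
    $wfu_process_file_array = wfu_process_files($params, 'ajax');
    // extract safe_output from wfu_process_file_array and pass it as separate part of the response text
    $safe_output = $wfu_process_file_array["general"]['safe_output'];
    unset($wfu_process_file_array["general"]['safe_output']);
    // get javascript code that has been defined in wfu_after_file_upload action
    $js_script = wfu_plugin_encode_string($wfu_process_file_array["general"]['js_script']);
    unset($wfu_process_file_array["general"]['js_script']);
    die("wfu_fileupload_success:" . $js_script . ":" . $safe_output . ":" . wfu_encode_array_to_string($wfu_process_file_array));
}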
/**
 * Reads a plugin option straight from the wp_options table, bypassing the
 * WordPress option cache.
 *
 * @param string $option  Option name; bound as a prepared-statement parameter.
 * @param mixed  $default Value returned when the option row does not exist.
 *                        When an array is given, a stored value is decoded with
 *                        wfu_decode_array_from_string(). When false is given, a
 *                        missing option yields null (not false).
 * @return mixed The stored value (decoded for array defaults), $default, or null.
 */
function wfu_get_option($option, $default)
{
    global $wpdb;
    $options_table = $wpdb->prefix . "options";
    // The table name comes from the trusted prefix; the option name is bound via %s.
    $query = $wpdb->prepare("SELECT option_value FROM {$options_table} WHERE option_name = %s", $option);
    $stored = $wpdb->get_var($query);
    if ($stored === null && $default !== false) {
        return $default;
    }
    if (is_array($default)) {
        return wfu_decode_array_from_string($stored);
    }
    return $stored;
}
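/**
 * Builds the admin confirmation page shown before a shortcode is deleted.
 *
 * @param string $data_enc Encoded shortcode descriptor; decoded here through
 *                         wfu_get_shortcode_data_from_safe() and posted back
 *                         unchanged in the hidden "data" field.
 * @return string HTML markup of the confirmation form.
 */
function wfu_delete_shortcode_prompt($data_enc)
{
    $siteurl = site_url();
    $data = wfu_decode_array_from_string(wfu_get_shortcode_data_from_safe($data_enc));
    $postid = $data['post_id'];
    // Everything that reaches the markup from the request or the database is
    // escaped for its context: esc_attr() inside attributes, esc_html() in text.
    // The post title and position were previously concatenated raw.
    $data_attr = esc_attr($data_enc);
    $post_type = esc_html(get_post_type($postid));
    $post_title = esc_html(get_the_title($postid));
    $post_id_text = esc_html($postid);
    $position = esc_html($data['position']);
    $echo_str = "\n" . '<div class="wrap">';
    $echo_str .= "\n\t" . '<h2>Wordpress File Upload Control Panel</h2>';
    $echo_str .= "\n\t" . '<div style="margin-top:20px;">';
    $echo_str .= "\n\t\t" . '<a href="' . $siteurl . '/wp-admin/options-general.php?page=wordpress_file_upload&amp;action=manage_mainmenu" class="button" title="go back">Go to Main Menu</a>';
    $echo_str .= "\n\t" . '</div>';
    $echo_str .= "\n\t" . '<h2 style="margin-bottom: 10px; margin-top: 20px;">Delete Shortcode</h2>';
    $echo_str .= "\n\t" . '<form enctype="multipart/form-data" name="deletefile" id="deleteshortcode" method="post" action="' . $siteurl . '/wp-admin/options-general.php?page=wordpress_file_upload" class="validate">';
    $echo_str .= "\n\t\t" . '<input type="hidden" name="action" value="deleteshortcode">';
    $echo_str .= "\n\t\t" . '<input type="hidden" name="data" value="' . $data_attr . '">';
    $echo_str .= "\n\t\t" . '<label>Are you sure that you want to delete shortcode for <strong>' . $post_type . ' "' . $post_title . '" (' . $post_id_text . ') Position ' . $position . '</strong> ?</label><br/>';
    $echo_str .= "\n\t\t" . '<p class="submit">';
    $echo_str .= "\n\t\t\t" . '<input type="submit" class="button-primary" name="submit" value="Delete">';
    $echo_str .= "\n\t\t\t" . '<input type="submit" class="button-primary" name="submit" value="Cancel">';
    $echo_str .= "\n\t\t" . '</p>';
    $echo_str .= "\n\t" . '</form>';
    $echo_str .= "\n" . '</div>';
    return $echo_str;
}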
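/**
 * Dispatches the plugin's admin dashboard page.
 *
 * Reads "action", "dir", "file" and "data" from $_POST (falling back to $_GET),
 * runs the matching admin operation and echoes the resulting page markup.
 * Unknown or missing actions render the main menu.
 *
 * NOTE(review): several actions mutate state (renamefile, deletefile,
 * deletedir, createdir, edit_filedetails, deleteshortcode, sync_db) and no
 * nonce or capability check is visible in this function; it presumably relies
 * on the admin-menu registration and on the called helpers for that — confirm.
 *
 * @return void Echoes the page HTML.
 */
function wordpress_file_upload_manage_dashboard()
{
    $_POST = stripslashes_deep($_POST);
    $_GET = stripslashes_deep($_GET);
    $action = !empty($_POST['action']) ? $_POST['action'] : (!empty($_GET['action']) ? $_GET['action'] : '');
    $dir = !empty($_POST['dir']) ? $_POST['dir'] : (!empty($_GET['dir']) ? $_GET['dir'] : '');
    $file = !empty($_POST['file']) ? $_POST['file'] : (!empty($_GET['file']) ? $_GET['file'] : '');
    $data_enc = !empty($_POST['data']) ? $_POST['data'] : (!empty($_GET['data']) ? $_GET['data'] : '');
    $echo_str = "";
    if ($action == 'edit_settings') {
        wfu_update_settings();
        $echo_str = wfu_manage_settings();
    } elseif ($action == 'shortcode_composer') {
        $echo_str = wfu_shortcode_composer();
    } elseif ($action == 'file_browser') {
        $echo_str = wfu_browse_files($dir);
    } elseif ($action == 'view_log') {
        $echo_str = wfu_view_log();
    } elseif ($action == 'rename_file' && $file != "") {
        $echo_str = wfu_rename_file_prompt($file, 'file', false);
    } elseif ($action == 'rename_dir' && $file != "") {
        $echo_str = wfu_rename_file_prompt($file, 'dir', false);
    } elseif ($action == 'renamefile' && $file != "") {
        // On failure re-show the prompt with its error flag set.
        if (wfu_rename_file($file, 'file')) {
            $echo_str = wfu_browse_files($dir);
        } else {
            $echo_str = wfu_rename_file_prompt($file, 'file', true);
        }
    } elseif ($action == 'renamedir' && $file != "") {
        if (wfu_rename_file($file, 'dir')) {
            $echo_str = wfu_browse_files($dir);
        } else {
            $echo_str = wfu_rename_file_prompt($file, 'dir', true);
        }
    } elseif ($action == 'delete_file' && $file != "") {
        $echo_str = wfu_delete_file_prompt($file, 'file');
    } elseif ($action == 'delete_dir' && $file != "") {
        $echo_str = wfu_delete_file_prompt($file, 'dir');
    } elseif ($action == 'deletefile' && $file != "") {
        wfu_delete_file($file, 'file');
        $echo_str = wfu_browse_files($dir);
    } elseif ($action == 'deletedir' && $file != "") {
        wfu_delete_file($file, 'dir');
        $echo_str = wfu_browse_files($dir);
    } elseif ($action == 'create_dir') {
        $echo_str = wfu_create_dir_prompt($dir, false);
    } elseif ($action == 'createdir') {
        if (wfu_create_dir($dir)) {
            $echo_str = wfu_browse_files($dir);
        } else {
            $echo_str = wfu_create_dir_prompt($dir, true);
        }
    } elseif ($action == 'file_details' && $file != "") {
        $echo_str = wfu_file_details($file, false);
    } elseif ($action == 'edit_filedetails' && $file != "") {
        wfu_edit_filedetails($file);
        $echo_str = wfu_file_details($file, false);
    } elseif ($action == 'sync_db') {
        $affected_items = wfu_sync_database();
        $echo_str = wfu_manage_mainmenu('Database updated. ' . $affected_items . ' items where affected.');
    } elseif ($action == 'plugin_settings') {
        $echo_str = wfu_manage_settings();
    } elseif ($action == 'edit_shortcode' && $data_enc != "") {
        $data = wfu_decode_array_from_string($data_enc);
        if (wfu_check_edit_shortcode($data)) {
            // The composer's markup was previously discarded here, unlike the
            // plain shortcode_composer branch above; capture it so it is rendered.
            $echo_str = wfu_shortcode_composer($data);
        } else {
            $echo_str = wfu_manage_mainmenu(WFU_DASHBOARD_EDIT_SHORTCODE_REJECTED);
        }
    } elseif ($action == 'delete_shortcode' && $data_enc != "") {
        $data = wfu_decode_array_from_string($data_enc);
        if (wfu_check_edit_shortcode($data)) {
            $echo_str = wfu_delete_shortcode_prompt($data);
        } else {
            $echo_str = wfu_manage_mainmenu(WFU_DASHBOARD_DELETE_SHORTCODE_REJECTED);
        }
    } elseif ($action == 'deleteshortcode' && $data_enc != "") {
        $data = wfu_decode_array_from_string($data_enc);
        if (wfu_check_edit_shortcode($data)) {
            wfu_delete_shortcode($data);
            $echo_str = wfu_manage_mainmenu();
        } else {
            $echo_str = wfu_manage_mainmenu(WFU_DASHBOARD_DELETE_SHORTCODE_REJECTED);
        }
    } else {
        $echo_str = wfu_manage_mainmenu();
    }
    echo $echo_str;
}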
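/**
 * AJAX handler for the plugin's HTML5 uploader.
 *
 * Input comes from $_REQUEST / $_POST. The handler checks the WordPress nonce,
 * the per-shortcode session token and the uploading user, consults the
 * pre-/after-upload filters, records upload state in $_SESSION and finally
 * delegates to wfu_process_files(). Every branch ends in die(), so the
 * function never returns to its caller.
 *
 * Response strings emitted here (the client script parses them):
 *   "success"                      connection-close pass acknowledged
 *   "CBUVJS[...]" or ""            upload_finished pass; optional JS from after-upload filters
 *   "force_errorabort_code"        token, user, upload-id or upload-status check failed
 *   "wfu_fileupload_success:..."   files processed; ':'-separated payload
 *
 * @return void Never returns; terminates the request with die().
 */
function wfu_ajax_action_callback()
{
    if (!isset($_REQUEST['session_token'])) {
        die;
    }
    $session_token = sanitize_text_field($_REQUEST["session_token"]);
    if ($session_token == "") {
        die;
    }
    // WordPress nonce check; dies with -1 on failure.
    check_ajax_referer('wfu-uploader-nonce', 'wfu_uploader_nonce');
    if (!isset($_REQUEST['params_index'])) {
        die;
    }
    $params_index = sanitize_text_field($_REQUEST["params_index"]);
    if ($params_index == "") {
        die;
    }
    $user = wp_get_current_user();
    $arr = wfu_get_params_fields_from_index($params_index);
    $sid = $arr['shortcode_id'];
    //check referrer using server sessions to avoid CSRF attacks
    // hash_equals() replaces the former loose "!=" check: it is constant-time
    // and does not apply PHP's numeric-string juggling to the two tokens. A
    // missing session entry becomes an empty string, which never matches.
    $token_key = "wfu_token_" . $sid;
    $stored_token = isset($_SESSION[$token_key]) ? (string) $_SESSION[$token_key] : "";
    if (!hash_equals($stored_token, $session_token)) {
        // NOTE(review): the dumps below return sanitized session and POST data to
        // the requester; they are debugging aids and are worth gating behind a
        // debug option in production.
        echo "Session failed!<br/><br/>Session Data:<br/>";
        print_r(wfu_sanitize($_SESSION));
        echo "<br/><br/>Post Data:<br/>";
        print_r(wfu_sanitize($_POST));
        die('force_errorabort_code');
    }
    // The params record is bound to the user who rendered the form; a different
    // logged-in user must not be able to complete that upload.
    $expected_login = isset($arr['user_login']) ? (string) $arr['user_login'] : "";
    if ((string) $user->user_login !== $expected_login) {
        echo "User failed!<br/><br/>User Data:<br/>";
        print_r(wfu_sanitize($user));
        echo "<br/><br/>Post Data:<br/>";
        print_r(wfu_sanitize($_POST));
        echo "<br/><br/>Params Data:<br/>";
        print_r(wfu_sanitize($arr));
        die('force_errorabort_code');
    }
    //if force_connection_close is set, then the first pass to this callback script is for closing the previous connection
    if (isset($_POST["force_connection_close"]) && $_POST["force_connection_close"] === "1") {
        header("Connection: Close");
        die("success");
    }
    //get the unique id of the upload
    $unique_id = isset($_POST['uniqueuploadid_' . $sid]) ? sanitize_text_field($_POST['uniqueuploadid_' . $sid]) : "";
    // Upload ids are fixed-length (10 characters); anything else is rejected.
    if (strlen($unique_id) != 10) {
        die('force_errorabort_code');
    }
    //if before upload actions have been executed and they have rejected the
    //upload, but for some reason (hack attempt) the upload continued, then
    //terminate it
    if (isset($_SESSION["wfu_uploadstatus_" . $unique_id]) && $_SESSION["wfu_uploadstatus_" . $unique_id] == 0) {
        die('force_errorabort_code');
    }
    //if upload has finished then perform post upload actions
    if (isset($_POST["upload_finished"]) && $_POST["upload_finished"] === "1") {
        $echo_str = "";
        //execute after upload filters
        $ret = wfu_execute_after_upload_filters($sid, $unique_id);
        if ($ret["js_script"] != "") {
            $echo_str = "CBUVJS[" . $ret["js_script"] . "]";
        }
        die($echo_str);
    }
    $params_str = get_option('wfu_params_' . $arr['unique_id']);
    $params = wfu_decode_array_from_string($params_str);
    //apply filters to determine if the upload will continue or stop
    $ret = array("status" => "", "echo" => "");
    $attr = array("sid" => $sid, "unique_id" => $unique_id, "params" => $params);
    $ret = apply_filters("_wfu_pre_upload_check", $ret, $attr);
    if ($ret["status"] == "die") {
        die($ret["echo"]);
    }
    //if this is the first pass of an upload attempt then perform pre-upload actions
    if (!isset($_SESSION['wfu_upload_first_pass_' . $unique_id]) || $_SESSION['wfu_upload_first_pass_' . $unique_id] != 'true') {
        $_SESSION['wfu_upload_first_pass_' . $unique_id] = 'true';
    }
    if (!isset($_POST["subdir_sel_index"])) {
        die;
    }
    $subdir_sel_index = sanitize_text_field($_POST["subdir_sel_index"]);
    $params['subdir_selection_index'] = $subdir_sel_index;
    // Tell the page handler that this upload is being processed here, via AJAX.
    $_SESSION['wfu_check_refresh_' . $params["uploadid"]] = 'do not process';
    $wfu_process_file_array = wfu_process_files($params, 'ajax');
    // extract safe_output from wfu_process_file_array and pass it as separate part of the response text
    $safe_output = $wfu_process_file_array["general"]['safe_output'];
    unset($wfu_process_file_array["general"]['safe_output']);
    // get javascript code that has been defined in wfu_after_file_upload action
    $js_script = wfu_plugin_encode_string($wfu_process_file_array["general"]['js_script']);
    unset($wfu_process_file_array["general"]['js_script']);
    die("wfu_fileupload_success:" . $js_script . ":" . $safe_output . ":" . wfu_encode_array_to_string($wfu_process_file_array));
}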
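/**
 * AJAX handler for the plugin's HTML5 uploader (early variant).
 *
 * Input comes from $_POST. The handler validates the per-shortcode session
 * token and the uploading user, records upload state in $_SESSION and
 * delegates to wfu_process_files(). Every branch ends in die(), so the
 * function never returns to its caller.
 *
 * Response strings emitted here (the client script parses them):
 *   "success"                      connection-close pass or upload_finished pass
 *   "force_errorabort_code"        token or user validation failed
 *   "wfu_fileupload_success:..."   files processed; ':'-separated payload
 *
 * @return void Never returns; terminates the request with die().
 */
function wfu_ajax_action_callback()
{
    // Both values are mandatory. They were previously read unguarded, which
    // raised undefined-index notices and compared the stored token against null.
    if (!isset($_POST['params_index']) || !isset($_POST['session_token'])) {
        die;
    }
    $params_index = sanitize_text_field($_POST['params_index']);
    $session_token = sanitize_text_field($_POST['session_token']);
    if ($params_index == "" || $session_token == "") {
        die;
    }
    $user = wp_get_current_user();
    $arr = wfu_get_params_fields_from_index($params_index);
    //check referrer using server sessions to avoid CSRF attacks
    // hash_equals() replaces the former loose "!=" check: it is constant-time
    // and does not apply PHP's numeric-string juggling to the two tokens. A
    // missing session entry becomes an empty string, which never matches.
    $token_key = "wfu_token_" . $arr['shortcode_id'];
    $stored_token = isset($_SESSION[$token_key]) ? (string) $_SESSION[$token_key] : "";
    if (!hash_equals($stored_token, $session_token)) {
        // NOTE(review): the dumps below return sanitized session and POST data to
        // the requester; they are debugging aids and are worth gating behind a
        // debug option in production.
        echo "Session failed!<br/><br/>Session Data:<br/>";
        print_r(wfu_sanitize($_SESSION));
        echo "<br/><br/>Post Data:<br/>";
        print_r(wfu_sanitize($_POST));
        die('force_errorabort_code');
    }
    // The params record is bound to the user who rendered the form; a different
    // logged-in user must not be able to complete that upload.
    $expected_login = isset($arr['user_login']) ? (string) $arr['user_login'] : "";
    if ((string) $user->user_login !== $expected_login) {
        echo "User failed!<br/><br/>User Data:<br/>";
        print_r(wfu_sanitize($user));
        echo "<br/><br/>Post Data:<br/>";
        print_r(wfu_sanitize($_POST));
        echo "<br/><br/>Params Data:<br/>";
        print_r(wfu_sanitize($arr));
        die('force_errorabort_code');
    }
    //the first pass to this callback script is for closing the previous connection
    if (isset($_POST["force_connection_close"]) && $_POST["force_connection_close"] === "1") {
        header("Connection: Close");
        die("success");
    }
    //if upload has finished then perform post upload actions
    if (isset($_POST["upload_finished"]) && $_POST["upload_finished"] === "1") {
        die("success");
    }
    $params_str = get_option('wfu_params_' . $arr['unique_id']);
    $params = wfu_decode_array_from_string($params_str);
    // subdir_sel_index is optional; it was previously read unguarded.
    $params['subdir_selection_index'] = isset($_POST['subdir_sel_index']) ? sanitize_text_field($_POST['subdir_sel_index']) : "";
    // Tell the page handler that this upload is being processed here, via AJAX.
    $_SESSION['wfu_check_refresh_' . $params["uploadid"]] = 'do not process';
    $wfu_process_file_array = wfu_process_files($params, 'ajax');
    // extract safe_output from wfu_process_file_array and pass it as separate part of the response text
    $safe_output = $wfu_process_file_array["general"]['safe_output'];
    unset($wfu_process_file_array["general"]['safe_output']);
    die("wfu_fileupload_success:" . $safe_output . ":" . wfu_encode_array_to_string($wfu_process_file_array));
}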