Only allow admins to check plugin versions

fd628cf3 · Scott · cd259154 · fd628cf3 · fd628cf3
Commit fd628cf3 authored Mar 13, 2016 by Scott
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

version.php qa-include/ajax/version.php +6 -0

qa-base.php qa-include/qa-base.php +5 -0

No files found.
--- a/qa-include/ajax/version.php
+++ b/qa-include/ajax/version.php
@@ -21,6 +21,12 @@
 */

 	require_once QA_INCLUDE_DIR.'app/admin.php';
+	require_once QA_INCLUDE_DIR.'app/users.php';
+
+	if (qa_get_logged_in_level() < QA_USER_LEVEL_ADMIN) {
+		echo "QA_AJAX_RESPONSE\n0\n" . qa_lang_html('admin/no_privileges');
+		return;
+	}

 	$uri = qa_post_text('uri');
 	$version = qa_post_text('version');

--- a/qa-include/qa-base.php
+++ b/qa-include/qa-base.php
@@ -1545,6 +1545,11 @@
 	{
 		if (qa_to_override(__FUNCTION__)) { $args=func_get_args(); return qa_call_override(__FUNCTION__, $args); }

+		// ensure we're fetching a remote URL
+		if (!preg_match('#^https?://#', $url)) {
+			return '';
+		}
+
 		$contents=@file_get_contents($url);

 		if ((!strlen($contents)) && function_exists('curl_exec')) { // try curl as a backup (if allow_url_fopen not set)