escape download handler URLs

This commit is contained in:
toddlahman 2013-11-26 07:27:46 -08:00
parent b4c66db7e2
commit 6bed7bff94
1 changed files with 12 additions and 12 deletions

View File

@ -34,7 +34,7 @@ class WC_Download_Handler {
$_product = get_product( $product_id );
if ( ! is_email( $email) )
wp_die( __( 'Invalid email address.', 'woocommerce' ) . ' <a href="' . home_url() . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
wp_die( __( 'Invalid email address.', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
$query = "
SELECT order_id,downloads_remaining,user_id,download_count,access_expires,download_id
@ -58,7 +58,7 @@ class WC_Download_Handler {
$download_result = $wpdb->get_row( $wpdb->prepare( $query, $args ) );
if ( ! $download_result )
wp_die( __( 'Invalid download.', 'woocommerce' ) . ' <a href="'.home_url().'">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
wp_die( __( 'Invalid download.', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
$download_id = $download_result->download_id;
$order_id = $download_result->order_id;
@ -70,7 +70,7 @@ class WC_Download_Handler {
if ( $user_id && get_option( 'woocommerce_downloads_require_login' ) == 'yes' ) {
if ( ! is_user_logged_in() )
wp_die( __( 'You must be logged in to download files.', 'woocommerce' ) . ' <a href="' . wp_login_url( get_permalink( wc_get_page_id( 'myaccount' ) ) ) . '">' . __( 'Login &rarr;', 'woocommerce' ) . '</a>', __( 'Log in to Download Files', 'woocommerce' ) );
wp_die( __( 'You must be logged in to download files.', 'woocommerce' ) . ' <a href="' . esc_url( wp_login_url( get_permalink( wc_get_page_id( 'myaccount' ) ) ) ) . '">' . __( 'Login &rarr;', 'woocommerce' ) . '</a>', __( 'Log in to Download Files', 'woocommerce' ) );
elseif ( !current_user_can( 'download_file', $download_result ) )
wp_die( __( 'This is not your download link.', 'woocommerce' ) );
@ -78,20 +78,20 @@ class WC_Download_Handler {
}
if ( ! get_post( $product_id ) )
wp_die( __( 'Product no longer exists.', 'woocommerce' ) . ' <a href="' . home_url() . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
wp_die( __( 'Product no longer exists.', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
if ( $order_id ) {
$order = new WC_Order( $order_id );
if ( ! $order->is_download_permitted() || $order->post_status != 'publish' )
wp_die( __( 'Invalid order.', 'woocommerce' ) . ' <a href="' . home_url() . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
wp_die( __( 'Invalid order.', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
}
if ( $downloads_remaining == '0' )
wp_die( __( 'Sorry, you have reached your download limit for this file', 'woocommerce' ) . ' <a href="'.home_url().'">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
wp_die( __( 'Sorry, you have reached your download limit for this file', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
if ( $access_expires > 0 && strtotime( $access_expires) < current_time( 'timestamp' ) )
wp_die( __( 'Sorry, this download has expired', 'woocommerce' ) . ' <a href="' . home_url() . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
wp_die( __( 'Sorry, this download has expired', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
if ( $downloads_remaining > 0 ) {
$wpdb->update( $wpdb->prefix . "woocommerce_downloadable_product_permissions", array(
@ -134,7 +134,7 @@ class WC_Download_Handler {
$file_download_method = apply_filters( 'woocommerce_file_download_method', get_option( 'woocommerce_file_download_method' ), $product_id );
if ( ! $file_path )
wp_die( __( 'No file defined', 'woocommerce' ) . ' <a href="'.home_url().'">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
wp_die( __( 'No file defined', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
// Redirect to the file...
if ( $file_download_method == "redirect" ) {
@ -160,7 +160,7 @@ class WC_Download_Handler {
$site_url = is_ssl() ? str_replace( 'https:', 'http:', site_url() ) : site_url();
}
$file_path = str_replace( trailingslashit( $site_url ), ABSPATH, $file_path );
$file_path = str_replace( trailingslashit( esc_url( $site_url ) ), ABSPATH, $file_path );
} else {
@ -168,7 +168,7 @@ class WC_Download_Handler {
$upload_dir = wp_upload_dir();
// Try to replace network url
$file_path = str_replace( trailingslashit( $network_url ), ABSPATH, $file_path );
$file_path = str_replace( trailingslashit( esc_url( $network_url ) ), ABSPATH, $file_path );
// Now try to replace upload URL
$file_path = str_replace( $upload_dir['baseurl'], $upload_dir['basedir'], $file_path );
@ -264,7 +264,7 @@ class WC_Download_Handler {
if ( $remote_file )
$this->readfile_chunked( $file_path ) or header( 'Location: ' . $file_path );
else
$this->readfile_chunked( $file_path ) or wp_die( __( 'File not found', 'woocommerce' ) . ' <a href="' . home_url() . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
$this->readfile_chunked( $file_path ) or wp_die( __( 'File not found', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
exit;
}