[wp-trac] [WordPress Trac] #11922: Pages Hooked by add_menu_page() Have No Security

WordPress Trac wp-trac at lists.automattic.com
Sat Jan 16 14:33:19 UTC 2010


#11922: Pages Hooked by add_menu_page() Have No Security
-----------------------------+----------------------------------------------
 Reporter:  miqrogroove      |       Owner:  westi            
     Type:  defect (bug)     |      Status:  accepted         
 Priority:  high             |   Milestone:  2.9.2            
Component:  Role/Capability  |     Version:                   
 Severity:  critical         |    Keywords:  reporter-feedback
-----------------------------+----------------------------------------------
Changes (by westi):

  * keywords:  has-patch => reporter-feedback
  * owner:  => westi
  * status:  new => accepted


Comment:

 Can you give more detail on how to reproduce this as I can't reproduce it
 with the following test code, based on the examples in the linked ticket:

 {{{
 function my_hack() {
         // Parent and child both registered with 'manage_options'.
         add_menu_page('Page Title', 'Works', 'manage_options', 'add-menu-page-works', 'menu_output_func_parent' );
         add_submenu_page('add-menu-page-works', 'Test Sublevel', 'Test Sublevel', 'manage_options', 'sub-page-works', 'menu_output_func_child');
         // Parent and child both registered with 'bad-cap'.
         add_menu_page('Page Title', 'Not allowed', 'bad-cap', 'add-menu-page-not-allowed', 'menu_output_func_parent' );
         add_submenu_page('add-menu-page-not-allowed', 'Test Sublevel', 'Test Sublevel', 'bad-cap', 'sub-page-not-allowed', 'menu_output_func_child');
         // Parent registered with 'bad-cap', child with 'manage_options'.
         add_menu_page('Page Title', 'Only Child allowed', 'bad-cap', 'add-menu-page-only-child-allowed', 'menu_output_func_parent' );
         add_submenu_page('add-menu-page-only-child-allowed', 'Test Sublevel', 'Test Sublevel', 'manage_options', 'sub-page-only-child-allowed', 'menu_output_func_child');
 }
 add_action('admin_menu','my_hack');

 // Output callback for the top-level pages.
 function menu_output_func_parent() {
         echo 'Hello Parent World!';
 }

 // Output callback for the submenu pages.
 function menu_output_func_child() {
         echo 'Hello Child World!';
 }
 }}}

 Code was placed in a file in mu-plugins to get auto loaded.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11922#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

