wp_edit_theme_plugin_file()
云策文档标注
概述
wp_edit_theme_plugin_file() 是 WordPress 核心函数,用于安全编辑主题或插件文件。它执行严格的权限、路径和内容验证,并在编辑 PHP 文件时通过 loopback 请求检测致命错误,若检测到错误则自动回滚更改。
关键要点
- 函数接受一个数组参数 $args,包含 file、plugin、theme、newcontent 和 nonce 等键,参数直接来自 $_POST 且未经验证或清理。
- 编辑前会检查用户权限(edit_plugins 或 edit_themes)、文件路径有效性(使用 validate_file())、nonce 验证以及文件扩展名是否允许编辑。
- 对于 PHP 文件,如果主题或插件处于激活状态,会向管理界面和首页发送 loopback 请求以检测致命错误;若检测到错误,文件内容将被回滚到之前状态。
- 函数返回 true 表示成功,或 WP_Error 对象表示失败,错误代码包括 missing_file、bad_file、unauthorized、nonce_failure 等。
- 涉及多个相关函数和 Hook,如 wp_verify_nonce()、validate_file()、wp_remote_get() 和 apply_filters('https_local_ssl_verify', $ssl_verify, $url)。
代码示例
function wp_edit_theme_plugin_file( $args ) {
if ( empty( $args['file'] ) ) {
return new WP_Error( 'missing_file' );
}
// 更多验证和编辑逻辑...
}注意事项
- 参数 $args 来自 $_POST,开发者需确保传入数据的安全性,避免直接使用未经验证的输入。
- 编辑 PHP 文件时的 loopback 请求可能因服务器配置失败,导致回滚并返回错误,建议在支持环境中使用。
- 函数自 WordPress 4.9.0 版本引入,主要用于后台的 AJAX 处理函数 wp_ajax_edit_theme_plugin_file()。
原文内容
Attempts to edit a file for a theme or plugin.
Description
When editing a PHP file, loopback requests will be made to the admin and the homepage to attempt to see if there is a fatal error introduced. If so, the PHP change will be reverted.
Parameters
$argsstring[]required-
Args. Note that all of the arg values are already unslashed. They are, however, coming straight from
$_POSTand are not validated or sanitized in any way.filestringRelative path to file.pluginstringPath to the plugin file relative to the plugins directory.themestringTheme being edited.newcontentstringNew content for the file.noncestringNonce.
Source
function wp_edit_theme_plugin_file( $args ) {
if ( empty( $args['file'] ) ) {
return new WP_Error( 'missing_file' );
}
if ( 0 !== validate_file( $args['file'] ) ) {
return new WP_Error( 'bad_file' );
}
if ( ! isset( $args['newcontent'] ) ) {
return new WP_Error( 'missing_content' );
}
if ( ! isset( $args['nonce'] ) ) {
return new WP_Error( 'missing_nonce' );
}
$file = $args['file'];
$content = $args['newcontent'];
$plugin = null;
$theme = null;
$real_file = null;
if ( ! empty( $args['plugin'] ) ) {
$plugin = $args['plugin'];
if ( ! current_user_can( 'edit_plugins' ) ) {
return new WP_Error( 'unauthorized', __( 'Sorry, you are not allowed to edit plugins for this site.' ) );
}
if ( ! wp_verify_nonce( $args['nonce'], 'edit-plugin_' . $file ) ) {
return new WP_Error( 'nonce_failure' );
}
if ( ! array_key_exists( $plugin, get_plugins() ) ) {
return new WP_Error( 'invalid_plugin' );
}
if ( 0 !== validate_file( $file, get_plugin_files( $plugin ) ) ) {
return new WP_Error( 'bad_plugin_file_path', __( 'Sorry, that file cannot be edited.' ) );
}
$editable_extensions = wp_get_plugin_file_editable_extensions( $plugin );
$real_file = WP_PLUGIN_DIR . '/' . $file;
$is_active = in_array(
$plugin,
(array) get_option( 'active_plugins', array() ),
true
);
} elseif ( ! empty( $args['theme'] ) ) {
$stylesheet = $args['theme'];
if ( 0 !== validate_file( $stylesheet ) ) {
return new WP_Error( 'bad_theme_path' );
}
if ( ! current_user_can( 'edit_themes' ) ) {
return new WP_Error( 'unauthorized', __( 'Sorry, you are not allowed to edit templates for this site.' ) );
}
$theme = wp_get_theme( $stylesheet );
if ( ! $theme->exists() ) {
return new WP_Error( 'non_existent_theme', __( 'The requested theme does not exist.' ) );
}
if ( ! wp_verify_nonce( $args['nonce'], 'edit-theme_' . $stylesheet . '_' . $file ) ) {
return new WP_Error( 'nonce_failure' );
}
if ( $theme->errors() && 'theme_no_stylesheet' === $theme->errors()->get_error_code() ) {
return new WP_Error(
'theme_no_stylesheet',
__( 'The requested theme does not exist.' ) . ' ' . $theme->errors()->get_error_message()
);
}
$editable_extensions = wp_get_theme_file_editable_extensions( $theme );
$allowed_files = array();
foreach ( $editable_extensions as $type ) {
switch ( $type ) {
case 'php':
$allowed_files = array_merge( $allowed_files, $theme->get_files( 'php', -1 ) );
break;
case 'css':
$style_files = $theme->get_files( 'css', -1 );
$allowed_files['style.css'] = $style_files['style.css'];
$allowed_files = array_merge( $allowed_files, $style_files );
break;
default:
$allowed_files = array_merge( $allowed_files, $theme->get_files( $type, -1 ) );
break;
}
}
// Compare based on relative paths.
if ( 0 !== validate_file( $file, array_keys( $allowed_files ) ) ) {
return new WP_Error( 'disallowed_theme_file', __( 'Sorry, that file cannot be edited.' ) );
}
$real_file = $theme->get_stylesheet_directory() . '/' . $file;
$is_active = ( get_stylesheet() === $stylesheet || get_template() === $stylesheet );
} else {
return new WP_Error( 'missing_theme_or_plugin' );
}
// Ensure file is real.
if ( ! is_file( $real_file ) ) {
return new WP_Error( 'file_does_not_exist', __( 'File does not exist! Please double check the name and try again.' ) );
}
// Ensure file extension is allowed.
$extension = null;
if ( preg_match( '/.([^.]+)$/', $real_file, $matches ) ) {
$extension = strtolower( $matches[1] );
if ( ! in_array( $extension, $editable_extensions, true ) ) {
return new WP_Error( 'illegal_file_type', __( 'Files of this type are not editable.' ) );
}
}
$previous_content = file_get_contents( $real_file );
if ( ! is_writable( $real_file ) ) {
return new WP_Error( 'file_not_writable' );
}
$f = fopen( $real_file, 'w+' );
if ( false === $f ) {
return new WP_Error( 'file_not_writable' );
}
$written = fwrite( $f, $content );
fclose( $f );
if ( false === $written ) {
return new WP_Error( 'unable_to_write', __( 'Unable to write to file.' ) );
}
wp_opcache_invalidate( $real_file, true );
if ( $is_active && 'php' === $extension ) {
$scrape_key = md5( rand() );
$transient = 'scrape_key_' . $scrape_key;
$scrape_nonce = (string) rand();
// It shouldn't take more than 60 seconds to make the two loopback requests.
set_transient( $transient, $scrape_nonce, 60 );
$cookies = wp_unslash( $_COOKIE );
$scrape_params = array(
'wp_scrape_key' => $scrape_key,
'wp_scrape_nonce' => $scrape_nonce,
);
$headers = array(
'Cache-Control' => 'no-cache',
);
/** This filter is documented in wp-includes/class-wp-http-streams.php */
$sslverify = apply_filters( 'https_local_ssl_verify', false );
// Include Basic auth in loopback requests.
if ( isset( $_SERVER['PHP_AUTH_USER'] ) && isset( $_SERVER['PHP_AUTH_PW'] ) ) {
$headers['Authorization'] = 'Basic ' . base64_encode( wp_unslash( $_SERVER['PHP_AUTH_USER'] ) . ':' . wp_unslash( $_SERVER['PHP_AUTH_PW'] ) );
}
// Make sure PHP process doesn't die before loopback requests complete.
if ( function_exists( 'set_time_limit' ) ) {
set_time_limit( 5 * MINUTE_IN_SECONDS );
}
// Time to wait for loopback requests to finish.
$timeout = 100; // 100 seconds.
$needle_start = "###### wp_scraping_result_start:$scrape_key ######";
$needle_end = "###### wp_scraping_result_end:$scrape_key ######";
// Attempt loopback request to editor to see if user just whitescreened themselves.
if ( $plugin ) {
$url = add_query_arg( compact( 'plugin', 'file' ), admin_url( 'plugin-editor.php' ) );
} elseif ( isset( $stylesheet ) ) {
$url = add_query_arg(
array(
'theme' => $stylesheet,
'file' => $file,
),
admin_url( 'theme-editor.php' )
);
} else {
$url = admin_url();
}
if ( function_exists( 'session_status' ) && PHP_SESSION_ACTIVE === session_status() ) {
/*
* Close any active session to prevent HTTP requests from timing out
* when attempting to connect back to the site.
*/
session_write_close();
}
$url = add_query_arg( $scrape_params, $url );
$r = wp_remote_get( $url, compact( 'cookies', 'headers', 'timeout', 'sslverify' ) );
$body = wp_remote_retrieve_body( $r );
$scrape_result_position = strpos( $body, $needle_start );
$loopback_request_failure = array(
'code' => 'loopback_request_failed',
'message' => __( 'Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.' ),
);
$json_parse_failure = array(
'code' => 'json_parse_error',
);
$result = null;
if ( false === $scrape_result_position ) {
$result = $loopback_request_failure;
} else {
$error_output = substr( $body, $scrape_result_position + strlen( $needle_start ) );
$error_output = substr( $error_output, 0, strpos( $error_output, $needle_end ) );
$result = json_decode( trim( $error_output ), true );
if ( empty( $result ) ) {
$result = $json_parse_failure;
}
}
// Try making request to homepage as well to see if visitors have been whitescreened.
if ( true === $result ) {
$url = home_url( '/' );
$url = add_query_arg( $scrape_params, $url );
$r = wp_remote_get( $url, compact( 'cookies', 'headers', 'timeout', 'sslverify' ) );
$body = wp_remote_retrieve_body( $r );
$scrape_result_position = strpos( $body, $needle_start );
if ( false === $scrape_result_position ) {
$result = $loopback_request_failure;
} else {
$error_output = substr( $body, $scrape_result_position + strlen( $needle_start ) );
$error_output = substr( $error_output, 0, strpos( $error_output, $needle_end ) );
$result = json_decode( trim( $error_output ), true );
if ( empty( $result ) ) {
$result = $json_parse_failure;
}
}
}
delete_transient( $transient );
if ( true !== $result ) {
// Roll-back file change.
file_put_contents( $real_file, $previous_content );
wp_opcache_invalidate( $real_file, true );
if ( ! isset( $result['message'] ) ) {
$message = __( 'An error occurred. Please try again later.' );
} else {
$message = $result['message'];
unset( $result['message'] );
}
return new WP_Error( 'php_error', $message, $result );
}
}
if ( $theme instanceof WP_Theme ) {
$theme->cache_delete();
}
return true;
}
Hooks
- apply_filters( ‘https_local_ssl_verify’, bool|string $ssl_verify, string $url )
-
Filters whether SSL should be verified for local HTTP API requests.
Changelog
| Version | Description |
|---|---|
| 4.9.0 | Introduced. |