Wordpress 3.6
[autoinstalls/wordpress.git] / wp-includes / class-wp-xmlrpc-server.php
index e4a2d961fa61d27ea116d06529211468fb8dd926..922e0284a4b8e146d1dfd1f3eb4db47911b64ee5 100644 (file)
@@ -12,8 +12,8 @@
  * pingback. Additional WordPress API for managing comments, pages, posts,
  * options, etc.
  *
- * Since WordPress 2.6.0, WordPress XMLRPC server can be disabled in the
- * administration panels.
+ * As of WordPress 3.5.0, XML-RPC is enabled by default. It can be disabled
+ * via the xmlrpc_enabled filter found in wp_xmlrpc_server::login().
  *
  * @package WordPress
  * @subpackage Publishing
@@ -211,28 +211,22 @@ class wp_xmlrpc_server extends IXR_Server {
        }
 
        /**
-        * Sanitize string or array of strings for database.
+        * Escape string or array of strings for database.
         *
         * @since 1.5.2
         *
-        * @param string|array $array Sanitize single string or array of strings.
-        * @return string|array Type matches $array and sanitized for the database.
+        * @param string|array $data Escape single string or array of strings.
+        * @return string|array Type matches $data and sanitized for the database.
         */
-       function escape(&$array) {
-               global $wpdb;
-
-               if (!is_array($array)) {
-                       return($wpdb->escape($array));
-               } else {
-                       foreach ( (array) $array as $k => $v ) {
-                               if ( is_array($v) ) {
-                                       $this->escape($array[$k]);
-                               } else if ( is_object($v) ) {
-                                       //skip
-                               } else {
-                                       $array[$k] = $wpdb->escape($v);
-                               }
-                       }
+       function escape( &$data ) {
+               if ( ! is_array( $data ) )
+                       return wp_slash( $data );
+
+               foreach ( $data as &$v ) {
+                       if ( is_array( $v ) )
+                               $this->escape( $v );
+                       elseif ( ! is_object( $v ) )
+                               $v = wp_slash( $v );
                }
        }
 
@@ -280,16 +274,16 @@ class wp_xmlrpc_server extends IXR_Server {
                                $meta['id'] = (int) $meta['id'];
                                $pmeta = get_metadata_by_mid( 'post', $meta['id'] );
                                if ( isset($meta['key']) ) {
-                                       $meta['key'] = stripslashes( $meta['key'] );
-                                       if ( $meta['key'] != $pmeta->meta_key )
+                                       $meta['key'] = wp_unslash( $meta['key'] );
+                                       if ( $meta['key'] !== $pmeta->meta_key )
                                                continue;
-                                       $meta['value'] = stripslashes_deep( $meta['value'] );
+                                       $meta['value'] = wp_unslash( $meta['value'] );
                                        if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) )
                                                update_metadata_by_mid( 'post', $meta['id'], $meta['value'] );
                                } elseif ( current_user_can( 'delete_post_meta', $post_id, $pmeta->meta_key ) ) {
                                        delete_metadata_by_mid( 'post', $meta['id'] );
                                }
-                       } elseif ( current_user_can( 'add_post_meta', $post_id, stripslashes( $meta['key'] ) ) ) {
+                       } elseif ( current_user_can( 'add_post_meta', $post_id, wp_unslash( $meta['key'] ) ) ) {
                                add_post_meta( $post_id, $meta['key'], $meta['value'] );
                        }
                }
@@ -318,15 +312,25 @@ class wp_xmlrpc_server extends IXR_Server {
                                'value'         => $wp_version
                        ),
                        'blog_url'          => array(
-                               'desc'          => __( 'Site URL' ),
+                               'desc'          => __( 'WordPress Address (URL)' ),
                                'readonly'      => true,
                                'option'        => 'siteurl'
                        ),
                        'home_url'          => array(
-                               'desc'          => __( 'Home URL' ),
+                               'desc'          => __( 'Site Address (URL)' ),
                                'readonly'      => true,
                                'option'        => 'home'
                        ),
+                       'login_url'          => array(
+                               'desc'          => __( 'Login Address (URL)' ),
+                               'readonly'      => true,
+                               'value'         => wp_login_url( )
+                       ),
+                       'admin_url'          => array(
+                               'desc'          => __( 'The URL to the admin area' ),
+                               'readonly'      => true,
+                               'value'         => get_admin_url( )
+                       ),
                        'image_default_link_type' => array(
                                'desc'          => __( 'Image default link type' ),
                                'readonly'      => true,
@@ -562,13 +566,13 @@ class wp_xmlrpc_server extends IXR_Server {
                if ( ! is_array( $_term) )
                        $_term = get_object_vars( $_term );
 
-               // For Intergers which may be largeer than XMLRPC supports ensure we return strings.
+               // For integers which may be larger than XML-RPC supports ensure we return strings.
                $_term['term_id'] = strval( $_term['term_id'] );
                $_term['term_group'] = strval( $_term['term_group'] );
                $_term['term_taxonomy_id'] = strval( $_term['term_taxonomy_id'] );
                $_term['parent'] = strval( $_term['parent'] );
 
-               // Count we are happy to return as an Integer because people really shouldn't use Terms that much.
+               // Count we are happy to return as an integer because people really shouldn't use terms that much.
                $_term['count'] = intval( $_term['count'] );
 
                return apply_filters( 'xmlrpc_prepare_term', $_term, $term );
@@ -1007,7 +1011,7 @@ class wp_xmlrpc_server extends IXR_Server {
                if ( $update ) {
                        if ( ! get_post( $post_data['ID'] ) )
                                return new IXR_Error( 401, __( 'Invalid post ID.' ) );
-                       if ( ! current_user_can( $post_type->cap->edit_post, $post_data['ID'] ) )
+                       if ( ! current_user_can( 'edit_post', $post_data['ID'] ) )
                                return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this post.' ) );
                        if ( $post_data['post_type'] != get_post_type( $post_data['ID'] ) )
                                return new IXR_Error( 401, __( 'The post type may not be changed.' ) );
@@ -1317,8 +1321,7 @@ class wp_xmlrpc_server extends IXR_Server {
                if ( empty( $post['ID'] ) )
                        return new IXR_Error( 404, __( 'Invalid post ID.' ) );
 
-               $post_type = get_post_type_object( $post['post_type'] );
-               if ( ! current_user_can( $post_type->cap->delete_post, $post_id ) )
+               if ( ! current_user_can( 'delete_post', $post_id ) )
                        return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete this post.' ) );
 
                $result = wp_delete_post( $post_id );
@@ -1399,8 +1402,7 @@ class wp_xmlrpc_server extends IXR_Server {
                if ( empty( $post['ID'] ) )
                        return new IXR_Error( 404, __( 'Invalid post ID.' ) );
 
-               $post_type = get_post_type_object( $post['post_type'] );
-               if ( ! current_user_can( $post_type->cap->edit_post, $post_id ) )
+               if ( ! current_user_can( 'edit_post', $post_id ) )
                        return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) );
 
                return $this->_prepare_post( $post, $fields );
@@ -1495,8 +1497,7 @@ class wp_xmlrpc_server extends IXR_Server {
                $struct = array();
 
                foreach ( $posts_list as $post ) {
-                       $post_type = get_post_type_object( $post['post_type'] );
-                       if ( ! current_user_can( $post_type->cap->edit_post, $post['ID'] ) )
+                       if ( ! current_user_can( 'edit_post', $post['ID'] ) )
                                continue;
 
                        $struct[] = $this->_prepare_post( $post, $fields );
@@ -2978,9 +2979,9 @@ class wp_xmlrpc_server extends IXR_Server {
                $comment['comment_post_ID'] = $post_id;
 
                if ( $logged_in ) {
-                       $comment['comment_author'] = $wpdb->escape( $user->display_name );
-                       $comment['comment_author_email'] = $wpdb->escape( $user->user_email );
-                       $comment['comment_author_url'] = $wpdb->escape( $user->user_url );
+                       $comment['comment_author'] = $this->escape( $user->display_name );
+                       $comment['comment_author_email'] = $this->escape( $user->user_email );
+                       $comment['comment_author_url'] = $this->escape( $user->user_url );
                        $comment['user_ID'] = $user->ID;
                } else {
                        $comment['comment_author'] = '';
@@ -3192,6 +3193,7 @@ class wp_xmlrpc_server extends IXR_Server {
         */
        function _getOptions($options) {
                $data = array();
+               $can_manage = current_user_can( 'manage_options' );
                foreach ( $options as $option ) {
                        if ( array_key_exists( $option, $this->blog_options ) ) {
                                $data[$option] = $this->blog_options[$option];
@@ -3200,6 +3202,9 @@ class wp_xmlrpc_server extends IXR_Server {
                                        $data[$option]['value'] = get_option( $data[$option]['option'] );
                                        unset($data[$option]['option']);
                                }
+
+                               if ( ! $can_manage )
+                                       $data[$option]['readonly'] = true;
                        }
                }
 
@@ -3535,7 +3540,7 @@ class wp_xmlrpc_server extends IXR_Server {
                        return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit posts.' ) );
 
                // Check if revisions are enabled.
-               if ( ! WP_POST_REVISIONS || ! post_type_supports( $post->post_type, 'revisions' ) )
+               if ( ! wp_revisions_enabled( $post ) )
                        return new IXR_Error( 401, __( 'Sorry, revisions are disabled.' ) );
 
                $revisions = wp_get_post_revisions( $post_id );
@@ -3602,7 +3607,7 @@ class wp_xmlrpc_server extends IXR_Server {
                        return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) );
 
                // Check if revisions are disabled.
-               if ( ! WP_POST_REVISIONS || ! post_type_supports( $post->post_type, 'revisions' ) )
+               if ( ! wp_revisions_enabled( $post ) )
                        return new IXR_Error( 401, __( 'Sorry, revisions are disabled.' ) );
 
                $post = wp_restore_post_revision( $revision_id );
@@ -3746,9 +3751,9 @@ class wp_xmlrpc_server extends IXR_Server {
 
                $categories = implode(',', wp_get_post_categories($post_ID));
 
-               $content  = '<title>'.stripslashes($post_data['post_title']).'</title>';
+               $content  = '<title>'.wp_unslash($post_data['post_title']).'</title>';
                $content .= '<category>'.$categories.'</category>';
-               $content .= stripslashes($post_data['post_content']);
+               $content .= wp_unslash($post_data['post_content']);
 
                $struct = array(
                        'userid'    => $post_data['post_author'],
@@ -3784,6 +3789,9 @@ class wp_xmlrpc_server extends IXR_Server {
                if ( !$user = $this->login($username, $password) )
                        return $this->error;
 
+               if ( ! current_user_can( 'edit_posts' ) )
+                       return new IXR_Error( 401, __( 'Sorry, you cannot edit posts on this site.' ) );
+
                do_action('xmlrpc_call', 'blogger.getRecentPosts');
 
                $posts_list = wp_get_recent_posts( $query );
@@ -3800,9 +3808,9 @@ class wp_xmlrpc_server extends IXR_Server {
                        $post_date  = $this->_convert_date( $entry['post_date'] );
                        $categories = implode(',', wp_get_post_categories($entry['ID']));
 
-                       $content  = '<title>'.stripslashes($entry['post_title']).'</title>';
+                       $content  = '<title>'.wp_unslash($entry['post_title']).'</title>';
                        $content .= '<category>'.$categories.'</category>';
-                       $content .= stripslashes($entry['post_content']);
+                       $content .= wp_unslash($entry['post_content']);
 
                        $struct[] = array(
                                'userid' => $entry['post_author'],
@@ -4300,22 +4308,20 @@ class wp_xmlrpc_server extends IXR_Server {
                return strval($post_ID);
        }
 
-       function add_enclosure_if_new($post_ID, $enclosure) {
+       function add_enclosure_if_new( $post_ID, $enclosure ) {
                if ( is_array( $enclosure ) && isset( $enclosure['url'] ) && isset( $enclosure['length'] ) && isset( $enclosure['type'] ) ) {
-
-                       $encstring = $enclosure['url'] . "\n" . $enclosure['length'] . "\n" . $enclosure['type'];
+                       $encstring = $enclosure['url'] . "\n" . $enclosure['length'] . "\n" . $enclosure['type'] . "\n";
                        $found = false;
-                       foreach ( (array) get_post_custom($post_ID) as $key => $val) {
-                               if ($key == 'enclosure') {
-                                       foreach ( (array) $val as $enc ) {
-                                               if ($enc == $encstring) {
-                                                       $found = true;
-                                                       break 2;
-                                               }
+                       if ( $enclosures = get_post_meta( $post_ID, 'enclosure' ) ) {
+                               foreach ( $enclosures as $enc ) {
+                                       // This method used to omit the trailing new line. #23219
+                                       if ( rtrim( $enc, "\n" ) == rtrim( $encstring, "\n" ) ) {
+                                               $found = true;
+                                               break;
                                        }
                                }
                        }
-                       if (!$found)
+                       if ( ! $found )
                                add_post_meta( $post_ID, 'enclosure', $encstring );
                }
        }
@@ -4335,7 +4341,7 @@ class wp_xmlrpc_server extends IXR_Server {
                $attachments = $wpdb->get_results( "SELECT ID, guid FROM {$wpdb->posts} WHERE post_parent = '0' AND post_type = 'attachment'" );
                if ( is_array( $attachments ) ) {
                        foreach ( $attachments as $file ) {
-                               if ( strpos( $post_content, $file->guid ) !== false )
+                               if ( ! empty( $file->guid ) && strpos( $post_content, $file->guid ) !== false )
                                        $wpdb->update($wpdb->posts, array('post_parent' => $post_ID), array('ID' => $file->ID) );
                        }
                }
@@ -4757,6 +4763,9 @@ class wp_xmlrpc_server extends IXR_Server {
                if ( !$user = $this->login($username, $password) )
                        return $this->error;
 
+               if ( ! current_user_can( 'edit_posts' ) )
+                       return new IXR_Error( 401, __( 'Sorry, you cannot edit posts on this site.' ) );
+
                do_action('xmlrpc_call', 'metaWeblog.getRecentPosts');
 
                $posts_list = wp_get_recent_posts( $query );
@@ -4908,8 +4917,8 @@ class wp_xmlrpc_server extends IXR_Server {
                global $wpdb;
 
                $blog_ID     = (int) $args[0];
-               $username  = $wpdb->escape($args[1]);
-               $password   = $wpdb->escape($args[2]);
+               $username  = $this->escape($args[1]);
+               $password   = $this->escape($args[2]);
                $data        = $args[3];
 
                $name = sanitize_file_name( $data['name'] );
@@ -5380,7 +5389,12 @@ class wp_xmlrpc_server extends IXR_Server {
                sleep(1);
 
                // Let's check the remote site
-               $linea = wp_remote_retrieve_body( wp_remote_get( $pagelinkedfrom, array( 'timeout' => 10, 'redirection' => 0, 'reject_unsafe_urls' => true ) ) );
+               $http_api_args = array(
+                       'timeout' => 10,
+                       'redirection' => 0,
+                       'limit_response_size' => 153600, // 150 KB
+               );
+               $linea = wp_remote_retrieve_body( wp_safe_remote_get( $pagelinkedfrom, $http_api_args ) );
 
                if ( !$linea )
                        return $this->pingback_error( 16, __( 'The source URL does not exist.' ) );
@@ -5389,7 +5403,7 @@ class wp_xmlrpc_server extends IXR_Server {
 
                // Work around bug in strip_tags():
                $linea = str_replace('<!DOC', '<DOC', $linea);
-               $linea = preg_replace( '/[\s\r\n\t]+/', ' ', $linea ); // normalize spaces
+               $linea = preg_replace( '/[\r\n\t ]+/', ' ', $linea ); // normalize spaces
                $linea = preg_replace( "/<\/*(h1|h2|h3|h4|h5|h6|p|th|td|li|dt|dd|pre|caption|input|textarea|button|body)[^>]*>/", "\n\n", $linea );
 
                preg_match('|<title>([^<]*?)</title>|is', $linea, $matchtitle);
@@ -5417,7 +5431,7 @@ class wp_xmlrpc_server extends IXR_Server {
 
                                // prevent really long link text
                                if ( strlen($context[1]) > 100 )
-                                       $context[1] = substr($context[1], 0, 100) . '...';
+                                       $context[1] = substr($context[1], 0, 100) . '&#8230;';
 
                                $marker = '<wpcontext>'.$context[1].'</wpcontext>';    // set up our marker
                                $excerpt= str_replace($context[0], $marker, $excerpt); // swap out the link for our marker
@@ -5435,8 +5449,8 @@ class wp_xmlrpc_server extends IXR_Server {
 
                $pagelinkedfrom = str_replace('&', '&amp;', $pagelinkedfrom);
 
-               $context = '[...] ' . esc_html( $excerpt ) . ' [...]';
-               $pagelinkedfrom = $wpdb->escape( $pagelinkedfrom );
+               $context = '[&#8230;] ' . esc_html( $excerpt ) . ' [&#8230;]';
+               $pagelinkedfrom = $this->escape( $pagelinkedfrom );
 
                $comment_post_ID = (int) $post_ID;
                $comment_author = $title;