X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/11be8dc178e77d0b46189bbd8e33a216a9b90942..refs/tags/wordpress-2.8:/xmlrpc.php diff --git a/xmlrpc.php b/xmlrpc.php index c45b14fa..55279426 100644 --- a/xmlrpc.php +++ b/xmlrpc.php @@ -238,6 +238,8 @@ class wp_xmlrpc_server extends IXR_Server { * @param string $user_login User's username. * @param string $user_pass User's password. * @return bool Whether authentication passed. + * @deprecated use wp_xmlrpc_server::login + * @see wp_xmlrpc_server::login */ function login_pass_ok($user_login, $user_pass) { if ( !get_option( 'enable_xmlrpc' ) ) { @@ -252,6 +254,32 @@ class wp_xmlrpc_server extends IXR_Server { return true; } + /** + * Log user in. + * + * @since 2.8 + * + * @param string $username User's username. + * @param string $password User's password. + * @return mixed WP_User object if authentication passed, false otherwise + */ + function login($username, $password) { + if ( !get_option( 'enable_xmlrpc' ) ) { + $this->error = new IXR_Error( 405, sprintf( __( 'XML-RPC services are disabled on this blog. An admin user can enable them at %s'), admin_url('options-writing.php') ) ); + return false; + } + + $user = wp_authenticate($username, $password); + + if (is_wp_error($user)) { + $this->error = new IXR_Error(403, __('Bad login/pass combination.')); + return false; + } + + set_current_user( $user->ID ); + return $user; + } + /** * Sanitize string or array of strings for database. * @@ -417,13 +445,12 @@ class wp_xmlrpc_server extends IXR_Server { $username = $args[0]; $password = $args[1]; - if( !$this->login_pass_ok( $username, $password ) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; + } do_action( 'xmlrpc_call', 'wp.getUsersBlogs' ); - $user = set_current_user( 0, $username ); - $blogs = (array) get_blogs_of_user( $user->ID ); $struct = array( ); @@ -441,7 +468,7 @@ class wp_xmlrpc_server extends IXR_Server { 'url' => get_option( 'home' ) . '/', 'blogid' => $blog_id, 'blogName' => get_option( 'blogname' ), - 'xmlrpc' => get_option( 'home' ) . '/xmlrpc.php' + 'xmlrpc' => site_url( 'xmlrpc.php' ) ); restore_current_blog( ); @@ -466,13 +493,12 @@ class wp_xmlrpc_server extends IXR_Server { $username = $args[2]; $password = $args[3]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_page', $page_id ) ) - return new IXR_Error( 401, __( 'Sorry, you can not edit this page.' ) ); + return new IXR_Error( 401, __( 'Sorry, you cannot edit this page.' ) ); do_action('xmlrpc_call', 'wp.getPage'); @@ -493,12 +519,12 @@ class wp_xmlrpc_server extends IXR_Server { } // Determine comment and ping settings. - $allow_comments = ("open" == $page->comment_status) ? 1 : 0; - $allow_pings = ("open" == $page->ping_status) ? 1 : 0; + $allow_comments = comments_open($page->ID) ? 1 : 0; + $allow_pings = pings_open($page->ID) ? 1 : 0; // Format page date. - $page_date = mysql2date("Ymd\TH:i:s", $page->post_date); - $page_date_gmt = mysql2date("Ymd\TH:i:s", $page->post_date_gmt); + $page_date = mysql2date("Ymd\TH:i:s", $page->post_date, false); + $page_date_gmt = mysql2date("Ymd\TH:i:s", $page->post_date_gmt, false); // Pull the categories info together. $categories = array(); @@ -564,13 +590,12 @@ class wp_xmlrpc_server extends IXR_Server { $password = $args[2]; $num_pages = (int) $args[3]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_pages' ) ) - return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) ); + return new IXR_Error( 401, __( 'Sorry, you cannot edit pages.' ) ); do_action('xmlrpc_call', 'wp.getPages'); @@ -579,7 +604,7 @@ class wp_xmlrpc_server extends IXR_Server { $page_limit = $num_pages; } - $pages = get_posts( "post_type=page&post_status=all&numberposts={$page_limit}" ); + $pages = get_posts( array('post_type' => 'page', 'post_status' => 'all', 'numberposts' => $page_limit) ); $num_pages = count($pages); // If we have pages, put together their info. @@ -616,17 +641,15 @@ class wp_xmlrpc_server extends IXR_Server { $page = $args[3]; $publish = $args[4]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } do_action('xmlrpc_call', 'wp.newPage'); - // Set the user context and check if they are allowed - // to add new pages. - $user = set_current_user(0, $username); + // Make sure the user is allowed to add new pages. if(!current_user_can("publish_pages")) { - return(new IXR_Error(401, __("Sorry, you can not add new pages."))); + return(new IXR_Error(401, __("Sorry, you cannot add new pages."))); } // Mark this as content for a page. @@ -652,8 +675,8 @@ class wp_xmlrpc_server extends IXR_Server { $password = $args[2]; $page_id = (int) $args[3]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } do_action('xmlrpc_call', 'wp.deletePage'); @@ -668,8 +691,7 @@ class wp_xmlrpc_server extends IXR_Server { return(new IXR_Error(404, __("Sorry, no such page."))); } - // Set the user context and make sure they can delete pages. - set_current_user(0, $username); + // Make sure the user can delete pages. if(!current_user_can("delete_page", $page_id)) { return(new IXR_Error(401, __("Sorry, you do not have the right to delete this page."))); } @@ -700,8 +722,8 @@ class wp_xmlrpc_server extends IXR_Server { $content = $args[4]; $publish = $args[5]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } do_action('xmlrpc_call', 'wp.editPage'); @@ -715,8 +737,7 @@ class wp_xmlrpc_server extends IXR_Server { return(new IXR_Error(404, __("Sorry, no such page."))); } - // Set the user context and make sure they are allowed to edit pages. - set_current_user(0, $username); + // Make sure the user is allowed to edit pages. if(!current_user_can("edit_page", $page_id)) { return(new IXR_Error(401, __("Sorry, you do not have the right to edit this page."))); } @@ -754,13 +775,12 @@ class wp_xmlrpc_server extends IXR_Server { $username = $args[1]; $password = $args[2]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_pages' ) ) - return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) ); + return new IXR_Error( 401, __( 'Sorry, you cannot edit pages.' ) ); do_action('xmlrpc_call', 'wp.getPageList'); @@ -779,8 +799,8 @@ class wp_xmlrpc_server extends IXR_Server { // The date needs to be formated properly. $num_pages = count($page_list); for($i = 0; $i < $num_pages; $i++) { - $post_date = mysql2date("Ymd\TH:i:s", $page_list[$i]->post_date); - $post_date_gmt = mysql2date("Ymd\TH:i:s", $page_list[$i]->post_date_gmt); + $post_date = mysql2date("Ymd\TH:i:s", $page_list[$i]->post_date, false); + $post_date_gmt = mysql2date("Ymd\TH:i:s", $page_list[$i]->post_date_gmt, false); $page_list[$i]->dateCreated = new IXR_Date($post_date); $page_list[$i]->date_created_gmt = new IXR_Date($post_date_gmt); @@ -808,13 +828,12 @@ class wp_xmlrpc_server extends IXR_Server { $username = $args[1]; $password = $args[2]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } - set_current_user(0, $username); if(!current_user_can("edit_posts")) { - return(new IXR_Error(401, __("Sorry, you can not edit posts on this blog."))); + return(new IXR_Error(401, __("Sorry, you cannot edit posts on this blog."))); } do_action('xmlrpc_call', 'wp.getAuthors'); @@ -846,11 +865,10 @@ class wp_xmlrpc_server extends IXR_Server { $username = $args[1]; $password = $args[2]; - if( !$this->login_pass_ok( $username, $password ) ) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view tags.' ) ); } @@ -865,8 +883,8 @@ class wp_xmlrpc_server extends IXR_Server { $struct['name'] = $tag->name; $struct['count'] = $tag->count; $struct['slug'] = $tag->slug; - $struct['html_url'] = wp_specialchars( get_tag_link( $tag->term_id ) ); - $struct['rss_url'] = wp_specialchars( get_tag_feed_link( $tag->term_id ) ); + $struct['html_url'] = esc_html( get_tag_link( $tag->term_id ) ); + $struct['rss_url'] = esc_html( get_tag_feed_link( $tag->term_id ) ); $tags[] = $struct; } @@ -891,15 +909,13 @@ class wp_xmlrpc_server extends IXR_Server { $password = $args[2]; $category = $args[3]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } do_action('xmlrpc_call', 'wp.newCategory'); - // Set the user context and make sure they are - // allowed to add a category. - set_current_user(0, $username); + // Make sure the user is allowed to add a category. if(!current_user_can("manage_categories")) { return(new IXR_Error(401, __("Sorry, you do not have the right to add a category."))); } @@ -951,13 +967,12 @@ class wp_xmlrpc_server extends IXR_Server { $password = $args[2]; $category_id = (int) $args[3]; - if( !$this->login_pass_ok( $username, $password ) ) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'wp.deleteCategory'); - set_current_user(0, $username); if( !current_user_can("manage_categories") ) { return new IXR_Error( 401, __( "Sorry, you do not have the right to delete a category." ) ); } @@ -982,11 +997,10 @@ class wp_xmlrpc_server extends IXR_Server { $category = $args[3]; $max_results = (int) $args[4]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } - set_current_user(0, $username); if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts to this blog in order to view categories.' ) ); @@ -1020,10 +1034,10 @@ class wp_xmlrpc_server extends IXR_Server { $password = $args[2]; $comment_id = (int) $args[3]; - if ( !$this->login_pass_ok( $username, $password ) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; + } - set_current_user( 0, $username ); if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) ); @@ -1033,8 +1047,8 @@ class wp_xmlrpc_server extends IXR_Server { return new IXR_Error( 404, __( 'Invalid comment ID.' ) ); // Format page date. - $comment_date = mysql2date("Ymd\TH:i:s", $comment->comment_date); - $comment_date_gmt = mysql2date("Ymd\TH:i:s", $comment->comment_date_gmt); + $comment_date = mysql2date("Ymd\TH:i:s", $comment->comment_date, false); + $comment_date_gmt = mysql2date("Ymd\TH:i:s", $comment->comment_date_gmt, false); if ( 0 == $comment->comment_approved ) $comment_status = 'hold'; @@ -1083,12 +1097,12 @@ class wp_xmlrpc_server extends IXR_Server { $password = $args[2]; $struct = $args[3]; - if ( !$this->login_pass_ok($username, $password) ) - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; + } - set_current_user( 0, $username ); if ( !current_user_can( 'moderate_comments' ) ) - return new IXR_Error( 401, __( 'Sorry, you can not edit comments.' ) ); + return new IXR_Error( 401, __( 'Sorry, you cannot edit comments.' ) ); do_action('xmlrpc_call', 'wp.getComments'); @@ -1143,10 +1157,10 @@ class wp_xmlrpc_server extends IXR_Server { $password = $args[2]; $comment_ID = (int) $args[3]; - if ( !$this->login_pass_ok( $username, $password ) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; + } - set_current_user( 0, $username ); if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) ); @@ -1175,10 +1189,10 @@ class wp_xmlrpc_server extends IXR_Server { $comment_ID = (int) $args[3]; $content_struct = $args[4]; - if ( !$this->login_pass_ok( $username, $password ) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; + } - set_current_user( 0, $username ); if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) ); @@ -1249,7 +1263,9 @@ class wp_xmlrpc_server extends IXR_Server { $allow_anon = apply_filters('xmlrpc_allow_anonymous_comments', false); - if ( !$this->login_pass_ok( $username, $password ) ) { + $user = $this->login($username, $password); + + if ( !$user ) { $logged_in = false; if ( $allow_anon && get_option('comment_registration') ) return new IXR_Error( 403, __( 'You must be registered to comment' ) ); @@ -1257,7 +1273,6 @@ class wp_xmlrpc_server extends IXR_Server { return $this->error; } else { $logged_in = true; - set_current_user( 0, $username ); } if ( is_numeric($post) ) @@ -1274,7 +1289,6 @@ class wp_xmlrpc_server extends IXR_Server { $comment['comment_post_ID'] = $post_id; if ( $logged_in ) { - $user = wp_get_current_user(); $comment['comment_author'] = $wpdb->escape( $user->display_name ); $comment['comment_author_email'] = $wpdb->escape( $user->user_email ); $comment['comment_author_url'] = $wpdb->escape( $user->user_url ); @@ -1326,10 +1340,10 @@ class wp_xmlrpc_server extends IXR_Server { $username = $args[1]; $password = $args[2]; - if ( !$this->login_pass_ok( $username, $password ) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; + } - set_current_user( 0, $username ); if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); @@ -1354,11 +1368,10 @@ class wp_xmlrpc_server extends IXR_Server { $password = $args[2]; $post_id = (int) $args[3]; - if( !$this->login_pass_ok( $username, $password ) ) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about comments.' ) ); } @@ -1389,11 +1402,10 @@ class wp_xmlrpc_server extends IXR_Server { $username = $args[1]; $password = $args[2]; - if( !$this->login_pass_ok( $username, $password ) ) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); } @@ -1418,11 +1430,10 @@ class wp_xmlrpc_server extends IXR_Server { $username = $args[1]; $password = $args[2]; - if( !$this->login_pass_ok( $username, $password ) ) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); } @@ -1447,11 +1458,10 @@ class wp_xmlrpc_server extends IXR_Server { $username = $args[1]; $password = $args[2]; - if( !$this->login_pass_ok( $username, $password ) ) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_pages' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); } @@ -1478,10 +1488,9 @@ class wp_xmlrpc_server extends IXR_Server { $password = $args[2]; $options = (array) $args[3]; - if( !$this->login_pass_ok( $username, $password ) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; - - $user = set_current_user( 0, $username ); + } // If no specific options where asked for, return all of them if (count( $options ) == 0 ) { @@ -1533,10 +1542,10 @@ class wp_xmlrpc_server extends IXR_Server { $password = $args[2]; $options = (array) $args[3]; - if( !$this->login_pass_ok( $username, $password ) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; + } - $user = set_current_user( 0, $username ); if( !current_user_can( 'manage_options' ) ) return new IXR_Error( 403, __( 'You are not allowed to update options.' ) ); @@ -1576,16 +1585,15 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'blogger.getUsersBlogs'); - set_current_user(0, $user_login); $is_admin = current_user_can('manage_options'); $struct = array( @@ -1593,7 +1601,7 @@ class wp_xmlrpc_server extends IXR_Server { 'url' => get_option('home') . '/', 'blogid' => '1', 'blogName' => get_option('blogname'), - 'xmlrpc' => get_option('home') . '/xmlrpc.php', + 'xmlrpc' => site_url( 'xmlrpc.php' ) ); return array($struct); @@ -1613,27 +1621,24 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you do not have access to user data on this blog.' ) ); do_action('xmlrpc_call', 'blogger.getUserInfo'); - $user_data = get_userdatabylogin($user_login); - $struct = array( - 'nickname' => $user_data->nickname, - 'userid' => $user_data->ID, - 'url' => $user_data->user_url, - 'lastname' => $user_data->last_name, - 'firstname' => $user_data->first_name + 'nickname' => $user->nickname, + 'userid' => $user->ID, + 'url' => $user->user_url, + 'lastname' => $user->last_name, + 'firstname' => $user->first_name ); return $struct; @@ -1652,16 +1657,15 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $post_ID = (int) $args[1]; - $user_login = $args[2]; - $user_pass = $args[3]; + $username = $args[2]; + $password = $args[3]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_post', $post_ID ) ) - return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); + return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) ); do_action('xmlrpc_call', 'blogger.getPost'); @@ -1675,7 +1679,7 @@ class wp_xmlrpc_server extends IXR_Server { $struct = array( 'userid' => $post_data['post_author'], - 'dateCreated' => new IXR_Date(mysql2date('Ymd\TH:i:s', $post_data['post_date'])), + 'dateCreated' => new IXR_Date(mysql2date('Ymd\TH:i:s', $post_data['post_date'], false)), 'content' => $content, 'postid' => $post_data['ID'] ); @@ -1696,11 +1700,11 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $blog_ID = (int) $args[1]; /* though we don't use it yet */ - $user_login = $args[2]; - $user_pass = $args[3]; + $username = $args[2]; + $password = $args[3]; $num_posts = $args[4]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } @@ -1708,8 +1712,6 @@ class wp_xmlrpc_server extends IXR_Server { $posts_list = wp_get_recent_posts($num_posts); - set_current_user( 0, $user_login ); - if (!$posts_list) { $this->error = new IXR_Error(500, __('Either there are no posts, or something went wrong.')); return $this->error; @@ -1719,7 +1721,7 @@ class wp_xmlrpc_server extends IXR_Server { if( !current_user_can( 'edit_post', $entry['ID'] ) ) continue; - $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); + $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date'], false); $categories = implode(',', wp_get_post_categories($entry['ID'])); $content = ''.stripslashes($entry['post_title']).''; @@ -1756,17 +1758,16 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $blog_ID = (int) $args[1]; - $user_login = $args[2]; - $user_pass = $args[3]; + $username = $args[2]; + $password = $args[3]; $template = $args[4]; /* could be 'main' or 'archiveIndex', but we don't use it */ - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'blogger.getTemplate'); - set_current_user(0, $user_login); if ( !current_user_can('edit_themes') ) { return new IXR_Error(401, __('Sorry, this user can not edit the template.')); } @@ -1798,20 +1799,19 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $blog_ID = (int) $args[1]; - $user_login = $args[2]; - $user_pass = $args[3]; + $username = $args[2]; + $password = $args[3]; $content = $args[4]; $template = $args[5]; /* could be 'main' or 'archiveIndex', but we don't use it */ - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'blogger.setTemplate'); - set_current_user(0, $user_login); if ( !current_user_can('edit_themes') ) { - return new IXR_Error(401, __('Sorry, this user can not edit the template.')); + return new IXR_Error(401, __('Sorry, this user cannot edit the template.')); } /* warning: here we make the assumption that the blog's URL is on the same server */ @@ -1841,19 +1841,18 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $blog_ID = (int) $args[1]; /* though we don't use it yet */ - $user_login = $args[2]; - $user_pass = $args[3]; + $username = $args[2]; + $password = $args[3]; $content = $args[4]; $publish = $args[5]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'blogger.newPost'); $cap = ($publish) ? 'publish_posts' : 'edit_posts'; - $user = set_current_user(0, $user_login); if ( !current_user_can($cap) ) return new IXR_Error(401, __('Sorry, you are not allowed to post on this blog.')); @@ -1897,12 +1896,12 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $post_ID = (int) $args[1]; - $user_login = $args[2]; - $user_pass = $args[3]; + $username = $args[2]; + $password = $args[3]; $content = $args[4]; $publish = $args[5]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } @@ -1916,7 +1915,6 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($actual_post); - set_current_user(0, $user_login); if ( !current_user_can('edit_post', $post_ID) ) return new IXR_Error(401, __('Sorry, you do not have the right to edit this post.')); @@ -1953,11 +1951,11 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $post_ID = (int) $args[1]; - $user_login = $args[2]; - $user_pass = $args[3]; + $username = $args[2]; + $password = $args[3]; $publish = $args[4]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } @@ -1969,7 +1967,6 @@ class wp_xmlrpc_server extends IXR_Server { return new IXR_Error(404, __('Sorry, no such post.')); } - set_current_user(0, $user_login); if ( !current_user_can('edit_post', $post_ID) ) return new IXR_Error(401, __('Sorry, you do not have the right to delete this post.')); @@ -1998,15 +1995,14 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $blog_ID = (int) $args[0]; // we will support this in the near future - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; $content_struct = $args[3]; $publish = $args[4]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - $user = set_current_user(0, $user_login); do_action('xmlrpc_call', 'metaWeblog.newPost'); @@ -2219,15 +2215,19 @@ class wp_xmlrpc_server extends IXR_Server { return new IXR_Error(500, __('Sorry, your entry could not be posted. Something wrong happened.')); } + // Only posts can be sticky + if ( $post_type == 'post' && isset( $content_struct['sticky'] ) ) + if ( $content_struct['sticky'] == true ) + stick_post( $post_ID ); + elseif ( $content_struct['sticky'] == false ) + unstick_post( $post_ID ); + if ( isset($content_struct['custom_fields']) ) { $this->set_custom_fields($post_ID, $content_struct['custom_fields']); } // Handle enclosures - $enclosure = $content_struct['enclosure']; - if( is_array( $enclosure ) && isset( $enclosure['url'] ) && isset( $enclosure['length'] ) && isset( $enclosure['type'] ) ) { - add_post_meta( $post_ID, 'enclosure', $enclosure['url'] . "\n" . $enclosure['length'] . "\n" . $enclosure['type'] ); - } + $this->add_enclosure_if_new($post_ID, $content_struct['enclosure']); $this->attach_uploads( $post_ID, $post_content ); @@ -2236,6 +2236,27 @@ class wp_xmlrpc_server extends IXR_Server { return strval($post_ID); } + function add_enclosure_if_new($post_ID, $enclosure) { + if( is_array( $enclosure ) && isset( $enclosure['url'] ) && isset( $enclosure['length'] ) && isset( $enclosure['type'] ) ) { + + $encstring = $enclosure['url'] . "\n" . $enclosure['length'] . "\n" . $enclosure['type']; + $found = false; + foreach ( (array) get_post_custom($post_ID) as $key => $val) { + if ($key == 'enclosure') { + foreach ( (array) $val as $enc ) { + if ($enc == $encstring) { + $found = true; + break 2; + } + } + } + } + if (!$found) { + add_post_meta( $post_ID, 'enclosure', $encstring ); + } + } + } + /** * Attach upload to a post. * @@ -2252,7 +2273,7 @@ class wp_xmlrpc_server extends IXR_Server { if( is_array( $attachments ) ) { foreach( $attachments as $file ) { if( strpos( $post_content, $file->guid ) !== false ) { - $wpdb->query( $wpdb->prepare("UPDATE {$wpdb->posts} SET post_parent = %d WHERE ID = %d", $post_ID, $file->ID) ); + $wpdb->update($wpdb->posts, array('post_parent' => $post_ID), array('ID' => $file->ID) ); } } } @@ -2271,15 +2292,14 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; $content_struct = $args[3]; $publish = $args[4]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - $user = set_current_user(0, $user_login); do_action('xmlrpc_call', 'metaWeblog.editPost'); @@ -2314,7 +2334,7 @@ class wp_xmlrpc_server extends IXR_Server { // now and return an error. Other wise a new post will be // created (which was the old behavior). if(empty($postdata["ID"])) { - return(new IXR_Error(404, __("Invalid post id."))); + return(new IXR_Error(404, __("Invalid post ID."))); } $this->escape($postdata); @@ -2502,15 +2522,19 @@ class wp_xmlrpc_server extends IXR_Server { return new IXR_Error(500, __('Sorry, your entry could not be edited. Something wrong happened.')); } + // Only posts can be sticky + if ( $post_type == 'post' && isset( $content_struct['sticky'] ) ) + if ( $content_struct['sticky'] == true ) + stick_post( $post_ID ); + elseif ( $content_struct['sticky'] == false ) + unstick_post( $post_ID ); + if ( isset($content_struct['custom_fields']) ) { $this->set_custom_fields($post_ID, $content_struct['custom_fields']); } // Handle enclosures - $enclosure = $content_struct['enclosure']; - if( is_array( $enclosure ) && isset( $enclosure['url'] ) && isset( $enclosure['length'] ) && isset( $enclosure['type'] ) ) { - add_post_meta( $post_ID, 'enclosure', $enclosure['url'] . "\n" . $enclosure['length'] . "\n" . $enclosure['type'] ); - } + $this->add_enclosure_if_new($post_ID, $content_struct['enclosure']); $this->attach_uploads( $ID, $post_content ); @@ -2532,24 +2556,23 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_post', $post_ID ) ) - return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); + return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) ); do_action('xmlrpc_call', 'metaWeblog.getPost'); $postdata = wp_get_single_post($post_ID, ARRAY_A); if ($postdata['post_date'] != '') { - $post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date']); - $post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt']); + $post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date'], false); + $post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt'], false); $categories = array(); $catids = wp_get_post_categories($post_ID); @@ -2580,6 +2603,10 @@ class wp_xmlrpc_server extends IXR_Server { $postdata['post_status'] = 'publish'; } + $sticky = false; + if ( is_sticky( $post_ID ) ) + $sticky = true; + $enclosure = array(); foreach ( (array) get_post_custom($post_ID) as $key => $val) { if ($key == 'enclosure') { @@ -2615,7 +2642,8 @@ class wp_xmlrpc_server extends IXR_Server { 'wp_author_display_name' => $author->display_name, 'date_created_gmt' => new IXR_Date($post_date_gmt), 'post_status' => $postdata['post_status'], - 'custom_fields' => $this->get_custom_fields($post_ID) + 'custom_fields' => $this->get_custom_fields($post_ID), + 'sticky' => $sticky ); if (!empty($enclosure)) $resp['enclosure'] = $enclosure; @@ -2639,11 +2667,11 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $blog_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; $num_posts = (int) $args[3]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } @@ -2655,14 +2683,12 @@ class wp_xmlrpc_server extends IXR_Server { return array( ); } - set_current_user( 0, $user_login ); - foreach ($posts_list as $entry) { if( !current_user_can( 'edit_post', $entry['ID'] ) ) continue; - $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); - $post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']); + $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date'], false); + $post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt'], false); $categories = array(); $catids = wp_get_post_categories($entry['ID']); @@ -2743,14 +2769,13 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $blog_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) ); @@ -2765,8 +2790,8 @@ class wp_xmlrpc_server extends IXR_Server { $struct['description'] = $cat->name; $struct['categoryDescription'] = $cat->description; $struct['categoryName'] = $cat->name; - $struct['htmlUrl'] = wp_specialchars(get_category_link($cat->term_id)); - $struct['rssUrl'] = wp_specialchars(get_category_feed_link($cat->term_id, 'rss2')); + $struct['htmlUrl'] = esc_html(get_category_link($cat->term_id)); + $struct['rssUrl'] = esc_html(get_category_feed_link($cat->term_id, 'rss2')); $categories_struct[] = $struct; } @@ -2791,8 +2816,8 @@ class wp_xmlrpc_server extends IXR_Server { global $wpdb; $blog_ID = (int) $args[0]; - $user_login = $wpdb->escape($args[1]); - $user_pass = $wpdb->escape($args[2]); + $username = $wpdb->escape($args[1]); + $password = $wpdb->escape($args[2]); $data = $args[3]; $name = sanitize_file_name( $data['name'] ); @@ -2801,12 +2826,12 @@ class wp_xmlrpc_server extends IXR_Server { logIO('O', '(MW) Received '.strlen($bits).' bytes'); - if ( !$this->login_pass_ok($user_login, $user_pass) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; + } do_action('xmlrpc_call', 'metaWeblog.newMediaObject'); - set_current_user(0, $user_login); if ( !current_user_can('upload_files') ) { logIO('O', '(MW) User does not have upload_files capability'); $this->error = new IXR_Error(401, __('You are not allowed to upload files to this site.')); @@ -2876,11 +2901,11 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $blog_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; $num_posts = (int) $args[3]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } @@ -2893,14 +2918,12 @@ class wp_xmlrpc_server extends IXR_Server { return $this->error; } - set_current_user( 0, $user_login ); - foreach ($posts_list as $entry) { if( !current_user_can( 'edit_post', $entry['ID'] ) ) continue; - $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); - $post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']); + $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date'], false); + $post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt'], false); $struct[] = array( 'dateCreated' => new IXR_Date($post_date), @@ -2933,14 +2956,13 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $blog_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) ); @@ -2973,14 +2995,13 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_post', $post_ID ) ) return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); @@ -3015,19 +3036,18 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; $categories = $args[3]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'mt.setPostCategories'); - set_current_user(0, $user_login); if ( !current_user_can('edit_post', $post_ID) ) - return new IXR_Error(401, __('Sorry, you can not edit this post.')); + return new IXR_Error(401, __('Sorry, you cannot edit this post.')); foreach($categories as $cat) { $catids[] = $cat['categoryId']; @@ -3127,18 +3147,17 @@ class wp_xmlrpc_server extends IXR_Server { $this->escape($args); $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'mt.publishPost'); - set_current_user(0, $user_login); if ( !current_user_can('edit_post', $post_ID) ) - return new IXR_Error(401, __('Sorry, you can not edit this post.')); + return new IXR_Error(401, __('Sorry, you cannot edit this post.')); $postdata = wp_get_single_post($post_ID,ARRAY_A); @@ -3225,7 +3244,7 @@ class wp_xmlrpc_server extends IXR_Server { } } else { // TODO: Attempt to extract a post ID from the given URL - return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn\'t exist, or it is not a pingback-enabled resource.')); + return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.')); } $post_ID = (int) $post_ID; @@ -3235,14 +3254,14 @@ class wp_xmlrpc_server extends IXR_Server { $post = get_post($post_ID); if ( !$post ) // Post_ID not found - return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn\'t exist, or it is not a pingback-enabled resource.')); + return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.')); if ( $post_ID == url_to_postid($pagelinkedfrom) ) return new IXR_Error(0, __('The source URL and the target URL cannot both point to the same resource.')); // Check if pings are on if ( !pings_open($post) ) - return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn\'t exist, or it is not a pingback-enabled resource.')); + return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.')); // Let's check that the remote site didn't already pingback this entry $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $post_ID, $pagelinkedfrom) ); @@ -3308,7 +3327,7 @@ class wp_xmlrpc_server extends IXR_Server { $pagelinkedfrom = str_replace('&', '&', $pagelinkedfrom); - $context = '[...] ' . wp_specialchars( $excerpt ) . ' [...]'; + $context = '[...] ' . esc_html( $excerpt ) . ' [...]'; $pagelinkedfrom = $wpdb->escape( $pagelinkedfrom ); $comment_post_ID = (int) $post_ID; @@ -3341,7 +3360,7 @@ class wp_xmlrpc_server extends IXR_Server { global $wpdb; - do_action('xmlrpc_call', 'pingback.extensions.getPingsbacks'); + do_action('xmlrpc_call', 'pingback.extensions.getPingbacks'); $this->escape($args); @@ -3350,7 +3369,7 @@ class wp_xmlrpc_server extends IXR_Server { $post_ID = url_to_postid($url); if (!$post_ID) { // We aren't sure that the resource is available and/or pingback enabled - return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn\'t exist, or it is not a pingback-enabled resource.')); + return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.')); } $actual_post = wp_get_single_post($post_ID, ARRAY_A);