<body>
<h1 id="logo">
<a href="http://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" width="250" height="68" /></a>
- <br /> Version 3.1.2
+ <br /> Version 3.1.3
</h1>
<p style="text-align: center">Semantic Personal Publishing Platform</p>
if ( !$meta = get_post_meta_by_id( $id ) )
die('1');
- if ( !current_user_can( 'edit_post', $meta->post_id ) )
+ if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )
die('-1');
if ( delete_meta( $meta->meta_id ) )
die('1');
die('0'); // if meta doesn't exist
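Review bot: The protected-key guard on the changed `current_user_can` line sits in the caller, while `delete_meta( $meta->meta_id )` two lines later is called unguarded; the same caller-side check recurs at L118-119, whereas `add_meta` (L140) and `update_meta` (L149) enforce `is_protected_meta()` inside the function. Any other path reaching `delete_meta()` without repeating the check would presumably still remove `_`-prefixed keys; the body of `delete_meta()` is not on this page, so I cannot confirm whether it has a guard of its own. Moving the check into `delete_meta()` (returning false, as `update_meta` does) would make the protection uniform across callers. The enclosing ajax case starts before this hunk.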
if ( !current_user_can( 'edit_post', $meta->post_id ) )
die('-1');
+ if ( is_protected_meta( $meta->meta_key ) )
+ die('-1');
if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
if ( !$u = update_meta( $mid, $key, $value ) )
die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems).
'post_title' => $filename,
'post_content' => $url,
'post_mime_type' => $type,
- 'guid' => $url
+ 'guid' => $url,
+ 'context' => 'custom-background'
);
// Save the data
'post_title' => $filename,
'post_content' => $url,
'post_mime_type' => $type,
- 'guid' => $url);
+ 'guid' => $url,
+ 'context' => 'custom-header');
// Save the data
$id = wp_insert_attachment($object, $file);
'post_title' => basename($cropped),
'post_content' => $url,
'post_mime_type' => 'image/jpeg',
- 'guid' => $url
+ 'guid' => $url,
+ 'context' => 'custom-header'
);
// Update the attachment
return array();
}
- function display_tablenav( $which ) {
- global $status;
-
- if ( !in_array( $status, array( 'mustuse', 'dropins' ) ) )
- parent::display_tablenav( $which );
- }
-
function get_views() {
global $totals, $status;
function extra_tablenav( $which ) {
global $status;
- if ( 'recently_activated' == $status ) { ?>
- <div class="alignleft actions">
- <?php submit_button( __( 'Clear List' ), 'secondary', 'clear-recent-list', false ); ?>
- </div>
- <?php }
+ if ( ! in_array($status, array('recently_activated', 'mustuse', 'dropins') ) )
+ return;
+
+ echo '<div class="alignleft actions">';
+
+ if ( 'recently_activated' == $status )
+ submit_button( __( 'Clear List' ), 'secondary', 'clear-recent-list', false );
+ elseif ( 'top' == $which && 'mustuse' == $status )
+ echo '<p>' . __( 'Files in the <code>/wp-content/mu-plugins</code> directory are executed automatically.' ) . '</p>';
+ elseif ( 'top' == $which && 'dropins' == $status )
+ echo '<p>' . __( 'Drop-ins are advanced plugins in the <code>/wp-content</code> directory that replace WordPress functionality when present.' ) . '</p>';
+
+ echo '</div>';
}
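Review bot: For `$which == 'bottom'` with status `mustuse` or `dropins`, none of the three branches fires, so an empty `<div class="alignleft actions"></div>` is echoed. Returning early before the opening `echo`, e.g. `if ( 'recently_activated' != $status && 'top' != $which ) return;`, avoids the stray markup. The `in_array()` on the first added line should also pass `true` as its third argument so only exact string matches are accepted.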
function current_action() {
$object = array( 'post_title' => $filename,
'post_content' => $url,
'post_mime_type' => $type,
- 'guid' => $url
+ 'guid' => $url,
+ 'context' => 'import',
+ 'post_status' => 'private'
);
// Save the data
$id = wp_insert_attachment( $object, $file );
+ // schedule a cleanup for one day from now in case of failed import or missing wp_import_cleanup() call
+ wp_schedule_single_event( time() + 86400, 'importer_scheduled_cleanup', array( $id ) );
+
return array( 'file' => $file, 'id' => $id );
}
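Review bot: The scheduled `importer_scheduled_cleanup` event is hooked to `wp_delete_attachment` (L283 of this patch), so unless the event is cleared when the import completes, the imported attachment is deleted a day later regardless of outcome; the comment points at `wp_import_cleanup()`, which is outside this page, so I cannot confirm it unschedules this id. `$id` is also scheduled without checking that `wp_insert_attachment()` succeeded (its failure return value is not visible here). Suggest wrapping the call in `if ( ! empty( $id ) && ! is_wp_error( $id ) )` and extending the comment to name the code path that clears the event. The enclosing function starts before this hunk.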
$toggle_on = __( 'Show' );
$toggle_off = __( 'Hide' );
- $filename = basename( $post->guid );
+ $filename = esc_html( basename( $post->guid ) );
$title = esc_attr( $post->post_title );
if ( $_tags = get_the_tags( $attachment_id ) ) {
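Review bot: Escaping at assignment (`$filename = esc_html( basename( $post->guid ) )`) ties the variable to an HTML-text context; if `$filename` is later emitted inside an attribute, the way `$title` is prepared with `esc_attr()` on the next line, it will be double- or wrongly encoded. The usual pattern is to keep the raw value and escape at each output site. The remainder of the function, where `$filename` is used, is outside the hunk, so this is a consistency observation rather than a confirmed defect.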
$post_ID = (int) $post_data['post_ID'];
$post = get_post( $post_ID );
$post_data['post_type'] = $post->post_type;
+ $post_data['post_mime_type'] = $post->post_mime_type;
$ptype = get_post_type_object($post_data['post_type']);
if ( !current_user_can( $ptype->cap->edit_post, $post_ID ) ) {
continue;
if ( $meta->post_id != $post_ID )
continue;
+ if ( is_protected_meta( $value['key'] ) )
+ continue;
update_meta( $key, $value['key'], $value['value'] );
}
}
continue;
if ( $meta->post_id != $post_ID )
continue;
+ if ( is_protected_meta( $meta->meta_key ) )
+ continue;
delete_meta( $key );
}
}
return new WP_Error( 'edit_posts', __( 'You are not allowed to create posts or drafts on this site.' ) );
}
+ $_POST['post_mime_type'] = '';
+
// Check for autosave collisions
// Does this need to be updated? ~ Mark
$temp_id = false;
global $wpdb;
$post_ID = (int) $post_ID;
- $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
-
$metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
$metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
$metavalue = isset($_POST['metavalue']) ? maybe_serialize( stripslashes_deep( $_POST['metavalue'] ) ) : '';
if ( $metakeyinput)
$metakey = $metakeyinput; // default
- if ( in_array($metakey, $protected) )
+ if ( is_protected_meta( $metakey ) )
return false;
wp_cache_delete($post_ID, 'post_meta');
function update_meta( $meta_id, $meta_key, $meta_value ) {
global $wpdb;
- $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
-
$meta_key = stripslashes($meta_key);
- if ( in_array($meta_key, $protected) )
+ if ( is_protected_meta( $meta_key ) )
return false;
if ( '' === trim( $meta_value ) )
$q['m'] = isset( $q['m'] ) ? (int) $q['m'] : 0;
$q['cat'] = isset( $q['cat'] ) ? (int) $q['cat'] : 0;
$q['post_type'] = 'attachment';
- $q['post_status'] = isset( $q['status'] ) && 'trash' == $q['status'] ? 'trash' : 'inherit';
+ $post_type = get_post_type_object( 'attachment' );
+ $states = array( 'inherit' );
+ if ( current_user_can( $post_type->cap->read_private_posts ) )
+ $states[] = 'private';
+
+ $q['post_status'] = isset( $q['status'] ) && 'trash' == $q['status'] ? 'trash' : $states;
$media_per_page = (int) get_user_option( 'upload_per_page' );
if ( empty( $media_per_page ) || $media_per_page < 1 )
$media_per_page = 20;
*/
function _list_meta_row( $entry, &$count ) {
static $update_nonce = false;
+
+ if ( is_protected_meta( $entry['meta_key'] ) )
+ return;
+
if ( !$update_nonce )
$update_nonce = wp_create_nonce( 'add-meta' );
$mysql_version = $wpdb->db_version();
$required_php_version = '4.3';
$required_mysql_version = '4.1.2';
- $wp_version = '3.1.2';
+ $wp_version = '3.1.3';
$php_compat = version_compare( $php_version, $required_php_version, '>=' );
$mysql_compat = version_compare( $mysql_version, $required_mysql_version, '>=' ) || file_exists( WP_CONTENT_DIR . '/db.php' );
echo '<h2>' . esc_html( $title ) . '</h2>';
if ( isset( $_POST['action'] ) && $_POST['action'] == 'deleteblog' && isset( $_POST['confirmdelete'] ) && $_POST['confirmdelete'] == '1' ) {
+ check_admin_referer( 'delete-blog' );
+
$hash = wp_generate_password( 20, false );
update_option( 'delete_blog_hash', $hash );
<p><?php _e( 'Remember, once deleted your site cannot be restored.' ) ?></p>
<form method="post" name="deletedirect">
+ <?php wp_nonce_field( 'delete-blog' ) ?>
<input type="hidden" name="action" value="deleteblog" />
<p><input id="confirmdelete" type="checkbox" name="confirmdelete" value="1" /> <label for="confirmdelete"><strong><?php printf( __( "I'm sure I want to permanently disable my site, and I am aware I can never get it back or use %s again." ), is_subdomain_install() ? $current_blog->domain : $current_blog->domain . $current_blog->path ); ?></strong></label></p>
<?php submit_button( __( 'Delete My Site Permanently' ) ); ?>
</form>
- <?php
+ <?php
}
echo '</div>';
<input type="hidden" name="plugin_status" value="<?php echo esc_attr($status) ?>" />
<input type="hidden" name="paged" value="<?php echo esc_attr($page) ?>" />
-<?php
-if ( 'mustuse' == $status )
- echo '<br class="clear" /><p>' . __( 'Files in the <code>/wp-content/mu-plugins</code> directory are executed automatically.' ) . '</p>';
-elseif ( 'dropins' == $status )
- echo '<br class="clear" /><p>' . __( 'Drop-ins are advanced plugins in the <code>/wp-content</code> directory that replace WordPress functionality when present.' ) . '</p>';
-?>
-
<?php $wp_list_table->display(); ?>
</form>
$src = 'http://'.str_replace('//','/', $host['host'].'/'.$src);
else
$src = 'http://'.str_replace('//','/', $host['host'].'/'.dirname($host['path']).'/'.$src);
- $sources[] = esc_attr($src);
+ $sources[] = esc_url($src);
}
return "'" . implode("','", $sources) . "'";
}
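Review bot: `$sources` is joined into single-quoted JavaScript string literals on the `return` line, but `esc_url()` performs URL/HTML-entity escaping rather than JavaScript escaping, so the escape does not match the output context. Whether `esc_url()` also neutralises `'` and `\` I cannot verify from this page; an explicit JS-context step such as `$sources[] = esc_js( esc_url( $src ) );`, or building the list with `json_encode()`, would make the intent self-evident. The enclosing function starts before this hunk.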
$slug = '';
if ( isset( $_SERVER['HTTP_SLUG'] ) )
- $slug = sanitize_file_name( $_SERVER['HTTP_SLUG'] );
+ $slug = $_SERVER['HTTP_SLUG'];
elseif ( isset( $_SERVER['HTTP_TITLE'] ) )
- $slug = sanitize_file_name( $_SERVER['HTTP_TITLE'] );
+ $slug = $_SERVER['HTTP_TITLE'];
elseif ( empty( $slug ) ) // just make a random name
$slug = substr( md5( uniqid( microtime() ) ), 0, 7);
$ext = preg_replace( '|.*/([a-z0-9]+)|', '$1', $_SERVER['CONTENT_TYPE'] );
- $slug = "$slug.$ext";
+ $slug = sanitize_file_name( "$slug.$ext" );
$file = wp_upload_bits( $slug, NULL, $bits);
log_app('wp_upload_bits returns:',print_r($file,true));
$redirect['query'] = remove_query_arg('year', $redirect['query']);
} elseif ( is_author() && !empty($_GET['author']) && preg_match( '|^[0-9]+$|', $_GET['author'] ) ) {
$author = get_userdata(get_query_var('author'));
- if ( false !== $author && $redirect_url = get_author_posts_url($author->ID, $author->user_nicename) )
- $redirect['query'] = remove_query_arg('author', $redirect['query']);
+ if ( ( false !== $author ) && $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE $wpdb->posts.post_author = %d AND $wpdb->posts.post_status = 'publish' LIMIT 1", $author->ID ) ) ) {
+ if ( $redirect_url = get_author_posts_url($author->ID, $author->user_nicename) )
+ $redirect['query'] = remove_query_arg('author', $redirect['query']);
+ }
} elseif ( is_category() || is_tag() || is_tax() ) { // Terms (Tags/categories)
$term_count = 0;
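Review bot: The new branch references `$wpdb` but the hunk does not show a `global $wpdb` declaration; `redirect_canonical()` starts before the hunk, so please confirm it is declared — otherwise the `prepare()` call fails on every author query. Binding `$author->ID` through `%d` is the right approach; the `LIMIT 1` keeps the extra per-request `SELECT` cheap. A short comment stating why the redirect is now conditional on the author having a published post would help, since the old code redirected unconditionally.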
function fetch( $provider, $url, $args = '' ) {
$args = wp_parse_args( $args, wp_embed_defaults() );
- $provider = add_query_arg( 'maxwidth', $args['width'], $provider );
- $provider = add_query_arg( 'maxheight', $args['height'], $provider );
+ $provider = add_query_arg( 'maxwidth', (int) $args['width'], $provider );
+ $provider = add_query_arg( 'maxheight', (int) $args['height'], $provider );
$provider = add_query_arg( 'url', urlencode($url), $provider );
foreach( array( 'json', 'xml' ) as $format ) {
// Save URL
foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
- 'pre_link_rss' ) as $filter ) {
+ 'pre_link_rss', 'pre_post_guid' ) as $filter ) {
add_filter( $filter, 'wp_strip_all_tags' );
add_filter( $filter, 'esc_url_raw' );
add_filter( $filter, 'wp_filter_kses' );
}
// Display URL
-foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url' ) as $filter ) {
+foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) {
if ( is_admin() )
add_filter( $filter, 'wp_strip_all_tags' );
add_filter( $filter, 'esc_url' );
add_filter( $filter, 'sanitize_key' );
}
+// Mime types
+add_filter( 'pre_post_mime_type', 'sanitize_mime_type' );
+add_filter( 'post_mime_type', 'sanitize_mime_type' );
+
// Places to balance tags on input
foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content' ) as $filter ) {
add_filter( $filter, 'balanceTags', 50 );
// Login actions
add_action( 'login_head', 'wp_print_head_scripts', 9 );
add_action( 'login_footer', 'wp_print_footer_scripts' );
+add_action( 'login_init', 'send_frame_options_header', 10, 0 );
// Feed Generator Tags
foreach ( array( 'rss2_head', 'commentsrss2_head', 'rss_head', 'rdf_header', 'atom_head', 'comments_atom_head', 'opml_head', 'app_head' ) as $action ) {
add_action( 'transition_post_status', '_transition_post_status', 5, 3 );
add_action( 'comment_form', 'wp_comment_form_unfiltered_html_nonce' );
add_action( 'wp_scheduled_delete', 'wp_scheduled_delete' );
+add_action( 'admin_init', 'send_frame_options_header', 10, 0 );
+add_action( 'importer_scheduled_cleanup', 'wp_delete_attachment' );
// Navigation menu actions
add_action( 'delete_post', '_wp_delete_post_menu_item' );
if ( preg_match("/^[a-zA-Z]{2,5}\d?$/", $part) ) {
$allowed = false;
foreach ( $mimes as $ext_preg => $mime_match ) {
- $ext_preg = '!(^' . $ext_preg . ')$!i';
+ $ext_preg = '!^(' . $ext_preg . ')$!i';
if ( preg_match( $ext_preg, $part ) ) {
$allowed = true;
break;
}
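Review bot: The anchoring fix is correct — with an alternation key of the form `a|bb|ccc` (illustrative), the old `!(^a|bb|ccc)$!i` anchored only the first alternative at the start, so a part merely ending in `bb` matched — but the key is still interpolated into the pattern verbatim, so a key containing the `!` delimiter or other metacharacters would break or widen the match. Because the keys are intentionally regex alternations, `preg_quote()` is not applicable; a comment such as `// $mimes keys are |-separated literal extensions; they are used unquoted as regex alternations` would record the contract. The loop also reassigns its own iteration variable `$ext_preg`; a fresh local like `$pattern` reads more clearly. The enclosing function starts before this hunk.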
+/**
+ * Sanitize a mime type
+ *
+ * @since 3.1.3
+ *
+ * @param string $mime_type Mime type
+ * @return string Sanitized mime type
+ */
+function sanitize_mime_type( $mime_type ) {
+ $sani_mime_type = preg_replace( '/[^-*.a-zA-Z0-9\/]/', '', $mime_type );
+ return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
+}
+
?>
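Review bot: The character class `[^-*.a-zA-Z0-9\/]` does not allow `+`, so structured-syntax types such as `image/svg+xml` or `application/atom+xml` come out of `sanitize_mime_type()` as `image/svgxml`, which no longer names a valid type. Changing the pattern to `'/[^-+*.a-zA-Z0-9\/]/'` keeps those types intact while still dropping whitespace, quotes and control characters. The docblock could also mention that the result passes through the `sanitize_mime_type` filter, so plugins may relax or tighten it.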
return false;
}
+/**
+ * Send a HTTP header to limit rendering of pages to same origin iframes.
+ *
+ * @link https://developer.mozilla.org/en/the_x-frame-options_response_header
+ *
+ * @since 3.1.3
+ * @return none
+ */
+function send_frame_options_header() {
+ @header( 'X-Frame-Options: SAMEORIGIN' );
+}
+
?>
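Review bot: `@header( ... )` silences the "headers already sent" warning instead of handling it, which hides the one condition under which this protection silently fails to apply; prefer an explicit check, `if ( ! headers_sent() ) header( 'X-Frame-Options: SAMEORIGIN' );`, or document why suppression is acceptable here. `@return none` is not a recognised PHPDoc type; use `@return void`. The docblock should also state where the header is emitted — per this patch it is hooked on `login_init` and `admin_init` (L276, L282) only, so front-end responses are not covered.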
// expected_slashed ($meta_key)
$meta_key = stripslashes($meta_key);
$meta_value = stripslashes_deep($meta_value);
+ $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
$check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
if ( null !== $check )
// expected_slashed ($meta_key)
$meta_key = stripslashes($meta_key);
$meta_value = stripslashes_deep($meta_value);
+ $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
$check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
if ( null !== $check )
return $wpdb->$table_name;
}
+
+/**
+ * Determine whether a meta key is protected
+ *
+ * @since 3.1.3
+ *
+ * @param string $meta_key Meta key
+ * @return bool True if the key is protected, false otherwise.
+ */
+function is_protected_meta( $meta_key, $meta_type = null ) {
+ $protected = ( '_' == $meta_key[0] );
+
+ return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
+}
+
+/**
+ * Sanitize meta value
+ *
+ * @since 3.1.3
+ *
+ * @param string $meta_key Meta key
+ * @param mixed $meta_value Meta value to sanitize
+ * @param string $meta_type Type of meta
+ * @return mixed Sanitized $meta_value
+ */
+function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) {
+ return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );
+}
+
?>
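Review bot: `$meta_key[0]` is read without checking that the key is non-empty; for an empty string PHP emits an "Uninitialized string offset" notice and the comparison yields false, so `''` is treated as unprotected. Guard it, e.g. `$protected = ( '' !== (string) $meta_key && '_' === $meta_key[0] );`. The `$meta_type` parameter is missing from the docblock's `@param` list. For `sanitize_meta()`, the docblock should say that with no filter attached the value is returned unchanged — the name suggests built-in sanitization the function does not perform, and the callers at L327 and L333 must not rely on it as a default sanitizer.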
if ( !is_object($post) )
return false;
- // Unattached attachments are assumed to be published.
- if ( ('attachment' == $post->post_type) && ('inherit' == $post->post_status) && ( 0 == $post->post_parent) )
- return 'publish';
+ if ( 'attachment' == $post->post_type ) {
+ if ( 'private' == $post->post_status )
+ return 'private';
- if ( ('attachment' == $post->post_type) && $post->post_parent && ($post->ID != $post->post_parent) )
- return get_post_status($post->post_parent);
+ // Unattached attachments are assumed to be published
+ if ( ( 'inherit' == $post->post_status ) && ( 0 == $post->post_parent) )
+ return 'publish';
+
+ // Inherit status from the parent
+ if ( $post->post_parent && ( $post->ID != $post->post_parent ) )
+ return get_post_status($post->post_parent);
+ }
return $post->post_status;
}
function wp_insert_attachment($object, $file = false, $parent = 0) {
global $wpdb, $user_ID;
- $defaults = array('post_status' => 'draft', 'post_type' => 'post', 'post_author' => $user_ID,
+ $defaults = array('post_status' => 'inherit', 'post_type' => 'post', 'post_author' => $user_ID,
'ping_status' => get_option('default_ping_status'), 'post_parent' => 0,
'menu_order' => 0, 'to_ping' => '', 'pinged' => '', 'post_password' => '',
- 'guid' => '', 'post_content_filtered' => '', 'post_excerpt' => '', 'import_id' => 0);
+ 'guid' => '', 'post_content_filtered' => '', 'post_excerpt' => '', 'import_id' => 0, 'context' => '');
$object = wp_parse_args($object, $defaults);
if ( !empty($parent) )
$post_author = $user_ID;
$post_type = 'attachment';
- $post_status = 'inherit';
+
+ if ( ! in_array( $post_status, array( 'inherit', 'private' ) ) )
+ $post_status = 'inherit';
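Review bot: The whitelist `in_array( $post_status, array( 'inherit', 'private' ) )` should pass `true` as the third argument; without it a non-string value such as boolean `true` (constructed example) compares loosely equal to `'inherit'` and is accepted as-is. A brief comment explaining why only these two statuses are valid for attachments — `private` appears to exist for the importer, per the `'post_status' => 'private'` default at L86 — would help the next reader. `wp_insert_attachment()` continues outside this hunk.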
// Make sure we set a valid category.
if ( !isset($post_category) || 0 == count($post_category) || !is_array($post_category) ) {
if ( isset($post_parent) && $post_parent < 0 )
add_post_meta($post_ID, '_wp_attachment_temp_parent', $post_parent, true);
+ if ( ! empty( $context ) )
+ add_post_meta( $post_ID, '_wp_attachment_context', $context, true );
+
if ( $update) {
do_action('edit_attachment', $post_ID);
} else {
}
}
- if ( !empty( $this->tax_query->queries ) || !empty( $q['meta_key'] ) ) {
- $groupby = "{$wpdb->posts}.ID";
- }
-
// Author/user stuff
if ( empty($q['author']) || ($q['author'] == '0') ) {
$where .= $clauses['where'];
}
+ if ( ! empty( $this->tax_query->queries ) || ! empty( $q['meta_query'] ) ) {
+ $groupby = "{$wpdb->posts}.ID";
+ }
+
// Apply filters on where and join prior to paging so that any
// manipulations to them are reflected in the paging by day queries.
if ( !$q['suppress_filters'] ) {
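Review bot: The moved GROUP BY condition now keys on `$q['meta_query']` instead of `$q['meta_key']`; if the legacy `meta_key`/`meta_value` arguments are folded into `meta_query` earlier in `get_posts()` this is equivalent, but that conversion is outside the hunk, so please confirm — otherwise a `meta_key`-only query loses the de-duplication of rows produced by the meta JOIN. A one-line comment such as `// meta_key/meta_value are merged into meta_query above, so this covers both forms` would record that dependency.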
$where .= " AND t.slug = '$slug'";
}
- if ( !empty($name__like) )
- $where .= " AND t.name LIKE '" . like_escape( $name__like ) . "%'";
+ if ( !empty($name__like) ) {
+ $name__like = like_escape( $name__like );
+ $where .= $wpdb->prepare( " AND t.name LIKE %s", $name__like . '%' );
+ }
if ( '' !== $parent ) {
$parent = (int) $parent;
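Review bot: The `like_escape()` → `$wpdb->prepare()` sequence appears correct but is non-obvious: `prepare()` escapes the backslashes that `like_escape()` adds, and MySQL removes them again when parsing the string literal, so `%` and `_` end up as literal characters in the LIKE pattern. Because readers regularly "fix" this into double escaping or drop one step, add a comment on the changed line, e.g. `// like_escape() first, then prepare(): the two escapes compose, do not reorder`. The same applies to the `$search` change at L444.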
if ( !empty($search) ) {
$search = like_escape($search);
- $where .= " AND (t.name LIKE '%$search%')";
+ $where .= $wpdb->prepare( " AND (t.name LIKE %s)", '%' . $search . '%');
}
$selects = array();
else
$url = str_replace( 'https://', 'http://', $url );
- return $url;
+ return esc_url_raw( $url );
}
/**
*
* @global string $wp_version
*/
-$wp_version = '3.1.2';
+$wp_version = '3.1.3';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
// allow plugins to override the default actions, and to add extra actions if they want
-do_action('login_form_' . $action);
+do_action( 'login_init' );
+do_action( 'login_form_' . $action );
$http_post = ('POST' == $_SERVER['REQUEST_METHOD']);
switch ($action) {