Wordpress 3.1.3

author Edward Z. Yang <ezyang@mit.edu>

Sat, 28 May 2011 01:01:10 +0000 (02:01 +0100)

committer Edward Z. Yang <ezyang@mit.edu>

Sat, 28 May 2011 01:01:10 +0000 (02:01 +0100)
author Edward Z. Yang <ezyang@mit.edu>
Sat, 28 May 2011 01:01:10 +0000 (02:01 +0100)
committer Edward Z. Yang <ezyang@mit.edu>
Sat, 28 May 2011 01:01:10 +0000 (02:01 +0100)
diff --git a/readme.html b/readme.html

index 75d364979ecfc932b6d42708a5fb9f1b41615962..0939107c56462d72bc139c385931608e217991bb 100644 (file)
--- a/readme.html
+++ b/readme.html
@@ -8,7 +8,7 @@
  <body>
  <h1 id="logo">
         <a href="http://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" width="250" height="68" /></a>
  <body>
  <h1 id="logo">
         <a href="http://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" width="250" height="68" /></a>
-       <br /> Version 3.1.2
+       <br /> Version 3.1.3
  </h1>
  <p style="text-align: center">Semantic Personal Publishing Platform</p>
  
  </h1>
  <p style="text-align: center">Semantic Personal Publishing Platform</p>
  
diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php

index d2a8d4d20cd7291adbcd015fadb075f4587d2911..a7e0b48dd0ba100529d901b299c82f0d32e94670 100644 (file)
--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -396,7 +396,7 @@ case 'delete-meta' :
         if ( !$meta = get_post_meta_by_id( $id ) )
                 die('1');
  
         if ( !$meta = get_post_meta_by_id( $id ) )
                 die('1');
  
-       if ( !current_user_can( 'edit_post', $meta->post_id ) )
+       if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )
                 die('-1');
         if ( delete_meta( $meta->meta_id ) )
                 die('1');
                 die('-1');
         if ( delete_meta( $meta->meta_id ) )
                 die('1');
@@ -855,6 +855,8 @@ case 'add-meta' :
                         die('0'); // if meta doesn't exist
                 if ( !current_user_can( 'edit_post', $meta->post_id ) )
                         die('-1');
                         die('0'); // if meta doesn't exist
                 if ( !current_user_can( 'edit_post', $meta->post_id ) )
                         die('-1');
+               if ( is_protected_meta( $meta->meta_key ) )
+                       die('-1');
                 if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
                         if ( !$u = update_meta( $mid, $key, $value ) )
                                 die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems).
                 if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
                         if ( !$u = update_meta( $mid, $key, $value ) )
                                 die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems).
diff --git a/wp-admin/custom-background.php b/wp-admin/custom-background.php

index e3fc23eb44a68cf45b10a9a3fe8fa0cb55a1705b..530cb9e4a567ca13f70c4761c706b9ed89e36176 100644 (file)
--- a/wp-admin/custom-background.php
+++ b/wp-admin/custom-background.php
@@ -337,7 +337,8 @@ if ( get_background_image() ) {
                         'post_title' => $filename,
                         'post_content' => $url,
                         'post_mime_type' => $type,
                         'post_title' => $filename,
                         'post_content' => $url,
                         'post_mime_type' => $type,
-                       'guid' => $url
+                       'guid' => $url,
+                       'context' => 'custom-background'
                 );
  
                 // Save the data
                 );
  
                 // Save the data
diff --git a/wp-admin/custom-header.php b/wp-admin/custom-header.php

index f1567f09df133a14fbb5994fbf8a39ea1fc4eb8b..bf5f415793e1482af5b98b38789e15f5d75b8da5 100644 (file)
--- a/wp-admin/custom-header.php
+++ b/wp-admin/custom-header.php
@@ -595,7 +595,8 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
                 'post_title' => $filename,
                 'post_content' => $url,
                 'post_mime_type' => $type,
                 'post_title' => $filename,
                 'post_content' => $url,
                 'post_mime_type' => $type,
-               'guid' => $url);
+               'guid' => $url,
+               'context' => 'custom-header');
  
                 // Save the data
                 $id = wp_insert_attachment($object, $file);
  
                 // Save the data
                 $id = wp_insert_attachment($object, $file);
@@ -687,7 +688,8 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
                         'post_title' => basename($cropped),
                         'post_content' => $url,
                         'post_mime_type' => 'image/jpeg',
                         'post_title' => basename($cropped),
                         'post_content' => $url,
                         'post_mime_type' => 'image/jpeg',
-                       'guid' => $url
+                       'guid' => $url,
+                       'context' => 'custom-header'
                 );
  
                 // Update the attachment
                 );
  
                 // Update the attachment
diff --git a/wp-admin/includes/class-wp-plugins-list-table.php b/wp-admin/includes/class-wp-plugins-list-table.php

index eefffb1033a6a4564f02e5f699599e35dc1fcaa7..b5ad6d48b6eefbd4095b9e837f0a090687b97e72 100644 (file)
--- a/wp-admin/includes/class-wp-plugins-list-table.php
+++ b/wp-admin/includes/class-wp-plugins-list-table.php
@@ -195,13 +195,6 @@ class WP_Plugins_List_Table extends WP_List_Table {
                 return array();
         }
  
                 return array();
         }
  
-       function display_tablenav( $which ) {
-               global $status;
-
-               if ( !in_array( $status, array( 'mustuse', 'dropins' ) ) )
-                       parent::display_tablenav( $which );
-       }
-
         function get_views() {
                 global $totals, $status;
  
         function get_views() {
                 global $totals, $status;
  
@@ -286,11 +279,19 @@ class WP_Plugins_List_Table extends WP_List_Table {
         function extra_tablenav( $which ) {
                 global $status;
  
         function extra_tablenav( $which ) {
                 global $status;
  
-               if ( 'recently_activated' == $status ) { ?>
-                       <div class="alignleft actions">
-                               <?php submit_button( __( 'Clear List' ), 'secondary', 'clear-recent-list', false ); ?>
-                       </div>
-               <?php }
+               if ( ! in_array($status, array('recently_activated', 'mustuse', 'dropins') ) )
+                       return;
+
+               echo '<div class="alignleft actions">';
+
+               if ( 'recently_activated' == $status )
+                       submit_button( __( 'Clear List' ), 'secondary', 'clear-recent-list', false );
+               elseif ( 'top' == $which && 'mustuse' == $status )
+                       echo '<p>' . __( 'Files in the <code>/wp-content/mu-plugins</code> directory are executed automatically.' ) . '</p>';
+               elseif ( 'top' == $which && 'dropins' == $status )
+                       echo '<p>' . __( 'Drop-ins are advanced plugins in the <code>/wp-content</code> directory that replace WordPress functionality when present.' ) . '</p>';
+
+               echo '</div>';
         }
  
         function current_action() {
         }
  
         function current_action() {
diff --git a/wp-admin/includes/import.php b/wp-admin/includes/import.php

index 51861bdcdbecac80f2346d47e0f7ceaa0bc3177d..f57be766c09a5a277df341aab01c6e20dbbbfeb8 100644 (file)
--- a/wp-admin/includes/import.php
+++ b/wp-admin/includes/import.php
@@ -80,12 +80,17 @@ function wp_import_handle_upload() {
         $object = array( 'post_title' => $filename,
                 'post_content' => $url,
                 'post_mime_type' => $type,
         $object = array( 'post_title' => $filename,
                 'post_content' => $url,
                 'post_mime_type' => $type,
-               'guid' => $url
+               'guid' => $url,
+               'context' => 'import',
+               'post_status' => 'private'
         );
  
         // Save the data
         $id = wp_insert_attachment( $object, $file );
  
         );
  
         // Save the data
         $id = wp_insert_attachment( $object, $file );
  
+       // schedule a cleanup for one day from now in case of failed import or missing wp_import_cleanup() call
+       wp_schedule_single_event( time() + 86400, 'importer_scheduled_cleanup', array( $id ) );
+
         return array( 'file' => $file, 'id' => $id );
  }
  
         return array( 'file' => $file, 'id' => $id );
  }
  
diff --git a/wp-admin/includes/media.php b/wp-admin/includes/media.php

index c9d603ea8fa25eabed533584c05b76020a2b1ff3..7e27ded13399e4d837adeb0b3a041be4dacfb62d 100644 (file)
--- a/wp-admin/includes/media.php
+++ b/wp-admin/includes/media.php
@@ -1192,7 +1192,7 @@ function get_media_item( $attachment_id, $args = null ) {
         $toggle_on  = __( 'Show' );
         $toggle_off = __( 'Hide' );
  
         $toggle_on  = __( 'Show' );
         $toggle_off = __( 'Hide' );
  
-       $filename = basename( $post->guid );
+       $filename = esc_html( basename( $post->guid ) );
         $title = esc_attr( $post->post_title );
  
         if ( $_tags = get_the_tags( $attachment_id ) ) {
         $title = esc_attr( $post->post_title );
  
         if ( $_tags = get_the_tags( $attachment_id ) ) {
diff --git a/wp-admin/includes/post.php b/wp-admin/includes/post.php

index 12cbaa0f92c21f0688fd6c67422f6735bf910551..bb6f469fccaa362587f22e24784bf18936ae04f5 100644 (file)
--- a/wp-admin/includes/post.php
+++ b/wp-admin/includes/post.php
@@ -138,6 +138,7 @@ function edit_post( $post_data = null ) {
         $post_ID = (int) $post_data['post_ID'];
         $post = get_post( $post_ID );
         $post_data['post_type'] = $post->post_type;
         $post_ID = (int) $post_data['post_ID'];
         $post = get_post( $post_ID );
         $post_data['post_type'] = $post->post_type;
+       $post_data['post_mime_type'] = $post->post_mime_type;
  
         $ptype = get_post_type_object($post_data['post_type']);
         if ( !current_user_can( $ptype->cap->edit_post, $post_ID ) ) {
  
         $ptype = get_post_type_object($post_data['post_type']);
         if ( !current_user_can( $ptype->cap->edit_post, $post_ID ) ) {
@@ -199,6 +200,8 @@ function edit_post( $post_data = null ) {
                                 continue;
                         if ( $meta->post_id != $post_ID )
                                 continue;
                                 continue;
                         if ( $meta->post_id != $post_ID )
                                 continue;
+                       if ( is_protected_meta( $value['key'] ) )
+                               continue;
                         update_meta( $key, $value['key'], $value['value'] );
                 }
         }
                         update_meta( $key, $value['key'], $value['value'] );
                 }
         }
@@ -209,6 +212,8 @@ function edit_post( $post_data = null ) {
                                 continue;
                         if ( $meta->post_id != $post_ID )
                                 continue;
                                 continue;
                         if ( $meta->post_id != $post_ID )
                                 continue;
+                       if ( is_protected_meta( $meta->meta_key ) )
+                               continue;
                         delete_meta( $key );
                 }
         }
                         delete_meta( $key );
                 }
         }
@@ -527,6 +532,8 @@ function wp_write_post() {
                         return new WP_Error( 'edit_posts', __( 'You are not allowed to create posts or drafts on this site.' ) );
         }
  
                         return new WP_Error( 'edit_posts', __( 'You are not allowed to create posts or drafts on this site.' ) );
         }
  
+       $_POST['post_mime_type'] = '';
+
         // Check for autosave collisions
         // Does this need to be updated? ~ Mark
         $temp_id = false;
         // Check for autosave collisions
         // Does this need to be updated? ~ Mark
         $temp_id = false;
@@ -632,8 +639,6 @@ function add_meta( $post_ID ) {
         global $wpdb;
         $post_ID = (int) $post_ID;
  
         global $wpdb;
         $post_ID = (int) $post_ID;
  
-       $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
-
         $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
         $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
         $metavalue = isset($_POST['metavalue']) ? maybe_serialize( stripslashes_deep( $_POST['metavalue'] ) ) : '';
         $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
         $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
         $metavalue = isset($_POST['metavalue']) ? maybe_serialize( stripslashes_deep( $_POST['metavalue'] ) ) : '';
@@ -650,7 +655,7 @@ function add_meta( $post_ID ) {
                 if ( $metakeyinput)
                         $metakey = $metakeyinput; // default
  
                 if ( $metakeyinput)
                         $metakey = $metakeyinput; // default
  
-               if ( in_array($metakey, $protected) )
+               if ( is_protected_meta( $metakey ) )
                         return false;
  
                 wp_cache_delete($post_ID, 'post_meta');
                         return false;
  
                 wp_cache_delete($post_ID, 'post_meta');
@@ -756,11 +761,9 @@ function has_meta( $postid ) {
  function update_meta( $meta_id, $meta_key, $meta_value ) {
         global $wpdb;
  
  function update_meta( $meta_id, $meta_key, $meta_value ) {
         global $wpdb;
  
-       $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
-
         $meta_key = stripslashes($meta_key);
  
         $meta_key = stripslashes($meta_key);
  
-       if ( in_array($meta_key, $protected) )
+       if ( is_protected_meta( $meta_key ) )
                 return false;
  
         if ( '' === trim( $meta_value ) )
                 return false;
  
         if ( '' === trim( $meta_value ) )
@@ -993,7 +996,12 @@ function wp_edit_attachments_query( $q = false ) {
         $q['m']   = isset( $q['m'] ) ? (int) $q['m'] : 0;
         $q['cat'] = isset( $q['cat'] ) ? (int) $q['cat'] : 0;
         $q['post_type'] = 'attachment';
         $q['m']   = isset( $q['m'] ) ? (int) $q['m'] : 0;
         $q['cat'] = isset( $q['cat'] ) ? (int) $q['cat'] : 0;
         $q['post_type'] = 'attachment';
-       $q['post_status'] = isset( $q['status'] ) && 'trash' == $q['status'] ? 'trash' : 'inherit';
+       $post_type = get_post_type_object( 'attachment' );
+       $states = array( 'inherit' );
+       if ( current_user_can( $post_type->cap->read_private_posts ) )
+               $states[] = 'private';
+
+       $q['post_status'] = isset( $q['status'] ) && 'trash' == $q['status'] ? 'trash' : $states;
         $media_per_page = (int) get_user_option( 'upload_per_page' );
         if ( empty( $media_per_page ) || $media_per_page < 1 )
                 $media_per_page = 20;
         $media_per_page = (int) get_user_option( 'upload_per_page' );
         if ( empty( $media_per_page ) || $media_per_page < 1 )
                 $media_per_page = 20;
diff --git a/wp-admin/includes/template.php b/wp-admin/includes/template.php

index b345c36b76dcdbb08e8ade5d9e23cbd12fc450e4..2f16b3c125806cedcf673216222799757a3188d8 100644 (file)
--- a/wp-admin/includes/template.php
+++ b/wp-admin/includes/template.php
@@ -465,6 +465,10 @@ function list_meta( $meta ) {
   */
  function _list_meta_row( $entry, &$count ) {
         static $update_nonce = false;
   */
  function _list_meta_row( $entry, &$count ) {
         static $update_nonce = false;
+
+       if ( is_protected_meta( $entry['meta_key'] ) )
+               return;
+
         if ( !$update_nonce )
                 $update_nonce = wp_create_nonce( 'add-meta' );
  
         if ( !$update_nonce )
                 $update_nonce = wp_create_nonce( 'add-meta' );
  
diff --git a/wp-admin/includes/update-core.php b/wp-admin/includes/update-core.php

index 227baaefafcf40cd755f100ebceef95990d4e5c3..0673363b857f7148d00534020ba7d69f9e30a3ea 100644 (file)
--- a/wp-admin/includes/update-core.php
+++ b/wp-admin/includes/update-core.php
@@ -294,7 +294,7 @@ function update_core($from, $to) {
         $mysql_version  = $wpdb->db_version();
         $required_php_version = '4.3';
         $required_mysql_version = '4.1.2';
         $mysql_version  = $wpdb->db_version();
         $required_php_version = '4.3';
         $required_mysql_version = '4.1.2';
-       $wp_version = '3.1.2';
+       $wp_version = '3.1.3';
         $php_compat     = version_compare( $php_version, $required_php_version, '>=' );
         $mysql_compat   = version_compare( $mysql_version, $required_mysql_version, '>=' ) || file_exists( WP_CONTENT_DIR . '/db.php' );
  
         $php_compat     = version_compare( $php_version, $required_php_version, '>=' );
         $mysql_compat   = version_compare( $mysql_version, $required_mysql_version, '>=' ) || file_exists( WP_CONTENT_DIR . '/db.php' );
  
diff --git a/wp-admin/ms-delete-site.php b/wp-admin/ms-delete-site.php

index 8b26b0b6a36baa78cb0abd78e2bb9245b046d899..2ae22339b73b55d89536a965ce7691863c13d42b 100644 (file)
--- a/wp-admin/ms-delete-site.php
+++ b/wp-admin/ms-delete-site.php
@@ -34,6 +34,8 @@ screen_icon();
  echo '<h2>' . esc_html( $title ) . '</h2>';
  
  if ( isset( $_POST['action'] ) && $_POST['action'] == 'deleteblog' && isset( $_POST['confirmdelete'] ) && $_POST['confirmdelete'] == '1' ) {
  echo '<h2>' . esc_html( $title ) . '</h2>';
  
  if ( isset( $_POST['action'] ) && $_POST['action'] == 'deleteblog' && isset( $_POST['confirmdelete'] ) && $_POST['confirmdelete'] == '1' ) {
+       check_admin_referer( 'delete-blog' );
+
         $hash = wp_generate_password( 20, false );
         update_option( 'delete_blog_hash', $hash );
  
         $hash = wp_generate_password( 20, false );
         update_option( 'delete_blog_hash', $hash );
  
@@ -68,11 +70,12 @@ Webmaster
         <p><?php _e( 'Remember, once deleted your site cannot be restored.' ) ?></p>
  
         <form method="post" name="deletedirect">
         <p><?php _e( 'Remember, once deleted your site cannot be restored.' ) ?></p>
  
         <form method="post" name="deletedirect">
+               <?php wp_nonce_field( 'delete-blog' ) ?>
                 <input type="hidden" name="action" value="deleteblog" />
                 <p><input id="confirmdelete" type="checkbox" name="confirmdelete" value="1" /> <label for="confirmdelete"><strong><?php printf( __( "I'm sure I want to permanently disable my site, and I am aware I can never get it back or use %s again." ), is_subdomain_install() ? $current_blog->domain : $current_blog->domain . $current_blog->path ); ?></strong></label></p>
                 <?php submit_button( __( 'Delete My Site Permanently' ) ); ?>
         </form>
                 <input type="hidden" name="action" value="deleteblog" />
                 <p><input id="confirmdelete" type="checkbox" name="confirmdelete" value="1" /> <label for="confirmdelete"><strong><?php printf( __( "I'm sure I want to permanently disable my site, and I am aware I can never get it back or use %s again." ), is_subdomain_install() ? $current_blog->domain : $current_blog->domain . $current_blog->path ); ?></strong></label></p>
                 <?php submit_button( __( 'Delete My Site Permanently' ) ); ?>
         </form>
-       <?php
+       <?php
  }
  echo '</div>';
  
  }
  echo '</div>';
  
diff --git a/wp-admin/plugins.php b/wp-admin/plugins.php

index 0c36bbd1015409b3a6d3f48436a81ca493d840de..f64d51b6f536e3729790e9e8c53780554dbccb2c 100644 (file)
--- a/wp-admin/plugins.php
+++ b/wp-admin/plugins.php
@@ -407,13 +407,6 @@ if ( $s )
  <input type="hidden" name="plugin_status" value="<?php echo esc_attr($status) ?>" />
  <input type="hidden" name="paged" value="<?php echo esc_attr($page) ?>" />
  
  <input type="hidden" name="plugin_status" value="<?php echo esc_attr($status) ?>" />
  <input type="hidden" name="paged" value="<?php echo esc_attr($page) ?>" />
  
-<?php
-if ( 'mustuse' == $status )
-       echo '<br class="clear" /><p>' . __( 'Files in the <code>/wp-content/mu-plugins</code> directory are executed automatically.' ) . '</p>';
-elseif ( 'dropins' == $status )
-       echo '<br class="clear" /><p>' . __( 'Drop-ins are advanced plugins in the <code>/wp-content</code> directory that replace WordPress functionality when present.' ) . '</p>';
-?>
-
  <?php $wp_list_table->display(); ?>
  </form>
  
  <?php $wp_list_table->display(); ?>
  </form>
  
diff --git a/wp-admin/press-this.php b/wp-admin/press-this.php

index e2b3f334db36466d56fad5859ee4d3a16e4aa42a..1f7b418ee53cb17959d2ad85514306fa8cfd69d7 100644 (file)
--- a/wp-admin/press-this.php
+++ b/wp-admin/press-this.php
@@ -225,7 +225,7 @@ if ( !empty($_REQUEST['ajax']) ) {
                                                 $src = 'http://'.str_replace('//','/', $host['host'].'/'.$src);
                                         else
                                                 $src = 'http://'.str_replace('//','/', $host['host'].'/'.dirname($host['path']).'/'.$src);
                                                 $src = 'http://'.str_replace('//','/', $host['host'].'/'.$src);
                                         else
                                                 $src = 'http://'.str_replace('//','/', $host['host'].'/'.dirname($host['path']).'/'.$src);
-                               $sources[] = esc_attr($src);
+                               $sources[] = esc_url($src);
                         }
                         return "'" . implode("','", $sources) . "'";
                 }
                         }
                         return "'" . implode("','", $sources) . "'";
                 }
diff --git a/wp-app.php b/wp-app.php

index 6de52882063c8a21dbca5944f86c6aae6caf0217..c836e2f7d2150c32129dd79c8098adcca4e876c6 100644 (file)
--- a/wp-app.php
+++ b/wp-app.php
@@ -607,13 +607,13 @@ EOD;
  
                 $slug = '';
                 if ( isset( $_SERVER['HTTP_SLUG'] ) )
  
                 $slug = '';
                 if ( isset( $_SERVER['HTTP_SLUG'] ) )
-                       $slug = sanitize_file_name( $_SERVER['HTTP_SLUG'] );
+                       $slug = $_SERVER['HTTP_SLUG'];
                 elseif ( isset( $_SERVER['HTTP_TITLE'] ) )
                 elseif ( isset( $_SERVER['HTTP_TITLE'] ) )
-                       $slug = sanitize_file_name( $_SERVER['HTTP_TITLE'] );
+                       $slug = $_SERVER['HTTP_TITLE'];
                 elseif ( empty( $slug ) ) // just make a random name
                         $slug = substr( md5( uniqid( microtime() ) ), 0, 7);
                 $ext = preg_replace( '|.*/([a-z0-9]+)|', '$1', $_SERVER['CONTENT_TYPE'] );
                 elseif ( empty( $slug ) ) // just make a random name
                         $slug = substr( md5( uniqid( microtime() ) ), 0, 7);
                 $ext = preg_replace( '|.*/([a-z0-9]+)|', '$1', $_SERVER['CONTENT_TYPE'] );
-               $slug = "$slug.$ext";
+               $slug = sanitize_file_name( "$slug.$ext" );
                 $file = wp_upload_bits( $slug, NULL, $bits);
  
                 log_app('wp_upload_bits returns:',print_r($file,true));
                 $file = wp_upload_bits( $slug, NULL, $bits);
  
                 log_app('wp_upload_bits returns:',print_r($file,true));
diff --git a/wp-includes/canonical.php b/wp-includes/canonical.php

index d111514df7eb7388d244c6d37f9e0a83e8cc8eed..9d66856c8be62c02d0fbe9f7dab633acfe254551 100644 (file)
--- a/wp-includes/canonical.php
+++ b/wp-includes/canonical.php
@@ -141,8 +141,10 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
                                 $redirect['query'] = remove_query_arg('year', $redirect['query']);
                 } elseif ( is_author() && !empty($_GET['author']) && preg_match( '|^[0-9]+$|', $_GET['author'] ) ) {
                         $author = get_userdata(get_query_var('author'));
                                 $redirect['query'] = remove_query_arg('year', $redirect['query']);
                 } elseif ( is_author() && !empty($_GET['author']) && preg_match( '|^[0-9]+$|', $_GET['author'] ) ) {
                         $author = get_userdata(get_query_var('author'));
-                       if ( false !== $author && $redirect_url = get_author_posts_url($author->ID, $author->user_nicename) )
-                               $redirect['query'] = remove_query_arg('author', $redirect['query']);
+                       if ( ( false !== $author ) && $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE $wpdb->posts.post_author = %d AND $wpdb->posts.post_status = 'publish' LIMIT 1", $author->ID ) ) ) {
+                               if ( $redirect_url = get_author_posts_url($author->ID, $author->user_nicename) )
+                                       $redirect['query'] = remove_query_arg('author', $redirect['query']);
+                       }
                 } elseif ( is_category() || is_tag() || is_tax() ) { // Terms (Tags/categories)
  
                         $term_count = 0;
                 } elseif ( is_category() || is_tag() || is_tax() ) { // Terms (Tags/categories)
  
                         $term_count = 0;
diff --git a/wp-includes/class-oembed.php b/wp-includes/class-oembed.php

index 87e59a69b076fafe53ea4f929c5356c617026b11..8a275a2c922a989fc11ee834a87629e80d1ddf70 100644 (file)
--- a/wp-includes/class-oembed.php
+++ b/wp-includes/class-oembed.php
@@ -165,8 +165,8 @@ class WP_oEmbed {
         function fetch( $provider, $url, $args = '' ) {
                 $args = wp_parse_args( $args, wp_embed_defaults() );
  
         function fetch( $provider, $url, $args = '' ) {
                 $args = wp_parse_args( $args, wp_embed_defaults() );
  
-               $provider = add_query_arg( 'maxwidth', $args['width'], $provider );
-               $provider = add_query_arg( 'maxheight', $args['height'], $provider );
+               $provider = add_query_arg( 'maxwidth', (int) $args['width'], $provider );
+               $provider = add_query_arg( 'maxheight', (int) $args['height'], $provider );
                 $provider = add_query_arg( 'url', urlencode($url), $provider );
  
                 foreach( array( 'json', 'xml' ) as $format ) {
                 $provider = add_query_arg( 'url', urlencode($url), $provider );
  
                 foreach( array( 'json', 'xml' ) as $format ) {
diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php

index 4822e2ead0b9f6352f6196724f40dbb482a656bc..58e00b5e181b9697ce38e3c82624abce8f88f4ce 100644 (file)
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@@ -58,14 +58,14 @@ foreach ( array( 'comment_author_email', 'user_email' ) as $filter ) {
  
  // Save URL
  foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
  
  // Save URL
  foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
-       'pre_link_rss' ) as $filter ) {
+       'pre_link_rss', 'pre_post_guid' ) as $filter ) {
         add_filter( $filter, 'wp_strip_all_tags' );
         add_filter( $filter, 'esc_url_raw'       );
         add_filter( $filter, 'wp_filter_kses'    );
  }
  
  // Display URL
         add_filter( $filter, 'wp_strip_all_tags' );
         add_filter( $filter, 'esc_url_raw'       );
         add_filter( $filter, 'wp_filter_kses'    );
  }
  
  // Display URL
-foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url' ) as $filter ) {
+foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) {
         if ( is_admin() )
                 add_filter( $filter, 'wp_strip_all_tags' );
         add_filter( $filter, 'esc_url'           );
         if ( is_admin() )
                 add_filter( $filter, 'wp_strip_all_tags' );
         add_filter( $filter, 'esc_url'           );
@@ -86,6 +86,10 @@ foreach ( array( 'pre_post_status', 'pre_post_comment_status', 'pre_post_ping_st
         add_filter( $filter, 'sanitize_key' );
  }
  
         add_filter( $filter, 'sanitize_key' );
  }
  
+// Mime types
+add_filter( 'pre_post_mime_type', 'sanitize_mime_type' );
+add_filter( 'post_mime_type', 'sanitize_mime_type' );
+
  // Places to balance tags on input
  foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content' ) as $filter ) {
         add_filter( $filter, 'balanceTags', 50 );
  // Places to balance tags on input
  foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content' ) as $filter ) {
         add_filter( $filter, 'balanceTags', 50 );
@@ -218,6 +222,7 @@ add_action( 'template_redirect',   'wp_shortlink_header',           11, 0 );
  // Login actions
  add_action( 'login_head',          'wp_print_head_scripts',         9     );
  add_action( 'login_footer',        'wp_print_footer_scripts'              );
  // Login actions
  add_action( 'login_head',          'wp_print_head_scripts',         9     );
  add_action( 'login_footer',        'wp_print_footer_scripts'              );
+add_action( 'login_init',          'send_frame_options_header',     10, 0 );
  
  // Feed Generator Tags
  foreach ( array( 'rss2_head', 'commentsrss2_head', 'rss_head', 'rdf_header', 'atom_head', 'comments_atom_head', 'opml_head', 'app_head' ) as $action ) {
  
  // Feed Generator Tags
  foreach ( array( 'rss2_head', 'commentsrss2_head', 'rss_head', 'rdf_header', 'atom_head', 'comments_atom_head', 'opml_head', 'app_head' ) as $action ) {
@@ -249,6 +254,8 @@ add_action( 'save_post',                  '_save_post_hook',          5, 2 );
  add_action( 'transition_post_status',     '_transition_post_status',  5, 3 );
  add_action( 'comment_form', 'wp_comment_form_unfiltered_html_nonce'        );
  add_action( 'wp_scheduled_delete',        'wp_scheduled_delete'            );
  add_action( 'transition_post_status',     '_transition_post_status',  5, 3 );
  add_action( 'comment_form', 'wp_comment_form_unfiltered_html_nonce'        );
  add_action( 'wp_scheduled_delete',        'wp_scheduled_delete'            );
+add_action( 'admin_init',                 'send_frame_options_header', 10, 0 );
+add_action( 'importer_scheduled_cleanup', 'wp_delete_attachment'           );
  
  // Navigation menu actions
  add_action( 'delete_post',                '_wp_delete_post_menu_item'      );
  
  // Navigation menu actions
  add_action( 'delete_post',                '_wp_delete_post_menu_item'      );
diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php

index c4f53e9c975ebc1c54f7100c11df59f1389d7b38..6c53f8631455252fb7c80193c38c3adaf7362f2c 100644 (file)
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -718,7 +718,7 @@ function sanitize_file_name( $filename ) {
                 if ( preg_match("/^[a-zA-Z]{2,5}\d?$/", $part) ) {
                         $allowed = false;
                         foreach ( $mimes as $ext_preg => $mime_match ) {
                 if ( preg_match("/^[a-zA-Z]{2,5}\d?$/", $part) ) {
                         $allowed = false;
                         foreach ( $mimes as $ext_preg => $mime_match ) {
-                               $ext_preg = '!(^' . $ext_preg . ')$!i';
+                               $ext_preg = '!^(' . $ext_preg . ')$!i';
                                 if ( preg_match( $ext_preg, $part ) ) {
                                         $allowed = true;
                                         break;
                                 if ( preg_match( $ext_preg, $part ) ) {
                                         $allowed = true;
                                         break;
@@ -2903,4 +2903,17 @@ function capital_P_dangit( $text ) {
  
  }
  
  
  }
  
+/**
+ * Sanitize a mime type
+ *
+ * @since 3.1.3
+ *
+ * @param string $mime_type Mime type
+ * @return string Sanitized mime type
+ */
+function sanitize_mime_type( $mime_type ) {
+       $sani_mime_type = preg_replace( '/[^-*.a-zA-Z0-9\/]/', '', $mime_type );
+       return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
+}
+
  ?>
  ?>
diff --git a/wp-includes/functions.php b/wp-includes/functions.php

index 72843130a804171a3d451422ef45b79b90b0de5a..34fe1132ad384401140d98de50b679398f66558b 100644 (file)
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -4482,4 +4482,16 @@ function wp_find_hierarchy_loop_tortoise_hare( $callback, $start, $override = ar
         return false;
  }
  
         return false;
  }
  
+/**
+ * Send a HTTP header to limit rendering of pages to same origin iframes.
+ *
+ * @link https://developer.mozilla.org/en/the_x-frame-options_response_header
+ *
+ * @since 3.1.3
+ * @return none
+ */
+function send_frame_options_header() {
+       @header( 'X-Frame-Options: SAMEORIGIN' );
+}
+
  ?>
  ?>
diff --git a/wp-includes/meta.php b/wp-includes/meta.php

index 27a1288187b45c3bac6ada0b27085f5feb45bd4b..08d51a260624f8cb16ae3fc6fa843104d33a2306 100644 (file)
--- a/wp-includes/meta.php
+++ b/wp-includes/meta.php
@@ -45,6 +45,7 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
         // expected_slashed ($meta_key)
         $meta_key = stripslashes($meta_key);
         $meta_value = stripslashes_deep($meta_value);
         // expected_slashed ($meta_key)
         $meta_key = stripslashes($meta_key);
         $meta_value = stripslashes_deep($meta_value);
+       $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
  
         $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
         if ( null !== $check )
  
         $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
         if ( null !== $check )
@@ -113,6 +114,7 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v
         // expected_slashed ($meta_key)
         $meta_key = stripslashes($meta_key);
         $meta_value = stripslashes_deep($meta_value);
         // expected_slashed ($meta_key)
         $meta_key = stripslashes($meta_key);
         $meta_value = stripslashes_deep($meta_value);
+       $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
  
         $check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
         if ( null !== $check )
  
         $check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
         if ( null !== $check )
@@ -488,4 +490,33 @@ function _get_meta_table($type) {
  
         return $wpdb->$table_name;
  }
  
         return $wpdb->$table_name;
  }
+
+/**
+ * Determine whether a meta key is protected
+ *
+ * @since 3.1.3
+ *
+ * @param string $meta_key Meta key
+ * @return bool True if the key is protected, false otherwise.
+ */
+function is_protected_meta( $meta_key, $meta_type = null ) {
+       $protected = (  '_' == $meta_key[0] );
+
+       return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
+}
+
+/**
+ * Sanitize meta value
+ *
+ * @since 3.1.3
+ *
+ * @param string $meta_key Meta key
+ * @param mixed $meta_value Meta value to sanitize
+ * @param string $meta_type Type of meta
+ * @return mixed Sanitized $meta_value
+ */
+function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) {
+       return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );
+}
+
  ?>
  ?>
diff --git a/wp-includes/post.php b/wp-includes/post.php

index 191b42c5d211e7c045bbe294086b2688532ac0c0..d859473b482b788590afd6bc687c23ac1d0ee1e1 100644 (file)
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -557,12 +557,18 @@ function get_post_status($ID = '') {
         if ( !is_object($post) )
                 return false;
  
         if ( !is_object($post) )
                 return false;
  
-       // Unattached attachments are assumed to be published.
-       if ( ('attachment' == $post->post_type) && ('inherit' == $post->post_status) && ( 0 == $post->post_parent) )
-               return 'publish';
+       if ( 'attachment' == $post->post_type ) {
+               if ( 'private' == $post->post_status )
+                       return 'private';
  
  
-       if ( ('attachment' == $post->post_type) && $post->post_parent && ($post->ID != $post->post_parent) )
-               return get_post_status($post->post_parent);
+               // Unattached attachments are assumed to be published
+               if ( ( 'inherit' == $post->post_status ) && ( 0 == $post->post_parent) )
+                       return 'publish';
+
+               // Inherit status from the parent
+               if ( $post->post_parent && ( $post->ID != $post->post_parent ) )
+                       return get_post_status($post->post_parent);
+       }
  
         return $post->post_status;
  }
  
         return $post->post_status;
  }
@@ -3532,10 +3538,10 @@ function is_local_attachment($url) {
  function wp_insert_attachment($object, $file = false, $parent = 0) {
         global $wpdb, $user_ID;
  
  function wp_insert_attachment($object, $file = false, $parent = 0) {
         global $wpdb, $user_ID;
  
-       $defaults = array('post_status' => 'draft', 'post_type' => 'post', 'post_author' => $user_ID,
+       $defaults = array('post_status' => 'inherit', 'post_type' => 'post', 'post_author' => $user_ID,
                 'ping_status' => get_option('default_ping_status'), 'post_parent' => 0,
                 'menu_order' => 0, 'to_ping' =>  '', 'pinged' => '', 'post_password' => '',
                 'ping_status' => get_option('default_ping_status'), 'post_parent' => 0,
                 'menu_order' => 0, 'to_ping' =>  '', 'pinged' => '', 'post_password' => '',
-               'guid' => '', 'post_content_filtered' => '', 'post_excerpt' => '', 'import_id' => 0);
+               'guid' => '', 'post_content_filtered' => '', 'post_excerpt' => '', 'import_id' => 0, 'context' => '');
  
         $object = wp_parse_args($object, $defaults);
         if ( !empty($parent) )
  
         $object = wp_parse_args($object, $defaults);
         if ( !empty($parent) )
@@ -3550,7 +3556,9 @@ function wp_insert_attachment($object, $file = false, $parent = 0) {
                 $post_author = $user_ID;
  
         $post_type = 'attachment';
                 $post_author = $user_ID;
  
         $post_type = 'attachment';
-       $post_status = 'inherit';
+
+       if ( ! in_array( $post_status, array( 'inherit', 'private' ) ) )
+               $post_status = 'inherit';
  
         // Make sure we set a valid category.
         if ( !isset($post_category) || 0 == count($post_category) || !is_array($post_category) ) {
  
         // Make sure we set a valid category.
         if ( !isset($post_category) || 0 == count($post_category) || !is_array($post_category) ) {
@@ -3653,6 +3661,9 @@ function wp_insert_attachment($object, $file = false, $parent = 0) {
         if ( isset($post_parent) && $post_parent < 0 )
                 add_post_meta($post_ID, '_wp_attachment_temp_parent', $post_parent, true);
  
         if ( isset($post_parent) && $post_parent < 0 )
                 add_post_meta($post_ID, '_wp_attachment_temp_parent', $post_parent, true);
  
+       if ( ! empty( $context ) )
+               add_post_meta( $post_ID, '_wp_attachment_context', $context, true );
+
         if ( $update) {
                 do_action('edit_attachment', $post_ID);
         } else {
         if ( $update) {
                 do_action('edit_attachment', $post_ID);
         } else {
diff --git a/wp-includes/query.php b/wp-includes/query.php

index ed08ebc450ec8be5bbebd8aa36aefad0487f8bfa..14942d94ec5af7c80dd19cf89cc8581e205385d5 100644 (file)
--- a/wp-includes/query.php
+++ b/wp-includes/query.php
@@ -2231,10 +2231,6 @@ class WP_Query {
                         }
                 }
  
                         }
                 }
  
-               if ( !empty( $this->tax_query->queries ) || !empty( $q['meta_key'] ) ) {
-                       $groupby = "{$wpdb->posts}.ID";
-               }
-
                 // Author/user stuff
  
                 if ( empty($q['author']) || ($q['author'] == '0') ) {
                 // Author/user stuff
  
                 if ( empty($q['author']) || ($q['author'] == '0') ) {
@@ -2480,6 +2476,10 @@ class WP_Query {
                         $where .= $clauses['where'];
                 }
  
                         $where .= $clauses['where'];
                 }
  
+               if ( ! empty( $this->tax_query->queries ) || ! empty( $q['meta_query'] ) ) {
+                       $groupby = "{$wpdb->posts}.ID";
+               }
+
                 // Apply filters on where and join prior to paging so that any
                 // manipulations to them are reflected in the paging by day queries.
                 if ( !$q['suppress_filters'] ) {
                 // Apply filters on where and join prior to paging so that any
                 // manipulations to them are reflected in the paging by day queries.
                 if ( !$q['suppress_filters'] ) {
diff --git a/wp-includes/taxonomy.php b/wp-includes/taxonomy.php

index 33d4329debf83e2d75ab71e0370b40010320b7a8..d9ae2d5a8b40603db843ceee24db3c5c64960400 100644 (file)
--- a/wp-includes/taxonomy.php
+++ b/wp-includes/taxonomy.php
@@ -1255,8 +1255,10 @@ function &get_terms($taxonomies, $args = '') {
                 $where .= " AND t.slug = '$slug'";
         }
  
                 $where .= " AND t.slug = '$slug'";
         }
  
-       if ( !empty($name__like) )
-               $where .= " AND t.name LIKE '" . like_escape( $name__like ) . "%'";
+       if ( !empty($name__like) ) {
+               $name__like = like_escape( $name__like );
+               $where .= $wpdb->prepare( " AND t.name LIKE %s", $name__like . '%' );
+       }
  
         if ( '' !== $parent ) {
                 $parent = (int) $parent;
  
         if ( '' !== $parent ) {
                 $parent = (int) $parent;
@@ -1278,7 +1280,7 @@ function &get_terms($taxonomies, $args = '') {
  
         if ( !empty($search) ) {
                 $search = like_escape($search);
  
         if ( !empty($search) ) {
                 $search = like_escape($search);
-               $where .= " AND (t.name LIKE '%$search%')";
+               $where .= $wpdb->prepare( " AND (t.name LIKE %s)", '%' . $search . '%');
         }
  
         $selects = array();
         }
  
         $selects = array();
diff --git a/wp-includes/theme.php b/wp-includes/theme.php

index c2960557db893f5742a134e9ce8b3eb5c206acb0..14176ac7123fa992ecc146c32ae50cf5a6e61ac2 100644 (file)
--- a/wp-includes/theme.php
+++ b/wp-includes/theme.php
@@ -1435,7 +1435,7 @@ function get_header_image() {
         else
                 $url = str_replace( 'https://', 'http://', $url );
  
         else
                 $url = str_replace( 'https://', 'http://', $url );
  
-       return $url;
+       return esc_url_raw( $url );
  }
  
  /**
  }
  
  /**
diff --git a/wp-includes/version.php b/wp-includes/version.php

index 14980a3d037b73224271549e78db132aaeee190c..aefcfeb210c88815f4cfa904f0e7deeb65ee4310 100644 (file)
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -22,7 +22,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   *
   * @global string $wp_version
   */
   *
   * @global string $wp_version
   */
-$wp_version = '3.1.2';
+$wp_version = '3.1.3';
  
  /**
   * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
  
  /**
   * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
diff --git a/wp-login.php b/wp-login.php

index ab9cff5580a6e05c2615c98c24631dda76c8ec59..0f471b0d7b7b14d0fe2b7715c381c41649cbf3f1 100644 (file)
--- a/wp-login.php
+++ b/wp-login.php
@@ -368,7 +368,8 @@ if ( SITECOOKIEPATH != COOKIEPATH )
         setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
  
  // allow plugins to override the default actions, and to add extra actions if they want
         setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
  
  // allow plugins to override the default actions, and to add extra actions if they want
-do_action('login_form_' . $action);
+do_action( 'login_init' );
+do_action( 'login_form_' . $action );
  
  $http_post = ('POST' == $_SERVER['REQUEST_METHOD']);
  switch ($action) {
  
  $http_post = ('POST' == $_SERVER['REQUEST_METHOD']);
  switch ($action) {
author	Edward Z. Yang <ezyang@mit.edu>
	Sat, 28 May 2011 01:01:10 +0000 (02:01 +0100)
committer	Edward Z. Yang <ezyang@mit.edu>
	Sat, 28 May 2011 01:01:10 +0000 (02:01 +0100)
readme.html		patch \| blob \| history
wp-admin/admin-ajax.php		patch \| blob \| history
wp-admin/custom-background.php		patch \| blob \| history
wp-admin/custom-header.php		patch \| blob \| history
wp-admin/includes/class-wp-plugins-list-table.php		patch \| blob \| history
wp-admin/includes/import.php		patch \| blob \| history
wp-admin/includes/media.php		patch \| blob \| history
wp-admin/includes/post.php		patch \| blob \| history
wp-admin/includes/template.php		patch \| blob \| history
wp-admin/includes/update-core.php		patch \| blob \| history
wp-admin/ms-delete-site.php		patch \| blob \| history
wp-admin/plugins.php		patch \| blob \| history
wp-admin/press-this.php		patch \| blob \| history
wp-app.php		patch \| blob \| history
wp-includes/canonical.php		patch \| blob \| history
wp-includes/class-oembed.php		patch \| blob \| history
wp-includes/default-filters.php		patch \| blob \| history
wp-includes/formatting.php		patch \| blob \| history
wp-includes/functions.php		patch \| blob \| history
wp-includes/meta.php		patch \| blob \| history
wp-includes/post.php		patch \| blob \| history
wp-includes/query.php		patch \| blob \| history
wp-includes/taxonomy.php		patch \| blob \| history
wp-includes/theme.php		patch \| blob \| history
wp-includes/version.php		patch \| blob \| history
wp-login.php		patch \| blob \| history