From: Edward Z. Yang Date: Thu, 5 Nov 2009 06:41:07 +0000 (-0500) Subject: Wordpress 2.0.4 X-Git-Tag: wordpress-2.0.4 X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/commitdiff_plain/cc7b1505cd9fafd87c3672f669e13e98b0c544f7 Wordpress 2.0.4 Signed-off-by: Edward Z. Yang --- diff --git a/wp-admin/admin-db.php b/wp-admin/admin-db.php index bf8692ab..d81b6b84 100644 --- a/wp-admin/admin-db.php +++ b/wp-admin/admin-db.php @@ -92,16 +92,19 @@ function wp_insert_category($catarr) { else $update = false; - $cat_name = wp_specialchars($cat_name); - + $cat_name = apply_filters('pre_category_name', $cat_name); + if (empty ($category_nicename)) $category_nicename = sanitize_title($cat_name); else $category_nicename = sanitize_title($category_nicename); + $category_nicename = apply_filters('pre_category_nicename', $category_nicename); if (empty ($category_description)) $category_description = ''; + $category_description = apply_filters('pre_category_description', $category_description); + $category_parent = (int) $category_parent; if (empty ($category_parent)) $category_parent = 0; @@ -153,7 +156,7 @@ function wp_delete_category($cat_ID) { $cat_ID = (int) $cat_ID; // Don't delete the default cat. - if (1 == $cat_ID) + if ($cat_ID == get_option('default_category')) return 0; $category = get_category($cat_ID); @@ -167,7 +170,8 @@ function wp_delete_category($cat_ID) { $wpdb->query("UPDATE $wpdb->categories SET category_parent = '$parent' WHERE category_parent = '$cat_ID'"); // TODO: Only set categories to general if they're not in another category already - $wpdb->query("UPDATE $wpdb->post2cat SET category_id='1' WHERE category_id='$cat_ID'"); + $default_cat = get_option('default_category'); + $wpdb->query("UPDATE $wpdb->post2cat SET category_id='$default_cat' WHERE category_id='$cat_ID'"); wp_cache_delete($cat_ID, 'category'); wp_cache_delete('all_category_ids', 'category'); 
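Review bot: From this hunk on the category name is stored exactly as entered, because `wp_specialchars($cat_name)` was replaced by `apply_filters('pre_category_name', $cat_name)` and nothing escapes the value unless a filter is hooked; every output site must therefore escape for its own context (the `js_escape` change to cat_rows in admin-functions.php in this commit is one such site), and the INSERT that follows outside this hunk must still apply database escaping, which is not visible here. A one-line comment at the filter call would stop a later maintainer from assuming the stored value is already safe: `// Raw name: escape at output (wp_specialchars / js_escape), not here.` The same applies to the new `pre_category_description` line. wp_insert_category continues outside the hunk.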
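Review bot: In the last hunk `$default_cat` is read from `get_option('default_category')` and interpolated straight into the UPDATE, while `$cat_ID` on the same line was cast with `(int)` a few lines earlier; cast the option the same way so both values in the SQL are guaranteed integers: `$default_cat = (int) get_option('default_category');`. The comparison added in the preceding hunk, `if ($cat_ID == get_option('default_category'))`, would also be clearer written against the same cast value so the two hunks agree on the type. Both hunks sit inside wp_delete_category, whose body extends beyond what is shown.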
diff --git a/wp-admin/admin-functions.php b/wp-admin/admin-functions.php index 6afef35b..6b9be754 100644 --- a/wp-admin/admin-functions.php +++ b/wp-admin/admin-functions.php @@ -361,7 +361,7 @@ function edit_user($user_id = 0) { if (isset ($_POST['pass2'])) $pass2 = $_POST['pass2']; - if (isset ($_POST['role'])) { + if (isset ($_POST['role']) && current_user_can('edit_users')) { if($user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap('edit_users')) $user->role = $_POST['role']; } @@ -523,7 +523,7 @@ function checked($checked, $current) { function return_categories_list($parent = 0) { global $wpdb; - return $wpdb->get_col("SELECT cat_ID FROM $wpdb->categories WHERE category_parent = $parent ORDER BY category_count DESC LIMIT 100"); + return $wpdb->get_col("SELECT cat_ID FROM $wpdb->categories WHERE category_parent = $parent ORDER BY category_count DESC"); } function sort_cats($cat1, $cat2) { @@ -597,9 +597,9 @@ function cat_rows($parent = 0, $level = 0, $categories = 0) { if ( current_user_can('manage_categories') ) { $edit = "".__('Edit').""; $default_cat_id = get_option('default_category'); - + if ($category->cat_ID != $default_cat_id) - $edit .= "cat_ID, '".sprintf(__("You are about to delete the category "%s". All of its posts will go to the default category.\\n"OK" to delete, "Cancel" to stop."), wp_specialchars($category->cat_name, 1))."' );\" class='delete'>".__('Delete').""; + $edit .= "cat_ID ) . "' onclick=\"return deleteSomething( 'cat', $category->cat_ID, '" . sprintf(__("You are about to delete the category "%s". All of its posts will go to the default category.\\n"OK" to delete, "Cancel" to stop."), js_escape($category->cat_name))."' );\" class='delete'>".__('Delete').""; else $edit .= "".__("Default"); } 
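Review bot: The new guard `isset ($_POST['role']) && current_user_can('edit_users')` still lets the next line index `$wp_roles->role_objects[$_POST['role']]` with an unvalidated role name: when editing a different user the `||` short-circuits and an arbitrary string is assigned to `$user->role`, and when editing oneself an unknown name yields a null object before `->has_cap()` is called. Check that the role exists in the same condition: `if (isset ($_POST['role']) && current_user_can('edit_users') && isset($wp_roles->role_objects[$_POST['role']])) {`. edit_user begins and ends outside this hunk.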
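Review bot: In the cat_rows hunk the output of `js_escape($category->cat_name)` lands inside a double-quoted `onclick` attribute, so it is decoded twice: first by the HTML attribute parser, then by the JavaScript engine. The previous code used `wp_specialchars(..., 1)`, which covered the attribute layer; js_escape is defined outside this diff, so confirm it also encodes `"` and `<` for the attribute context rather than only backslash-escaping quotes for JS, and if it does not, wrap it: `wp_specialchars(js_escape($category->cat_name), 1)`. The same two-layer case appears in the edit-comments.php hunks of this commit.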
@@ -643,7 +643,7 @@ function page_rows($parent = 0, $level = 0, $pages = 0) { post_modified); ?> " . __('Edit') . ""; } ?> - " . __('Delete') . ""; } ?> + " . __('Delete') . ""; } ?> '.$plugin.''; + $plugin = ''.$plugin.''; } if ('' == $author_uri[1]) { - $author = $author_name[1]; + $author = trim($author_name[1]); } else { - $author = ''.$author_name[1].''; + $author = '' . trim($author_name[1]) . ''; } return array ('Name' => $name, 'Title' => $plugin, 'Description' => $description, 'Author' => $author, 'Version' => $version, 'Template' => $template[1]); 
@@ -1664,45 +1673,6 @@ function wp_handle_upload(&$file, $overrides = false) { __("Missing a temporary folder."), __("Failed to write file to disk.")); - // Accepted MIME types are set here as PCRE. Override with $override['mimes']. - $mimes = apply_filters('upload_mimes', array ( - 'jpg|jpeg|jpe' => 'image/jpeg', - 'gif' => 'image/gif', - 'png' => 'image/png', - 'bmp' => 'image/bmp', - 'tif|tiff' => 'image/tiff', - 'ico' => 'image/x-icon', - 'asf|asx|wax|wmv|wmx' => 'video/asf', - 'avi' => 'video/avi', - 'mov|qt' => 'video/quicktime', - 'mpeg|mpg|mpe' => 'video/mpeg', - 'txt|c|cc|h' => 'text/plain', - 'rtx' => 'text/richtext', - 'css' => 'text/css', - 'htm|html' => 'text/html', - 'mp3|mp4' => 'audio/mpeg', - 'ra|ram' => 'audio/x-realaudio', - 'wav' => 'audio/wav', - 'ogg' => 'audio/ogg', - 'mid|midi' => 'audio/midi', - 'wma' => 'audio/wma', - 'rtf' => 'application/rtf', - 'js' => 'application/javascript', - 'pdf' => 'application/pdf', - 'doc' => 'application/msword', - 'pot|pps|ppt' => 'application/vnd.ms-powerpoint', - 'wri' => 'application/vnd.ms-write', - 'xla|xls|xlt|xlw' => 'application/vnd.ms-excel', - 'mdb' => 'application/vnd.ms-access', - 'mpp' => 'application/vnd.ms-project', - 'swf' => 'application/x-shockwave-flash', - 'class' => 'application/java', - 'tar' => 'application/x-tar', - 'zip' => 'application/zip', - 'gz|gzip' => 'application/x-gzip', - 'exe' => 'application/x-msdownload' - )); - // All tests are on by default. Most can be turned off by $override[{test_name}] = false; $test_form = true; $test_size = true; 
@@ -1730,17 +1700,11 @@ function wp_handle_upload(&$file, $overrides = false) { if (! @ is_uploaded_file($file['tmp_name']) ) return $upload_error_handler($file, __('Specified file failed upload test.')); - // A correct MIME type will pass this test. + // A correct MIME type will pass this test. Override $mimes or use the upload_mimes filter. if ( $test_type ) { - $type = false; - $ext = false; - foreach ($mimes as $ext_preg => $mime_match) { - $ext_preg = '![^.]\.(' . $ext_preg . ')$!i'; - if ( preg_match($ext_preg, $file['name'], $ext_matches) ) { - $type = $mime_match; - $ext = $ext_matches[1]; - } - } + $wp_filetype = wp_check_filetype($file['name'], $mimes); + + extract($wp_filetype); if ( !$type || !$ext ) return $upload_error_handler($file, __('File type does not meet security guidelines. Try another.')); @@ -1767,6 +1731,8 @@ function wp_handle_upload(&$file, $overrides = false) { else $filename = str_replace("$number$ext", ++$number . $ext, $filename); } + $filename = str_replace($ext, '', $filename); + $filename = sanitize_title_with_dashes($filename) . $ext; } // Move the file to the uploads dir @@ -1808,7 +1774,7 @@ o.action.value = 'view'; o.submit(); } -
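Review bot: `extract($wp_filetype)` imports whatever keys wp_check_filetype returns into wp_handle_upload's local scope, so any key added to that return value later would silently overwrite locals such as `$file` or `$mimes`; the two values actually needed are better taken explicitly: `$type = $wp_filetype['type']; $ext = $wp_filetype['ext'];`. Note also that the `$mimes` passed to wp_check_filetype had its only visible definition deleted by the earlier hunk (the removed `$mimes = apply_filters('upload_mimes', ...)` array); unless the function initialises it before this point, outside the diff, it is an undefined variable here. wp_handle_upload begins and ends outside this hunk.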
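Review bot: The two added lines sanitize `$filename` after the uniqueness loop whose tail is visible just above them (`$filename = str_replace("$number$ext", ++$number . $ext, $filename)`; the loop head is outside the hunk), so the name that was tested against the filesystem is not the name that is finally written: `My Photo.jpg` passes the check and then becomes `my-photo.jpg`, which may already exist and would be overwritten by the move that follows outside the hunk. Move the sanitising step above the loop so uniqueness is tested on the final name, e.g. `$filename = sanitize_title_with_dashes(str_replace($ext, '', $filename)) . $ext;` before the loop starts. Separately, `str_replace($ext, '', $filename)` strips every occurrence of the extension string, not just the trailing one; when `$ext` is non-empty, `substr($filename, 0, -strlen($ext))` after confirming the suffix is the safer edit.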
+
diff --git a/wp-admin/admin.php b/wp-admin/admin.php index 9c5a88c8..756cc480 100644 --- a/wp-admin/admin.php +++ b/wp-admin/admin.php @@ -17,7 +17,7 @@ nocache_headers(); update_category_cache(); -get_currentuserinfo(); +wp_get_current_user(); $posts_per_page = get_settings('posts_per_page'); $what_to_show = get_settings('what_to_show'); @@ -42,12 +42,15 @@ for ($i=0; $i%s category: this is the default one"), $cat_name)); wp_delete_category($cat_ID); - header('Location: categories.php?message=2'); + wp_redirect('categories.php?message=2'); break; @@ -62,6 +64,7 @@ case 'edit':

+ cat_ID); ?> @@ -94,12 +97,15 @@ case 'edit': break; case 'editedcat': + $cat_ID = (int) $_POST['cat_ID']; + check_admin_referer('update-category_' . $cat_ID); + if ( !current_user_can('manage_categories') ) die (__('Cheatin’ uh?')); wp_update_category($_POST); - header('Location: categories.php?message=3'); + wp_redirect('categories.php?message=3'); break; default: @@ -146,7 +152,7 @@ cat_rows();
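Review bot: `wp_redirect('categories.php?message=3')` is followed by `break`, not `exit`, so after the Location header is sent the rest of categories.php still executes and renders; the other files touched by this commit terminate after redirecting (`wp_redirect(...); exit;` in user-edit.php and themes.php), and this branch should do the same: `wp_redirect('categories.php?message=3'); exit;`. The `deletecat` branch earlier in this file has the same shape. Also, `$cat_ID` is cast to int for the nonce action but `wp_update_category($_POST)` receives the raw request array; unless wp_update_category casts `cat_ID` itself (outside this diff), pass the validated value through.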

- +



diff --git a/wp-admin/edit-comments.php b/wp-admin/edit-comments.php index e74ebb49..88e672a7 100644 --- a/wp-admin/edit-comments.php +++ b/wp-admin/edit-comments.php @@ -39,6 +39,8 @@ function checkAll(form)

|

comment_post_ID) ) { echo " | comment_ID."\">" . __('Edit Comment') . ""; - echo " | comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment', $comment->comment_ID, '" . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars( $comment->comment_author, 1 )) . "' );\">" . __('Delete Comment') . " — "; + echo ' | " . __('Delete Comment') . ' '; } // end if any comments to show // Get post title if ( current_user_can('edit_post', $comment->comment_post_ID) ) { $post_title = $wpdb->get_var("SELECT post_title FROM $wpdb->posts WHERE ID = $comment->comment_post_ID"); $post_title = ('' == $post_title) ? "# $comment->comment_post_ID" : $post_title; - ?> + ?> | |

@@ -124,8 +126,9 @@ if ('view' == $mode) { } elseif ('edit' == $mode) { if ($comments) { - echo ' -
+ echo ' '; + wp_nonce_field('bulk-comments'); + echo '
@@ -148,13 +151,13 @@ if ('view' == $mode) { + echo "comment_post_ID."&comment=".$comment->comment_ID, 'delete-comment_' . $comment->comment_ID) . "\" onclick=\"return confirm('" . __("You are about to delete this comment.\\n \'Cancel\' to stop, \'OK\' to delete.") . "')\" class='delete'>" . __('Delete') . ""; } ?>
* ' . __('Name') . 'comment_post_ID) ) { echo "" . __('Edit') . ""; } ?> comment_post_ID) ) { - echo "comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return confirm('" . sprintf(__("You are about to delete this comment by \'%s\'\\n \'Cancel\' to stop, \'OK\' to delete."), $comment->comment_author) . "')\" class='delete'>" . __('Delete') . ""; } ?>

-

')" />

+

')" />

"; + wp_nonce_field('add-post'); } else { $form_action = 'editpost'; $form_extra = ""; + wp_nonce_field('update-post_' . $post_ID); } $form_pingback = ''; @@ -154,7 +156,7 @@ endforeach; @@ -209,10 +211,10 @@ if ('publish' != $post->post_status || 0 == $post_ID) {

@@ -220,7 +222,7 @@ else ' . __('This feature requires iframe support.') . ''; @@ -229,23 +231,39 @@ if (current_user_can('upload_files')) {
+
+

+
+
+
+
+
+

+
+
: ()
+
+
+
+

+
+
+
- -post_title) ) . "')\""; ?> /> + +post_title) ) . "') ) { document.forms.post._wpnonce.value = '$delete_nonce'; return true;}return false;\""; ?> />
diff --git a/wp-admin/edit-form-ajax-cat.php b/wp-admin/edit-form-ajax-cat.php index d023f946..f1823343 100644 --- a/wp-admin/edit-form-ajax-cat.php +++ b/wp-admin/edit-form-ajax-cat.php @@ -3,16 +3,16 @@ require_once('../wp-config.php'); require_once('admin-functions.php'); require_once('admin-db.php'); -get_currentuserinfo(); - if ( !current_user_can('manage_categories') ) die('-1'); +if ( !check_ajax_referer() ) + die('-1'); function get_out_now() { exit; } add_action('shutdown', 'get_out_now', -1); -$names = explode(',', rawurldecode($_GET['ajaxnewcat']) ); +$names = explode(',', rawurldecode($_POST['ajaxnewcat']) ); $ids = array(); foreach ($names as $cat_name) { @@ -34,4 +34,4 @@ $return = join(',', $ids); die( (string) $return ); -?> \ No newline at end of file +?> diff --git a/wp-admin/edit-form-comment.php b/wp-admin/edit-form-comment.php index fb72058f..2695c51c 100644 --- a/wp-admin/edit-form-comment.php +++ b/wp-admin/edit-form-comment.php @@ -6,6 +6,7 @@ $form_extra = "' />\ncomment_ID) ?>
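Review bot: `$_POST['ajaxnewcat']` is read without an `isset` check on the line that builds `$names`, so a request that passes the referer check but omits the field raises a notice and then iterates over a single empty name; reading it guardedly, `$names = explode(',', rawurldecode(isset($_POST['ajaxnewcat']) ? $_POST['ajaxnewcat'] : ''));`, and returning early when the result is empty keeps the loop below from running on nothing. The move from `$_GET` to `$_POST` together with the `check_ajax_referer()` gate is the right direction for a state-changing endpoint. Since `get_currentuserinfo()` was dropped, the `current_user_can('manage_categories')` check presumably relies on the current user being resolved lazily; a one-line comment saying so would help.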
@@ -88,7 +89,7 @@ else

- +

diff --git a/wp-admin/edit-form.php b/wp-admin/edit-form.php index dd4bc758..fd5efcea 100644 --- a/wp-admin/edit-form.php +++ b/wp-admin/edit-form.php @@ -64,7 +64,7 @@ edCanvas = document.getElementById('content'); '; } ?> - +

diff --git a/wp-admin/edit-link-form.php b/wp-admin/edit-link-form.php index d782813e..fe5b6349 100644 --- a/wp-admin/edit-link-form.php +++ b/wp-admin/edit-link-form.php @@ -4,11 +4,13 @@ if ( ! empty($link_id) ) { $heading = __('Edit a link:'); $submit_text = __('Save Changes »'); $form = ' + get_results("SELECT ID, post_title FROM $wpdb->posts WHERE post_status = 'publish' AND post_date_gmt < '$today' ORDER BY post_date DESC LIMIT 5") ) : ?> diff --git a/wp-admin/inline-uploading.php b/wp-admin/inline-uploading.php index c2334cd9..d0bd8250 100644 --- a/wp-admin/inline-uploading.php +++ b/wp-admin/inline-uploading.php @@ -34,16 +34,20 @@ break; case 'delete': +check_admin_referer('inlineuploading'); + if ( !current_user_can('edit_post', (int) $attachment) ) die(__('You are not allowed to delete this attachment.').' ".__('Go back').''); wp_delete_attachment($attachment); -header("Location: ".basename(__FILE__)."?post=$post&all=$all&action=view&start=$start"); +wp_redirect(basename(__FILE__) ."?post=$post&all=$all&action=view&start=$start"); die; case 'save': +check_admin_referer('inlineuploading'); + $overrides = array('action'=>'save'); $file = wp_handle_upload($_FILES['image'], $overrides); @@ -98,7 +102,7 @@ if ( preg_match('!^image/!', $attachment['post_mime_type']) ) { add_post_meta($id, '_wp_attachment_metadata', array()); } -header("Location: ".basename(__FILE__)."?post=$post&all=$all&action=view&start=0"); +wp_redirect(basename(__FILE__) . "?post=$post&all=$all&action=view&start=0"); die(); case 'upload': 
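Review bot: In the `delete` case the capability check uses `(int) $attachment` but the following `wp_delete_attachment($attachment)` receives the uncast value, so the two lines can disagree on which record is meant; cast once before both, `$attachment = (int) $attachment;`, and drop the inline cast. The redirect targets interpolate `$post`, `$all` and `$start`, which are assigned outside this hunk; if they originate from the request they should be cast or validated before being placed in the Location header, unless wp_redirect already filters the URL. The added `check_admin_referer('inlineuploading')` calls correctly precede the capability checks in both the `delete` and `save` cases.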
@@ -137,7 +141,7 @@ if ( '' == $sort ) $attachments = $wpdb->get_results("SELECT ID, post_date, post_title, post_mime_type, guid FROM $wpdb->posts WHERE post_status = 'attachment' $and_type $and_post $and_user ORDER BY $sort LIMIT $start, $double", ARRAY_A); if ( count($attachments) == 0 ) { - header("Location: ".basename(__FILE__)."?post=$post&action=upload"); + wp_redirect( basename(__FILE__) ."?post=$post&action=upload" ); die; } elseif ( count($attachments) > $num ) { $next = $start + count($attachments) - $num; @@ -211,7 +215,7 @@ var icon = new Array(); "; $send_delete_cancel = "$__send_to_editor -$__delete +$__delete $__close "; $uwidth_sum += 128; @@ -234,7 +238,7 @@ srcb[{$ID}] = '{$image['guid']}'; $xpadding = (128 - $image['uwidth']) / 2; $ypadding = (96 - $image['uheight']) / 2; $style .= "#target{$ID} img { padding: {$ypadding}px {$xpadding}px; }\n"; - $title = htmlentities($image['post_title'], ENT_QUOTES); + $title = wp_specialchars($image['post_title'], ENT_QUOTES); $script .= "aa[{$ID}] = ''; ab[{$ID}] = ''; imga[{$ID}] = '\"{$title}\"'; @@ -254,7 +258,7 @@ imgb[{$ID}] = '\"{$title}\" "; } else { - $title = htmlentities($attachment['post_title'], ENT_QUOTES); + $title = wp_specialchars($attachment['post_title'], ENT_QUOTES); $filename = basename($attachment['guid']); $icon = get_attachment_icon($ID); $toggle_icon = "$__using_title"; @@ -295,8 +299,10 @@ die(__('This script was not meant to be called directly.')); + - -

WordPress

+ +

WordPress

The file 'wp-config.php' already exists. If you need to reset any of the configuration items in this file, please delete it first. You may try installing now.

"); switch($step) { case 0: ?> +

Welcome to WordPress. Before getting started, we need some information on the database. You will need to know the following items before proceeding.

  1. Database name
  2. Database username
  3. -
  4. Database password
  5. +
  6. Database password
  7. Database host
  8. Table prefix (if you want to run more than one WordPress in a single database)
@@ -70,40 +100,42 @@ switch($step) { case 1: ?>

-
+

Below you should enter your database connection details. If you're not sure about these, contact your host.

- + - + - + - + - + -
Database Name The name of the database you want to run WP in.
User Name Your MySQL username
Password ...and MySQL password.
Database Host 99% chance you won't need to change this value.
Table Prefix If you want to run multiple WordPress installations in a single database, change this.
- + +

+ +

All right sparky! You've made it through this part of the installation. WordPress can now communicate with your database. If you are ready, time now to run the install!

+?> + diff --git a/wp-admin/sidebar.php b/wp-admin/sidebar.php index 17fd3cb4..74cb0819 100644 --- a/wp-admin/sidebar.php +++ b/wp-admin/sidebar.php @@ -48,7 +48,7 @@ form {

WordPress

-
+
diff --git a/wp-admin/templates.php b/wp-admin/templates.php index 3e120504..4631ac42 100644 --- a/wp-admin/templates.php +++ b/wp-admin/templates.php @@ -36,6 +36,8 @@ switch($action) { case 'update': + check_admin_referer('edit-file_' . $file); + if ( ! current_user_can('edit_files') ) die('

'.__('You have do not have sufficient permissions to edit templates for this blog.').'

'); @@ -45,12 +47,12 @@ case 'update': if ( $f ) { fwrite($f, $newcontent); fclose($f); - header("Location: templates.php?file=$file&a=te"); + wp_redirect("templates.php?file=$file&a=te"); } else { - header("Location: templates.php?file=$file&a=err"); + wp_redirect("templates.php?file=$file&a=err"); } } else { - header("Location: templates.php?file=$file&a=err"); + wp_redirect("templates.php?file=$file&a=err"); } exit(); @@ -126,6 +128,7 @@ endif;
+
diff --git a/wp-admin/theme-editor.php b/wp-admin/theme-editor.php index 8ed51079..b2788cf3 100644 --- a/wp-admin/theme-editor.php +++ b/wp-admin/theme-editor.php @@ -47,6 +47,8 @@ switch($action) { case 'update': + check_admin_referer('edit-theme_' . $file . $theme); + if ( !current_user_can('edit_themes') ) die('

'.__('You have do not have sufficient permissions to edit templates for this blog.').'

'); @@ -56,9 +58,9 @@ case 'update': $f = fopen($real_file, 'w+'); fwrite($f, $newcontent); fclose($f); - header("Location: theme-editor.php?file=$file&theme=$theme&a=te"); + wp_redirect("theme-editor.php?file=$file&theme=$theme&a=te"); } else { - header("Location: theme-editor.php?file=$file&theme=$theme"); + wp_redirect("theme-editor.php?file=$file&theme=$theme"); } exit(); @@ -129,6 +131,7 @@ if ($allowed_files) : if (!$error) { ?> +
diff --git a/wp-admin/themes.php b/wp-admin/themes.php index a17ea3cd..87678ff3 100644 --- a/wp-admin/themes.php +++ b/wp-admin/themes.php @@ -2,7 +2,7 @@ require_once('admin.php'); if ( isset($_GET['action']) ) { - check_admin_referer(); + check_admin_referer('switch-theme_' . $_GET['template']); if ('activate' == $_GET['action']) { if ( isset($_GET['template']) ) @@ -13,7 +13,7 @@ if ( isset($_GET['action']) ) { do_action('switch_theme', get_current_theme()); - header('Location: themes.php?activated=true'); + wp_redirect('themes.php?activated=true'); exit; } } @@ -69,7 +69,7 @@ foreach ($theme_names as $theme_name) { $author = $themes[$theme_name]['Author']; $screenshot = $themes[$theme_name]['Screenshot']; $stylesheet_dir = $themes[$theme_name]['Stylesheet Dir']; - $activate_link = "themes.php?action=activate&template=$template&stylesheet=$stylesheet"; + $activate_link = wp_nonce_url("themes.php?action=activate&template=$template&stylesheet=$stylesheet", 'switch-theme_' . $template); ?>
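Review bot: `check_admin_referer('switch-theme_' . $_GET['template'])` reads `$_GET['template']` unconditionally, while the `isset($_GET['template'])` guard two lines below shows the parameter is optional; a request carrying `action` but no `template` raises an undefined-index notice before verification even runs. Compute the action string guardedly: `check_admin_referer('switch-theme_' . (isset($_GET['template']) ? $_GET['template'] : ''));`. Binding the nonce to the template name, as the `wp_nonce_url(..., 'switch-theme_' . $template)` change in the third hunk does, is a good choice.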

diff --git a/wp-admin/update-links.php b/wp-admin/update-links.php index 46a7f5a8..eff00db0 100644 --- a/wp-admin/update-links.php +++ b/wp-admin/update-links.php @@ -23,7 +23,7 @@ $http_request .= "\r\n"; $http_request .= $query_string; $response = ''; -if( false !== ( $fs = fsockopen('api.pingomatic.com', 80, $errno, $errstr, 5) ) ) { +if ( false !== ( $fs = @fsockopen('api.pingomatic.com', 80, $errno, $errstr, 5) ) ) { fwrite($fs, $http_request); while ( !feof($fs) ) $response .= fgets($fs, 1160); // One TCP-IP packet diff --git a/wp-admin/upgrade-schema.php b/wp-admin/upgrade-schema.php index e89b893d..1bcdb45a 100644 --- a/wp-admin/upgrade-schema.php +++ b/wp-admin/upgrade-schema.php @@ -211,7 +211,7 @@ function populate_options() { add_option('page_uris'); add_option('blacklist_keys'); add_option('comment_registration', 0); - add_option('open_proxy_check', 1); + add_option('open_proxy_check', 0); add_option('rss_language', 'en'); add_option('html_type', 'text/html'); // 1.5.1 
@@ -229,6 +229,9 @@ function populate_options() { add_option('uploads_use_yearmonth_folders', 1); add_option('upload_path', 'wp-content/uploads'); } + + // 2.0.3 + add_option('secret', md5(uniqid(microtime()))); // Delete unused options $unusedoptions = array ('blodotgsping_url', 'bodyterminator', 'emailtestonly', 'phoneemail_separator', 'smilies_directory', 'subjectprefix', 'use_bbcode', 'use_blodotgsping', 'use_phoneemail', 'use_quicktags', 'use_weblogsping', 'weblogs_cache_file', 'use_preview', 'use_htmltrans', 'smilies_directory', 'fileupload_allowedusers', 'use_phoneemail', 'default_post_status', 'default_post_category', 'archive_mode', 'time_difference', 'links_minadminlevel', 'links_use_adminlevels', 'links_rating_type', 'links_rating_char', 'links_rating_ignore_zero', 'links_rating_single_image', 'links_rating_image0', 'links_rating_image1', 'links_rating_image2', 'links_rating_image3', 'links_rating_image4', 'links_rating_image5', 'links_rating_image6', 'links_rating_image7', 'links_rating_image8', 'links_rating_image9', 'weblogs_cacheminutes', 'comment_allowed_tags', 'search_engine_friendly_urls', 'default_geourl_lat', 'default_geourl_lon', 'use_default_geourl', 'weblogs_xml_url', 'new_users_can_blog'); diff --git a/wp-admin/upgrade.php b/wp-admin/upgrade.php index 53eb1549..3c30d940 100644 --- a/wp-admin/upgrade.php +++ b/wp-admin/upgrade.php @@ -67,7 +67,7 @@ text-align: center; border-top: 1px solid #ccc; padding-top: 1em; font-style: it switch($step) { case 0: - $goback = wp_specialchars($_SERVER['HTTP_REFERER'], 1); + $goback = wp_specialchars(wp_get_referer()); ?>
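Review bot: The new `secret` option is seeded from `md5(uniqid(microtime()))`, and both `uniqid()` and `microtime()` derive from the system clock, so the value is reproducible by anyone who can narrow down when populate_options() ran; hashing does not add entropy. If this option is what nonce or cookie verification keys off (its consumers are outside this diff), it should come from an unpredictable source: at minimum `md5(uniqid(mt_rand(), true))`, and preferably bytes read from `/dev/urandom` where it is readable. A comment stating what the option protects, e.g. `// Per-site secret; must be unpredictable.`, would also help the next maintainer.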

@@ -75,10 +75,13 @@ switch($step) { break; case 1: - wp_cache_flush(); - make_db_current_silent(); - upgrade_all(); - wp_cache_flush(); + $wp_current_db_version = __get_option('db_version'); + if ( $wp_db_version != $wp_current_db_version ) { + wp_cache_flush(); + make_db_current_silent(); + upgrade_all(); + wp_cache_flush(); + } if ( empty( $_GET['backto'] ) ) $backto = __get_option('home'); diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php index 430c8233..ac6d4d6e 100644 --- a/wp-admin/user-edit.php +++ b/wp-admin/user-edit.php @@ -32,7 +32,7 @@ break; case 'update': -check_admin_referer(); +check_admin_referer('update-user_' . $user_id); $errors = array(); @@ -42,7 +42,7 @@ else $errors = edit_user($user_id); if(count($errors) == 0) { - header("Location: user-edit.php?user_id=$user_id&updated=true"); + wp_redirect("user-edit.php?user_id=$user_id&updated=true"); exit; } @@ -73,6 +73,7 @@ if (!current_user_can('edit_users')) $errors['head'] = __('You do not have permi

+

diff --git a/wp-admin/users.php b/wp-admin/users.php index ab555323..76a00cd4 100644 --- a/wp-admin/users.php +++ b/wp-admin/users.php @@ -11,10 +11,10 @@ $update = ''; switch ($action) { case 'promote': - check_admin_referer(); + check_admin_referer('bulk-users'); if (empty($_POST['users'])) { - header('Location: users.php'); + wp_redirect('users.php'); } if ( !current_user_can('edit_users') ) @@ -33,16 +33,16 @@ case 'promote': $user->set_role($_POST['new_role']); } - header('Location: users.php?update=' . $update); + wp_redirect('users.php?update=' . $update); break; case 'dodelete': - check_admin_referer(); + check_admin_referer('delete-users'); if ( empty($_POST['users']) ) { - header('Location: users.php'); + wp_redirect('users.php'); } if ( !current_user_can('edit_users') ) @@ -66,17 +66,16 @@ case 'dodelete': } } - header('Location: users.php?update=' . $update); + wp_redirect('users.php?update=' . $update); break; case 'delete': - check_admin_referer(); + check_admin_referer('bulk-users'); - if (empty($_POST['users'])) { - header('Location: users.php'); - } + if ( empty($_POST['users']) ) + wp_redirect('users.php'); if ( !current_user_can('edit_users') ) $error['edit_users'] = __('You can’t delete users.'); @@ -86,6 +85,7 @@ case 'delete': include ('admin-header.php'); ?> +
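Review bot: In the `promote`, `dodelete` and `delete` cases, `wp_redirect('users.php')` on an empty `$_POST['users']` is not followed by `exit`, so the handler keeps running after the Location header is sent; the `delete` case even loses its braces in this hunk, so the bare `if` guards only the redirect and the confirmation page below still renders. The `adduser` case in the same file does it right (`wp_redirect('users.php?update=add'); die();`); apply the same shape in all three places: `if ( empty($_POST['users']) ) { wp_redirect('users.php'); exit; }`.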

@@ -131,12 +131,12 @@ case 'delete': break; case 'adduser': - check_admin_referer(); + check_admin_referer('add-user'); $errors = add_user(); if(count($errors) == 0) { - header('Location: users.php?update=add'); + wp_redirect('users.php?update=add'); die(); } @@ -200,6 +200,7 @@ default: ?> +

@@ -280,6 +281,7 @@ $role_select .= '';

'.sprintf(__('Users can register themselves or you can manually create users here.'), get_settings('siteurl').'/wp-register.php').'

'; ?> +
diff --git a/wp-admin/wp-admin.css b/wp-admin/wp-admin.css index 9e7ec06f..abc8959a 100644 --- a/wp-admin/wp-admin.css +++ b/wp-admin/wp-admin.css @@ -848,6 +848,11 @@ table .vers, table .name { padding-right: 2px; } +#moremeta fieldset.dbx-box-closed { + background: url(images/box-butt.gif) no-repeat bottom; + padding-bottom: 9px; +} + /* handles */ .dbx-handle { @@ -868,6 +873,55 @@ table .vers, table .name { background: url(images/box-bg.gif) repeat-y right; } +#advancedstuff h3.dbx-handle { + margin-left: 7px; + margin-bottom: -7px; + padding: 6px 1em 0 3px; + background: #2685af url(images/box-head-right.gif) no-repeat top right; +} + +#advancedstuff div.dbx-handle-wrapper { + margin: 0 0 0 -7px; + background: #fff url(images/box-head-left.gif) no-repeat top left; +} + +#advancedstuff div.dbx-content { + margin-left: 8px; + background: url(images/box-bg-right.gif) repeat-y right; + padding: 10px 10px 15px 0px; +} + +#postexcerpt div.dbx-content { + margin-right: 0; + padding-right: 17px; +} + +#advancedstuff div.dbx-content-wrapper { + margin-left: -7px; + margin-right: 0; + background: url(images/box-bg-left.gif) repeat-y left; +} + +#advancedstuff fieldset.dbx-box { + padding-bottom: 9px; + margin-left: 6px; + background: url(images/box-butt-right.gif) no-repeat bottom right; +} + +#advancedstuff div.dbx-box-wrapper { + background: url(images/box-butt-left.gif) no-repeat bottom left; +} + +#advancedstuff .dbx-box-closed div.dbx-content-wrapper { + padding-bottom: 2px; + background: url(images/box-butt-left.gif) no-repeat bottom left; +} + +#advancedstuff .dbx-box { + background: url(images/box-butt-right.gif) no-repeat bottom right; +} + + /* handle cursors */ .dbx-handle-cursor { cursor: move; 
@@ -902,12 +956,16 @@ a.dbx-toggle, a.dbx-toggle:visited { #advancedstuff a.dbx-toggle, #advancedstuff a.dbx-toggle-open:visited { height: 22px; width: 22px; + top: 3px; + right: 5px; background-position: 0 -3px; } #advancedstuff a.dbx-toggle-open, #advancedstuff a.dbx-toggle-open:visited { height: 22px; width: 22px; + top: 3px; + right: 5px; background-position: 0 -28px; } diff --git a/wp-comments-post.php b/wp-comments-post.php index 953de684..3be6142c 100644 --- a/wp-comments-post.php +++ b/wp-comments-post.php @@ -24,11 +24,11 @@ $comment_author_url = trim($_POST['url']); $comment_content = trim($_POST['comment']); // If the user is logged in -get_currentuserinfo(); -if ( $user_ID ) : - $comment_author = $wpdb->escape($user_identity); - $comment_author_email = $wpdb->escape($user_email); - $comment_author_url = $wpdb->escape($user_url); +$user = wp_get_current_user(); +if ( $user->ID ) : + $comment_author = $wpdb->escape($user->display_name); + $comment_author_email = $wpdb->escape($user->user_email); + $comment_author_url = $wpdb->escape($user->user_url); else : if ( get_option('comment_registration') ) die( __('Sorry, you must be logged in to post a comment.') ); @@ -36,7 +36,7 @@ endif; $comment_type = ''; -if ( get_settings('require_name_email') && !$user_ID ) { +if ( get_settings('require_name_email') && !$user->ID ) { if ( 6 > strlen($comment_author_email) || '' == $comment_author ) die( __('Error: please fill the required fields (name, email).') ); elseif ( !is_email($comment_author_email)) @@ -50,7 +50,7 @@ $commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_emai $comment_id = wp_new_comment( $commentdata ); -if ( !$user_ID ) : +if ( !$user->ID ) : $comment = get_comment($comment_id); setcookie('comment_author_' . COOKIEHASH, $comment->comment_author, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN); setcookie('comment_author_email_' . COOKIEHASH, $comment->comment_author_email, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN); 
diff --git a/wp-content/plugins/akismet/akismet.php b/wp-content/plugins/akismet/akismet.php index 6adb649b..8d8997ab 100644 --- a/wp-content/plugins/akismet/akismet.php +++ b/wp-content/plugins/akismet/akismet.php @@ -4,21 +4,37 @@ Plugin Name: Akismet Plugin URI: http://akismet.com/ Description: Akismet checks your comments against the Akismet web serivce to see if they look like spam or not. You need a WordPress.com API key to use this service. You can review the spam it catches under "Manage" and it automatically deletes old spam after 15 days. Hat tip: Michael Hampton and Chris J. Davis for help with the plugin. Author: Matt Mullenweg -Version: 1.14 +Version: 1.15 Author URI: http://photomatt.net/ */ add_action('admin_menu', 'ksd_config_page'); +if ( ! function_exists('wp_nonce_field') ) { + function akismet_nonce_field($action = -1) { + return; + } + $akismet_nonce = -1; +} else { + function akismet_nonce_field($action = -1) { + return wp_nonce_field($action); + } + $akismet_nonce = 'akismet-update-key'; +} + function ksd_config_page() { global $wpdb; if ( function_exists('add_submenu_page') ) - add_submenu_page('plugins.php', __('Akismet Configuration'), __('Akismet Configuration'), 1, __FILE__, 'akismet_conf'); + add_submenu_page('plugins.php', __('Akismet Configuration'), __('Akismet Configuration'), 'manage_options', __FILE__, 'akismet_conf'); } function akismet_conf() { + global $akismet_nonce; if ( isset($_POST['submit']) ) { - check_admin_referer(); + if ( !current_user_can('manage_options') ) + die(__('Cheatin’ uh?')); + + check_admin_referer($akismet_nonce); $key = preg_replace('/[^a-h0-9]/i', '', $_POST['key']); if ( akismet_verify_key( $key ) ) update_option('wordpress_api_key', $key); @@ -34,6 +50,7 @@ function akismet_conf() {
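Review bot: The `recover` branch of ksd_caught gains a `moderate_comments` capability check but no request-authenticity check, while akismet_conf in the same file now calls `check_admin_referer($akismet_nonce)`; a POST that un-spams comments changes state and should be gated the same way. Emit `akismet_nonce_field('akismet-recover')` in the recover form (outside this diff) and add `check_admin_referer('akismet-recover');` right after the new `die()`, using the same `$akismet_nonce`-style compatibility pattern the config page uses so older installs without wp_nonce_field keep working. ksd_caught continues past the end of this hunk.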
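Review bot: The allowlist in `preg_replace( '/[^0-9., ]/', '', $_SERVER['REMOTE_ADDR'] )` keeps digits, dots, commas and spaces, so an IPv6 peer address (colons, hex letters) is reduced to a meaningless digit string before it is sent to the service, while the comma and space it admits never occur in a server-set REMOTE_ADDR. If the intent is defence in depth on a value the web server controls, a comment saying so would be useful: `// REMOTE_ADDR is server-set; strip anything outside an address as a precaution`. Widening the class to `/[^0-9a-f.:]/i` would let IPv6 addresses through intact.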

Akismet will greatly reduce or even completely eliminate the comment and trackback spam you get on your site. If one does happen to get through, simply mark it as "spam" on the moderation screen and Akismet will learn from the mistakes. If you don\'t have a WordPress.com account yet, you can get one at WordPress.com.'), 'http://akismet.com/', 'http://wordpress.com/api-keys/'); ?>

+

@@ -72,7 +89,7 @@ if ( !get_option('wordpress_api_key') && !isset($_POST['submit']) ) { $ksd_api_host = get_option('wordpress_api_key') . '.rest.akismet.com'; $ksd_api_port = 80; -$ksd_user_agent = "WordPress/$wp_version | Akismet/1.14"; +$ksd_user_agent = "WordPress/$wp_version | Akismet/1.15"; // Returns array with headers in $response[0] and entity in $response[1] function ksd_http_post($request, $host, $path, $port = 80) { @@ -87,7 +104,7 @@ function ksd_http_post($request, $host, $path, $port = 80) { $http_request .= $request; $response = ''; - if( false !== ( $fs = @fsockopen($host, $port, $errno, $errstr, 3) ) ) { + if( false !== ( $fs = @fsockopen($host, $port, $errno, $errstr, 10) ) ) { fwrite($fs, $http_request); while ( !feof($fs) ) @@ -100,7 +117,7 @@ function ksd_http_post($request, $host, $path, $port = 80) { function ksd_auto_check_comment( $comment ) { global $auto_comment_approved, $ksd_api_host, $ksd_api_port; - $comment['user_ip'] = $_SERVER['REMOTE_ADDR']; + $comment['user_ip'] = preg_replace( '/[^0-9., ]/', '', $_SERVER['REMOTE_ADDR'] ); $comment['user_agent'] = $_SERVER['HTTP_USER_AGENT']; $comment['referrer'] = $_SERVER['HTTP_REFERER']; $comment['blog'] = get_option('home'); @@ -185,12 +202,15 @@ function ksd_manage_page() { global $wpdb; $count = sprintf(__('Akismet Spam (%s)'), ksd_spam_count()); if ( function_exists('add_management_page') ) - add_management_page(__('Akismet Spam'), $count, 1, __FILE__, 'ksd_caught'); + add_management_page(__('Akismet Spam'), $count, 'moderate_comments', __FILE__, 'ksd_caught'); } function ksd_caught() { global $wpdb, $comment; if (isset($_POST['submit']) && 'recover' == $_POST['action'] && ! empty($_POST['not_spam'])) { + if ( ! current_user_can('moderate_comments') ) + die(__('You do not have sufficient permission to moderate comments.')); + $i = 0; foreach ($_POST['not_spam'] as $comment): $comment = (int) $comment; @@ -204,6 +224,9 @@ function ksd_caught() { echo '
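Review bot: The 10-second value passed to `fsockopen()` is only a connect timeout; the `while ( !feof($fs) )` read loop that follows it has no read timeout of its own, so a host that accepts the connection and then stalls holds the comment request for whatever the platform socket default is, not the 10 s this change suggests. Add `stream_set_timeout($fs, 10);` immediately after the successful open, and the loop should consult `stream_get_meta_data($fs)` for `timed_out` (that part of the loop is outside the hunk). `ksd_http_post()` continues past this hunk.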
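Review bot: The character class in `preg_replace( '/[^0-9., ]/', '', $_SERVER['REMOTE_ADDR'] )` removes every letter and colon, so an IPv6 client address is reduced to a meaningless digit string before it is sent to the service, while commas and spaces are allowed through. If the intent is a whitelist of address characters, `'/[^0-9a-f.:, ]/i'` keeps IPv6 intact; a positive match against an address pattern would be clearer still. The adjacent `user_agent` and `referrer` lines are unchanged context and still pass headers through untouched. `ksd_auto_check_comment()` continues past this hunk.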
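Review bot: The `recover` branch of `ksd_caught()` gains a capability check but still no nonce check: the condition is only `isset($_POST['submit']) && 'recover' == $_POST['action'] && ! empty($_POST['not_spam'])`, so a moderator's browser can be driven to un-spam comments by a cross-site POST. The configuration form in this same file now calls `check_admin_referer($akismet_nonce)`; the same belongs here, e.g. `check_admin_referer('akismet-recover');` directly after the new `die()`, with a matching `akismet_nonce_field()` in the form (the form is rendered outside this hunk). The `delete` branch in the next hunk has the same gap. `ksd_caught()` continues past this hunk.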

' . sprintf(__('%1$s comments recovered.'), $i) . "

"; } if ('delete' == $_POST['action']) { + if ( ! current_user_can('moderate_comments') ) + die(__('You do not have sufficient permission to moderate comments.')); + $delete_time = addslashes( $_POST['display_time'] ); $nuked = $wpdb->query( "DELETE FROM $wpdb->comments WHERE comment_approved = 'spam' AND '$delete_time' > comment_date_gmt" ); if (isset($nuked)) { @@ -221,7 +244,7 @@ function ksd_caught() { $count = get_option('akismet_spam_count'); if ( $count ) { ?> -
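Review bot: In the `delete` branch, `$delete_time = addslashes( $_POST['display_time'] );` escapes a user-supplied value with `addslashes` before it is interpolated into the `DELETE` statement, while the rest of this commit escapes through the database layer (`$wpdb->escape(...)` in functions-post.php). Use `$delete_time = $wpdb->escape( $_POST['display_time'] );`, and since the value is meant to be a timestamp it would be safer to validate it as one before it reaches the query. `$_POST['action']` is also read in the branch condition without `isset()` (unchanged context). `ksd_caught()` starts and ends outside this hunk.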

%1$s spam for you since you installed it.'), number_format($count) ); ?>

+

%1$s spam for you since you first installed it.'), number_format($count) ); ?>

-

+

'.__('These are the latest comments identified as spam by Akismet. If you see any mistakes, simply mark the comment as "not spam" and Akismet will learn from the submission. If you wish to recover a comment from spam, simply select the comment, and click Not Spam. After 15 days we clean out the junk for you.').'

'; ?> get_results("SELECT * FROM $wpdb->comments WHERE comment_approved = 'spam' ORDER BY comment_date DESC LIMIT 150"); @@ -247,7 +270,7 @@ if ($comments) { ?> -
    +
      comment_ID' $class>"; ?> -

      comment_author_email) { ?>| comment_author_url && 'http://' != $comment->comment_author_url) { ?> | | |

      + +

      comment_author_email) { ?>| comment_author_url && 'http://' != $comment->comment_author_url) { ?> | |

      + -
+

- +

+

+ +
+

+    +

backup_dir = trailingslashit($this->backup_dir); $this->basename = preg_replace('/^.*wp-content[\\\\\/]plugins[\\\\\/]/', '', __FILE__); if (isset($_POST['do_backup'])) { + if ( !current_user_can('import') ) die(__('You are not allowed to perform backups.')); switch($_POST['do_backup']) { case 'backup': $this->perform_backup(); @@ -52,8 +52,10 @@ class wpdbBackup { break; } } elseif (isset($_GET['fragment'] )) { + if ( !current_user_can('import') ) die(__('You are not allowed to perform backups.')); add_action('init', array(&$this, 'init')); } elseif (isset($_GET['backup'] )) { + if ( !current_user_can('import') ) die(__('You are not allowed to perform backups.')); add_action('init', array(&$this, 'init')); } else { add_action('admin_menu', array(&$this, 'admin_menu')); @@ -61,10 +63,7 @@ class wpdbBackup { } function init() { - global $user_level; - get_currentuserinfo(); - - if ($user_level < 9) die(__('Need higher user level.')); + if ( !current_user_can('import') ) die(__('You are not allowed to perform backups.')); if (isset($_GET['backup'])) { $via = isset($_GET['via']) ? $_GET['via'] : 'http'; @@ -307,7 +306,7 @@ class wpdbBackup { $core_tables = $_POST['core_tables']; $this->backup_file = $this->db_backup($core_tables, $also_backup); - if (FALSE !== $backup_file) { + if (FALSE !== $this->backup_file) { if ('smtp' == $_POST['deliver']) { $this->deliver_backup ($this->backup_file, $_POST['deliver'], $_POST['backup_recipient']); } elseif ('http' == $_POST['deliver']) { 
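Review bot: The line `if ( !current_user_can('import') ) die(__('You are not allowed to perform backups.'));` now appears verbatim in three branches of the constructor and again in `init()` in the next hunk; a single private method, say `function require_backup_cap() { if ( !current_user_can('import') ) die(__('You are not allowed to perform backups.')); }`, would keep the message and the capability name in one place. The constructor begins outside this hunk.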
@@ -321,11 +320,11 @@ class wpdbBackup { /////////////////////////////// function admin_menu() { - add_management_page(__('Backup'), __('Backup'), 9, basename(__FILE__), array(&$this, 'backup_menu')); + add_management_page(__('Backup'), __('Backup'), 'import', basename(__FILE__), array(&$this, 'backup_menu')); } function fragment_menu() { - add_management_page(__('Backup'), __('Backup'), 9, basename(__FILE__), array(&$this, 'build_backup_script')); + add_management_page(__('Backup'), __('Backup'), 'import', basename(__FILE__), array(&$this, 'build_backup_script')); } ///////////////////////////////////////////////////////// @@ -884,6 +883,14 @@ class wpdbBackup { } // wp_cron_db_backup } -$mywpdbbackup = new wpdbBackup(); +function wpdbBackup_init() { + global $mywpdbbackup; + + if ( !current_user_can('import') ) return; + + $mywpdbbackup = new wpdbBackup(); +} + +add_action('plugins_loaded', 'wpdbBackup_init'); ?> diff --git a/wp-content/themes/classic/comments-popup.php b/wp-content/themes/classic/comments-popup.php index f42d38dc..0969e730 100644 --- a/wp-content/themes/classic/comments-popup.php +++ b/wp-content/themes/classic/comments-popup.php @@ -29,9 +29,8 @@ foreach ($posts as $post) { start_wp(); post_password) && $_COOKIE['wp-postpass_'. COOKIEHASH] != $commentstatus->post_password) { // and it doesn't match the cookie diff --git a/wp-content/themes/default/archive.php b/wp-content/themes/default/archive.php index 104c8b27..2be78027 100644 --- a/wp-content/themes/default/archive.php +++ b/wp-content/themes/default/archive.php @@ -5,21 +5,21 @@ - +
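Review bot: `wpdbBackup_init()` now constructs the plugin object only when the current user has the `import` capability. If the constructor is also where the `wp_cron_db_backup` handler (its closing brace is visible just above) gets hooked — that registration is not in this hunk, so this is inferred — then scheduled backups fired by an anonymous or cron request are no longer wired up at all. If so, register the cron hook unconditionally and keep the capability gate only around the request-handling paths; either way a comment on `wpdbBackup_init()` should state that the object, and everything it hooks, exists only for privileged users.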

Archive for the '' Category

- +

Archive for

- +

Archive for

Archive for

- +

Search Results

- +

Author Archive

@@ -38,29 +38,29 @@

- +
- +
- + - +

Not Found

- + diff --git a/wp-content/themes/default/archives.php b/wp-content/themes/default/archives.php index ae9d8dd2..2c304662 100644 --- a/wp-content/themes/default/archives.php +++ b/wp-content/themes/default/archives.php @@ -20,6 +20,6 @@ Template Name: Archives - + diff --git a/wp-content/themes/default/attachment.php b/wp-content/themes/default/attachment.php index b8f33478..0d606db6 100644 --- a/wp-content/themes/default/attachment.php +++ b/wp-content/themes/default/attachment.php @@ -1,9 +1,9 @@
- + - + diff --git a/wp-content/themes/default/page.php b/wp-content/themes/default/page.php index 5f914c12..33820f59 100644 --- a/wp-content/themes/default/page.php +++ b/wp-content/themes/default/page.php @@ -5,11 +5,11 @@

-
+
Read the rest of this page »

'); ?> - + Pages: ', '

', 'number'); ?> - +
diff --git a/wp-content/themes/default/search.php b/wp-content/themes/default/search.php index 4c6875fa..5bd1bc6f 100644 --- a/wp-content/themes/default/search.php +++ b/wp-content/themes/default/search.php @@ -5,7 +5,7 @@

Search Results

- + diff --git a/wp-content/themes/default/sidebar.php b/wp-content/themes/default/sidebar.php index 03364b89..46d8dddd 100644 --- a/wp-content/themes/default/sidebar.php +++ b/wp-content/themes/default/sidebar.php @@ -1,6 +1,6 @@ diff --git a/wp-content/themes/default/single.php b/wp-content/themes/default/single.php index 1130d2f5..fb071b1b 100644 --- a/wp-content/themes/default/single.php +++ b/wp-content/themes/default/single.php @@ -1,22 +1,22 @@
- + - + - +

- -
+ +
Read the rest of this entry »

'); ?> - + Pages: ', '

', 'number'); ?> - + - +
- + - + - +

Sorry, no posts matched your criteria.

- + - +
diff --git a/wp-content/themes/default/style.css b/wp-content/themes/default/style.css index 667b7a56..a88d974a 100644 --- a/wp-content/themes/default/style.css +++ b/wp-content/themes/default/style.css @@ -2,7 +2,7 @@ Theme Name: WordPress Default Theme URI: http://wordpress.org/ Description: The default WordPress theme based on the famous Kubrick. -Version: 1.5 +Version: 1.6 Author: Michael Heilemann Author URI: http://binarybonsai.com/ @@ -14,13 +14,7 @@ Author URI: http://binarybonsai.com/ The CSS, XHTML and design is released under GPL: http://www.opensource.org/licenses/gpl-license.php - - *** REGARDING IMAGES *** - All CSS that involves the use of images, can be found in the 'index.php' file. - This is to ease installation inside subdirectories of a server. - - Have fun, and don't be afraid to contact me if you have questions. */ @@ -29,7 +23,7 @@ Author URI: http://binarybonsai.com/ body { font-size: 62.5%; /* Resets 1em to 10px */ font-family: 'Lucida Grande', Verdana, Arial, Sans-Serif; - background-color: #d5d6d7; + background: #d5d6d7 url('images/kubrickbgcolor.jpg'); color: #333; text-align: center; } @@ -41,9 +35,15 @@ body { } #header { - background-color: #73a0c5; + background: #73a0c5 url('images/kubrickheader.jpg') no-repeat bottom center; } +#headerimg { + margin: 7px 9px 0; + height: 192px; + width: 740px; + } + #content { font-size: 1.2em } @@ -59,7 +59,7 @@ body { .widecolumn { line-height: 1.6em; } - + .narrowcolumn .postmetadata { text-align: center; } @@ -71,7 +71,8 @@ body { } #footer { - background-color: #eee; + background: #eee url('images/kubrickfooter.jpg') no-repeat top; + border: none; } small { @@ -132,7 +133,7 @@ h2, h2 a, h2 a:hover, h2 a:visited, h3, h3 a, h3 a:hover, h3 a:visited, #sidebar .commentlist li, #commentform input, #commentform textarea { font: 0.9em 'Lucida Grande', Verdana, Arial, Sans-Serif; } - + .commentlist li { font-weight: bold; } 
@@ -164,7 +165,7 @@ h2, h2 a, h2 a:hover, h2 a:visited, h3, h3 a, h3 a:hover, h3 a:visited, #sidebar small, #sidebar ul ul li, #sidebar ul ol li, .nocomments, .postmetadata, blockquote, strike { color: #777; } - + code { font: 1.1em 'Courier New', Courier, Fixed; } @@ -184,7 +185,7 @@ a:hover { color: #147; text-decoration: underline; } - + #wp-calendar #prev a { font-size: 9pt; } @@ -208,7 +209,7 @@ a:hover { /* Begin Structure */ body { - margin: 0; + margin: 0 0 20px 0; padding: 0; } @@ -219,13 +220,13 @@ body { width: 760px; border: 1px solid #959596; } - + #header { - padding: 0; - margin: 0 auto; - height: 200px; - width: 100%; background-color: #73a0c5; + margin: 0 0 0 1px; + padding: 0; + height: 200px; + width: 758px; } #headerimg { @@ -246,7 +247,7 @@ body { margin: 5px 0 0 150px; width: 450px; } - + .post { margin: 0 0 40px; text-align: justify; @@ -281,7 +282,7 @@ body { } #footer { - padding: 0 0 0 1px; + padding: 0; margin: 0 auto; width: 760px; clear: both; @@ -339,13 +340,13 @@ p img { thought?!) align the image to the right. And using 'class="centered', will of course center the image. This is much better than using align="center", being much more futureproof (and valid) */ - + img.centered { display: block; margin-left: auto; margin-right: auto; } - + img.alignright { padding: 4px; margin: 0 0 2px 7px; @@ -361,7 +362,7 @@ img.alignleft { .alignright { float: right; } - + .alignleft { float: left } @@ -405,7 +406,7 @@ html>body .entry li { list-style-type: none; list-style-image: none; } - + #sidebar ul, #sidebar ul ol { margin: 0; padding: 0; @@ -449,7 +450,7 @@ ol li, #sidebar ul ol li { } #sidebar #searchform #s { - width: 115px; + width: 108px; padding: 2px; } diff --git a/wp-includes/cache.php b/wp-includes/cache.php index 4dd396d7..79a0566b 100644 --- a/wp-includes/cache.php +++ b/wp-includes/cache.php 
@@ -47,8 +47,8 @@ function wp_cache_set($key, $data, $flag = '', $expire = 0) { return $wp_object_cache->set($key, $data, $flag, $expire); } -define('CACHE_SERIAL_HEADER', ""); +define('CACHE_SERIAL_HEADER', ""); class WP_Object_Cache { var $cache_dir; @@ -64,6 +64,7 @@ class WP_Object_Cache { var $cold_cache_hits = 0; var $warm_cache_hits = 0; var $cache_misses = 0; + var $secret = ''; function acquire_lock() { // Acquire a write lock. @@ -103,7 +104,7 @@ class WP_Object_Cache { if ( ! $this->acquire_lock() ) return false; - + $this->rm_cache_dir(); $this->cache = array (); $this->dirty_objects = array (); @@ -142,7 +143,7 @@ class WP_Object_Cache { return false; } - $cache_file = $this->cache_dir.$this->get_group_dir($group)."/".md5($id.DB_PASSWORD).'.php'; + $cache_file = $this->cache_dir.$this->get_group_dir($group)."/".$this->hash($id).'.php'; if (!file_exists($cache_file)) { $this->non_existant_objects[$group][$id] = true; $this->cache_misses += 1; @@ -158,7 +159,7 @@ class WP_Object_Cache { return false; } - $this->cache[$group][$id] = unserialize(substr(@ file_get_contents($cache_file), strlen(CACHE_SERIAL_HEADER), -strlen(CACHE_SERIAL_FOOTER))); + $this->cache[$group][$id] = unserialize(base64_decode(substr(@ file_get_contents($cache_file), strlen(CACHE_SERIAL_HEADER), -strlen(CACHE_SERIAL_FOOTER)))); if (false === $this->cache[$group][$id]) $this->cache[$group][$id] = ''; @@ -173,6 +174,14 @@ class WP_Object_Cache { return "{$this->blog_id}/$group"; } + function hash($data) { + if ( function_exists('hash_hmac') ) { + return hash_hmac('md5', $data, $this->secret); + } else { + return md5($data . $this->secret); + } + } + function load_group_from_db($group) { global $wpdb; 
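Review bot: The new `hash()` method has no comment saying why a secret is mixed into what is only a file name. Something like `// Keyed hash of a cache key: the secret keeps on-disk cache file names unpredictable to anyone who does not know it. Without ext/hash this degrades to md5(key . secret), which is not an HMAC but is adequate for naming files.` would explain both branches. The method is complete within the hunk.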
@@ -332,7 +341,7 @@ class WP_Object_Cache { $ids = array_unique($ids); foreach ($ids as $id) { - $cache_file = $group_dir.md5($id.DB_PASSWORD).'.php'; + $cache_file = $group_dir.$this->hash($id).'.php'; // Remove the cache file if the key is not set. if (!isset ($this->cache[$group][$id])) { @@ -342,7 +351,7 @@ class WP_Object_Cache { } $temp_file = tempnam($group_dir, 'tmp'); - $serial = CACHE_SERIAL_HEADER.serialize($this->cache[$group][$id]).CACHE_SERIAL_FOOTER; + $serial = CACHE_SERIAL_HEADER.base64_encode(serialize($this->cache[$group][$id])).CACHE_SERIAL_FOOTER; $fd = @fopen($temp_file, 'w'); if ( false === $fd ) { $errors++; @@ -400,6 +409,9 @@ class WP_Object_Cache { if (defined('DISABLE_CACHE')) return; + if ( ! defined('ENABLE_CACHE') ) + return; + // Disable the persistent cache if safe_mode is on. if ( ini_get('safe_mode') && ! defined('ENABLE_CACHE') ) return; @@ -421,7 +433,12 @@ class WP_Object_Cache { if (defined('CACHE_EXPIRATION_TIME')) $this->expiration_time = CACHE_EXPIRATION_TIME; - $this->blog_id = md5($blog_id); + if ( defined('WP_SECRET') ) + $this->secret = WP_SECRET; + else + $this->secret = DB_PASSWORD . DB_USER . DB_NAME . DB_HOST . ABSPATH; + + $this->blog_id = $this->hash($blog_id); } } ?> diff --git a/wp-includes/capabilities.php b/wp-includes/capabilities.php index b5cea726..de996317 100644 --- a/wp-includes/capabilities.php +++ b/wp-includes/capabilities.php @@ -309,7 +309,7 @@ function map_meta_cap($cap, $user_id) { // Capability checking wrapper around the global $current_user object. function current_user_can($capability) { - global $current_user; + $current_user = wp_get_current_user(); $args = array_slice(func_get_args(), 1); $args = array_merge(array($capability), $args); diff --git a/wp-includes/class-snoopy.php b/wp-includes/class-snoopy.php index 9711a28d..08baa19e 100644 --- a/wp-includes/class-snoopy.php +++ b/wp-includes/class-snoopy.php 
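Review bot: The added early return `if ( ! defined('ENABLE_CACHE') ) return;` makes the following `if ( ini_get('safe_mode') && ! defined('ENABLE_CACHE') ) return;` dead: once execution reaches it, `ENABLE_CACHE` is defined, so the second operand is always false. Either delete the safe_mode check or, if safe_mode is meant to disable the cache regardless of the constant, reduce it to `if ( ini_get('safe_mode') ) return;`. The enclosing method begins outside this hunk.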
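Review bot: The fallback secret `DB_PASSWORD . DB_USER . DB_NAME . DB_HOST . ABSPATH` deserves a comment, because it ties every cache file name to the database credentials and install path: changing any of them (a password rotation, a move) silently orphans the existing cache files rather than reusing them. A one-liner such as `// Without WP_SECRET the key is derived from DB credentials and ABSPATH; changing any of them renames every cache file.` records that. The enclosing method begins outside this hunk.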
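Review bot: `current_user_can()` now resolves the user with `wp_get_current_user()` on every call instead of reading the global. If that function is one of the pluggable ones loaded later in bootstrap (not visible here), a capability check made before they are loaded now fails with an undefined-function error rather than quietly returning false, which is a stricter but different contract worth recording: `// Resolves the user on each call; must not be invoked before wp_get_current_user() is defined.` The function body continues past the hunk.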
@@ -78,7 +78,7 @@ class Snoopy var $error = ""; // error messages sent here var $response_code = ""; // response code returned from server var $headers = array(); // headers returned from server sent here - var $maxlength = 500000; // max return data length (body) + var $maxlength = 8192; // max return data length (body) var $read_timeout = 0; // timeout on read operations, in seconds // supported only since PHP 4 Beta 4 // set to 0 to disallow timeouts @@ -720,13 +720,13 @@ class Snoopy chr(176), chr(39), chr(128), - "ä", - "ö", - "ü", - "Ä", - "Ö", - "Ãœ", - "ß", + "ä", + "ö", + "ü", + "Ä", + "Ö", + "Ü", + "ß", ); $text = preg_replace($search,$replace,$document); @@ -1238,7 +1238,9 @@ class Snoopy if (!is_readable($file_name)) continue; $fp = fopen($file_name, "r"); - $file_content = fread($fp, filesize($file_name)); + while (!feof($fp)) { + $file_content = fread($fp, filesize($file_name)); + } fclose($fp); $base_name = basename($file_name); diff --git a/wp-includes/classes.php b/wp-includes/classes.php index 4834fae0..292e1c8c 100644 --- a/wp-includes/classes.php +++ b/wp-includes/classes.php @@ -305,6 +305,7 @@ class WP_Query { if (isset($q['page'])) { $q['page'] = trim($q['page'], '/'); $q['page'] = (int) $q['page']; + $q['page'] = abs($q['page']); } $add_hours = intval(get_settings('gmt_offset')); 
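Review bot: Inside the new `while (!feof($fp))` loop the assignment `$file_content = fread($fp, filesize($file_name));` overwrites rather than appends, so the loop does not accumulate anything; for a plain file the first iteration typically reads everything and the second, which is what finally sets EOF, returns an empty string and clobbers it. The loop should be `$file_content = ''; while (!feof($fp)) { $file_content .= fread($fp, 8192); }`, reading in fixed chunks instead of `filesize()` per iteration. The enclosing method begins and ends outside this hunk.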
@@ -616,16 +617,22 @@ class WP_Query { $join = apply_filters('posts_join', $join); // Paging - if (empty($q['nopaging']) && ! $this->is_single) { - $page = $q['paged']; + if (empty($q['nopaging']) && ! $this->is_single && ! $this->is_page) { + $page = abs(intval($q['paged'])); if (empty($page)) { $page = 1; } if (($q['what_to_show'] == 'posts')) { - $pgstrt = ''; - $pgstrt = (intval($page) -1) * $q['posts_per_page'] . ', '; - $limits = 'LIMIT '.$pgstrt.$q['posts_per_page']; + $q['offset'] = abs(intval($q['offset'])); + if ( empty($q['offset']) ) { + $pgstrt = ''; + $pgstrt = (intval($page) -1) * $q['posts_per_page'] . ', '; + $limits = 'LIMIT '.$pgstrt.$q['posts_per_page']; + } else { // we're ignoring $page and using 'offset' + $pgstrt = $q['offset'] . ', '; + $limits = 'LIMIT ' . $pgstrt . $q['posts_per_page']; + } } elseif ($q['what_to_show'] == 'days') { $startrow = $q['posts_per_page'] * (intval($page)-1); $start_date = $wpdb->get_var("SELECT max(post_date) FROM $wpdb->posts $join WHERE (1=1) $where GROUP BY year(post_date), month(post_date), dayofmonth(post_date) ORDER BY post_date DESC LIMIT $startrow,1"); @@ -826,7 +833,7 @@ class retrospam_mgr { if ( empty( $word ) ) continue; $fulltext = strtolower($comment->email.' '.$comment->url.' '.$comment->ip.' '.$comment->text); - if( strpos( $fulltext, strtolower($word) ) != FALSE ) { + if( false !== strpos( $fulltext, strtolower($word) ) ) { $this->found_comments[] = $comment->ID; break; } 
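Review bot: Both new `LIMIT` strings still interpolate `$q['posts_per_page']` uncast, while `page` and `offset` are now forced through `abs(intval(...))` on the lines just above. If `posts_per_page` can arrive through query vars in the same way (not visible here), it should be coerced before use, e.g. `$q['posts_per_page'] = (int) $q['posts_per_page'];` at the top of the paging block; `(int)` rather than `abs()` so that a negative sentinel, if one is used, is not silently turned positive. The `days` branch also multiplies it uncast. The enclosing method begins and ends outside this hunk.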
@@ -1604,12 +1611,12 @@ class WP { } function send_headers() { - global $current_user; @header('X-Pingback: '. get_bloginfo('pingback_url')); if ( is_user_logged_in() ) nocache_headers(); if ( !empty($this->query_vars['error']) && '404' == $this->query_vars['error'] ) { status_header( 404 ); + @header('Content-type: ' . get_option('html_type') . '; charset=' . get_option('blog_charset')); } else if ( empty($this->query_vars['feed']) ) { @header('Content-type: ' . get_option('html_type') . '; charset=' . get_option('blog_charset')); } else { @@ -1681,7 +1688,7 @@ class WP { } function init() { - get_currentuserinfo(); + wp_get_current_user(); } function query_posts() { diff --git a/wp-includes/comment-functions.php b/wp-includes/comment-functions.php index eed5a611..53adcf20 100644 --- a/wp-includes/comment-functions.php +++ b/wp-includes/comment-functions.php 
@@ -5,27 +5,14 @@ function comments_template( $file = '/comments.php' ) { global $wp_query, $withcomments, $post, $wpdb, $id, $comment, $user_login, $user_ID, $user_identity; - if ( is_single() || is_page() || $withcomments ) : - $req = get_settings('require_name_email'); - $comment_author = ''; - if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) { - $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]); - $comment_author = stripslashes($comment_author); - $comment_author = wp_specialchars($comment_author, true); - } - $comment_author_email = ''; - if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) { - $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]); - $comment_author_email = stripslashes($comment_author_email); - $comment_author_email = wp_specialchars($comment_author_email, true); - } - $comment_author_url = ''; - if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) { - $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]); - $comment_author_url = stripslashes($comment_author_url); - $comment_author_url = wp_specialchars($comment_author_url, true); - } + if ( ! (is_single() || is_page() || $withcomments) ) + return; + + $req = get_settings('require_name_email'); + $commenter = wp_get_current_commenter(); + extract($commenter); + // TODO: Use API instead of SELECTs. if ( empty($comment_author) ) { $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date"); } else { 
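Review bot: `extract($commenter)` replaces the previous explicit per-cookie sanitisation with variables that appear out of nowhere, and it moves the trust boundary: the values now come from `wp_get_current_commenter()`, which by its own comment later in this diff assumes the cookies were already sanitised by an action rather than doing it itself. Prefer explicit assignment so the three names are visible at their point of use: `$comment_author = $commenter['comment_author'];`, `$comment_author_email = $commenter['comment_author_email'];`, `$comment_author_url = $commenter['comment_author_url'];`. Whether the downstream `$author_db` / `$email_db` values are escaped is outside this hunk. `comments_template()` continues past it.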
@@ -34,16 +21,12 @@ function comments_template( $file = '/comments.php' ) { $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND ( comment_approved = '1' OR ( comment_author = '$author_db' AND comment_author_email = '$email_db' AND comment_approved = '0' ) ) ORDER BY comment_date"); } - get_currentuserinfo(); - define('COMMENTS_TEMPLATE', true); $include = apply_filters('comments_template', TEMPLATEPATH . $file ); if ( file_exists( $include ) ) require( $include ); else require( ABSPATH . 'wp-content/themes/default/comments.php'); - - endif; } function wp_new_comment( $commentdata ) { @@ -185,6 +168,8 @@ function wp_update_comment($commentarr) { // Merge old and new fields with new fields overwriting old ones. $commentarr = array_merge($comment, $commentarr); + $commentarr = wp_filter_comment( $commentarr ); + // Now extract the merged array. extract($commentarr); @@ -221,8 +206,10 @@ function wp_delete_comment($comment_id) { return false; $post_id = $comment->comment_post_ID; - if ( $post_id && $comment->comment_approved == 1 ) - $wpdb->query( "UPDATE $wpdb->posts SET comment_count = comment_count - 1 WHERE ID = '$post_id'" ); + if ( $post_id && $comment->comment_approved == 1 ) { + $count = $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = '$post_id' AND comment_approved = '1'"); + $wpdb->query( "UPDATE $wpdb->posts SET comment_count = $count WHERE ID = '$post_id'" ); + } do_action('wp_set_comment_status', $comment_id, 'delete'); return true; @@ -328,7 +315,8 @@ function comments_popup_link($zero='No Comments', $one='1 Comment', $more='% Com if (!empty($CSSclass)) { echo ' class="'.$CSSclass.'"'; } - echo ' title="' . sprintf( __('Comment on %s'), $post->post_title ) .'">'; + $title = wp_specialchars(apply_filters('the_title', get_the_title()), true); + echo ' title="' . sprintf( __('Comment on %s'), $title ) .'">'; comments_number($zero, $one, $more, $number); echo ''; } 
@@ -900,7 +888,50 @@ function check_comment($author, $email, $url, $comment, $user_ip, $user_agent, $ function get_approved_comments($post_id) { global $wpdb; + + $post_id = (int) $post_id; return $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = $post_id AND comment_approved = '1' ORDER BY comment_date"); } +function sanitize_comment_cookies() { + if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) { + $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]); + $comment_author = stripslashes($comment_author); + $comment_author = wp_specialchars($comment_author, true); + $_COOKIE['comment_author_'.COOKIEHASH] = $comment_author; + } + + if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) { + $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]); + $comment_author_email = stripslashes($comment_author_email); + $comment_author_email = wp_specialchars($comment_author_email, true); + $_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email; + } + + if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) { + $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]); + $comment_author_url = stripslashes($comment_author_url); + $comment_author_url = wp_specialchars($comment_author_url, true); + $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url; + } +} + +function wp_get_current_commenter() { + // Cookies should already be sanitized. 
+ + $comment_author = ''; + if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) + $comment_author = $_COOKIE['comment_author_'.COOKIEHASH]; + + $comment_author_email = ''; + if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) + $comment_author_email = $_COOKIE['comment_author_email_'.COOKIEHASH]; + + $comment_author_url = ''; + if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) + $comment_author_url = $_COOKIE['comment_author_url_'.COOKIEHASH]; + + return compact('comment_author', 'comment_author_email', 'comment_author_url'); +} + ?> diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php index 03a14ff4..22cf7167 100644 --- a/wp-includes/default-filters.php +++ b/wp-includes/default-filters.php 
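Review bot: `wp_get_current_commenter()` returns cookie values as-is and documents the precondition only as `// Cookies should already be sanitized.`; a docblock should name the mechanism so the dependency is checkable: `// Returns comment_author, comment_author_email and comment_author_url from the commenter cookies. Relies on sanitize_comment_cookies() having run on the 'sanitize_comment_cookies' action; if it has not, the values are the raw cookie strings.` `sanitize_comment_cookies()` itself applies `stripslashes()` and writes back into `$_COOKIE`, so running it twice would strip a second time; a comment saying it must be hooked exactly once would prevent that. Both functions are complete within the hunk.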
@@ -44,11 +44,44 @@ add_filter('comment_url', 'clean_url'); add_filter('comment_text', 'convert_chars'); add_filter('comment_text', 'make_clickable'); +add_filter('comment_text', 'force_balance_tags', 25); add_filter('comment_text', 'wpautop', 30); add_filter('comment_text', 'convert_smilies', 20); add_filter('comment_excerpt', 'convert_chars'); +// Categories +add_filter('pre_category_name', 'strip_tags'); +add_filter('pre_category_name', 'trim'); +add_filter('pre_category_name', 'wp_filter_kses'); +add_filter('pre_category_name', 'wp_specialchars', 30); +add_filter('pre_category_description', 'wp_filter_kses'); + +// Users +add_filter('pre_user_display_name', 'strip_tags'); +add_filter('pre_user_display_name', 'trim'); +add_filter('pre_user_display_name', 'wp_filter_kses'); +add_filter('pre_user_display_name', 'wp_specialchars', 30); +add_filter('pre_user_first_name', 'strip_tags'); +add_filter('pre_user_first_name', 'trim'); +add_filter('pre_user_first_name', 'wp_filter_kses'); +add_filter('pre_user_first_name', 'wp_specialchars', 30); +add_filter('pre_user_last_name', 'strip_tags'); +add_filter('pre_user_last_name', 'trim'); +add_filter('pre_user_last_name', 'wp_filter_kses'); +add_filter('pre_user_last_name', 'wp_specialchars', 30); +add_filter('pre_user_nickname', 'strip_tags'); +add_filter('pre_user_nickname', 'trim'); +add_filter('pre_user_nickname', 'wp_filter_kses'); +add_filter('pre_user_nickname', 'wp_specialchars', 30); +add_filter('pre_user_description', 'trim'); +add_filter('pre_user_description', 'wp_filter_kses'); +add_filter('pre_user_url', 'strip_tags'); +add_filter('pre_user_url', 'trim'); +add_filter('pre_user_url', 'clean_url'); +add_filter('pre_user_email', 'trim'); +add_filter('pre_user_email', 'sanitize_email'); + // Places to balance tags on input add_filter('content_save_pre', 'balanceTags', 50); add_filter('excerpt_save_pre', 'balanceTags', 50); 
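Review bot: The four-line `strip_tags` / `trim` / `wp_filter_kses` / `wp_specialchars` bundle is repeated verbatim for `display_name`, `first_name`, `last_name` and `nickname`; a `foreach` over those four field names registering `"pre_user_$field"` would keep the filter chain defined once. `pre_user_description` intentionally omits `strip_tags` (kses alone), but nothing says so; add `// description may carry kses-allowed HTML, so no strip_tags here.` above its two lines so the omission is not "fixed" later.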
@@ -72,11 +105,12 @@ add_filter('sanitize_title', 'sanitize_title_with_dashes'); // RSS filters add_filter('the_title_rss', 'strip_tags'); add_filter('the_title_rss', 'ent2ncr', 8); +add_filter('the_title_rss', 'wp_specialchars'); add_filter('the_content_rss', 'ent2ncr', 8); add_filter('the_excerpt_rss', 'convert_chars'); add_filter('the_excerpt_rss', 'ent2ncr', 8); add_filter('comment_author_rss', 'ent2ncr', 8); -add_filter('comment_text_rss', 'htmlspecialchars'); +add_filter('comment_text_rss', 'wp_specialchars'); add_filter('comment_text_rss', 'ent2ncr', 8); add_filter('bloginfo_rss', 'ent2ncr', 8); add_filter('the_author', 'ent2ncr', 8); @@ -84,5 +118,6 @@ add_filter('the_author', 'ent2ncr', 8); // Actions add_action('publish_post', 'generic_ping'); add_action('wp_head', 'rsd_link'); +add_action('sanitize_comment_cookies', 'sanitize_comment_cookies'); -?> \ No newline at end of file +?> diff --git a/wp-includes/functions-compat.php b/wp-includes/functions-compat.php index b6d706ce..27a1d17e 100644 --- a/wp-includes/functions-compat.php +++ b/wp-includes/functions-compat.php @@ -72,7 +72,7 @@ if (!defined('CASE_UPPER')) { * @link http://php.net/function.array_change_key_case * @author Stephan Schmidt * @author Aidan Lister - * @version $Revision: 3471 $ + * @version $Revision: 3771 $ * @since PHP 4.2.0 * @require PHP 4.0.0 (user_error) */ @@ -97,4 +97,17 @@ if (!function_exists('array_change_key_case')) { } } +// From php.net +if(!function_exists('http_build_query')) { + function http_build_query( $formdata, $numeric_prefix = null, $key = null ) { + $res = array(); + foreach ((array)$formdata as $k=>$v) { + $tmp_key = urlencode(is_int($k) ? $numeric_prefix.$k : $k); + if ($key) $tmp_key = $key.'['.$tmp_key.']'; + $res[] = ( ( is_array($v) || is_object($v) ) ? http_build_query($v, null, $tmp_key) : $tmp_key."=".urlencode($v) ); + } + $separator = ini_get('arg_separator.output'); + return implode($separator, $res); + } +} ?> 
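Review bot: In the `http_build_query()` polyfill, nested keys are built as `$key.'['.$tmp_key.']'` after `$tmp_key` has been urlencoded, so the brackets themselves are emitted raw, whereas the native function percent-encodes the whole key (`%5B` / `%5D`). Encoding the composed key after concatenation, or documenting the difference, keeps callers that compare against native output from being surprised. The `// From php.net` attribution would be more useful with a note of what was verified against the native behaviour.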
diff --git a/wp-includes/functions-formatting.php b/wp-includes/functions-formatting.php index 6f955e8b..7db8ea02 100644 --- a/wp-includes/functions-formatting.php +++ b/wp-includes/functions-formatting.php @@ -41,7 +41,7 @@ function wptexturize($text) { } else { $next = true; } - $curl = preg_replace('/&([^#])(?![a-z1-4]{1,8};)/', '&$1', $curl); + $curl = preg_replace('/&([^#])(?![a-zA-Z1-4]{1,8};)/', '&$1', $curl); $output .= $curl; } return $output; @@ -98,10 +98,14 @@ function seems_utf8($Str) { # by bmorel at ssi dot fr function wp_specialchars( $text, $quotes = 0 ) { // Like htmlspecialchars except don't double-encode HTML entities - $text = preg_replace('/&([^#])(?![a-z1-4]{1,8};)/', '&$1', $text);- + $text = preg_replace('/&([^#])(?![a-z1-4]{1,8};)/', '&$1', $text); $text = str_replace('<', '<', $text); $text = str_replace('>', '>', $text); - if ( $quotes ) { + if ( 'double' === $quotes ) { + $text = str_replace('"', '"', $text); + } elseif ( 'single' === $quotes ) { + $text = str_replace("'", ''', $text); + } elseif ( $quotes ) { $text = str_replace('"', '"', $text); $text = str_replace("'", ''', $text); } @@ -141,6 +145,9 @@ function utf8_uri_encode( $utf8_string ) { } function remove_accents($string) { + if ( !preg_match('/[\x80-\xff]/', $string) ) + return $string; + if (seems_utf8($string)) { $chars = array( // Decompositions for Latin-1 Supplement @@ -274,7 +281,7 @@ function sanitize_user( $username, $strict = false ) { // If strict, reduce to ASCII for max portability. if ( $strict ) - $username = preg_replace('|[^a-z0-9 _.-@]|i', '', $username); + $username = preg_replace('|[^a-z0-9 _.\-@]|i', '', $username); return apply_filters('sanitize_user', $username, $raw_username, $strict); } 
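Review bot: `wp_specialchars()` keeps the case-sensitive lookahead `(?![a-z1-4]{1,8};)` on its first `preg_replace`, while the same pattern in `wptexturize()` in the preceding hunk was widened to `[a-zA-Z1-4]`, so a mixed-case named entity still gets its ampersand re-encoded here. Apply the same `[a-zA-Z1-4]` class in `wp_specialchars()` so the two functions agree. The new `'double'` / `'single'` modes for `$quotes` are only discoverable by reading the branches; a comment such as `// $quotes: 'double' encodes only ", 'single' only ', any other true value both.` would document them.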
@@ -501,6 +508,9 @@ function balanceTags($text, $is_comment = 0) { return $newtext; } +function force_balance_tags($text) { + return balanceTags($text, 0, true); +} function format_to_edit($content, $richedit = false) { $content = apply_filters('format_to_edit', $content); @@ -517,10 +527,11 @@ function format_to_post($content) { function zeroise($number,$threshold) { // function to add leading zeros when necessary return sprintf('%0'.$threshold.'s', $number); - } +} function backslashit($string) { + $string = preg_replace('/^([0-9])/', '\\\\\\\\\1', $string); $string = preg_replace('/([a-z])/i', '\\\\\1', $string); return $string; } @@ -570,10 +581,11 @@ function antispambot($emailaddy, $mailto=0) { } function make_clickable($ret) { - $ret = ' ' . $ret . ' '; - $ret = preg_replace("#([\s>])(https?)://([^\s<>{}()]+[^\s.,<>{}()])#i", "$1$2://$3", $ret); - $ret = preg_replace("#(\s)www\.([a-z0-9\-]+)\.([a-z0-9\-.\~]+)((?:/[^ <>{}()\n\r]*[^., <>{}()\n\r]?)?)#i", "$1www.$2.$3$4", $ret); - $ret = preg_replace("#(\s)([a-z0-9\-_.]+)@([a-z0-9\-_.]+)\.([^,< \n\r]+)#i", "$1$2@$3.$4", $ret); + $ret = ' ' . $ret; + $ret = preg_replace("#(^|[\n ])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)#is", "$1$2", $ret); + $ret = preg_replace("#(^|[\n ])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)#is", "$1$2", $ret); + $ret = preg_replace("#(\s)([a-z0-9\-_.]+)@([^,< \n\r]+)#i", "$1$2@$3", $ret); + $ret = substr($ret, 1); $ret = trim($ret); return $ret; } @@ -997,10 +1009,7 @@ function ent2ncr($text) { '♦' => '♦' ); - foreach ($to_ncr as $entity => $ncr) { - $text = str_replace($entity, $ncr, $text); - } - return $text; + return str_replace( array_keys($to_ncr), array_values($to_ncr), $text ); } function wp_richedit_pre($text) { 
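Review bot: `force_balance_tags()` calls `balanceTags($text, 0, true)` with a third argument, but the only signature of `balanceTags` visible in this diff (the hunk header) is `balanceTags($text, $is_comment = 0)`, and no hunk here changes it. If the function does not declare and honour a force flag, the extra argument is silently dropped and `comment_text` (wired to this wrapper in default-filters.php) is balanced only when the site option allows it, which defeats the purpose of the wrapper. Confirm against the full file; if the flag is new, the signature change belongs in this commit.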
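Review bot: The rewritten first pattern in `make_clickable()` matches `[\w]+?://`, i.e. any scheme, where the previous pattern accepted only `https?`; since this runs on `comment_text` at output time, after input filtering, the generated anchor's href can now carry schemes the old code never linkified. Restrict the scheme group to what is meant to be clickable, e.g. `(https?|ftp)://`, or run the captured URL through `clean_url()` before emitting it. The function is complete within the hunk.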
@@ -1018,4 +1027,10 @@ function wp_richedit_pre($text) { return apply_filters('richedit_pre', $output); } +// Escape single quotes, specialchar double quotes, and fix line endings. +function js_escape($text) { + $text = wp_specialchars($text, 'double'); + $text = str_replace(''', "'", $text); + return preg_replace("/\r?\n/", "\\n", addslashes($text)); +} ?> diff --git a/wp-includes/functions-post.php b/wp-includes/functions-post.php index 842980f6..14e46695 100644 --- a/wp-includes/functions-post.php +++ b/wp-includes/functions-post.php @@ -352,7 +352,7 @@ function wp_delete_attachment($postid) { global $wpdb; $postid = (int) $postid; - if ( !$post = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID = $postid") ) + if ( !$post = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID = '$postid'") ) return $post; if ( 'attachment' != $post->post_status ) 
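Review bot: js_escape() produces correct output for exactly one context — a single-quoted JS string inside a double-quoted HTML attribute — because it HTML-encodes `"` via `wp_specialchars($text, 'double')` (per its own header comment) and relies on addslashes() for `'`, `\` and NUL; inside a `<script>` block the encoded double quote is not decoded back, so the string is mangled rather than escaped. The header comment should state that contract, e.g. `// For single-quoted JS strings inside double-quoted HTML attributes (onclick etc.); not for use inside <script> blocks.` The str_replace() that restores the apostrophe entity has lost its first argument in this rendering and cannot be verified here.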
@@ -361,17 +361,17 @@ function wp_delete_attachment($postid) { $meta = get_post_meta($postid, '_wp_attachment_metadata', true); $file = get_post_meta($postid, '_wp_attached_file', true); - $wpdb->query("DELETE FROM $wpdb->posts WHERE ID = $postid"); + $wpdb->query("DELETE FROM $wpdb->posts WHERE ID = '$postid'"); - $wpdb->query("DELETE FROM $wpdb->comments WHERE comment_post_ID = $postid"); + $wpdb->query("DELETE FROM $wpdb->comments WHERE comment_post_ID = '$postid'"); - $wpdb->query("DELETE FROM $wpdb->post2cat WHERE post_id = $postid"); + $wpdb->query("DELETE FROM $wpdb->post2cat WHERE post_id = '$postid'"); - $wpdb->query("DELETE FROM $wpdb->postmeta WHERE post_id = $postid"); + $wpdb->query("DELETE FROM $wpdb->postmeta WHERE post_id = '$postid'"); if ( ! empty($meta['thumb']) ) { // Don't delete the thumb if another attachment uses it - if (! $foo = $wpdb->get_row("SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE '%".$wpdb->escape($meta['thumb'])."%' AND post_id <> $postid")) + if (! $foo = $wpdb->get_row("SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE '%".$wpdb->escape($meta['thumb'])."%' AND post_id <> '$postid'")) @ unlink(str_replace(basename($file), $meta['thumb'], $file)); } @@ -456,9 +456,11 @@ function wp_update_post($postarr = array()) { function wp_get_post_cats($blogid = '1', $post_ID = 0) { global $wpdb; + $post_ID = (int) $post_ID; + $sql = "SELECT category_id FROM $wpdb->post2cat - WHERE post_id = $post_ID + WHERE post_id = '$post_ID' ORDER BY category_id"; $result = $wpdb->get_col($sql); 
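Review bot: The thumbnail unlink at the end of this hunk, `@ unlink(str_replace(basename($file), $meta['thumb'], $file))`, takes `$meta['thumb']` from stored postmeta and splices it into the path without a basename() of its own, so a thumb value containing `../` would delete outside the upload directory; whether a non-admin can write `_wp_attachment_metadata` is not visible here, but `basename($meta['thumb'])` is a cheap guard either way. The LIKE lookup on the line above passes the thumb name through `$wpdb->escape()` only, so `_` and `%` in a filename act as wildcards and can make the 'another attachment uses it' test match spuriously (which at least errs toward keeping the file). wp_delete_attachment() starts before and ends after this hunk; the `(int)` cast on `$postid` is in the earlier hunk, so the added quoting here is belt-and-braces rather than the fix.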
@@ -682,7 +684,7 @@ function wp_blacklist_check($author, $email, $url, $comment, $user_ip, $user_age function wp_proxy_check($ipnum) { if ( get_option('open_proxy_check') && isset($ipnum) ) { $rev_ip = implode( '.', array_reverse( explode( '.', $ipnum ) ) ); - $lookup = $rev_ip . '.opm.blitzed.org.'; + $lookup = $rev_ip . '.sbl-xbl.spamhaus.org.'; if ( $lookup != gethostbyname( $lookup ) ) return true; } @@ -915,7 +917,11 @@ function wp_upload_dir() { function wp_upload_bits($name, $type, $bits) { if ( empty($name) ) - return array('error' => "Empty filename"); + return array('error' => __("Empty filename")); + + $wp_filetype = wp_check_filetype($name); + if ( !$wp_filetype['ext'] ) + return array('error' => __("Invalid file type")); $upload = wp_upload_dir(); 
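Review bot: wp_proxy_check() treats any successful resolution of the DNSBL name as 'listed' (`$lookup != gethostbyname($lookup)`), and the switch to sbl-xbl.spamhaus.org keeps that logic; DNSBLs answer in 127.0.0.0/8 and some operators appear to use reserved 127.x codes for query errors or quota exhaustion, so a stricter test such as `$res = gethostbyname($lookup); if ( $res != $lookup && 0 === strpos($res, '127.') ) return true;` avoids flagging every visitor when the lookup is failing for operational reasons. `$ipnum` is also reversed and queried without validation; guarding with `false !== ip2long($ipnum)` keeps non-IPv4 input from producing a meaningless DNS query.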
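Review bot: The new check in wp_upload_bits() looks only at the extension of `$name`; the caller-supplied `$type` is not validated at all in the visible lines and is never compared with `$wp_filetype['type']`, so the MIME type the caller believes it is uploading can disagree with what the extension table says. Consider `if ( $type && $type != $wp_filetype['type'] ) return array('error' => __('File type does not match extension'));`, or at least have callers use `$wp_filetype['type']` rather than the submitted value. The rest of wp_upload_bits(), including whether `$type` is used further down, runs past the end of this hunk.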
@@ -961,4 +967,59 @@ function wp_upload_bits($name, $type, $bits) { return array('file' => $new_file, 'url' => $url, 'error' => false); } +function wp_check_filetype($filename, $mimes = null) { + // Accepted MIME types are set here as PCRE unless provided. + $mimes = is_array($mimes) ? $mimes : apply_filters('upload_mimes', array ( + 'jpg|jpeg|jpe' => 'image/jpeg', + 'gif' => 'image/gif', + 'png' => 'image/png', + 'bmp' => 'image/bmp', + 'tif|tiff' => 'image/tiff', + 'ico' => 'image/x-icon', + 'asf|asx|wax|wmv|wmx' => 'video/asf', + 'avi' => 'video/avi', + 'mov|qt' => 'video/quicktime', + 'mpeg|mpg|mpe' => 'video/mpeg', + 'txt|c|cc|h' => 'text/plain', + 'rtx' => 'text/richtext', + 'css' => 'text/css', + 'htm|html' => 'text/html', + 'mp3|mp4' => 'audio/mpeg', + 'ra|ram' => 'audio/x-realaudio', + 'wav' => 'audio/wav', + 'ogg' => 'audio/ogg', + 'mid|midi' => 'audio/midi', + 'wma' => 'audio/wma', + 'rtf' => 'application/rtf', + 'js' => 'application/javascript', + 'pdf' => 'application/pdf', + 'doc' => 'application/msword', + 'pot|pps|ppt' => 'application/vnd.ms-powerpoint', + 'wri' => 'application/vnd.ms-write', + 'xla|xls|xlt|xlw' => 'application/vnd.ms-excel', + 'mdb' => 'application/vnd.ms-access', + 'mpp' => 'application/vnd.ms-project', + 'swf' => 'application/x-shockwave-flash', + 'class' => 'application/java', + 'tar' => 'application/x-tar', + 'zip' => 'application/zip', + 'gz|gzip' => 'application/x-gzip', + 'exe' => 'application/x-msdownload' + )); + + $type = false; + $ext = false; + + foreach ($mimes as $ext_preg => $mime_match) { + $ext_preg = '!\.(' . $ext_preg . ')$!i'; + if ( preg_match($ext_preg, $filename, $ext_matches) ) { + $type = $mime_match; + $ext = $ext_matches[1]; + break; + } + } + + return compact('ext', 'type'); +} + ?> diff --git a/wp-includes/functions.php b/wp-includes/functions.php index c6f6ea7a..83a00ef0 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php 
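Review bot: The default allow-list in wp_check_filetype() admits active content — `htm|html`, `js`, `swf`, `class` and `exe` — and since wp_upload_bits() stores files under the web-served upload directory, any role with upload rights can place a page or script that runs in the site's origin (stored XSS, and Flash's cross-domain rules make `swf` worse). Those entries should be dropped from the default, with the `upload_mimes` filter documented as the place to re-enable them deliberately. The match is also purely on the final extension (`'!\.(' . $ext_preg . ')$!i'`), so `shell.php.jpg` passes as `jpg`; on Apache configured with `AddHandler` for `.php` that name is still executed, so either reject any `.php`/`.phtml` segment in the name or ensure the upload directory ships a handler-disabling `.htaccess`.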
@@ -71,10 +71,10 @@ function date_i18n($dateformatstring, $unixtimestamp) { $dateweekday = $weekday[date('w', $i)]; $dateweekday_abbrev = $weekday_abbrev[$dateweekday]; $dateformatstring = ' '.$dateformatstring; - $dateformatstring = preg_replace("/([^\\\])D/", "\${1}".backslashit($dateweekday_abbrev), $dateformatstring); - $dateformatstring = preg_replace("/([^\\\])F/", "\${1}".backslashit($datemonth), $dateformatstring); - $dateformatstring = preg_replace("/([^\\\])l/", "\${1}".backslashit($dateweekday), $dateformatstring); - $dateformatstring = preg_replace("/([^\\\])M/", "\${1}".backslashit($datemonth_abbrev), $dateformatstring); + $dateformatstring = preg_replace("/([^\\\])D/", "\\1".backslashit($dateweekday_abbrev), $dateformatstring); + $dateformatstring = preg_replace("/([^\\\])F/", "\\1".backslashit($datemonth), $dateformatstring); + $dateformatstring = preg_replace("/([^\\\])l/", "\\1".backslashit($dateweekday), $dateformatstring); + $dateformatstring = preg_replace("/([^\\\])M/", "\\1".backslashit($datemonth_abbrev), $dateformatstring); $dateformatstring = substr($dateformatstring, 1, strlen($dateformatstring)-1); } $j = @date($dateformatstring, $i); @@ -305,10 +305,10 @@ function get_option($option) { } function get_user_option( $option, $user = 0 ) { - global $wpdb, $current_user; + global $wpdb; if ( empty($user) ) - $user = $current_user; + $user = wp_get_current_user(); else $user = get_userdata($user); @@ -364,6 +364,7 @@ function update_option($option_name, $newvalue) { return true; } + $_newvalue = $newvalue; if ( is_array($newvalue) || is_object($newvalue) ) $newvalue = serialize($newvalue); 
@@ -373,7 +374,7 @@ function update_option($option_name, $newvalue) { $option_name = $wpdb->escape($option_name); $wpdb->query("UPDATE $wpdb->options SET option_value = '$newvalue' WHERE option_name = '$option_name'"); if ( $wpdb->rows_affected == 1 ) { - do_action("update_option_{$option_name}", $oldvalue, $newvalue); + do_action("update_option_{$option_name}", array('old'=>$oldvalue, 'new'=>$_newvalue)); return true; } return false; @@ -747,6 +748,8 @@ function &get_category(&$category, $output = OBJECT) { } } + $_category = apply_filters('get_category', $_category); + if ( !isset($_category->fullpath) ) { $_category = set_category_path($_category); wp_cache_replace($_category->cat_ID, $_category, 'category'); @@ -993,7 +996,7 @@ function debug_fclose($fp) { } function spawn_pinger() { - global $wpdb; + global $wpdb, $wp_version; $doping = false; if ( $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE TRIM(to_ping) != '' LIMIT 1") ) $doping = true; @@ -1009,7 +1012,7 @@ function spawn_pinger() { $parts = parse_url($ping_url); $argyle = @ fsockopen($parts['host'], $_SERVER['SERVER_PORT'], $errno, $errstr, 0.01); if ( $argyle ) - fputs($argyle, "GET {$parts['path']}?time=".time()." HTTP/1.0\r\nHost: {$_SERVER['HTTP_HOST']}\r\n\r\n"); + fputs($argyle, "GET {$parts['path']}?time=".time()." HTTP/1.0\r\nHost: {$_SERVER['HTTP_HOST']}\r\nUser-Agent: WordPress/{$wp_version}\r\n\r\n"); } } 
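Review bot: The action call now passes a single array, `do_action("update_option_{$option_name}", array('old'=>$oldvalue, 'new'=>$_newvalue))`, where the old code passed `$oldvalue, $newvalue` as two arguments, so every existing hook registered with two accepted args silently receives the array as its first parameter and nothing as its second. If the shape change is intended, state the new calling convention in a comment next to the call; otherwise pass `$oldvalue, $_newvalue` positionally. The tag is also built from the already-escaped `$option_name` (escaped on the line above), so an option name containing a quote or backslash yields a hook name with added backslashes.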
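Review bot: The request written by spawn_pinger() uses `$_SERVER['HTTP_HOST']` for the Host header while the socket is opened to `$parts['host']` from the ping URL, so the value sent is whatever the current client put in its own Host header rather than the host being contacted; since the connection targets the blog's own URL, `Host: {$parts['host']}` is both correct and free of client input. The web server normally strips CR/LF from request headers, so this is hygiene rather than a demonstrated injection, but it is cheap to fix in the same line that adds the User-Agent.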
@@ -1090,15 +1093,13 @@ function wp_get_http_headers( $url, $red = 1 ) { $headers["$key"] = $matches[2][$i]; } - $code = preg_replace('/.*?(\d{3}).*/i', '$1', $response); - - $headers['status_code'] = $code; - - if ( '302' == $code || '301' == $code ) - return wp_get_http_headers( $url, ++$red ); - preg_match('/.*([0-9]{3}).*/', $response, $return); $headers['response'] = $return[1]; // HTTP response code eg 204, 200, 404 + + $code = $headers['response']; + if ( ('302' == $code || '301' == $code) && isset($headers['location']) ) + return wp_get_http_headers( $headers['location'], ++$red ); + return $headers; } @@ -1146,6 +1147,28 @@ function setup_postdata($post) { return true; } +// Setup global user vars. Used by set_current_user() for back compat. +function setup_userdata($user_id = '') { + global $user_login, $userdata, $user_level, $user_ID, $user_email, $user_url, $user_pass_md5, $user_identity; + + if ( '' == $user_id ) + $user = wp_get_current_user(); + else + $user = new WP_User($user_id); + + if ( 0 == $user->ID ) + return; + + $userdata = $user->data; + $user_login = $user->user_login; + $user_level = $user->user_level; + $user_ID = $user->ID; + $user_email = $user->user_email; + $user_url = $user->user_url; + $user_pass_md5 = md5($user->user_pass); + $user_identity = $user->display_name; +} + function is_new_day() { global $day, $previousday; if ( $day != $previousday ) { @@ -1231,6 +1254,7 @@ function remove_filter($tag, $function_to_remove, $priority = 10, $accepted_args // rebuild the list of filters if ( isset($wp_filter[$tag]["$priority"]) ) { + $new_function_list = array(); foreach($wp_filter[$tag]["$priority"] as $filter) { if ( $filter['function'] != $function_to_remove ) { $new_function_list[] = $filter; 
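Review bot: The redirect now follows `$headers['location']` verbatim, but a Location value may be relative (`/path` or `path`), in which case the recursive call receives something that is not a fetchable URL; resolve it against `$url` first (prepend `$url`'s scheme and host when the value starts with `/`). The hunk also relies on `$key` having been lowercased when `$headers["$key"]` was filled, and on an upper bound on `$red` being enforced at the top of the function — both are outside this hunk and worth confirming, since without the bound a 301 loop recurses until PHP dies. The status code is taken with `/.*([0-9]{3}).*/`, whose greedy prefix captures the last three-digit run on the line; anchoring on the version token (`/^HTTP\/\S+\s+(\d{3})/`) is more robust.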
@@ -1717,24 +1741,24 @@ function get_theme_data($theme_file) { preg_match("|Author URI:(.*)|i", $theme_data, $author_uri); preg_match("|Template:(.*)|i", $theme_data, $template); if ( preg_match("|Version:(.*)|i", $theme_data, $version) ) - $version = $version[1]; + $version = trim($version[1]); else $version =''; if ( preg_match("|Status:(.*)|i", $theme_data, $status) ) - $status = $status[1]; + $status = trim($status[1]); else - $status ='publish'; + $status = 'publish'; - $description = wptexturize($description[1]); + $description = wptexturize(trim($description[1])); $name = $theme_name[1]; $name = trim($name); $theme = $name; if ( '' == $author_uri[1] ) { - $author = $author_name[1]; + $author = trim($author_name[1]); } else { - $author = '' . $author_name[1] . ''; + $author = '' . trim($author_name[1]) . ''; } return array('Name' => $name, 'Title' => $theme, 'Description' => $description, 'Author' => $author, 'Version' => $version, 'Template' => $template[1], 'Status' => $status); @@ -2061,6 +2085,13 @@ function add_query_arg() { $uri = @func_get_arg(2); } + if ( preg_match('|^https?://|i', $uri, $matches) ) { + $protocol = $matches[0]; + $uri = substr($uri, strlen($protocol)); + } else { + $protocol = ''; + } + if ( strstr($uri, '?') ) { $parts = explode('?', $uri, 2); if ( 1 == count($parts) ) { @@ -2070,8 +2101,7 @@ function add_query_arg() { $base = $parts[0] . '?'; $query = $parts[1]; } - } - else if ( strstr($uri, '/') ) { + } else if ( !empty($protocol) || strstr($uri, '/') ) { $base = $uri . '?'; $query = ''; } else { @@ -2094,7 +2124,7 @@ function add_query_arg() { $ret .= "$k=$v"; } } - $ret = $base . $ret; + $ret = $protocol . $base . $ret; return trim($ret, '?'); } 
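Review bot: The trim() added for the name, version, status and author does not extend to `$author_uri[1]`, which is still used raw in the author link (the anchor markup has been stripped in this rendering, but the `'' == $author_uri[1]` branch shows it is the link target); a trailing CR from a Windows-edited style.css therefore ends up inside the attribute, and nothing escapes the value for attribute context. `$author_uri = trim($author_uri[1]);` plus wp_specialchars() where it is placed in the href keeps it consistent with the other fields. `$template[1]` is returned untrimmed as well; since it presumably names a parent theme directory it should at least be trimmed, and ideally restricted to a bare directory name.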
@@ -2287,4 +2317,190 @@ function get_num_queries() { return $wpdb->num_queries; } +function wp_nonce_url($actionurl, $action = -1) { + return wp_specialchars(add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl)); +} + +function wp_nonce_field($action = -1) { + echo ''; + wp_referer_field(); +} + +function wp_referer_field() { + $ref = wp_specialchars($_SERVER['REQUEST_URI']); + echo ''; + if ( wp_get_original_referer() ) { + $original_ref = wp_specialchars(stripslashes(wp_get_original_referer())); + echo ''; + } +} + +function wp_original_referer_field() { + echo ''; +} + +function wp_get_referer() { + foreach ( array($_REQUEST['_wp_http_referer'], $_SERVER['HTTP_REFERER']) as $ref ) + if ( !empty($ref) ) + return $ref; + return false; +} + +function wp_get_original_referer() { + if ( !empty($_REQUEST['_wp_original_http_referer']) ) + return $_REQUEST['_wp_original_http_referer']; + return false; +} + +function wp_explain_nonce($action) { + if ( $action !== -1 && preg_match('/([a-z]+)-([a-z]+)(_(.+))?/', $action, $matches) ) { + $verb = $matches[1]; + $noun = $matches[2]; + + $trans = array(); + $trans['update']['attachment'] = array(__('Are you sure you want to edit this attachment: "%s"?'), 'get_the_title'); + + $trans['add']['category'] = array(__('Are you sure you want to add this category?'), false); + $trans['delete']['category'] = array(__('Are you sure you want to delete this category: "%s"?'), 'get_catname'); + $trans['update']['category'] = array(__('Are you sure you want to edit this category: "%s"?'), 'get_catname'); + + $trans['delete']['comment'] = array(__('Are you sure you want to delete this comment: "%s"?'), 'use_id'); + $trans['unapprove']['comment'] = array(__('Are you sure you want to unapprove this comment: "%s"?'), 'use_id'); + $trans['approve']['comment'] = array(__('Are you sure you want to approve this comment: "%s"?'), 'use_id'); + $trans['update']['comment'] = array(__('Are you sure you want to edit this comment: "%s"?'), 
'use_id'); + $trans['bulk']['comments'] = array(__('Are you sure you want to bulk modify comments?'), false); + $trans['moderate']['comments'] = array(__('Are you sure you want to moderate comments?'), false); + + $trans['add']['bookmark'] = array(__('Are you sure you want to add this bookmark?'), false); + $trans['delete']['bookmark'] = array(__('Are you sure you want to delete this bookmark: "%s"?'), 'use_id'); + $trans['update']['bookmark'] = array(__('Are you sure you want to edit this bookmark: "%s"?'), 'use_id'); + $trans['bulk']['bookmarks'] = array(__('Are you sure you want to bulk modify bookmarks?'), false); + + $trans['add']['page'] = array(__('Are you sure you want to add this page?'), false); + $trans['delete']['page'] = array(__('Are you sure you want to delete this page: "%s"?'), 'get_the_title'); + $trans['update']['page'] = array(__('Are you sure you want to edit this page: "%s"?'), 'get_the_title'); + + $trans['edit']['plugin'] = array(__('Are you sure you want to edit this plugin file: "%s"?'), 'use_id'); + $trans['activate']['plugin'] = array(__('Are you sure you want to activate this plugin: "%s"?'), 'use_id'); + $trans['deactivate']['plugin'] = array(__('Are you sure you want to deactivate this plugin: "%s"?'), 'use_id'); + + $trans['add']['post'] = array(__('Are you sure you want to add this post?'), false); + $trans['delete']['post'] = array(__('Are you sure you want to delete this post: "%s"?'), 'get_the_title'); + $trans['update']['post'] = array(__('Are you sure you want to edit this post: "%s"?'), 'get_the_title'); + + $trans['add']['user'] = array(__('Are you sure you want to add this user?'), false); + $trans['delete']['users'] = array(__('Are you sure you want to delete users?'), false); + $trans['bulk']['users'] = array(__('Are you sure you want to bulk modify users?'), false); + $trans['update']['user'] = array(__('Are you sure you want to edit this user: "%s"?'), 'get_author_name'); + $trans['update']['profile'] = array(__('Are you 
sure you want to modify the profile for: "%s"?'), 'get_author_name'); + + $trans['update']['options'] = array(__('Are you sure you want to edit your settings?'), false); + $trans['update']['permalink'] = array(__('Are you sure you want to change your permalink structure to: %s?'), 'use_id'); + $trans['edit']['file'] = array(__('Are you sure you want to edit this file: "%s"?'), 'use_id'); + $trans['edit']['theme'] = array(__('Are you sure you want to edit this theme file: "%s"?'), 'use_id'); + $trans['switch']['theme'] = array(__('Are you sure you want to switch to this theme: "%s"?'), 'use_id'); + + if ( isset($trans[$verb][$noun]) ) { + if ( !empty($trans[$verb][$noun][1]) ) { + $lookup = $trans[$verb][$noun][1]; + $object = $matches[4]; + if ( 'use_id' != $lookup ) + $object = call_user_func($lookup, $object); + return sprintf($trans[$verb][$noun][0], $object); + } else { + return $trans[$verb][$noun][0]; + } + } + } + + return __('Are you sure you want to do this'); +} + +function wp_nonce_ays($action) { + global $pagenow, $menu, $submenu, $parent_file, $submenu_file; + + $adminurl = get_settings('siteurl') . '/wp-admin'; + if ( wp_get_referer() ) + $adminurl = wp_get_referer(); + + $title = __('WordPress Confirmation'); + // Remove extra layer of slashes. + $_POST = stripslashes_deep($_POST ); + if ( $_POST ) { + $q = http_build_query($_POST); + $q = explode( ini_get('arg_separator.output'), $q); + $html .= "\t
\n"; + foreach ( (array) $q as $a ) { + $v = substr(strstr($a, '='), 1); + $k = substr($a, 0, -(strlen($v)+1)); + $html .= "\t\t\n"; + } + $html .= "\t\t\n"; + $html .= "\t\t
\n\t\t

" . wp_explain_nonce($action) . "

\n\t\t

" . __('No') . "

\n\t\t
\n\t
\n"; + } else { + $html .= "\t
\n\t

" . wp_explain_nonce($action) . "

\n\t

" . __('No') . " " . __('Yes') . "

\n\t
\n"; + } + $html .= "\n"; + wp_die($html, $title); +} + +function wp_die($message, $title = '') { + header('Content-Type: text/html; charset=utf-8'); + + if ( empty($title) ) + $title = __('WordPress › Error'); ?> + + + + <?php echo $title ?> + + + + +

WordPress

+

+ + + \ No newline at end of file diff --git a/wp-includes/gettext.php b/wp-includes/gettext.php index ad605cfd..cd080444 100644 --- a/wp-includes/gettext.php +++ b/wp-includes/gettext.php @@ -61,15 +61,12 @@ class gettext_reader { * @return Integer from the Stream */ function readint() { - $stream = $this->STREAM->read(4); if ($this->BYTEORDER == 0) { // low endian - $unpacked = unpack('V',$stream); - return array_shift($unpacked); + return array_shift(unpack('V', $this->STREAM->read(4))); } else { // big endian - $unpacked = unpack('N',$stream); - return array_shift($unpacked); + return array_shift(unpack('N', $this->STREAM->read(4))); } } @@ -97,7 +94,7 @@ class gettext_reader { */ function gettext_reader($Reader, $enable_cache = true) { // If there isn't a StreamReader, turn on short circuit mode. - if (! $Reader) { + if (! $Reader || isset($Reader->error) ) { $this->short_circuit = true; return; } @@ -105,16 +102,16 @@ class gettext_reader { // Caching can be turned off $this->enable_cache = $enable_cache; - // $MAGIC1 = (int)0x950412de; //bug in PHP 5 + // $MAGIC1 = (int)0x950412de; //bug in PHP 5.0.2, see https://savannah.nongnu.org/bugs/?func=detailitem&item_id=10565 $MAGIC1 = (int) - 1794895138; // $MAGIC2 = (int)0xde120495; //bug $MAGIC2 = (int) - 569244523; $this->STREAM = $Reader; $magic = $this->readint(); - if ($magic == $MAGIC1) { + if ($magic == ($MAGIC1 & 0xFFFFFFFF)) { // to make sure it works for 64-bit platforms $this->BYTEORDER = 0; - } elseif ($magic == $MAGIC2) { + } elseif ($magic == ($MAGIC2 & 0xFFFFFFFF)) { $this->BYTEORDER = 1; } else { $this->error = 1; // not MO file @@ -282,7 +279,7 @@ class gettext_reader { } else { $header = $this->get_translation_string(0); } - if (eregi("plural-forms: (.*)\n", $header, $regs)) + if (eregi("plural-forms: ([^\n]*)\n", $header, $regs)) $expr = $regs[1]; else $expr = "nplurals=2; plural=n == 1 ? 0 : 1;"; 
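Review bot: wp_referer_field() escapes `$_SERVER['REQUEST_URI']` with `wp_specialchars($ref)` using the default `$quotes = 0`, which (see the wp_specialchars hunk earlier in this commit) converts only `&`, `<` and `>`; the value then goes, as far as the stripped echo allows one to tell, into a hidden input's value attribute, so a double quote in the request URI ends the attribute and allows reflected markup. Use `wp_specialchars($_SERVER['REQUEST_URI'], 1)` here and the same for `$original_ref` and for wp_original_referer_field(), whose echo has lost its markup in this rendering. In wp_nonce_ays() `$html` is appended to before it is ever assigned, so `$html = '';` belongs at the top, and the per-field inputs are rebuilt from `$_POST` values that are still URL-encoded from http_build_query() — unless the stripped echo line decodes them, they need urldecode() and attribute escaping before being echoed.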
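Review bot: The rewritten readint() passes a temporary to array_shift() — `array_shift(unpack('V', $this->STREAM->read(4)))` — but array_shift() takes its argument by reference, so PHP raises 'Only variables should be passed by reference' (E_STRICT on PHP 5, a notice on later versions); the two-line form that was removed was the correct one. It also does nothing when read(4) returns fewer than four bytes, where unpack() fails and the caller receives null as an offset. Keep `$stream = $this->STREAM->read(4); $unpacked = unpack('V', $stream); return array_shift($unpacked);` and set `$this->error = 1` when strlen($stream) is short, matching how the constructor already reports a bad magic number.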
@@ -308,7 +305,7 @@ class gettext_reader { $plural = 0; eval("$string"); - if ($plural >= $total) $plural = 0; + if ($plural >= $total) $plural = $total - 1; return $plural; } diff --git a/wp-includes/kses.php b/wp-includes/kses.php index a0bdf2c8..03702ad8 100644 --- a/wp-includes/kses.php +++ b/wp-includes/kses.php @@ -1,8 +1,8 @@ ', ** uses 0 */ function get_linkcatname($id = 0) { + $id = (int) $id; global $wpdb; $cat_name = ''; - if ('' != $id) { + if ( !empty($id) ) { $cat_name = $wpdb->get_var("SELECT cat_name FROM $wpdb->linkcategories WHERE cat_id=$id"); } return $cat_name; @@ -562,4 +563,4 @@ function get_links_list($order = 'name', $hide_if_empty = 'obsolete') { } } -?> \ No newline at end of file +?> diff --git a/wp-includes/pluggable-functions.php b/wp-includes/pluggable-functions.php index bcaa9a88..2c9dbc0c 100644 --- a/wp-includes/pluggable-functions.php +++ b/wp-includes/pluggable-functions.php @@ -5,21 +5,20 @@ if ( !function_exists('set_current_user') ) : function set_current_user($id, $name = '') { - global $user_login, $userdata, $user_level, $user_ID, $user_email, $user_url, $user_pass_md5, $user_identity, $current_user; + return wp_set_current_user($id, $name); +} +endif; - $current_user = ''; +if ( !function_exists('wp_set_current_user') ) : +function wp_set_current_user($id, $name = '') { + global $current_user; - $current_user = new WP_User($id, $name); + if ( isset($current_user) && ($id == $current_user->ID) ) + return $current_user; - $userdata = get_userdatabylogin($user_login); + $current_user = new WP_User($id, $name); - $user_login = $userdata->user_login; - $user_level = $userdata->user_level; - $user_ID = $userdata->ID; - $user_email = $userdata->user_email; - $user_url = $userdata->user_url; - $user_pass_md5 = md5($userdata->user_pass); - $user_identity = $userdata->display_name; + setup_userdata($current_user->ID); do_action('set_current_user'); 
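Review bot: The clamp added here only covers the upper bound: a Plural-Forms expression that evaluates to a negative `$plural` is still returned as-is and becomes an out-of-range index for the caller. `if ($plural < 0 || $plural >= $total) $plural = $total - 1;` handles both cases. More broadly, `eval("$string")` executes an expression lifted from the .mo header; the tightened `([^\n]*)` regex in the previous hunk limits it to one line, but whatever sanitising of `$expr` happens between the two hunks is not visible here, so .mo files must continue to be treated as trusted server-side content. The enclosing method starts before this hunk.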
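Review bot: The short-circuit in wp_set_current_user(), `if ( isset($current_user) && ($id == $current_user->ID) ) return $current_user;`, compares loosely and ignores `$name`, so once `$current_user` is the anonymous WP_User(0) any call that identifies the user by login — `wp_set_current_user(0, 'someone')`, exactly the form get_currentuserinfo() uses after a successful cookie login later in this commit — returns the anonymous object without switching, and under pre-8 PHP a non-numeric `$id` also compares equal to 0. Guard the shortcut with `if ( isset($current_user) && $id && $id == $current_user->ID )`, or compare `(int) $id === (int) $current_user->ID` and require `$name` to be empty. get_currentuserinfo() itself avoids the trap only because it returns early when `$current_user` is already set; other callers will not.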
@@ -27,30 +26,34 @@ function set_current_user($id, $name = '') { } endif; +if ( !function_exists('wp_get_current_user') ) : +function wp_get_current_user() { + global $current_user; + + get_currentuserinfo(); + + return $current_user; +} +endif; if ( !function_exists('get_currentuserinfo') ) : function get_currentuserinfo() { - global $user_login, $userdata, $user_level, $user_ID, $user_email, $user_url, $user_pass_md5, $user_identity, $current_user; + global $current_user; if ( defined('XMLRPC_REQUEST') && XMLRPC_REQUEST ) return false; + if ( ! empty($current_user) ) + return; + if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) || !wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true) ) { - $current_user = new WP_User(0); + wp_set_current_user(0); return false; } - $user_login = $_COOKIE[USER_COOKIE]; - $userdata = get_userdatabylogin($user_login); - $user_level = $userdata->user_level; - $user_ID = $userdata->ID; - $user_email = $userdata->user_email; - $user_url = $userdata->user_url; - $user_pass_md5 = md5($userdata->user_pass); - $user_identity = $userdata->display_name; - - if ( empty($current_user) ) - $current_user = new WP_User($user_ID); + + $user_login = $_COOKIE[USER_COOKIE]; + wp_set_current_user(0, $user_login); } endif; @@ -201,10 +204,11 @@ endif; if ( !function_exists('is_user_logged_in') ) : function is_user_logged_in() { - global $current_user; + $user = wp_get_current_user(); - if ( $current_user->id == 0 ) + if ( $user->id == 0 ) return false; + return true; } endif; 
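Review bot: wp_get_current_user() returns `$current_user` after calling get_currentuserinfo(), but under `XMLRPC_REQUEST` that function returns false before assigning anything, so `$current_user` can still be null; is_user_logged_in() then reads `$user->id` from null, and the nonce helpers added in pluggable-functions.php later in this commit compute `$uid` from the same null, treating every XML-RPC caller as uid 0. A defensive fallback in wp_get_current_user(), `if ( empty($current_user) ) wp_set_current_user(0);` before the return, keeps the contract 'always a WP_User'. The cookie path loads the user by `$_COOKIE[USER_COOKIE]` via `wp_set_current_user(0, $user_login)`; whether that login is escaped before it reaches a query happens inside WP_User, outside this hunk.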
@@ -217,19 +221,37 @@ function auth_redirect() { (empty($_COOKIE[USER_COOKIE])) ) { nocache_headers(); - header('Location: ' . get_settings('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI'])); + wp_redirect(get_settings('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI'])); exit(); } } endif; if ( !function_exists('check_admin_referer') ) : -function check_admin_referer() { +function check_admin_referer($action = -1) { $adminurl = strtolower(get_settings('siteurl')).'/wp-admin'; - $referer = strtolower($_SERVER['HTTP_REFERER']); - if (!strstr($referer, $adminurl)) - die(__('Sorry, you need to enable sending referrers for this feature to work.')); - do_action('check_admin_referer'); + $referer = strtolower(wp_get_referer()); + if ( !wp_verify_nonce($_REQUEST['_wpnonce'], $action) && + !(-1 == $action && strstr($referer, $adminurl)) ) { + wp_nonce_ays($action); + die(); + } + do_action('check_admin_referer', $action); +} +endif; + +if ( !function_exists('check_ajax_referer') ) : +function check_ajax_referer() { + $cookie = explode('; ', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie + foreach ( $cookie as $tasty ) { + if ( false !== strpos($tasty, USER_COOKIE) ) + $user = urldecode(substr(strstr($tasty, '='), 1)); // Nasty double encoding + if ( false !== strpos($tasty, PASS_COOKIE) ) + $pass = urldecode(substr(strstr($tasty, '='), 1)); + } + if ( wp_login( $user, $pass, true ) ) + return true; + return false; } endif; @@ -239,7 +261,10 @@ if ( !function_exists('wp_redirect') ) : function wp_redirect($location) { global $is_IIS; - $location = str_replace( array("\n", "\r"), '', $location); + $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location); + + $strip = array('%0d', '%0a'); + $location = str_replace($strip, '', $location); if ($is_IIS) header("Refresh: 0;url=$location"); 
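Review bot: The rewritten check_admin_referer() falls back, for the default `$action == -1`, to `strstr($referer, $adminurl)` where `$referer` comes from wp_get_referer(), which prefers `$_REQUEST['_wp_http_referer']` over the browser-supplied header; a cross-site form can therefore include a hidden `_wp_http_referer=<siteurl>/wp-admin` field and pass every call site that has not yet been given a real action — weaker than the HTTP_REFERER check it replaces. strstr() is also a substring test, so `http://attacker.example/?<siteurl>/wp-admin` passes even when the real Referer is used. For the legacy branch compare only `$_SERVER['HTTP_REFERER']` and anchor it (`0 === strpos(strtolower($_SERVER['HTTP_REFERER']), $adminurl)`), and read `$_REQUEST['_wpnonce']` through isset() to avoid the notice on requests carrying no nonce. In the same hunk, check_ajax_referer() leaves `$user` and `$pass` unset when the posted cookie string lacks either name and still calls `wp_login($user, $pass, true)`; initialise both to '' and return false early if either is empty.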
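Review bot: The character allow-list added to wp_redirect() strips `%0d`/`%0a` case-sensitively (`str_replace(array('%0d', '%0a'), '', $location)`) although the preceding regex is case-insensitive, so `%0D%0A` survives; use `str_ireplace()` or list the uppercase forms too. The allow-list also silently drops legitimate URL characters (`@`, `!`, `$`, `'`, `(`, `)`, `*`, `[`, `]` and any non-ASCII byte), which can turn a valid target into a different resource, while doing nothing about the more relevant risk: if this function receives user-controlled `redirect_to` values, as the auth_redirect() hunk above suggests, it will still send the browser to any external host. Checking the target's host against `get_settings('siteurl')`/`home` (or forcing a relative path) is the control that matters; the function continues past this hunk.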
@@ -248,6 +273,16 @@ function wp_redirect($location) { } endif; +if ( !function_exists('wp_get_cookie_login') ): +function wp_get_cookie_login() { + if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) ) + return false; + + return array('login' => $_COOKIE[USER_COOKIE], 'password' => $_COOKIE[PASS_COOKIE]); +} + +endif; + if ( !function_exists('wp_setcookie') ) : function wp_setcookie($username, $password, $already_md5 = false, $home = '', $siteurl = '', $remember = false) { if ( !$already_md5 ) @@ -429,4 +464,51 @@ function wp_new_user_notification($user_id, $plaintext_pass = '') { } endif; +if ( !function_exists('wp_verify_nonce') ) : +function wp_verify_nonce($nonce, $action = -1) { + $user = wp_get_current_user(); + $uid = $user->id; + + $i = ceil(time() / 43200); + + //Allow for expanding range, but only do one check if we can + if( substr(wp_hash($i . $action . $uid), -12, 10) == $nonce || substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce ) + return true; + return false; +} +endif; + +if ( !function_exists('wp_create_nonce') ) : +function wp_create_nonce($action = -1) { + $user = wp_get_current_user(); + $uid = $user->id; + + $i = ceil(time() / 43200); + + return substr(wp_hash($i . $action . $uid), -12, 10); +} +endif; + +if ( !function_exists('wp_salt') ) : +function wp_salt() { + $salt = get_option('secret'); + if ( empty($salt) ) + $salt = DB_PASSWORD . DB_USER . DB_NAME . DB_HOST . ABSPATH; + + return $salt; +} +endif; + +if ( !function_exists('wp_hash') ) : +function wp_hash($data) { + $salt = wp_salt(); + + if ( function_exists('hash_hmac') ) { + return hash_hmac('md5', $data, $salt); + } else { + return md5($data . $salt); + } +} +endif; + ?> diff --git a/wp-includes/registration-functions.php b/wp-includes/registration-functions.php index ff9db3d2..dcf81f50 100644 --- a/wp-includes/registration-functions.php +++ b/wp-includes/registration-functions.php 
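Review bot: wp_verify_nonce() compares the user-supplied `$nonce` with `==`: PHP's loose comparison treats two numeric-looking strings as numbers, so a submitted nonce of `0` matches any 12-hour window whose hash fragment happens to have the form `0e` followed by eight digits, and an array input compares false silently rather than erroring. Use a strict comparison on string-cast values — `(string) $nonce === substr(wp_hash($i . $action . $uid), -12, 10)` for both windows — and a constant-time compare where the PHP version allows. wp_salt()'s fallback when the `secret` option is empty concatenates DB_PASSWORD, DB_USER, DB_NAME, DB_HOST and ABSPATH, so the nonce secret is then only as strong as the database credentials, and where `secret` is generated is not visible in this hunk; the `md5($data . $salt)` path taken when hash_hmac() is unavailable is also weaker than the HMAC it stands in for. wp_create_nonce() and wp_verify_nonce() read `$user->id` while wp_set_current_user() uses `$current_user->ID`; if WP_User exposes only one of the two, nonces are silently bound to uid 0 for everyone.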
@@ -27,6 +27,7 @@ function wp_insert_user($userdata) { // Are we updating or creating? if ( !empty($ID) ) { + $ID = (int) $ID; $update = true; } else { $update = false; @@ -35,16 +36,40 @@ function wp_insert_user($userdata) { } $user_login = sanitize_user($user_login, true); + $user_login = apply_filters('pre_user_login', $user_login); if ( empty($user_nicename) ) $user_nicename = sanitize_title( $user_login ); + $user_nicename = apply_filters('pre_user_nicename', $user_nicename); + + if ( empty($user_url) ) + $user_url = ''; + $user_url = apply_filters('pre_user_url', $user_url); + + if ( empty($user_email) ) + $user_email = ''; + $user_email = apply_filters('pre_user_email', $user_email); if ( empty($display_name) ) $display_name = $user_login; - + $display_name = apply_filters('pre_user_display_name', $display_name); + if ( empty($nickname) ) $nickname = $user_login; - + $nickname = apply_filters('pre_user_nickname', $nickname); + + if ( empty($first_name) ) + $first_name = ''; + $first_name = apply_filters('pre_user_first_name', $first_name); + + if ( empty($last_name) ) + $last_name = ''; + $last_name = apply_filters('pre_user_last_name', $last_name); + + if ( empty($description) ) + $description = ''; + $description = apply_filters('pre_user_description', $description); + if ( empty($user_registered) ) $user_registered = gmdate('Y-m-d H:i:s'); @@ -93,7 +118,7 @@ function wp_insert_user($userdata) { } function wp_update_user($userdata) { - global $wpdb, $current_user; + global $wpdb; $ID = (int) $userdata['ID']; @@ -114,6 +139,7 @@ function wp_update_user($userdata) { $user_id = wp_insert_user($userdata); // Update the cookies if the password changed. + $current_user = wp_get_current_user(); if( $current_user->id == $ID ) { if ( isset($plaintext_pass) ) { wp_clearcookie(); diff --git a/wp-includes/streams.php b/wp-includes/streams.php index c69841ed..d57aac64 100644 --- a/wp-includes/streams.php +++ b/wp-includes/streams.php 
@@ -105,7 +105,14 @@ class FileReader { function read($bytes) { if ($bytes) { fseek($this->_fd, $this->_pos); - $data = fread($this->_fd, $bytes); + + // PHP 5.1.1 does not read more than 8192 bytes in one fread() + // the discussions at PHP Bugs suggest it's the intended behaviour + while ($bytes > 0) { + $chunk = fread($this->_fd, $bytes); + $data .= $chunk; + $bytes -= strlen($chunk); + } $this->_pos = ftell($this->_fd); return $data; diff --git a/wp-includes/template-functions-author.php b/wp-includes/template-functions-author.php index 4f443b38..0838f5ff 100644 --- a/wp-includes/template-functions-author.php +++ b/wp-includes/template-functions-author.php @@ -133,7 +133,7 @@ function the_author_posts_link($idmode='') { echo '' . the_author($idmode, false) . ''; } -function get_author_link($echo = false, $author_id, $author_nicename) { +function get_author_link($echo = false, $author_id, $author_nicename = '') { global $wpdb, $wp_rewrite, $post, $cache_userdata; $auth_ID = $author_id; $link = $wp_rewrite->get_author_permastruct(); @@ -142,8 +142,11 @@ function get_author_link($echo = false, $author_id, $author_nicename) { $file = get_settings('home') . '/'; $link = $file . '?author=' . $auth_ID; } else { - if ( '' == $author_nicename ) - $author_nicename = $cache_userdata[$author_id]->user_nicename; + if ( '' == $author_nicename ) { + $user = get_userdata($author_id); + if ( !empty($user->user_nicename) ) + $author_nicename = $user->user_nicename; + } $link = str_replace('%author%', $author_nicename, $link); $link = get_settings('home') . trailingslashit($link); } diff --git a/wp-includes/template-functions-general.php b/wp-includes/template-functions-general.php index b52b4167..84d83175 100644 --- a/wp-includes/template-functions-general.php +++ b/wp-includes/template-functions-general.php 
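Review bot: The new read loop in FileReader::read() never terminates if fread() hits EOF or fails before `$bytes` is satisfied — `$chunk` is then '' or false, strlen() returns 0, `$bytes` does not decrease and `while ($bytes > 0)` spins until max_execution_time; a truncated or crafted .mo file is enough to trigger it. Add `if ($chunk === false || $chunk === '') break;` right after the fread() call (callers can compare strlen($data) with the request to detect the short read), and initialise `$data = '';` before the loop since it is now only ever appended to.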
@@ -27,10 +27,7 @@ function get_sidebar() { function wp_loginout() { - global $user_ID; - get_currentuserinfo(); - - if ('' == $user_ID) + if ( ! is_user_logged_in() ) $link = '' . __('Login') . ''; else $link = '' . __('Logout') . ''; @@ -40,16 +37,15 @@ function wp_loginout() { function wp_register( $before = '
  • ', $after = '
  • ' ) { - global $user_ID; - - get_currentuserinfo(); - if ( '' == $user_ID && get_settings('users_can_register') ) - $link = $before . '' . __('Register') . '' . $after; - elseif ( '' == $user_ID && !get_settings('users_can_register') ) - $link = ''; - else + if ( ! is_user_logged_in() ) { + if ( get_settings('users_can_register') ) + $link = $before . '' . __('Register') . '' . $after; + else + $link = ''; + } else { $link = $before . '' . __('Site Admin') . '' . $after; + } echo apply_filters('register', $link); } @@ -62,7 +58,9 @@ function wp_meta() { function bloginfo($show='') { $info = get_bloginfo($show); - if ( ! (strstr($info, 'url') || strstr($info, 'directory')) ) { + if (!strstr($show, 'url') && //don't filter URLs + !strstr($show, 'directory') && + !strstr($show, 'home')) { $info = apply_filters('bloginfo', $info, $show); $info = convert_chars($info); } @@ -401,9 +399,11 @@ function calendar_week_mod($num) { function get_calendar($daylength = 1) { global $wpdb, $m, $monthnum, $year, $timedifference, $month, $month_abbrev, $weekday, $weekday_initial, $weekday_abbrev, $posts; - // Quick check. If we have no posts at all, abort! + $now = current_time('mysql'); + + // Quick check. If we have no posts yet published, abort! if ( !$posts ) { - $gotsome = $wpdb->get_var("SELECT ID from $wpdb->posts WHERE post_status = 'publish' ORDER BY post_date DESC LIMIT 1"); + $gotsome = $wpdb->get_var("SELECT ID from $wpdb->posts WHERE post_status = 'publish' AND post_date < '$now' ORDER BY post_date DESC LIMIT 1"); if ( !$gotsome ) return; } @@ -449,6 +449,7 @@ function get_calendar($daylength = 1) { $next = $wpdb->get_row("SELECT DISTINCT MONTH(post_date) AS month, YEAR(post_date) AS year FROM $wpdb->posts WHERE post_date > '$thisyear-$thismonth-01' + AND post_date < '$now' AND MONTH( post_date ) != MONTH( '$thisyear-$thismonth-01' ) AND post_status = 'publish' ORDER BY post_date ASC 
@@ -507,8 +508,8 @@ function get_calendar($daylength = 1) { // Get days with posts $dayswithposts = $wpdb->get_results("SELECT DISTINCT DAYOFMONTH(post_date) - FROM $wpdb->posts WHERE MONTH(post_date) = $thismonth - AND YEAR(post_date) = $thisyear + FROM $wpdb->posts WHERE MONTH(post_date) = '$thismonth' + AND YEAR(post_date) = '$thisyear' AND post_status = 'publish' AND post_date < '" . current_time('mysql') . '\'', ARRAY_N); if ( $dayswithposts ) { diff --git a/wp-includes/template-functions-links.php b/wp-includes/template-functions-links.php index 9ec7b331..d14817bc 100644 --- a/wp-includes/template-functions-links.php +++ b/wp-includes/template-functions-links.php @@ -62,14 +62,15 @@ function get_permalink($id = 0) { $authordata = get_userdata($post->post_author); $author = $authordata->user_nicename; + $date = explode(" ",date('Y m d H i s', $unixtime)); $rewritereplace = array( - date('Y', $unixtime), - date('m', $unixtime), - date('d', $unixtime), - date('H', $unixtime), - date('i', $unixtime), - date('s', $unixtime), + $date[0], + $date[1], + $date[2], + $date[3], + $date[4], + $date[5], $post->post_name, $post->ID, $category, diff --git a/wp-includes/vars.php b/wp-includes/vars.php index 705d8b25..2573b27e 100644 --- a/wp-includes/vars.php +++ b/wp-includes/vars.php 
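Review bot: The `post_date < '" . current_time('mysql') . '\''` bound in this hunk recomputes the timestamp that get_calendar() already stored in `$now` (the `$now = current_time('mysql');` line added at the top of the function in the earlier hunk of this file), so the cut-off can differ between the queries by the time elapsed between the two calls; reusing it, `AND post_date < '$now'", ARRAY_N);`, keeps every query in the function on one cut-off. Quoting `'$thismonth'` and `'$thisyear'` only changes the SQL type context and does not constrain the values; if they derive from the `$m`/`$monthnum`/`$year` globals the function declares, casting them before interpolation (`$thismonth = (int) $thismonth; $thisyear = (int) $thisyear;`) is the form that does not depend on how the caller built them. get_calendar's body continues outside the hunk.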
@@ -1,7 +1,7 @@ 'icon_smile.gif', - ' :D' => 'icon_biggrin.gif', - ' :-D' => 'icon_biggrin.gif', - ':grin:' => 'icon_biggrin.gif', - ' :)' => 'icon_smile.gif', - ' :-)' => 'icon_smile.gif', - ':smile:' => 'icon_smile.gif', - ' :(' => 'icon_sad.gif', - ' :-(' => 'icon_sad.gif', - ':sad:' => 'icon_sad.gif', - ' :o' => 'icon_surprised.gif', - ' :-o' => 'icon_surprised.gif', - ':eek:' => 'icon_surprised.gif', - ' 8O' => 'icon_eek.gif', - ' 8-O' => 'icon_eek.gif', - ':shock:' => 'icon_eek.gif', - ' :?' => 'icon_confused.gif', - ' :-?' => 'icon_confused.gif', - ' :???:' => 'icon_confused.gif', - ' 8)' => 'icon_cool.gif', - ' 8-)' => 'icon_cool.gif', - ':cool:' => 'icon_cool.gif', - ':lol:' => 'icon_lol.gif', - ' :x' => 'icon_mad.gif', - ' :-x' => 'icon_mad.gif', - ':mad:' => 'icon_mad.gif', - ' :P' => 'icon_razz.gif', - ' :-P' => 'icon_razz.gif', - ':razz:' => 'icon_razz.gif', - ':oops:' => 'icon_redface.gif', - ':cry:' => 'icon_cry.gif', - ':evil:' => 'icon_evil.gif', - ':twisted:' => 'icon_twisted.gif', - ':roll:' => 'icon_rolleyes.gif', - ':wink:' => 'icon_wink.gif', - ' ;)' => 'icon_wink.gif', - ' ;-)' => 'icon_wink.gif', - ':!:' => 'icon_exclaim.gif', - ':?:' => 'icon_question.gif', - ':idea:' => 'icon_idea.gif', - ':arrow:' => 'icon_arrow.gif', - ' :|' => 'icon_neutral.gif', - ' :-|' => 'icon_neutral.gif', - ':neutral:' => 'icon_neutral.gif', - ':mrgreen:' => 'icon_mrgreen.gif', + ':mrgreen:' => 'icon_mrgreen.gif', + ':neutral:' => 'icon_neutral.gif', + ':twisted:' => 'icon_twisted.gif', + ':arrow:' => 'icon_arrow.gif', + ':shock:' => 'icon_eek.gif', + ':smile:' => 'icon_smile.gif', + ' :???:' => 'icon_confused.gif', + ':cool:' => 'icon_cool.gif', + ':evil:' => 'icon_evil.gif', + ':grin:' => 'icon_biggrin.gif', + ':idea:' => 'icon_idea.gif', + ':oops:' => 'icon_redface.gif', + ':razz:' => 'icon_razz.gif', + ':roll:' => 'icon_rolleyes.gif', + ':wink:' => 'icon_wink.gif', + ':cry:' => 'icon_cry.gif', + ':eek:' => 'icon_surprised.gif', + ':lol:' => 'icon_lol.gif', + 
':mad:' => 'icon_mad.gif', + ':sad:' => 'icon_sad.gif', + ' 8-)' => 'icon_cool.gif', + ' 8-O' => 'icon_eek.gif', + ' :-(' => 'icon_sad.gif', + ' :-)' => 'icon_smile.gif', + ' :-?' => 'icon_confused.gif', + ' :-D' => 'icon_biggrin.gif', + ' :-P' => 'icon_razz.gif', + ' :-o' => 'icon_surprised.gif', + ' :-x' => 'icon_mad.gif', + ' :-|' => 'icon_neutral.gif', + ' ;-)' => 'icon_wink.gif', + ' 8)' => 'icon_cool.gif', + ' 8O' => 'icon_eek.gif', + ' :(' => 'icon_sad.gif', + ' :)' => 'icon_smile.gif', + ' :?' => 'icon_confused.gif', + ' :D' => 'icon_biggrin.gif', + ' :P' => 'icon_razz.gif', + ' :o' => 'icon_surprised.gif', + ' :x' => 'icon_mad.gif', + ' :|' => 'icon_neutral.gif', + ' ;)' => 'icon_wink.gif', + ':!:' => 'icon_exclaim.gif', + ':?:' => 'icon_question.gif', ); } -// sorts the smilies' array -if (!function_exists('smiliescmp')) { -function smiliescmp ($a, $b) { - if (strlen($a) == strlen($b)) { - return strcmp($a, $b); - } - return (strlen($a) > strlen($b)) ? -1 : 1; - } -} -uksort($wpsmiliestrans, 'smiliescmp'); // generates smilies' search & replace arrays foreach($wpsmiliestrans as $smiley => $img) { diff --git a/wp-includes/version.php b/wp-includes/version.php index 3a2e5dfe..cab8bbed 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -2,7 +2,7 @@ // This just holds the version number, in a separate file so we can bump it without cluttering the SVN -$wp_version = '2.0.2'; -$wp_db_version = 3437; +$wp_version = '2.0.4'; +$wp_db_version = 3440; ?> diff --git a/wp-includes/wp-db.php b/wp-includes/wp-db.php index 97238c39..8a4ebaa6 100644 --- a/wp-includes/wp-db.php +++ b/wp-includes/wp-db.php @@ -93,12 +93,14 @@ class wpdb { $EZSQL_ERROR[] = array ('query' => $this->last_query, 'error_str' => $str); + $str = htmlspecialchars($str, ENT_QUOTES); + $query = htmlspecialchars($this->last_query, ENT_QUOTES); // Is error output turned on or not.. if ( $this->show_errors ) { // If there is an error then take note of it print "
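Review bot: The new literal `$wpsmiliestrans` array reproduces by hand the ordering the removed `smiliescmp()`/`uksort()` pair used to enforce (longest key first, then byte order), but nothing in the file now says that the order is load-bearing, and the `foreach` that builds the search/replace arrays consumes it in array order. A comment above the array, `// Keep this array sorted longest-key-first, then byte order: the search/replace arrays below are built in this order so longer smilies match before shorter ones they contain.`, protects the invariant from a later alphabetical tidy-up or an appended entry. If the array sits inside an `if (!isset(...))` guard, as the closing `}` suggests, a site that predefines `$wpsmiliestrans` no longer gets it sorted at all; that may be intended but is worth stating in the commit message. The hunk header reads `-1,7 +1,7` while the visible content spans far more lines, so part of this hunk appears to have been lost in rendering.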

    WordPress database error: [$str]
    - $this->last_query

    + $query

    "; } else { return false; diff --git a/wp-login.php b/wp-login.php index 0864edbd..3a45bc9e 100644 --- a/wp-login.php +++ b/wp-login.php @@ -27,7 +27,7 @@ case 'logout': $redirect_to = 'wp-login.php'; if ( isset($_REQUEST['redirect_to']) ) - $redirect_to = preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $_REQUEST['redirect_to']); + $redirect_to = $_REQUEST['redirect_to']; wp_redirect($redirect_to); exit(); @@ -170,19 +170,18 @@ default: $redirect_to = 'wp-admin/'; else $redirect_to = $_REQUEST['redirect_to']; - $redirect_to = preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $redirect_to); if( $_POST ) { $user_login = $_POST['log']; $user_login = sanitize_user( $user_login ); $user_pass = $_POST['pwd']; $rememberme = $_POST['rememberme']; - } elseif ( !empty($_COOKIE) ) { - if ( !empty($_COOKIE[USER_COOKIE]) ) - $user_login = $_COOKIE[USER_COOKIE]; - if ( !empty($_COOKIE[PASS_COOKIE]) ) { - $user_pass = $_COOKIE[PASS_COOKIE]; + } else { + $cookie_login = wp_get_cookie_login(); + if ( ! empty($cookie_login) ) { $using_cookie = true; + $user_login = $cookie_login['login']; + $user_pass = $cookie_login['password']; } } @@ -205,6 +204,8 @@ default: if ( $using_cookie ) $error = __('Your session has expired.'); } + } else if ( $user_login || $user_pass ) { + $error = __('Error: The password field is empty.'); } ?> @@ -237,7 +238,7 @@ if ( $error )
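Review bot: The escaped `$str`/`$query` copies are created right after the raw values are pushed into `$EZSQL_ERROR`, so that global keeps the unescaped message and query while only the inline `print` gets the safe versions; a comment on the two new lines, `// HTML-escaped copies for the inline output below; $EZSQL_ERROR keeps the raw strings, so any other renderer must escape them itself.`, records which copy is safe where. Escaping closes the markup-injection problem, but the output still discloses the full failing SQL (table names, prefix, literal values) to whoever sees the page whenever `show_errors` is on, so the hunk is a reminder that `show_errors` is a development setting rather than something to leave enabled on a public site. The enclosing method starts outside the hunk.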
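Review bot: The logout branch now hands `$_REQUEST['redirect_to']` to wp_redirect() unfiltered, where the removed `preg_replace` at least stripped characters outside a small set; the same filter is dropped again in the `@@ -170,19 +170,18 @@` hunk below. This is only safe if wp_redirect() itself rejects CR/LF and other header-breaking bytes in the location, and that function is not part of this diff, so a comment at the call site stating that the sanitizing now lives in wp_redirect() (or keeping the local filter) would make the dependency visible. Neither the old filter nor the new code checks that the destination stays on this site, so an absolute URL in `redirect_to` is still followed; comparing the target host against the blog's own URL before redirecting, and falling back to `wp-login.php`, closes that open redirect.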
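Review bot: The new `else if ( $user_login || $user_pass )` branch reports 'The password field is empty.' for every partially filled form, including the case where only the password was supplied and the login is what is missing; if the outer condition (which starts outside the hunk) is a `$user_login && $user_pass` check, distinguishing the two, e.g. `$error = $user_pass ? __('Error: The username field is empty.') : __('Error: The password field is empty.');`, gives the user the right hint. The test is also a truthiness test, so a login or password of `'0'` is treated as absent here; comparing against `''` with `!==` avoids that corner.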

    - +

      diff --git a/wp-pass.php b/wp-pass.php index d7d23a66..e1cb4e05 100644 --- a/wp-pass.php +++ b/wp-pass.php @@ -7,5 +7,5 @@ if ( get_magic_quotes_gpc() ) // 10 days setcookie('wp-postpass_' . COOKIEHASH, $_POST['post_password'], time() + 864000, COOKIEPATH); -wp_redirect($_SERVER['HTTP_REFERER']); +wp_redirect(wp_get_referer()); ?> \ No newline at end of file diff --git a/wp-settings.php b/wp-settings.php index 312c52e1..f01ccb7e 100644 --- a/wp-settings.php +++ b/wp-settings.php @@ -18,7 +18,6 @@ function unregister_GLOBALS() { unregister_GLOBALS(); -$HTTP_USER_AGENT = getenv('HTTP_USER_AGENT'); unset( $wp_filter, $cache_userdata, $cache_lastcommentmodified, $cache_lastpostdate, $cache_settings, $category_cache, $cache_categories ); if ( ! isset($blog_id) ) @@ -198,6 +197,8 @@ $_POST = add_magic_quotes($_POST ); $_COOKIE = add_magic_quotes($_COOKIE); $_SERVER = add_magic_quotes($_SERVER); +do_action('sanitize_comment_cookies'); + $wp_query = new WP_Query(); $wp_rewrite = new WP_Rewrite(); $wp = new WP(); diff --git a/wp-trackback.php b/wp-trackback.php index fb7845ee..1779c17a 100644 --- a/wp-trackback.php +++ b/wp-trackback.php @@ -55,7 +55,7 @@ if ( !intval( $tb_id ) ) if (empty($title) && empty($tb_url) && empty($blog_name)) { // If it doesn't look like a trackback at all... - header('Location: ' . get_permalink($tb_id)); + wp_redirect(get_permalink($tb_id)); exit; } diff --git a/xmlrpc.php b/xmlrpc.php index 045acba7..c5b36177 100644 --- a/xmlrpc.php +++ b/xmlrpc.php 
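Review bot: `wp_get_referer()` replaces the raw `$_SERVER['HTTP_REFERER']`, but the hunk does not handle the case where no referer is available (direct POST, referer-stripping proxies or browser privacy settings), so whatever `wp_get_referer()` returns for "none" goes straight to wp_redirect(); wp_redirect() is outside this diff, so its handling of an empty location cannot be confirmed here. A local fallback makes the behaviour explicit: `$ref = wp_get_referer(); wp_redirect($ref ? $ref : get_option('home'));`. The unchanged context line above still stores `$_POST['post_password']` in the cookie as plain text, which this commit does not touch; a comment noting that the cookie carries the password itself would make that trade-off visible to the next maintainer.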
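Review bot: The new `do_action('sanitize_comment_cookies')` hook fires after `$_COOKIE` has been run through `add_magic_quotes()` two lines above, so whatever registers on it receives slash-escaped values; that is not obvious from the hook's name and deserves a comment, e.g. `// Runs after $_COOKIE has been slashed by add_magic_quotes(); handlers see the escaped values.`. Since this is a new extension point, the commit message or the hook's consumer should say what it is expected to sanitise, otherwise the name reads as if core sanitised the cookies here.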
@@ -1228,10 +1228,12 @@ class wp_xmlrpc_server extends IXR_Server { $pagelinkedfrom = $wpdb->escape( $pagelinkedfrom ); $original_title = $title; - $comment_post_ID = $post_ID; + $comment_post_ID = (int) $post_ID; $comment_author = $title; + $this->escape($comment_author); $comment_author_url = $pagelinkedfrom; $comment_content = $context; + $this->escape($comment_content); $comment_type = 'pingback'; $commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_url', 'comment_content', 'comment_type');
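Review bot: The pingback block now mixes two escaping APIs for sibling fields of the same `$commentdata`: `$comment_author_url` inherits `$pagelinkedfrom`, which the context line at the top of the hunk ran through `$wpdb->escape()`, while the new lines call `$this->escape()` on `$comment_author` and `$comment_content`; using one of them for all three makes it checkable at a glance that every field is escaped exactly once. `$comment_content` is built from `$context`, text taken from the remote page, and the escaping added here is SQL escaping only; whether the consumer of `$commentdata` (outside this hunk) applies the comment content filters before output cannot be seen from the hunk and is the check worth confirming. The `(int)` cast on `$post_ID` is the right fix for the id; a short comment on that line saying where `$post_ID` originates (the hunk does not show it) would explain why the cast is needed. The method's body starts and ends outside the hunk.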