X-Git-Url: https://scripts.mit.edu/gitweb/autoinstallsdev/wordpress.git/blobdiff_plain/80e421fa26a0ef412d7c67749a64a6c1919d515a..c55863f11e8589bf8d4a5698bf15752406654f1c:/wp-includes/class-wp-xmlrpc-server.php diff --git a/wp-includes/class-wp-xmlrpc-server.php b/wp-includes/class-wp-xmlrpc-server.php index e4a2d961..5b508119 100644 --- a/wp-includes/class-wp-xmlrpc-server.php +++ b/wp-includes/class-wp-xmlrpc-server.php @@ -12,8 +12,8 @@ * pingback. Additional WordPress API for managing comments, pages, posts, * options, etc. * - * Since WordPress 2.6.0, WordPress XMLRPC server can be disabled in the - * administration panels. + * As of WordPress 3.5.0, XML-RPC is enabled by default. It can be disabled + * via the xmlrpc_enabled filter found in wp_xmlrpc_server::login(). * * @package WordPress * @subpackage Publishing @@ -211,28 +211,22 @@ class wp_xmlrpc_server extends IXR_Server { } /** - * Sanitize string or array of strings for database. + * Escape string or array of strings for database. * * @since 1.5.2 * - * @param string|array $array Sanitize single string or array of strings. - * @return string|array Type matches $array and sanitized for the database. + * @param string|array $data Escape single string or array of strings. + * @return string|array Type matches $data and sanitized for the database. */ - function escape(&$array) { - global $wpdb; - - if (!is_array($array)) { - return($wpdb->escape($array)); - } else { - foreach ( (array) $array as $k => $v ) { - if ( is_array($v) ) { - $this->escape($array[$k]); - } else if ( is_object($v) ) { - //skip - } else { - $array[$k] = $wpdb->escape($v); - } - } + function escape( &$data ) { + if ( ! is_array( $data ) ) + return wp_slash( $data ); + + foreach ( $data as &$v ) { + if ( is_array( $v ) ) + $this->escape( $v ); + elseif ( ! is_object( $v ) ) + $v = wp_slash( $v ); } } @@ -280,16 +274,16 @@ class wp_xmlrpc_server extends IXR_Server { $meta['id'] = (int) $meta['id']; $pmeta = get_metadata_by_mid( 'post', $meta['id'] ); if ( isset($meta['key']) ) { - $meta['key'] = stripslashes( $meta['key'] ); - if ( $meta['key'] != $pmeta->meta_key ) + $meta['key'] = wp_unslash( $meta['key'] ); + if ( $meta['key'] !== $pmeta->meta_key ) continue; - $meta['value'] = stripslashes_deep( $meta['value'] ); + $meta['value'] = wp_unslash( $meta['value'] ); if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) ) update_metadata_by_mid( 'post', $meta['id'], $meta['value'] ); } elseif ( current_user_can( 'delete_post_meta', $post_id, $pmeta->meta_key ) ) { delete_metadata_by_mid( 'post', $meta['id'] ); } - } elseif ( current_user_can( 'add_post_meta', $post_id, stripslashes( $meta['key'] ) ) ) { + } elseif ( current_user_can( 'add_post_meta', $post_id, wp_unslash( $meta['key'] ) ) ) { add_post_meta( $post_id, $meta['key'], $meta['value'] ); } } @@ -318,15 +312,25 @@ class wp_xmlrpc_server extends IXR_Server { 'value' => $wp_version ), 'blog_url' => array( - 'desc' => __( 'Site URL' ), + 'desc' => __( 'WordPress Address (URL)' ), 'readonly' => true, 'option' => 'siteurl' ), 'home_url' => array( - 'desc' => __( 'Home URL' ), + 'desc' => __( 'Site Address (URL)' ), 'readonly' => true, 'option' => 'home' ), + 'login_url' => array( + 'desc' => __( 'Login Address (URL)' ), + 'readonly' => true, + 'value' => wp_login_url( ) + ), + 'admin_url' => array( + 'desc' => __( 'The URL to the admin area' ), + 'readonly' => true, + 'value' => get_admin_url( ) + ), 'image_default_link_type' => array( 'desc' => __( 'Image default link type' ), 'readonly' => true, @@ -543,6 +547,9 @@ class wp_xmlrpc_server extends IXR_Server { if ( in_array( 'cap', $fields ) ) $_taxonomy['cap'] = (array) $taxonomy->cap; + if ( in_array( 'menu', $fields ) ) + $_taxonomy['show_in_menu'] = (bool) $_taxonomy->show_in_menu; + if ( in_array( 'object_type', $fields ) ) $_taxonomy['object_type'] = array_unique( (array) $taxonomy->object_type ); @@ -562,13 +569,13 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! is_array( $_term) ) $_term = get_object_vars( $_term ); - // For Intergers which may be largeer than XMLRPC supports ensure we return strings. + // For integers which may be larger than XML-RPC supports ensure we return strings. $_term['term_id'] = strval( $_term['term_id'] ); $_term['term_group'] = strval( $_term['term_group'] ); $_term['term_taxonomy_id'] = strval( $_term['term_taxonomy_id'] ); $_term['parent'] = strval( $_term['parent'] ); - // Count we are happy to return as an Integer because people really shouldn't use Terms that much. + // Count we are happy to return as an integer because people really shouldn't use terms that much. $_term['count'] = intval( $_term['count'] ); return apply_filters( 'xmlrpc_prepare_term', $_term, $term ); @@ -1007,7 +1014,7 @@ class wp_xmlrpc_server extends IXR_Server { if ( $update ) { if ( ! get_post( $post_data['ID'] ) ) return new IXR_Error( 401, __( 'Invalid post ID.' ) ); - if ( ! current_user_can( $post_type->cap->edit_post, $post_data['ID'] ) ) + if ( ! current_user_can( 'edit_post', $post_data['ID'] ) ) return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this post.' ) ); if ( $post_data['post_type'] != get_post_type( $post_data['ID'] ) ) return new IXR_Error( 401, __( 'The post type may not be changed.' ) ); @@ -1317,8 +1324,7 @@ class wp_xmlrpc_server extends IXR_Server { if ( empty( $post['ID'] ) ) return new IXR_Error( 404, __( 'Invalid post ID.' ) ); - $post_type = get_post_type_object( $post['post_type'] ); - if ( ! current_user_can( $post_type->cap->delete_post, $post_id ) ) + if ( ! current_user_can( 'delete_post', $post_id ) ) return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete this post.' ) ); $result = wp_delete_post( $post_id ); @@ -1399,8 +1405,7 @@ class wp_xmlrpc_server extends IXR_Server { if ( empty( $post['ID'] ) ) return new IXR_Error( 404, __( 'Invalid post ID.' ) ); - $post_type = get_post_type_object( $post['post_type'] ); - if ( ! current_user_can( $post_type->cap->edit_post, $post_id ) ) + if ( ! current_user_can( 'edit_post', $post_id ) ) return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) ); return $this->_prepare_post( $post, $fields ); @@ -1495,8 +1500,7 @@ class wp_xmlrpc_server extends IXR_Server { $struct = array(); foreach ( $posts_list as $post ) { - $post_type = get_post_type_object( $post['post_type'] ); - if ( ! current_user_can( $post_type->cap->edit_post, $post['ID'] ) ) + if ( ! current_user_can( 'edit_post', $post['ID'] ) ) continue; $struct[] = $this->_prepare_post( $post, $fields ); @@ -2978,9 +2982,9 @@ class wp_xmlrpc_server extends IXR_Server { $comment['comment_post_ID'] = $post_id; if ( $logged_in ) { - $comment['comment_author'] = $wpdb->escape( $user->display_name ); - $comment['comment_author_email'] = $wpdb->escape( $user->user_email ); - $comment['comment_author_url'] = $wpdb->escape( $user->user_url ); + $comment['comment_author'] = $this->escape( $user->display_name ); + $comment['comment_author_email'] = $this->escape( $user->user_email ); + $comment['comment_author_url'] = $this->escape( $user->user_url ); $comment['user_ID'] = $user->ID; } else { $comment['comment_author'] = ''; @@ -3192,6 +3196,7 @@ class wp_xmlrpc_server extends IXR_Server { */ function _getOptions($options) { $data = array(); + $can_manage = current_user_can( 'manage_options' ); foreach ( $options as $option ) { if ( array_key_exists( $option, $this->blog_options ) ) { $data[$option] = $this->blog_options[$option]; @@ -3200,6 +3205,9 @@ class wp_xmlrpc_server extends IXR_Server { $data[$option]['value'] = get_option( $data[$option]['option'] ); unset($data[$option]['option']); } + + if ( ! $can_manage ) + $data[$option]['readonly'] = true; } } @@ -3535,7 +3543,7 @@ class wp_xmlrpc_server extends IXR_Server { return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit posts.' ) ); // Check if revisions are enabled. - if ( ! WP_POST_REVISIONS || ! post_type_supports( $post->post_type, 'revisions' ) ) + if ( ! wp_revisions_enabled( $post ) ) return new IXR_Error( 401, __( 'Sorry, revisions are disabled.' ) ); $revisions = wp_get_post_revisions( $post_id ); @@ -3602,7 +3610,7 @@ class wp_xmlrpc_server extends IXR_Server { return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) ); // Check if revisions are disabled. - if ( ! WP_POST_REVISIONS || ! post_type_supports( $post->post_type, 'revisions' ) ) + if ( ! wp_revisions_enabled( $post ) ) return new IXR_Error( 401, __( 'Sorry, revisions are disabled.' ) ); $post = wp_restore_post_revision( $revision_id ); @@ -3746,9 +3754,9 @@ class wp_xmlrpc_server extends IXR_Server { $categories = implode(',', wp_get_post_categories($post_ID)); - $content = '