Ticket #3155: 3155-part1.diff

wp-content/themes/default/comments.php

@@ -1 +1 @@
 <?php // Do not delete these lines
-        if ('comments.php' == basename($_SERVER['SCRIPT_FILENAME']))
+        if (!empty($_SERVER['SCRIPT_FILENAME']) && 'comments.php' == basename($_SERVER['SCRIPT_FILENAME']))
                 die ('Please do not load this page directly. Thanks!');
 
         if (!empty($post->post_password)) { // if there's a password

wp-content/themes/default/header.php

@@ -14 +14 @@
 
 <?php
 // Checks to see whether it needs a sidebar or not
-if ( !$withcomments && !is_single() ) {
+if ( !empty($withcomments) && !is_single() ) {
 ?>
         #page { background: url("<?php bloginfo('stylesheet_directory'); ?>/images/kubrickbg-<?php bloginfo('text_direction'); ?>.jpg") repeat-y top; border: none; }
 <?php } else { // No sidebar ?>

wp-includes/cache.php

@@ -353 +353 @@
                         $data = '';
 
                 $this->cache[$group][$id] = $data;
-                unset ($this->non_existant_objects[$group][$id]);
 
+                if(isset($this->non_existant_objects[$group][$id]))
+                        unset ($this->non_existant_objects[$group][$id]);
+
                 return true;
         }
 

wp-includes/classes.php

@@ -185 +185 @@
                         @header('Content-Type: ' . get_option('html_type') . '; charset=' . get_option('blog_charset'));
                 } else {
                         // We're showing a feed, so WP is indeed the only thing that last changed
-                        if ( $this->query_vars['withcomments']
-                                || ( !$this->query_vars['withoutcomments']
-                                        && ( $this->query_vars['p']
-                                                || $this->query_vars['name']
-                                                || $this->query_vars['page_id']
-                                                || $this->query_vars['pagename']
-                                                || $this->query_vars['attachment']
-                                                || $this->query_vars['attachment_id']
+                        if ( !empty($this->query_vars['withcomments'])
+                                || ( empty($this->query_vars['withoutcomments'])
+                                        && ( !empty($this->query_vars['p'])
+                                                || !empty($this->query_vars['name'])
+                                                || !empty($this->query_vars['page_id'])
+                                                || !empty($this->query_vars['pagename'])
+                                                || !empty($this->query_vars['attachment'])
+                                                || !empty($this->query_vars['attachment_id'])
                                         )
                                 )
                         )
@@ -208 +208 @@
                                 $client_etag = stripslashes(stripslashes($_SERVER['HTTP_IF_NONE_MATCH']));
                         else $client_etag = false;
 
-                        $client_last_modified = trim( $_SERVER['HTTP_IF_MODIFIED_SINCE']);
+                        $client_last_modified = empty($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? '' : trim($_SERVER['HTTP_IF_MODIFIED_SINCE']);
                         // If string is empty, return 0. If not, attempt to parse into a timestamp
                         $client_modified_timestamp = $client_last_modified ? strtotime($client_last_modified) : 0;
 

wp-includes/comment-template.php

@@ -729 +729 @@
         }
 
         if ( !empty($post->post_password) ) { // if there's a password
-                if ( $_COOKIE['wp-postpass_' . COOKIEHASH] != $post->post_password ) {  // and it doesn't match the cookie
+                if ( !isset($_COOKIE['wp-postpass_' . COOKIEHASH]) || $_COOKIE['wp-postpass_' . COOKIEHASH] != $post->post_password ) {  // and it doesn't match the cookie
                         echo __('Enter your password to view comments');
                         return;
                 }

wp-includes/feed.php

@@ -145 +145 @@
 
 function rss_enclosure() {
         global $post;
-        if ( !empty($post->post_password) && ($_COOKIE['wp-postpass_'.COOKIEHASH] != $post->post_password) )
+        if ( !empty($post->post_password) && (!isset($_COOKIE['wp-postpass_'.COOKIEHASH]) || $_COOKIE['wp-postpass_'.COOKIEHASH] != $post->post_password) )
                 return;
 
         foreach (get_post_custom() as $key => $val) {

wp-includes/link-template.php

@@ -524 +524 @@
         $current_post_date = $post->post_date;
 
         $join = '';
+        $posts_in_ex_cats_sql = '';
         if ( $in_same_cat || !empty($excluded_categories) ) {
                 $join = " INNER JOIN $wpdb->term_relationships AS tr ON p.ID = tr.object_id INNER JOIN $wpdb->term_taxonomy tt ON tr.term_taxonomy_id = tt.term_taxonomy_id";
 
@@ -615 +616 @@
                 $qs_regex = '|\?.*?$|';
                 preg_match( $qs_regex, $request, $qs_match );
 
-                if ( $qs_match[0] ) {
+                if ( !empty( $qs_match[0] ) ) {
                         $query_string = $qs_match[0];
                         $request = preg_replace( $qs_regex, '', $request );
                 } else {

wp-includes/pluggable.php

@@ -775 +775 @@
         $lp  = parse_url($location);
         $wpp = parse_url(get_option('home'));
 
-        $allowed_hosts = (array) apply_filters('allowed_redirect_hosts', array($wpp['host']), $lp['host']);
+        $allowed_hosts = (array) apply_filters('allowed_redirect_hosts', array($wpp['host']), isset($lp['host']) ? $lp['host'] : '');
 
         if ( isset($lp['host']) && ( !in_array($lp['host'], $allowed_hosts) && $lp['host'] != strtolower($wpp['host'])) )
                 $location = get_option('siteurl') . '/wp-admin/';

wp-includes/post-template.php

@@ -86 +86 @@
         $output = '';
 
         if ( !empty($post->post_password) ) { // if there's a password
-                if ( stripslashes($_COOKIE['wp-postpass_'.COOKIEHASH]) != $post->post_password ) {      // and it doesn't match the cookie
+                if ( !isset($_COOKIE['wp-postpass_'.COOKIEHASH]) || stripslashes($_COOKIE['wp-postpass_'.COOKIEHASH]) != $post->post_password ) {       // and it doesn't match the cookie
                         $output = get_the_password_form();
                         return $output;
                 }
@@ -141 +141 @@
         $output = '';
         $output = $post->post_excerpt;
         if ( !empty($post->post_password) ) { // if there's a password
-                if ( $_COOKIE['wp-postpass_'.COOKIEHASH] != $post->post_password ) {  // and it doesn't match the cookie
+                if ( !isset($_COOKIE['wp-postpass_'.COOKIEHASH]) || $_COOKIE['wp-postpass_'.COOKIEHASH] != $post->post_password ) {  // and it doesn't match the cookie
                         $output = __('There is no excerpt because this is a protected post.');
                         return $output;
                 }

wp-includes/user.php

@@ -216 +216 @@
 
         $userdata = $user->data;
         $user_login     = $user->user_login;
-        $user_level     = (int) $user->user_level;
+        $user_level     = (int) isset($user->user_level) ? $user->user_level : 0;
         $user_ID        = (int) $user->ID;
         $user_email     = $user->user_email;
         $user_url       = $user->user_url;

wp-includes/wp-db.php

@@ -339 +339 @@
                         $this->query($query);
 
                 // Extract var out of cached results based x,y vals
-                if ( $this->last_result[$y] ) {
+                if ( !empty( $this->last_result[$y] ) ) {
                         $values = array_values(get_object_vars($this->last_result[$y]));
                 }
 

wp-login.php

@@ -174 +174 @@
 // Main
 //
 
-$action = $_REQUEST['action'];
+$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
 $errors = new WP_Error();
 
 if ( isset($_GET['key']) )
@@ -351 +351 @@
                 $errors->add('test_cookie', __("<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href='http://www.google.com/cookies.html'>enable cookies</a> to use WordPress."));
 
         // Some parts of this script use the main login form to display a message
-        if              ( TRUE == $_GET['loggedout'] )                  $errors->add('loggedout', __('You are now logged out.'));
-        elseif  ( 'disabled' == $_GET['registration'] ) $errors->add('registerdiabled', __('User registration is currently not allowed.'));
-        elseif  ( 'confirm' == $_GET['checkemail'] )    $errors->add('confirm', __('Check your e-mail for the confirmation link.'));
-        elseif  ( 'newpass' == $_GET['checkemail'] )    $errors->add('newpass', __('Check your e-mail for your new password.'));
-        elseif  ( 'registered' == $_GET['checkemail'] ) $errors->add('registered', __('Registration complete. Please check your e-mail.'));
+        if              ( isset($_GET['loggedout']) && TRUE == $_GET['loggedout'] )                     $errors->add('loggedout', __('You are now logged out.'));
+        elseif  ( isset($_GET['registration']) && 'disabled' == $_GET['registration'] ) $errors->add('registerdiabled', __('User registration is currently not allowed.'));
+        elseif  ( isset($_GET['checkemail']) && 'confirm' == $_GET['checkemail'] )      $errors->add('confirm', __('Check your e-mail for the confirmation link.'));
+        elseif  ( isset($_GET['checkemail']) && 'newpass' == $_GET['checkemail'] )      $errors->add('newpass', __('Check your e-mail for your new password.'));
+        elseif  ( isset($_GET['checkemail']) && 'registered' == $_GET['checkemail'] )   $errors->add('registered', __('Registration complete. Please check your e-mail.'));
 
         login_header(__('Login'), '', $errors);
 ?>
 
 <form name="loginform" id="loginform" action="wp-login.php" method="post">
-<?php if ( !in_array( $_GET['checkemail'], array('confirm', 'newpass') ) ) : ?>
+<?php if ( !isset($_GET['checkemail']) || !in_array( $_GET['checkemail'], array('confirm', 'newpass') ) ) : ?>
         <p>
                 <label><?php _e('Username') ?><br />
                 <input type="text" name="log" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($user_login)); ?>" size="20" tabindex="10" /></label>
@@ -384 +384 @@
 </form>
 
 <p id="nav">
-<?php if ( in_array( $_GET['checkemail'], array('confirm', 'newpass') ) ) : ?>
+<?php if ( isset($_GET['checkemail']) && in_array( $_GET['checkemail'], array('confirm', 'newpass') ) ) : ?>
 <?php elseif (get_option('users_can_register')) : ?>
 <a href="<?php bloginfo('wpurl'); ?>/wp-login.php?action=register"><?php _e('Register') ?></a> |
 <a href="<?php bloginfo('wpurl'); ?>/wp-login.php?action=lostpassword" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>