WordPress.org

Make WordPress Core

Ticket #8833: 8833.patch

File 8833.patch, 114.0 KB (added by Viper007Bond, 9 years ago)

First pass, needs through testing and phpDoc feedback

  • wp-includes/functions.php

     
    3838                return $i;
    3939
    4040        if ( $translate)
    41             return date_i18n( $dateformatstring, $i );
     41                return date_i18n( $dateformatstring, $i );
    4242        else
    43             return date( $dateformatstring, $i );
     43                return date( $dateformatstring, $i );
    4444}
    4545
    4646/**
     
    16921692}
    16931693
    16941694/**
     1695 * Get the time-dependent variable for nonce creation.
     1696 *
     1697 * A nonce has a lifespan of two ticks. Nonces in their second tick may be
     1698 * updated, e.g. by autosave.
     1699 *
     1700 * This function should not be used directly. Use the pluggable version instead.
     1701.* @see wp_nonce_tick()
     1702 *
     1703 * @package WordPress
     1704 * @subpackage Security
     1705 * @since 2.8.0
     1706 *
     1707 * @return int
     1708 */
     1709function _wp_nonce_tick() {
     1710        $nonce_life = apply_filters('nonce_life', 86400);
     1711
     1712        return ceil( time() / ( $nonce_life / 2 ) );
     1713}
     1714
     1715/**
     1716 * Verify that correct nonce was used with time limit.
     1717 *
     1718 * The user is given an amount of time to use the token, so therefore, since the
     1719 * UID and $action remain the same, the independent variable is the time.
     1720 *
     1721 * This function should not be used directly. Use the pluggable version instead.
     1722.* @see wp_verify_nonce()
     1723 *
     1724 * @package WordPress
     1725 * @subpackage Security
     1726 * @since 2.8.0
     1727 *
     1728 * @param string $nonce Nonce that was used in the form to verify
     1729 * @param string|int $action Should give context to what is taking place and be the same when nonce was created.
     1730 * @return bool Whether the nonce check passed or failed.
     1731 */
     1732function _wp_verify_nonce( $nonce, $action = -1 ) {
     1733        $user = wp_get_current_user();
     1734        $uid = (int) $user->id;
     1735
     1736        $i = wp_nonce_tick();
     1737
     1738        // Nonce generated 0-12 hours ago
     1739        if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) == $nonce )
     1740                return 1;
     1741        // Nonce generated 12-24 hours ago
     1742        if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) == $nonce )
     1743                return 2;
     1744        // Invalid nonce
     1745        return false;
     1746}
     1747
     1748/**
     1749 * Creates a random, one time use token.
     1750 *
     1751 * This function should not be used directly. Use the pluggable version instead.
     1752.* @see wp_create_nonce()
     1753 *
     1754 * @package WordPress
     1755 * @subpackage Security
     1756 * @since 2.8.0
     1757 *
     1758 * @param string|int $action Scalar value to add context to the nonce.
     1759 * @return string The one use form token
     1760 */
     1761function _wp_create_nonce( $action = -1 ) {
     1762        $user = wp_get_current_user();
     1763        $uid = (int) $user->id;
     1764
     1765        $i = wp_nonce_tick();
     1766
     1767        return substr( wp_hash($i . $action . $uid, 'nonce'), -12, 10 );
     1768}
     1769
     1770/**
    16951771 * Retrieve URL with nonce added to URL query.
    16961772 *
    16971773 * @package WordPress
     
    17531829}
    17541830
    17551831/**
     1832 * Get salt to add to hashes to help prevent attacks.
     1833 *
     1834 * The secret key is located in two places: the database in case the secret key
     1835 * isn't defined in the second place, which is in the wp-config.php file. If you
     1836 * are going to set the secret key, then you must do so in the wp-config.php
     1837 * file.
     1838 *
     1839 * The secret key in the database is randomly generated and will be appended to
     1840 * the secret key that is in wp-config.php file in some instances. It is
     1841 * important to have the secret key defined or changed in wp-config.php.
     1842 *
     1843 * If you have installed WordPress 2.5 or later, then you will have the
     1844 * SECRET_KEY defined in the wp-config.php already. You will want to change the
     1845 * value in it because hackers will know what it is. If you have upgraded to
     1846 * WordPress 2.5 or later version from a version before WordPress 2.5, then you
     1847 * should add the constant to your wp-config.php file.
     1848 *
     1849 * Below is an example of how the SECRET_KEY constant is defined with a value.
     1850 * You must not copy the below example and paste into your wp-config.php. If you
     1851 * need an example, then you can have a
     1852 * {@link https://api.wordpress.org/secret-key/1.1/ secret key created} for you.
     1853 *
     1854 * <code>
     1855 * define('SECRET_KEY', 'mAry1HadA15|\/|b17w55w1t3asSn09w');
     1856 * </code>
     1857 *
     1858 * Salting passwords helps against tools which has stored hashed values of
     1859 * common dictionary strings. The added values makes it harder to crack if given
     1860 * salt string is not weak.
     1861 *
     1862 * This function should not be used directly. Use the pluggable version instead.
     1863.* @see wp_salt()
     1864 *
     1865 * @package WordPress
     1866 * @subpackage Security
     1867 * @since 2.8.0
     1868 * @link https://api.wordpress.org/secret-key/1.1/ Create a Secret Key for wp-config.php
     1869 *
     1870 * @return string Salt value from either 'SECRET_KEY' or 'secret' option
     1871 */
     1872function _wp_salt( $scheme = 'auth' ) {
     1873        global $wp_default_secret_key;
     1874        $secret_key = '';
     1875        if ( defined('SECRET_KEY') && ('' != SECRET_KEY) && ( $wp_default_secret_key != SECRET_KEY) )
     1876                $secret_key = SECRET_KEY;
     1877
     1878        if ( 'auth' == $scheme ) {
     1879                if ( defined('AUTH_KEY') && ('' != AUTH_KEY) && ( $wp_default_secret_key != AUTH_KEY) )
     1880                        $secret_key = AUTH_KEY;
     1881
     1882                if ( defined('AUTH_SALT') ) {
     1883                        $salt = AUTH_SALT;
     1884                } elseif ( defined('SECRET_SALT') ) {
     1885                        $salt = SECRET_SALT;
     1886                } else {
     1887                        $salt = get_option('auth_salt');
     1888                        if ( empty($salt) ) {
     1889                                $salt = wp_generate_password(64);
     1890                                update_option('auth_salt', $salt);
     1891                        }
     1892                }
     1893        } elseif ( 'secure_auth' == $scheme ) {
     1894                if ( defined('SECURE_AUTH_KEY') && ('' != SECURE_AUTH_KEY) && ( $wp_default_secret_key != SECURE_AUTH_KEY) )
     1895                        $secret_key = SECURE_AUTH_KEY;
     1896
     1897                if ( defined('SECURE_AUTH_SALT') ) {
     1898                        $salt = SECURE_AUTH_SALT;
     1899                } else {
     1900                        $salt = get_option('secure_auth_salt');
     1901                        if ( empty($salt) ) {
     1902                                $salt = wp_generate_password(64);
     1903                                update_option('secure_auth_salt', $salt);
     1904                        }
     1905                }
     1906        } elseif ( 'logged_in' == $scheme ) {
     1907                if ( defined('LOGGED_IN_KEY') && ('' != LOGGED_IN_KEY) && ( $wp_default_secret_key != LOGGED_IN_KEY) )
     1908                        $secret_key = LOGGED_IN_KEY;
     1909
     1910                if ( defined('LOGGED_IN_SALT') ) {
     1911                        $salt = LOGGED_IN_SALT;
     1912                } else {
     1913                        $salt = get_option('logged_in_salt');
     1914                        if ( empty($salt) ) {
     1915                                $salt = wp_generate_password(64);
     1916                                update_option('logged_in_salt', $salt);
     1917                        }
     1918                }
     1919        } elseif ( 'nonce' == $scheme ) {
     1920                if ( defined('NONCE_KEY') && ('' != NONCE_KEY) && ( $wp_default_secret_key != NONCE_KEY) )
     1921                        $secret_key = NONCE_KEY;
     1922
     1923                if ( defined('NONCE_SALT') ) {
     1924                        $salt = NONCE_SALT;
     1925                } else {
     1926                        $salt = get_option('nonce_salt');
     1927                        if ( empty($salt) ) {
     1928                                $salt = wp_generate_password(64);
     1929                                update_option('nonce_salt', $salt);
     1930                        }
     1931                }
     1932        } else {
     1933                // ensure each auth scheme has its own unique salt
     1934                $salt = hash_hmac('md5', $scheme, $secret_key);
     1935        }
     1936
     1937        return apply_filters('salt', $secret_key . $salt, $scheme);
     1938}
     1939
     1940/**
     1941 * Get hash of given string.
     1942 *
     1943 * This function should not be used directly. Use the pluggable version instead.
     1944.* @see wp_hash()
     1945 *
     1946 * @package WordPress
     1947 * @subpackage Security
     1948 * @since 2.8.0
     1949 * @uses wp_salt() Get WordPress salt
     1950 *
     1951 * @param string $data Plain text to hash
     1952 * @return string Hash of $data
     1953 */
     1954function _wp_hash( $data, $scheme = 'auth' ) {
     1955        $salt = wp_salt($scheme);
     1956
     1957        return hash_hmac('md5', $data, $salt);
     1958}
     1959
     1960/**
     1961 * Create a hash (encrypt) of a plain text password.
     1962 *
     1963 * This function should not be used directly. Use the pluggable version instead.
     1964.* @see wp_hash_password()
     1965 *
     1966 * @package WordPress
     1967 * @subpackage Security
     1968 * @since 2.8.0
     1969 * @global object $wp_hasher PHPass object
     1970 * @uses PasswordHash::HashPassword
     1971 *
     1972 * @param string $password Plain text user password to hash
     1973 * @return string The hash string of the password
     1974 */
     1975function _wp_hash_password( $password ) {
     1976        global $wp_hasher;
     1977
     1978        if ( empty($wp_hasher) ) {
     1979                require_once( ABSPATH . 'wp-includes/class-phpass.php');
     1980                // By default, use the portable hash from phpass
     1981                $wp_hasher = new PasswordHash(8, TRUE);
     1982        }
     1983
     1984        return $wp_hasher->HashPassword($password);
     1985}
     1986
     1987/**
     1988 * Checks the plaintext password against the encrypted password.
     1989 *
     1990 * Maintains compatibility between old version and the new cookie authentication
     1991 * protocol using PHPass library. The $hash parameter is the encrypted password
     1992 * and the function compares the plain text password when encypted similarly
     1993 * against the already encrypted password to see if they match.
     1994 *
     1995 * For integration with other applications, this function can be overwritten to
     1996 * instead use the other package password checking algorithm.
     1997 *
     1998 * This function should not be used directly. Use the pluggable version instead.
     1999.* @see wp_check_password()
     2000 *
     2001 * @package WordPress
     2002 * @subpackage Security
     2003 * @since 2.8.0
     2004 * @global object $wp_hasher PHPass object used for checking the password
     2005 *     against the $hash + $password
     2006 * @uses PasswordHash::CheckPassword
     2007 *
     2008 * @param string $password Plaintext user's password
     2009 * @param string $hash Hash of the user's password to check against.
     2010 * @return bool False, if the $password does not match the hashed password
     2011 */
     2012function _wp_check_password( $password, $hash, $user_id = '' ) {
     2013        global $wp_hasher;
     2014
     2015        // If the hash is still md5...
     2016        if ( strlen($hash) <= 32 ) {
     2017                $check = ( $hash == md5($password) );
     2018                if ( $check && $user_id ) {
     2019                        // Rehash using new hash.
     2020                        wp_set_password($password, $user_id);
     2021                        $hash = wp_hash_password($password);
     2022                }
     2023
     2024                return apply_filters('check_password', $check, $password, $hash, $user_id);
     2025        }
     2026
     2027        // If the stored hash is longer than an MD5, presume the
     2028        // new style phpass portable hash.
     2029        if ( empty($wp_hasher) ) {
     2030                require_once( ABSPATH . 'wp-includes/class-phpass.php');
     2031                // By default, use the portable hash from phpass
     2032                $wp_hasher = new PasswordHash(8, TRUE);
     2033        }
     2034
     2035        $check = $wp_hasher->CheckPassword($password, $hash);
     2036
     2037        return apply_filters('check_password', $check, $password, $hash, $user_id);
     2038}
     2039
     2040/**
     2041 * Generates a random password drawn from the defined set of characters.
     2042 *
     2043 * This function should not be used directly. Use the pluggable version instead.
     2044.* @see wp_generate_password()
     2045 *
     2046 * @since 2.8.0
     2047 *
     2048 * @param int $length The length of password to generate
     2049 * @param bool $special_chars Whether to include standard special characters
     2050 * @return string The random password
     2051 **/
     2052function _wp_generate_password( $length = 12, $special_chars = true ) {
     2053        $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
     2054        if ( $special_chars )
     2055                $chars .= '!@#$%^&*()';
     2056
     2057        $password = '';
     2058        for ( $i = 0; $i < $length; $i++ )
     2059                $password .= substr($chars, wp_rand(0, strlen($chars) - 1), 1);
     2060        return $password;
     2061}
     2062
     2063/**
     2064 * Generates a random number
     2065 *
     2066 * This function should not be used directly. Use the pluggable version instead.
     2067.* @see wp_rand()
     2068 *
     2069 * @since 2.8.0
     2070 *
     2071 * @param int $min Lower limit for the generated number (optional, default is 0)
     2072 * @param int $max Upper limit for the generated number (optional, default is 4294967295)
     2073 * @return int A random number between min and max
     2074 */
     2075function _wp_rand( $min = 0, $max = 0 ) {
     2076        global $rnd_value;
     2077
     2078        $seed = get_transient('random_seed');
     2079
     2080        // Reset $rnd_value after 14 uses
     2081        // 32(md5) + 40(sha1) + 40(sha1) / 8 = 14 random numbers from $rnd_value
     2082        if ( strlen($rnd_value) < 8 ) {
     2083                $rnd_value = md5( uniqid(microtime() . mt_rand(), true ) . $seed );
     2084                $rnd_value .= sha1($rnd_value);
     2085                $rnd_value .= sha1($rnd_value . $seed);
     2086                $seed = md5($seed . $rnd_value);
     2087                set_transient('random_seed', $seed);
     2088        }
     2089
     2090        // Take the first 8 digits for our value
     2091        $value = substr($rnd_value, 0, 8);
     2092
     2093        // Strip the first eight, leaving the remainder for the next call to wp_rand().
     2094        $rnd_value = substr($rnd_value, 8);
     2095
     2096        $value = abs(hexdec($value));
     2097
     2098        // Reduce the value to be within the min - max range
     2099        // 4294967295 = 0xffffffff = max random number
     2100        if ( $max != 0 )
     2101                $value = $min + (($max - $min + 1) * ($value / (4294967295 + 1)));
     2102
     2103        return abs(intval($value));
     2104}
     2105
     2106/**
    17562107 * Retrieve or display referer hidden field for forms.
    17572108 *
    17582109 * The referer link is the current Request URI from the server super global. The
     
    18352186}
    18362187
    18372188/**
     2189 * Makes sure that a user was referred from another admin page.
     2190 *
     2191 * To avoid security exploits.
     2192 *
     2193 * This function should not be used directly. Use the pluggable version instead.
     2194.* @see check_admin_referer()
     2195 *
     2196 * @since 2.8.0
     2197 * @uses do_action() Calls 'check_admin_referer' on $action.
     2198 *
     2199 * @param string $action Action nonce
     2200 * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
     2201 */
     2202function _check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
     2203        $adminurl = strtolower(admin_url());
     2204        $referer = strtolower(wp_get_referer());
     2205        $result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;
     2206        if ( !$result && !(-1 == $action && strpos($referer, $adminurl) !== false) ) {
     2207                wp_nonce_ays($action);
     2208                die();
     2209        }
     2210        do_action('check_admin_referer', $action, $result);
     2211        return $result;
     2212}
     2213
     2214/**
     2215 * Verifies the AJAX request to prevent processing requests external of the blog.
     2216 *
     2217 * This function should not be used directly. Use the pluggable version instead.
     2218.* @see check_ajax_referer()
     2219 *
     2220 * @since 2.8.0
     2221 *
     2222 * @param string $action Action nonce
     2223 * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
     2224 */
     2225function _check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
     2226        if ( $query_arg )
     2227                $nonce = $_REQUEST[$query_arg];
     2228        else
     2229                $nonce = $_REQUEST['_ajax_nonce'] ? $_REQUEST['_ajax_nonce'] : $_REQUEST['_wpnonce'];
     2230
     2231        $result = wp_verify_nonce( $nonce, $action );
     2232
     2233        if ( $die && false == $result )
     2234                die('-1');
     2235
     2236        do_action('check_ajax_referer', $action, $result);
     2237
     2238        return $result;
     2239}
     2240
     2241/**
     2242 * Redirects to another page, with a workaround for the IIS Set-Cookie bug.
     2243 *
     2244 * This function should not be used directly. Use the pluggable version instead.
     2245.* @see wp_redirect()
     2246 *
     2247 * @link http://support.microsoft.com/kb/q176113/
     2248 * @since 2.8.0
     2249 * @uses apply_filters() Calls 'wp_redirect' hook on $location and $status.
     2250 *
     2251 * @param string $location The path to redirect to
     2252 * @param int $status Status code to use
     2253 * @return bool False if $location is not set
     2254 */
     2255function _wp_redirect( $location, $status = 302 ) {
     2256        global $is_IIS;
     2257
     2258        $location = apply_filters('wp_redirect', $location, $status);
     2259        $status = apply_filters('wp_redirect_status', $status, $location);
     2260
     2261        if ( !$location ) // allows the wp_redirect filter to cancel a redirect
     2262                return false;
     2263
     2264        $location = wp_sanitize_redirect($location);
     2265
     2266        if ( $is_IIS ) {
     2267                header("Refresh: 0;url=$location");
     2268        } else {
     2269                if ( php_sapi_name() != 'cgi-fcgi' )
     2270                        status_header($status); // This causes problems on IIS and some FastCGI setups
     2271                header("Location: $location");
     2272        }
     2273}
     2274
     2275/**
     2276 * Sanitizes a URL for use in a redirect.
     2277 *
     2278 * This function should not be used directly. Use the pluggable version instead.
     2279.* @see wp_sanitize_redirect()
     2280 *
     2281 * @since 2.8.0
     2282 *
     2283 * @return string redirect-sanitized URL
     2284 **/
     2285function _wp_sanitize_redirect( $location ) {
     2286        $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location);
     2287        $location = wp_kses_no_null($location);
     2288
     2289        // remove %0d and %0a from location
     2290        $strip = array('%0d', '%0a');
     2291        $found = true;
     2292        while($found) {
     2293                $found = false;
     2294                foreach( (array) $strip as $val ) {
     2295                        while(strpos($location, $val) !== false) {
     2296                                $found = true;
     2297                                $location = str_replace($val, '', $location);
     2298                        }
     2299                }
     2300        }
     2301        return $location;
     2302}
     2303
     2304/**
     2305 * Performs a safe (local) redirect, using wp_redirect().
     2306 *
     2307 * Checks whether the $location is using an allowed host, if it has an absolute
     2308 * path. A plugin can therefore set or remove allowed host(s) to or from the
     2309 * list.
     2310 *
     2311 * If the host is not allowed, then the redirect is to wp-admin on the siteurl
     2312 * instead. This prevents malicious redirects which redirect to another host,
     2313 * but only used in a few places.
     2314 *
     2315 * This function should not be used directly. Use the pluggable version instead.
     2316.* @see wp_safe_redirect()
     2317 *
     2318 * @since 2.8.0
     2319 * @uses apply_filters() Calls 'allowed_redirect_hosts' on an array containing
     2320 *              WordPress host string and $location host string.
     2321 *
     2322 * @return void Does not return anything
     2323 **/
     2324function _wp_safe_redirect( $location, $status = 302 ) {
     2325        // Need to look at the URL the way it will end up in wp_redirect()
     2326        $location = wp_sanitize_redirect($location);
     2327
     2328        // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
     2329        if ( substr($location, 0, 2) == '//' )
     2330                $location = 'http:' . $location;
     2331
     2332        // In PHP5 parse_url may fail if the URL query part contains http://, bug #38143
     2333        $test = ( $cut = strpos($location, '?') ) ? substr( $location, 0, $cut ) : $location;
     2334
     2335        $lp  = parse_url($test);
     2336        $wpp = parse_url(get_option('home'));
     2337
     2338        $allowed_hosts = (array) apply_filters('allowed_redirect_hosts', array($wpp['host']), isset($lp['host']) ? $lp['host'] : '');
     2339
     2340        if ( isset($lp['host']) && ( !in_array($lp['host'], $allowed_hosts) && $lp['host'] != strtolower($wpp['host'])) )
     2341                $location = admin_url();
     2342
     2343        wp_redirect($location, $status);
     2344}
     2345
     2346/**
    18382347 * Recursive directory creation based on full path.
    18392348 *
    18402349 * Will attempt to set permissions on folders.
     
    31443653        return $structure;
    31453654}
    31463655
     3656/**
     3657 * Send mail, similar to PHP's mail
     3658 *
     3659 * A true return value does not automatically mean that the user received the
     3660 * email successfully. It just only means that the method used was able to
     3661 * process the request without any errors.
     3662 *
     3663 * Using the two 'wp_mail_from' and 'wp_mail_from_name' hooks allow from
     3664 * creating a from address like 'Name <email@address.com>' when both are set. If
     3665 * just 'wp_mail_from' is set, then just the email address will be used with no
     3666 * name.
     3667 *
     3668 * The default content type is 'text/plain' which does not allow using HTML.
     3669 * However, you can set the content type of the email by using the
     3670 * 'wp_mail_content_type' filter.
     3671 *
     3672 * The default charset is based on the charset used on the blog. The charset can
     3673 * be set using the 'wp_mail_charset' filter.
     3674 *
     3675 * This function should not be used directly. Use the pluggable version instead.
     3676.* @see wp_mail()
     3677 *
     3678 * @since 2.8.0
     3679 * @uses apply_filters() Calls 'wp_mail' hook on an array of all of the parameters.
     3680 * @uses apply_filters() Calls 'wp_mail_from' hook to get the from email address.
     3681 * @uses apply_filters() Calls 'wp_mail_from_name' hook to get the from address name.
     3682 * @uses apply_filters() Calls 'wp_mail_content_type' hook to get the email content type.
     3683 * @uses apply_filters() Calls 'wp_mail_charset' hook to get the email charset
     3684 * @uses do_action_ref_array() Calls 'phpmailer_init' hook on the reference to
     3685 *              phpmailer object.
     3686 * @uses PHPMailer
     3687 *
     3688 * @param string $to Email address to send message
     3689 * @param string $subject Email subject
     3690 * @param string $message Message contents
     3691 * @param string|array $headers Optional. Additional headers.
     3692 * @param string|array $attachments Optional. Files to attach.
     3693 * @return bool Whether the email contents were sent successfully.
     3694 */
     3695function _wp_mail( $to, $subject, $message, $headers = '', $attachments = array() ) {
     3696        // Compact the input, apply the filters, and extract them back out
     3697        extract( apply_filters( 'wp_mail', compact( 'to', 'subject', 'message', 'headers', 'attachments' ) ) );
    31473698
     3699        if ( !is_array($attachments) )
     3700                $attachments = explode( "\n", $attachments );
     3701
     3702        global $phpmailer;
     3703
     3704        // (Re)create it, if it's gone missing
     3705        if ( !is_object( $phpmailer ) || !is_a( $phpmailer, 'PHPMailer' ) ) {
     3706                require_once ABSPATH . WPINC . '/class-phpmailer.php';
     3707                require_once ABSPATH . WPINC . '/class-smtp.php';
     3708                $phpmailer = new PHPMailer();
     3709        }
     3710
     3711        // Headers
     3712        if ( empty( $headers ) ) {
     3713                $headers = array();
     3714        } else {
     3715                if ( !is_array( $headers ) ) {
     3716                        // Explode the headers out, so this function can take both
     3717                        // string headers and an array of headers.
     3718                        $tempheaders = (array) explode( "\n", $headers );
     3719                } else {
     3720                        $tempheaders = $headers;
     3721                }
     3722                $headers = array();
     3723
     3724                // If it's actually got contents
     3725                if ( !empty( $tempheaders ) ) {
     3726                        // Iterate through the raw headers
     3727                        foreach ( (array) $tempheaders as $header ) {
     3728                                if ( strpos($header, ':') === false )
     3729                                        continue;
     3730                                // Explode them out
     3731                                list( $name, $content ) = explode( ':', trim( $header ), 2 );
     3732
     3733                                // Cleanup crew
     3734                                $name = trim( $name );
     3735                                $content = trim( $content );
     3736
     3737                                // Mainly for legacy -- process a From: header if it's there
     3738                                if ( 'from' == strtolower($name) ) {
     3739                                        if ( strpos($content, '<' ) !== false ) {
     3740                                                // So... making my life hard again?
     3741                                                $from_name = substr( $content, 0, strpos( $content, '<' ) - 1 );
     3742                                                $from_name = str_replace( '"', '', $from_name );
     3743                                                $from_name = trim( $from_name );
     3744
     3745                                                $from_email = substr( $content, strpos( $content, '<' ) + 1 );
     3746                                                $from_email = str_replace( '>', '', $from_email );
     3747                                                $from_email = trim( $from_email );
     3748                                        } else {
     3749                                                $from_email = trim( $content );
     3750                                        }
     3751                                } elseif ( 'content-type' == strtolower($name) ) {
     3752                                        if ( strpos( $content,';' ) !== false ) {
     3753                                                list( $type, $charset ) = explode( ';', $content );
     3754                                                $content_type = trim( $type );
     3755                                                $charset = trim( str_replace( array( 'charset=', '"' ), '', $charset ) );
     3756                                        } else {
     3757                                                $content_type = trim( $content );
     3758                                        }
     3759                                } elseif ( 'cc' == strtolower($name) ) {
     3760                                        $cc = explode(",", $content);
     3761                                } elseif ( 'bcc' == strtolower($name) ) {
     3762                                        $bcc = explode(",", $content);
     3763                                } else {
     3764                                        // Add it to our grand headers array
     3765                                        $headers[trim( $name )] = trim( $content );
     3766                                }
     3767                        }
     3768                }
     3769        }
     3770
     3771        // Empty out the values that may be set
     3772        $phpmailer->ClearAddresses();
     3773        $phpmailer->ClearAllRecipients();
     3774        $phpmailer->ClearAttachments();
     3775        $phpmailer->ClearBCCs();
     3776        $phpmailer->ClearCCs();
     3777        $phpmailer->ClearCustomHeaders();
     3778        $phpmailer->ClearReplyTos();
     3779
     3780        // From email and name
     3781        // If we don't have a name from the input headers
     3782        if ( !isset( $from_name ) ) {
     3783                $from_name = 'WordPress';
     3784        }
     3785
     3786        /* If we don't have an email from the input headers default to wordpress@$sitename
     3787         * Some hosts will block outgoing mail from this address if it doesn't exist but
     3788         * there's no easy alternative. Defaulting to admin_email might appear to be another
     3789         * option but some hosts may refuse to relay mail from an unknown domain. See
     3790         * http://trac.wordpress.org/ticket/5007.
     3791         */
     3792
     3793        if ( !isset( $from_email ) ) {
     3794                // Get the site domain and get rid of www.
     3795                $sitename = strtolower( $_SERVER['SERVER_NAME'] );
     3796                if ( substr( $sitename, 0, 4 ) == 'www.' ) {
     3797                        $sitename = substr( $sitename, 4 );
     3798                }
     3799
     3800                $from_email = 'wordpress@' . $sitename;
     3801        }
     3802
     3803        // Plugin authors can override the potentially troublesome default
     3804        $phpmailer->From = apply_filters( 'wp_mail_from', $from_email );
     3805        $phpmailer->FromName = apply_filters( 'wp_mail_from_name', $from_name );
     3806
     3807        // Set destination address
     3808        $phpmailer->AddAddress( $to );
     3809
     3810        // Set mail's subject and body
     3811        $phpmailer->Subject = $subject;
     3812        $phpmailer->Body = $message;
     3813
     3814        // Add any CC and BCC recipients
     3815        if ( !empty($cc) ) {
     3816                foreach ( (array) $cc as $recipient ) {
     3817                        $phpmailer->AddCc( trim($recipient) );
     3818                }
     3819        }
     3820        if ( !empty($bcc) ) {
     3821                foreach ( (array) $bcc as $recipient) {
     3822                        $phpmailer->AddBcc( trim($recipient) );
     3823                }
     3824        }
     3825
     3826        // Set to use PHP's mail()
     3827        $phpmailer->IsMail();
     3828
     3829        // Set Content-Type and charset
     3830        // If we don't have a content-type from the input headers
     3831        if ( !isset( $content_type ) ) {
     3832                $content_type = 'text/plain';
     3833        }
     3834
     3835        $content_type = apply_filters( 'wp_mail_content_type', $content_type );
     3836
     3837        // Set whether it's plaintext or not, depending on $content_type
     3838        if ( $content_type == 'text/html' ) {
     3839                $phpmailer->IsHTML( true );
     3840        } else {
     3841                $phpmailer->IsHTML( false );
     3842        }
     3843
     3844        // If we don't have a charset from the input headers
     3845        if ( !isset( $charset ) ) {
     3846                $charset = get_bloginfo( 'charset' );
     3847        }
     3848
     3849        // Set the content-type and charset
     3850        $phpmailer->CharSet = apply_filters( 'wp_mail_charset', $charset );
     3851
     3852        // Set custom headers
     3853        if ( !empty( $headers ) ) {
     3854                foreach( (array) $headers as $name => $content ) {
     3855                        $phpmailer->AddCustomHeader( sprintf( '%1$s: %2$s', $name, $content ) );
     3856                }
     3857        }
     3858
     3859        if ( !empty( $attachments ) ) {
     3860                foreach ( $attachments as $attachment ) {
     3861                        $phpmailer->AddAttachment($attachment);
     3862                }
     3863        }
     3864
     3865        do_action_ref_array( 'phpmailer_init', array( &$phpmailer ) );
     3866
     3867        // Send!
     3868        $result = @$phpmailer->Send();
     3869
     3870        return $result;
     3871}
     3872
     3873/**
     3874 * Notify an author of a comment/trackback/pingback to one of their posts.
     3875 *
     3876 * This function should not be used directly. Use the pluggable version instead.
     3877.* @see wp_notify_postauthor()
     3878 *
     3879 * @since 2.8.0
     3880 *
     3881 * @param int $comment_id Comment ID
     3882 * @param string $comment_type Optional. The comment type either 'comment' (default), 'trackback', or 'pingback'
     3883 * @return bool False if user email does not exist. True on completion.
     3884 */
     3885function _wp_notify_postauthor( $comment_id, $comment_type = '' ) {
     3886        $comment = get_comment($comment_id);
     3887        $post    = get_post($comment->comment_post_ID);
     3888        $user    = get_userdata( $post->post_author );
     3889        $current_user = wp_get_current_user();
     3890       
     3891        if ( $current_user->ID == $user->ID ) return false; // The author moderated a comment on his own post
     3892
     3893        if ('' == $user->user_email) return false; // If there's no email to send the comment to
     3894
     3895        $comment_author_domain = @gethostbyaddr($comment->comment_author_IP);
     3896
     3897        $blogname = get_option('blogname');
     3898
     3899        if ( empty( $comment_type ) ) $comment_type = 'comment';
     3900
     3901        if ('comment' == $comment_type) {
     3902                $notify_message  = sprintf( __('New comment on your post #%1$s "%2$s"'), $comment->comment_post_ID, $post->post_title ) . "\r\n";
     3903                $notify_message .= sprintf( __('Author : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
     3904                $notify_message .= sprintf( __('E-mail : %s'), $comment->comment_author_email ) . "\r\n";
     3905                $notify_message .= sprintf( __('URL    : %s'), $comment->comment_author_url ) . "\r\n";
     3906                $notify_message .= sprintf( __('Whois  : http://ws.arin.net/cgi-bin/whois.pl?queryinput=%s'), $comment->comment_author_IP ) . "\r\n";
     3907                $notify_message .= __('Comment: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
     3908                $notify_message .= __('You can see all comments on this post here: ') . "\r\n";
     3909                $subject = sprintf( __('[%1$s] Comment: "%2$s"'), $blogname, $post->post_title );
     3910        } elseif ('trackback' == $comment_type) {
     3911                $notify_message  = sprintf( __('New trackback on your post #%1$s "%2$s"'), $comment->comment_post_ID, $post->post_title ) . "\r\n";
     3912                $notify_message .= sprintf( __('Website: %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
     3913                $notify_message .= sprintf( __('URL    : %s'), $comment->comment_author_url ) . "\r\n";
     3914                $notify_message .= __('Excerpt: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
     3915                $notify_message .= __('You can see all trackbacks on this post here: ') . "\r\n";
     3916                $subject = sprintf( __('[%1$s] Trackback: "%2$s"'), $blogname, $post->post_title );
     3917        } elseif ('pingback' == $comment_type) {
     3918                $notify_message  = sprintf( __('New pingback on your post #%1$s "%2$s"'), $comment->comment_post_ID, $post->post_title ) . "\r\n";
     3919                $notify_message .= sprintf( __('Website: %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
     3920                $notify_message .= sprintf( __('URL    : %s'), $comment->comment_author_url ) . "\r\n";
     3921                $notify_message .= __('Excerpt: ') . "\r\n" . sprintf('[...] %s [...]', $comment->comment_content ) . "\r\n\r\n";
     3922                $notify_message .= __('You can see all pingbacks on this post here: ') . "\r\n";
     3923                $subject = sprintf( __('[%1$s] Pingback: "%2$s"'), $blogname, $post->post_title );
     3924        }
     3925        $notify_message .= get_permalink($comment->comment_post_ID) . "#comments\r\n\r\n";
     3926        $notify_message .= sprintf( __('Delete it: %s'), admin_url("comment.php?action=cdc&c=$comment_id") ) . "\r\n";
     3927        $notify_message .= sprintf( __('Spam it: %s'), admin_url("comment.php?action=cdc&dt=spam&c=$comment_id") ) . "\r\n";
     3928
     3929        $wp_email = 'wordpress@' . preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME']));
     3930
     3931        if ( '' == $comment->comment_author ) {
     3932                $from = "From: \"$blogname\" <$wp_email>";
     3933                if ( '' != $comment->comment_author_email )
     3934                        $reply_to = "Reply-To: $comment->comment_author_email";
     3935        } else {
     3936                $from = "From: \"$comment->comment_author\" <$wp_email>";
     3937                if ( '' != $comment->comment_author_email )
     3938                        $reply_to = "Reply-To: \"$comment->comment_author_email\" <$comment->comment_author_email>";
     3939        }
     3940
     3941        $message_headers = "$from\n"
     3942                . "Content-Type: text/plain; charset=\"" . get_option('blog_charset') . "\"\n";
     3943
     3944        if ( isset($reply_to) )
     3945                $message_headers .= $reply_to . "\n";
     3946
     3947        $notify_message = apply_filters('comment_notification_text', $notify_message, $comment_id);
     3948        $subject = apply_filters('comment_notification_subject', $subject, $comment_id);
     3949        $message_headers = apply_filters('comment_notification_headers', $message_headers, $comment_id);
     3950
     3951        @wp_mail($user->user_email, $subject, $notify_message, $message_headers);
     3952
     3953        return true;
     3954}
     3955
     3956/**
     3957 * Notifies the moderator of the blog about a new comment that is awaiting approval.
     3958 *
     3959 * This function should not be used directly. Use the pluggable version instead.
     3960.* @see wp_notify_moderator()
     3961 *
     3962 * @since 2.8.0
     3963 * @uses $wpdb
     3964 *
     3965 * @param int $comment_id Comment ID
     3966 * @return bool Always returns true
     3967 */
     3968function _wp_notify_moderator( $comment_id ) {
     3969        global $wpdb;
     3970
     3971        if ( get_option( 'moderation_notify' ) == 0 )
     3972                return true;
     3973
     3974        $comment = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_ID=%d LIMIT 1", $comment_id));
     3975        $post = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID=%d LIMIT 1", $comment->comment_post_ID));
     3976
     3977        $comment_author_domain = @gethostbyaddr($comment->comment_author_IP);
     3978        $comments_waiting = $wpdb->get_var("SELECT count(comment_ID) FROM $wpdb->comments WHERE comment_approved = '0'");
     3979
     3980        switch ($comment->comment_type) {
     3981                case 'trackback':
     3982                        $notify_message  = sprintf( __('A new trackback on the post #%1$s "%2$s" is waiting for your approval'), $post->ID, $post->post_title ) . "\r\n";
     3983                        $notify_message .= get_permalink($comment->comment_post_ID) . "\r\n\r\n";
     3984                        $notify_message .= sprintf( __('Website : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
     3985                        $notify_message .= sprintf( __('URL    : %s'), $comment->comment_author_url ) . "\r\n";
     3986                        $notify_message .= __('Trackback excerpt: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
     3987                        break;
     3988                case 'pingback':
     3989                        $notify_message  = sprintf( __('A new pingback on the post #%1$s "%2$s" is waiting for your approval'), $post->ID, $post->post_title ) . "\r\n";
     3990                        $notify_message .= get_permalink($comment->comment_post_ID) . "\r\n\r\n";
     3991                        $notify_message .= sprintf( __('Website : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
     3992                        $notify_message .= sprintf( __('URL    : %s'), $comment->comment_author_url ) . "\r\n";
     3993                        $notify_message .= __('Pingback excerpt: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
     3994                        break;
     3995                default: //Comments
     3996                        $notify_message  = sprintf( __('A new comment on the post #%1$s "%2$s" is waiting for your approval'), $post->ID, $post->post_title ) . "\r\n";
     3997                        $notify_message .= get_permalink($comment->comment_post_ID) . "\r\n\r\n";
     3998                        $notify_message .= sprintf( __('Author : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
     3999                        $notify_message .= sprintf( __('E-mail : %s'), $comment->comment_author_email ) . "\r\n";
     4000                        $notify_message .= sprintf( __('URL    : %s'), $comment->comment_author_url ) . "\r\n";
     4001                        $notify_message .= sprintf( __('Whois  : http://ws.arin.net/cgi-bin/whois.pl?queryinput=%s'), $comment->comment_author_IP ) . "\r\n";
     4002                        $notify_message .= __('Comment: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
     4003                        break;
     4004        }
     4005
     4006        $notify_message .= sprintf( __('Approve it: %s'),  admin_url("comment.php?action=mac&c=$comment_id") ) . "\r\n";
     4007        $notify_message .= sprintf( __('Delete it: %s'), admin_url("comment.php?action=cdc&c=$comment_id") ) . "\r\n";
     4008        $notify_message .= sprintf( __('Spam it: %s'), admin_url("comment.php?action=cdc&dt=spam&c=$comment_id") ) . "\r\n";
     4009
     4010        $notify_message .= sprintf( _n('Currently %s comment is waiting for approval. Please visit the moderation panel:',
     4011                'Currently %s comments are waiting for approval. Please visit the moderation panel:', $comments_waiting), number_format_i18n($comments_waiting) ) . "\r\n";
     4012        $notify_message .= admin_url("edit-comments.php?comment_status=moderated") . "\r\n";
     4013
     4014        $subject = sprintf( __('[%1$s] Please moderate: "%2$s"'), get_option('blogname'), $post->post_title );
     4015        $admin_email = get_option('admin_email');
     4016
     4017        $notify_message = apply_filters('comment_moderation_text', $notify_message, $comment_id);
     4018        $subject = apply_filters('comment_moderation_subject', $subject, $comment_id);
     4019
     4020        @wp_mail($admin_email, $subject, $notify_message);
     4021
     4022        return true;
     4023}
     4024
     4025/**
     4026 * Notify the blog admin of a user changing password, normally via email.
     4027 *
     4028 * This function should not be used directly. Use the pluggable version instead.
     4029.* @see wp_password_change_notification()
     4030 *
     4031 * @since 2.8.0
     4032 *
     4033 * @param object $user User Object
     4034 */
     4035function _wp_password_change_notification( &$user ) {
     4036        // send a copy of password change notification to the admin
     4037        // but check to see if it's the admin whose password we're changing, and skip this
     4038        if ( $user->user_email != get_option('admin_email') ) {
     4039                $message = sprintf(__('Password Lost and Changed for user: %s'), $user->user_login) . "\r\n";
     4040                wp_mail(get_option('admin_email'), sprintf(__('[%s] Password Lost/Changed'), get_option('blogname')), $message);
     4041        }
     4042}
     4043
     4044/**
     4045 * Notify the blog admin of a new user, normally via email.
     4046 *
     4047 * This function should not be used directly. Use the pluggable version instead.
     4048.* @see wp_new_user_notification()
     4049 *
     4050 * @since 2.8.0
     4051 *
     4052 * @param int $user_id User ID
     4053 * @param string $plaintext_pass Optional. The user's plaintext password
     4054 */
     4055function _wp_new_user_notification( $user_id, $plaintext_pass = '' ) {
     4056        $user = new WP_User($user_id);
     4057
     4058        $user_login = stripslashes($user->user_login);
     4059        $user_email = stripslashes($user->user_email);
     4060
     4061        $message  = sprintf(__('New user registration on your blog %s:'), get_option('blogname')) . "\r\n\r\n";
     4062        $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
     4063        $message .= sprintf(__('E-mail: %s'), $user_email) . "\r\n";
     4064
     4065        @wp_mail( get_option('admin_email'), sprintf(__('[%s] New User Registration'), get_option('blogname') ), $message);
     4066
     4067        if ( empty($plaintext_pass) )
     4068                return;
     4069
     4070        $message  = sprintf(__('Username: %s'), $user_login) . "\r\n";
     4071        $message .= sprintf(__('Password: %s'), $plaintext_pass) . "\r\n";
     4072        $message .= wp_login_url() . "\r\n";
     4073
     4074        wp_mail( $user_email, sprintf( __('[%s] Your username and password'), get_option('blogname') ), $message );
     4075}
     4076
     4077/**
     4078 * Displays a human readable HTML representation of the difference between two strings.
     4079 *
     4080 * The Diff is available for getting the changes between versions. The output is
     4081 * HTML, so the primary use is for displaying the changes. If the two strings
     4082 * are equivalent, then an empty string will be returned.
     4083 *
     4084 * The arguments supported and can be changed are listed below.
     4085 *
     4086 * 'title' : Default is an empty string. Titles the diff in a manner compatible
     4087 *     with the output.
     4088 * 'title_left' : Default is an empty string. Change the HTML to the left of the
     4089 *     title.
     4090 * 'title_right' : Default is an empty string. Change the HTML to the right of
     4091 *     the title.
     4092 *
     4093 * This function should not be used directly. Use the pluggable version instead.
     4094.* @see wp_text_diff()
     4095 *
     4096 * @since 2.8.0
     4097 * @see wp_parse_args() Used to change defaults to user defined settings.
     4098 * @uses Text_Diff
     4099 * @uses WP_Text_Diff_Renderer_Table
     4100 *
     4101 * @param string $left_string "old" (left) version of string
     4102 * @param string $right_string "new" (right) version of string
     4103 * @param string|array $args Optional. Change 'title', 'title_left', and 'title_right' defaults.
     4104 * @return string Empty string if strings are equivalent or HTML with differences.
     4105 */
     4106function _wp_text_diff( $left_string, $right_string, $args = null ) {
     4107        $defaults = array( 'title' => '', 'title_left' => '', 'title_right' => '' );
     4108        $args = wp_parse_args( $args, $defaults );
     4109
     4110        if ( !class_exists( 'WP_Text_Diff_Renderer_Table' ) )
     4111                require( ABSPATH . WPINC . '/wp-diff.php' );
     4112
     4113        $left_string  = normalize_whitespace($left_string);
     4114        $right_string = normalize_whitespace($right_string);
     4115
     4116        $left_lines  = split("\n", $left_string);
     4117        $right_lines = split("\n", $right_string);
     4118
     4119        $text_diff = new Text_Diff($left_lines, $right_lines);
     4120        $renderer  = new WP_Text_Diff_Renderer_Table();
     4121        $diff = $renderer->render($text_diff);
     4122
     4123        if ( !$diff )
     4124                return '';
     4125
     4126        $r  = "<table class='diff'>\n";
     4127        $r .= "<col class='ltype' /><col class='content' /><col class='ltype' /><col class='content' />";
     4128
     4129        if ( $args['title'] || $args['title_left'] || $args['title_right'] )
     4130                $r .= "<thead>";
     4131        if ( $args['title'] )
     4132                $r .= "<tr class='diff-title'><th colspan='4'>$args[title]</th></tr>\n";
     4133        if ( $args['title_left'] || $args['title_right'] ) {
     4134                $r .= "<tr class='diff-sub-title'>\n";
     4135                $r .= "\t<td></td><th>$args[title_left]</th>\n";
     4136                $r .= "\t<td></td><th>$args[title_right]</th>\n";
     4137                $r .= "</tr>\n";
     4138        }
     4139        if ( $args['title'] || $args['title_left'] || $args['title_right'] )
     4140                $r .= "</thead>\n";
     4141
     4142        $r .= "<tbody>\n$diff\n</tbody>\n";
     4143        $r .= "</table>";
     4144
     4145        return $r;
     4146}
     4147
    31484148?>
  • wp-includes/pluggable.php

     
    1919 * @param string $name Optional. The user's username
    2020 * @return object returns wp_set_current_user()
    2121 */
    22 function set_current_user($id, $name = '') {
    23         return wp_set_current_user($id, $name);
     22function set_current_user( $id, $name = '' ) {
     23        return wp_set_current_user( $id, $name );
    2424}
    2525endif;
    2626
     
    3030 *
    3131 * Set $id to null and specify a name if you do not know a user's ID.
    3232 *
    33  * Some WordPress functionality is based on the current user and not based on
    34  * the signed in user. Therefore, it opens the ability to edit and perform
    35  * actions on users who aren't signed in.
     33 * @see _wp_set_current_user()
    3634 *
    3735 * @since 2.0.3
    38  * @global object $current_user The current user object which holds the user data.
    39  * @uses do_action() Calls 'set_current_user' hook after setting the current user.
    4036 *
    4137 * @param int $id User ID
    4238 * @param string $name User's username
    4339 * @return WP_User Current user User object
    4440 */
    45 function wp_set_current_user($id, $name = '') {
    46         global $current_user;
    47 
    48         if ( isset($current_user) && ($id == $current_user->ID) )
    49                 return $current_user;
    50 
    51         $current_user = new WP_User($id, $name);
    52 
    53         setup_userdata($current_user->ID);
    54 
    55         do_action('set_current_user');
    56 
    57         return $current_user;
     41function wp_set_current_user( $id, $name = '' ) {
     42        return _wp_set_current_user( $id, $name );
    5843}
    5944endif;
    6045
     
    6247/**
    6348 * Retrieve the current user object.
    6449 *
     50 * @see _wp_get_current_user()
     51 *
    6552 * @since 2.0.3
    6653 *
    6754 * @return WP_User Current user WP_User object
    6855 */
    6956function wp_get_current_user() {
    70         global $current_user;
    71 
    72         get_currentuserinfo();
    73 
    74         return $current_user;
     57        return _wp_get_current_user();
    7558}
    7659endif;
    7760
     
    7962/**
    8063 * Populate global variables with information about the currently logged in user.
    8164 *
    82  * Will set the current user, if the current user is not set. The current user
    83  * will be set to the logged in person. If no user is logged in, then it will
    84  * set the current user to 0, which is invalid and won't have any permissions.
     65 * @see _get_currentuserinfo()
    8566 *
    8667 * @since 0.71
    87  * @uses $current_user Checks if the current user is set
    88  * @uses wp_validate_auth_cookie() Retrieves current logged in user.
    8968 *
    90  * @return bool|null False on XMLRPC Request and invalid auth cookie. Null when current user set
     69 * @return bool|null False on XMLRPC Request and invalid auth cookie. Null when current user set.
    9170 */
    9271function get_currentuserinfo() {
    93         global $current_user;
    94 
    95         if ( defined('XMLRPC_REQUEST') && XMLRPC_REQUEST )
    96                 return false;
    97 
    98         if ( ! empty($current_user) )
    99                 return;
    100 
    101         if ( ! $user = wp_validate_auth_cookie() ) {
    102                  if ( empty($_COOKIE[LOGGED_IN_COOKIE]) || !$user = wp_validate_auth_cookie($_COOKIE[LOGGED_IN_COOKIE], 'logged_in') ) {
    103                         wp_set_current_user(0);
    104                         return false;
    105                  }
    106         }
    107 
    108         wp_set_current_user($user);
     72        return _get_currentuserinfo();
    10973}
    11074endif;
    11175
     
    11377/**
    11478 * Retrieve user info by user ID.
    11579 *
     80 * @see _get_userdata()
     81 *
    11682 * @since 0.71
    11783 *
    11884 * @param int $user_id User ID
    11985 * @return bool|object False on failure, User DB row object
    12086 */
    12187function get_userdata( $user_id ) {
    122         global $wpdb;
    123 
    124         $user_id = absint($user_id);
    125         if ( $user_id == 0 )
    126                 return false;
    127 
    128         $user = wp_cache_get($user_id, 'users');
    129 
    130         if ( $user )
    131                 return $user;
    132 
    133         if ( !$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE ID = %d LIMIT 1", $user_id)) )
    134                 return false;
    135 
    136         _fill_user($user);
    137 
    138         return $user;
     88        return _get_userdata( $user_id );
    13989}
    14090endif;
    14191
     
    14393/**
    14494 * Retrieve user info by a given field
    14595 *
     96 * @see _get_user_by()
     97 *
    14698 * @since 2.8.0
    14799 *
    148100 * @param string $field The field to retrieve the user with.  id | slug | email | login
    149101 * @param int|string $value A value for $field.  A user ID, slug, email address, or login name.
    150102 * @return bool|object False on failure, User DB row object
    151103 */
    152 function get_user_by($field, $value) {
    153         global $wpdb;
    154 
    155         switch ($field) {
    156                 case 'id':
    157                         return get_userdata($value);
    158                         break;
    159                 case 'slug':
    160                         $user_id = wp_cache_get($value, 'userslugs');
    161                         $field = 'user_nicename';
    162                         break;
    163                 case 'email':
    164                         $user_id = wp_cache_get($value, 'useremail');
    165                         $field = 'user_email';
    166                         break;
    167                 case 'login':
    168                         $value = sanitize_user( $value );
    169                         $user_id = wp_cache_get($value, 'userlogins');
    170                         $field = 'user_login';
    171                         break;
    172                 default:
    173                         return false;
    174         }
    175 
    176          if ( false !== $user_id )
    177                 return get_userdata($user_id);
    178 
    179         if ( !$user = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->users WHERE $field = %s", $value) ) )
    180                 return false;
    181 
    182         _fill_user($user);
    183 
    184         return $user;
     104function get_user_by( $field, $value ) {
     105        return _get_user_by( $field, $value );
    185106}
    186107endif;
    187108
     
    194115 * @param string $user_login User's username
    195116 * @return bool|object False on failure, User DB row object
    196117 */
    197 function get_userdatabylogin($user_login) {
    198         return get_user_by('login', $user_login);
     118function get_userdatabylogin( $user_login ) {
     119        return get_user_by( 'login', $user_login );
    199120}
    200121endif;
    201122
     
    208129 * @param string $email User's email address
    209130 * @return bool|object False on failure, User DB row object
    210131 */
    211 function get_user_by_email($email) {
    212         return get_user_by('email', $email);
     132function get_user_by_email( $email ) {
     133        return get_user_by( 'email', $email );
    213134}
    214135endif;
    215136
     
    217138/**
    218139 * Send mail, similar to PHP's mail
    219140 *
    220  * A true return value does not automatically mean that the user received the
    221  * email successfully. It just only means that the method used was able to
    222  * process the request without any errors.
     141 * @see _wp_mail()
    223142 *
    224  * Using the two 'wp_mail_from' and 'wp_mail_from_name' hooks allow from
    225  * creating a from address like 'Name <email@address.com>' when both are set. If
    226  * just 'wp_mail_from' is set, then just the email address will be used with no
    227  * name.
    228  *
    229  * The default content type is 'text/plain' which does not allow using HTML.
    230  * However, you can set the content type of the email by using the
    231  * 'wp_mail_content_type' filter.
    232  *
    233  * The default charset is based on the charset used on the blog. The charset can
    234  * be set using the 'wp_mail_charset' filter.
    235  *
    236143 * @since 1.2.1
    237  * @uses apply_filters() Calls 'wp_mail' hook on an array of all of the parameters.
    238  * @uses apply_filters() Calls 'wp_mail_from' hook to get the from email address.
    239  * @uses apply_filters() Calls 'wp_mail_from_name' hook to get the from address name.
    240  * @uses apply_filters() Calls 'wp_mail_content_type' hook to get the email content type.
    241  * @uses apply_filters() Calls 'wp_mail_charset' hook to get the email charset
    242  * @uses do_action_ref_array() Calls 'phpmailer_init' hook on the reference to
    243  *              phpmailer object.
    244  * @uses PHPMailer
    245  * @
    246144 *
    247145 * @param string $to Email address to send message
    248146 * @param string $subject Email subject
     
    252150 * @return bool Whether the email contents were sent successfully.
    253151 */
    254152function wp_mail( $to, $subject, $message, $headers = '', $attachments = array() ) {
    255         // Compact the input, apply the filters, and extract them back out
    256         extract( apply_filters( 'wp_mail', compact( 'to', 'subject', 'message', 'headers', 'attachments' ) ) );
    257 
    258         if ( !is_array($attachments) )
    259                 $attachments = explode( "\n", $attachments );
    260 
    261         global $phpmailer;
    262 
    263         // (Re)create it, if it's gone missing
    264         if ( !is_object( $phpmailer ) || !is_a( $phpmailer, 'PHPMailer' ) ) {
    265                 require_once ABSPATH . WPINC . '/class-phpmailer.php';
    266                 require_once ABSPATH . WPINC . '/class-smtp.php';
    267                 $phpmailer = new PHPMailer();
    268         }
    269 
    270         // Headers
    271         if ( empty( $headers ) ) {
    272                 $headers = array();
    273         } else {
    274                 if ( !is_array( $headers ) ) {
    275                         // Explode the headers out, so this function can take both
    276                         // string headers and an array of headers.
    277                         $tempheaders = (array) explode( "\n", $headers );
    278                 } else {
    279                         $tempheaders = $headers;
    280                 }
    281                 $headers = array();
    282 
    283                 // If it's actually got contents
    284                 if ( !empty( $tempheaders ) ) {
    285                         // Iterate through the raw headers
    286                         foreach ( (array) $tempheaders as $header ) {
    287                                 if ( strpos($header, ':') === false )
    288                                         continue;
    289                                 // Explode them out
    290                                 list( $name, $content ) = explode( ':', trim( $header ), 2 );
    291 
    292                                 // Cleanup crew
    293                                 $name = trim( $name );
    294                                 $content = trim( $content );
    295 
    296                                 // Mainly for legacy -- process a From: header if it's there
    297                                 if ( 'from' == strtolower($name) ) {
    298                                         if ( strpos($content, '<' ) !== false ) {
    299                                                 // So... making my life hard again?
    300                                                 $from_name = substr( $content, 0, strpos( $content, '<' ) - 1 );
    301                                                 $from_name = str_replace( '"', '', $from_name );
    302                                                 $from_name = trim( $from_name );
    303 
    304                                                 $from_email = substr( $content, strpos( $content, '<' ) + 1 );
    305                                                 $from_email = str_replace( '>', '', $from_email );
    306                                                 $from_email = trim( $from_email );
    307                                         } else {
    308                                                 $from_email = trim( $content );
    309                                         }
    310                                 } elseif ( 'content-type' == strtolower($name) ) {
    311                                         if ( strpos( $content,';' ) !== false ) {
    312                                                 list( $type, $charset ) = explode( ';', $content );
    313                                                 $content_type = trim( $type );
    314                                                 $charset = trim( str_replace( array( 'charset=', '"' ), '', $charset ) );
    315                                         } else {
    316                                                 $content_type = trim( $content );
    317                                         }
    318                                 } elseif ( 'cc' == strtolower($name) ) {
    319                                         $cc = explode(",", $content);
    320                                 } elseif ( 'bcc' == strtolower($name) ) {
    321                                         $bcc = explode(",", $content);
    322                                 } else {
    323                                         // Add it to our grand headers array
    324                                         $headers[trim( $name )] = trim( $content );
    325                                 }
    326                         }
    327                 }
    328         }
    329 
    330         // Empty out the values that may be set
    331         $phpmailer->ClearAddresses();
    332         $phpmailer->ClearAllRecipients();
    333         $phpmailer->ClearAttachments();
    334         $phpmailer->ClearBCCs();
    335         $phpmailer->ClearCCs();
    336         $phpmailer->ClearCustomHeaders();
    337         $phpmailer->ClearReplyTos();
    338 
    339         // From email and name
    340         // If we don't have a name from the input headers
    341         if ( !isset( $from_name ) ) {
    342                 $from_name = 'WordPress';
    343         }
    344 
    345         /* If we don't have an email from the input headers default to wordpress@$sitename
    346          * Some hosts will block outgoing mail from this address if it doesn't exist but
    347          * there's no easy alternative. Defaulting to admin_email might appear to be another
    348          * option but some hosts may refuse to relay mail from an unknown domain. See
    349          * http://trac.wordpress.org/ticket/5007.
    350          */
    351 
    352         if ( !isset( $from_email ) ) {
    353                 // Get the site domain and get rid of www.
    354                 $sitename = strtolower( $_SERVER['SERVER_NAME'] );
    355                 if ( substr( $sitename, 0, 4 ) == 'www.' ) {
    356                         $sitename = substr( $sitename, 4 );
    357                 }
    358 
    359                 $from_email = 'wordpress@' . $sitename;
    360         }
    361 
    362         // Plugin authors can override the potentially troublesome default
    363         $phpmailer->From = apply_filters( 'wp_mail_from', $from_email );
    364         $phpmailer->FromName = apply_filters( 'wp_mail_from_name', $from_name );
    365 
    366         // Set destination address
    367         $phpmailer->AddAddress( $to );
    368 
    369         // Set mail's subject and body
    370         $phpmailer->Subject = $subject;
    371         $phpmailer->Body = $message;
    372 
    373         // Add any CC and BCC recipients
    374         if ( !empty($cc) ) {
    375                 foreach ( (array) $cc as $recipient ) {
    376                         $phpmailer->AddCc( trim($recipient) );
    377                 }
    378         }
    379         if ( !empty($bcc) ) {
    380                 foreach ( (array) $bcc as $recipient) {
    381                         $phpmailer->AddBcc( trim($recipient) );
    382                 }
    383         }
    384 
    385         // Set to use PHP's mail()
    386         $phpmailer->IsMail();
    387 
    388         // Set Content-Type and charset
    389         // If we don't have a content-type from the input headers
    390         if ( !isset( $content_type ) ) {
    391                 $content_type = 'text/plain';
    392         }
    393 
    394         $content_type = apply_filters( 'wp_mail_content_type', $content_type );
    395 
    396         // Set whether it's plaintext or not, depending on $content_type
    397         if ( $content_type == 'text/html' ) {
    398                 $phpmailer->IsHTML( true );
    399         } else {
    400                 $phpmailer->IsHTML( false );
    401         }
    402 
    403         // If we don't have a charset from the input headers
    404         if ( !isset( $charset ) ) {
    405                 $charset = get_bloginfo( 'charset' );
    406         }
    407 
    408         // Set the content-type and charset
    409         $phpmailer->CharSet = apply_filters( 'wp_mail_charset', $charset );
    410 
    411         // Set custom headers
    412         if ( !empty( $headers ) ) {
    413                 foreach( (array) $headers as $name => $content ) {
    414                         $phpmailer->AddCustomHeader( sprintf( '%1$s: %2$s', $name, $content ) );
    415                 }
    416         }
    417 
    418         if ( !empty( $attachments ) ) {
    419                 foreach ( $attachments as $attachment ) {
    420                         $phpmailer->AddAttachment($attachment);
    421                 }
    422         }
    423 
    424         do_action_ref_array( 'phpmailer_init', array( &$phpmailer ) );
    425 
    426         // Send!
    427         $result = @$phpmailer->Send();
    428 
    429         return $result;
     153        return _wp_mail( $to, $subject, $message, $headers, $attachments );
    430154}
    431155endif;
    432156
     
    434158/**
    435159 * Checks a user's login information and logs them in if it checks out.
    436160 *
     161 * @see _wp_authenticate()
     162 *
    437163 * @since 2.5.0
    438164 *
    439165 * @param string $username User's username
    440166 * @param string $password User's password
    441167 * @return WP_Error|WP_User WP_User object if login successful, otherwise WP_Error object.
    442168 */
    443 function wp_authenticate($username, $password) {
    444         $username = sanitize_user($username);
    445         $password = trim($password);
    446 
    447         $user = apply_filters('authenticate', null, $username, $password);
    448 
    449         if ( $user == null ) {
    450                 // TODO what should the error message be? (Or would these even happen?)
    451                 // Only needed if all authentication handlers fail to return anything.
    452                 $user = new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Invalid username or incorrect password.'));
    453         }
    454 
    455         $ignore_codes = array('empty_username', 'empty_password');
    456 
    457         if (is_wp_error($user) && !in_array($user->get_error_code(), $ignore_codes) ) {
    458                 do_action('wp_login_failed', $username);
    459         }
    460 
    461         return $user;
     169function wp_authenticate( $username, $password ) {
     170        return _wp_authenticate( $username, $password );
    462171}
    463172endif;
    464173
     
    466175/**
    467176 * Log the current user out.
    468177 *
     178 * @see _wp_logout()
     179 *
    469180 * @since 2.5.0
    470181 */
    471182function wp_logout() {
    472         wp_clear_auth_cookie();
    473         do_action('wp_logout');
     183        _wp_logout();
    474184}
    475185endif;
    476186
     
    478188/**
    479189 * Validates authentication cookie.
    480190 *
    481  * The checks include making sure that the authentication cookie is set and
    482  * pulling in the contents (if $cookie is not used).
     191 * @see _wp_authenticate()
    483192 *
    484  * Makes sure the cookie is not expired. Verifies the hash in cookie is what is
    485  * should be and compares the two.
    486  *
    487193 * @since 2.5
    488194 *
    489195 * @param string $cookie Optional. If used, will validate contents instead of cookie's
    490196 * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
    491197 * @return bool|int False if invalid cookie, User ID if valid.
    492198 */
    493 function wp_validate_auth_cookie($cookie = '', $scheme = '') {
    494         if ( ! $cookie_elements = wp_parse_auth_cookie($cookie, $scheme) ) {
    495                 do_action('auth_cookie_malformed', $cookie, $scheme);
    496                 return false;
    497         }
    498 
    499         extract($cookie_elements, EXTR_OVERWRITE);
    500 
    501         $expired = $expiration;
    502 
    503         // Allow a grace period for POST and AJAX requests
    504         if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] )
    505                 $expired += 3600;
    506 
    507         // Quick check to see if an honest cookie has expired
    508         if ( $expired < time() ) {
    509                 do_action('auth_cookie_expired', $cookie_elements);
    510                 return false;
    511         }
    512 
    513         $user = get_userdatabylogin($username);
    514         if ( ! $user ) {
    515                 do_action('auth_cookie_bad_username', $cookie_elements);
    516                 return false;
    517         }
    518 
    519         $pass_frag = substr($user->user_pass, 8, 4);
    520 
    521         $key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);
    522         $hash = hash_hmac('md5', $username . '|' . $expiration, $key);
    523 
    524         if ( $hmac != $hash ) {
    525                 do_action('auth_cookie_bad_hash', $cookie_elements);
    526                 return false;
    527         }
    528 
    529         do_action('auth_cookie_valid', $cookie_elements, $user);
    530 
    531         return $user->ID;
     199function wp_validate_auth_cookie( $cookie = '', $scheme = '' ) {
     200        return _wp_validate_auth_cookie( $cookie, $scheme );
    532201}
    533202endif;
    534203
     
    536205/**
    537206 * Generate authentication cookie contents.
    538207 *
     208 * @see _wp_generate_auth_cookie()
     209 *
    539210 * @since 2.5
    540  * @uses apply_filters() Calls 'auth_cookie' hook on $cookie contents, User ID
    541  *              and expiration of cookie.
    542211 *
    543212 * @param int $user_id User ID
    544213 * @param int $expiration Cookie expiration in seconds
    545214 * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
    546215 * @return string Authentication cookie contents
    547216 */
    548 function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') {
    549         $user = get_userdata($user_id);
    550 
    551         $pass_frag = substr($user->user_pass, 8, 4);
    552 
    553         $key = wp_hash($user->user_login . $pass_frag . '|' . $expiration, $scheme);
    554         $hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);
    555 
    556         $cookie = $user->user_login . '|' . $expiration . '|' . $hash;
    557 
    558         return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $scheme);
     217function wp_generate_auth_cookie( $user_id, $expiration, $scheme = 'auth' ) {
     218        return _wp_generate_auth_cookie( $user_id, $expiration, $scheme );
    559219}
    560220endif;
    561221
     
    563223/**
    564224 * Parse a cookie into its components
    565225 *
     226 * @see _wp_parse_auth_cookie()
     227 *
    566228 * @since 2.7
    567229 *
    568230 * @param string $cookie
    569231 * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
    570232 * @return array Authentication cookie components
    571233 */
    572 function wp_parse_auth_cookie($cookie = '', $scheme = '') {
    573         if ( empty($cookie) ) {
    574                 switch ($scheme){
    575                         case 'auth':
    576                                 $cookie_name = AUTH_COOKIE;
    577                                 break;
    578                         case 'secure_auth':
    579                                 $cookie_name = SECURE_AUTH_COOKIE;
    580                                 break;
    581                         case "logged_in":
    582                                 $cookie_name = LOGGED_IN_COOKIE;
    583                                 break;
    584                         default:
    585                                 if ( is_ssl() ) {
    586                                         $cookie_name = SECURE_AUTH_COOKIE;
    587                                         $scheme = 'secure_auth';
    588                                 } else {
    589                                         $cookie_name = AUTH_COOKIE;
    590                                         $scheme = 'auth';
    591                                 }
    592             }
    593 
    594                 if ( empty($_COOKIE[$cookie_name]) )
    595                         return false;
    596                 $cookie = $_COOKIE[$cookie_name];
    597         }
    598 
    599         $cookie_elements = explode('|', $cookie);
    600         if ( count($cookie_elements) != 3 )
    601                 return false;
    602 
    603         list($username, $expiration, $hmac) = $cookie_elements;
    604 
    605         return compact('username', 'expiration', 'hmac', 'scheme');
     234function wp_parse_auth_cookie( $cookie = '', $scheme = '' ) {
     235        return _wp_parse_auth_cookie( $cookie, $scheme );
    606236}
    607237endif;
    608238
     
    614244 * default the cookie is kept without remembering is two days. When $remember is
    615245 * set, the cookies will be kept for 14 days or two weeks.
    616246 *
     247 * @see _wp_set_auth_cookie()
     248 *
    617249 * @since 2.5
    618250 *
    619251 * @param int $user_id User ID
    620252 * @param bool $remember Whether to remember the user or not
    621253 */
    622 function wp_set_auth_cookie($user_id, $remember = false, $secure = '') {
    623         if ( $remember ) {
    624                 $expiration = $expire = time() + apply_filters('auth_cookie_expiration', 1209600, $user_id, $remember);
    625         } else {
    626                 $expiration = time() + apply_filters('auth_cookie_expiration', 172800, $user_id, $remember);
    627                 $expire = 0;
    628         }
    629 
    630         if ( '' === $secure )
    631                 $secure = is_ssl() ? true : false;
    632 
    633         if ( $secure ) {
    634                 $auth_cookie_name = SECURE_AUTH_COOKIE;
    635                 $scheme = 'secure_auth';
    636         } else {
    637                 $auth_cookie_name = AUTH_COOKIE;
    638                 $scheme = 'auth';
    639         }
    640 
    641         $auth_cookie = wp_generate_auth_cookie($user_id, $expiration, $scheme);
    642         $logged_in_cookie = wp_generate_auth_cookie($user_id, $expiration, 'logged_in');
    643 
    644         do_action('set_auth_cookie', $auth_cookie, $expire, $expiration, $user_id, $scheme);
    645         do_action('set_logged_in_cookie', $logged_in_cookie, $expire, $expiration, $user_id, 'logged_in');
    646 
    647         // Set httponly if the php version is >= 5.2.0
    648         if ( version_compare(phpversion(), '5.2.0', 'ge') ) {
    649                 setcookie($auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
    650                 setcookie($auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
    651                 setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, false, true);
    652                 if ( COOKIEPATH != SITECOOKIEPATH )
    653                         setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, false, true);
    654         } else {
    655                 $cookie_domain = COOKIE_DOMAIN;
    656                 if ( !empty($cookie_domain) )
    657                         $cookie_domain .= '; HttpOnly';
    658                 setcookie($auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, $cookie_domain, $secure);
    659                 setcookie($auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, $cookie_domain, $secure);
    660                 setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, $cookie_domain);
    661                 if ( COOKIEPATH != SITECOOKIEPATH )
    662                         setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, $cookie_domain);
    663         }
     254function wp_set_auth_cookie( $user_id, $remember = false, $secure = '' ) {
     255        _wp_set_auth_cookie( $user_id, $remember, $secure );
    664256}
    665257endif;
    666258
     
    668260/**
    669261 * Removes all of the cookies associated with authentication.
    670262 *
     263 * @see _wp_clear_auth_cookie()
     264 *
    671265 * @since 2.5
    672266 */
    673267function wp_clear_auth_cookie() {
    674         do_action('clear_auth_cookie');
    675 
    676         setcookie(AUTH_COOKIE, ' ', time() - 31536000, ADMIN_COOKIE_PATH, COOKIE_DOMAIN);
    677         setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, ADMIN_COOKIE_PATH, COOKIE_DOMAIN);
    678         setcookie(AUTH_COOKIE, ' ', time() - 31536000, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN);
    679         setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN);
    680         setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
    681         setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
    682 
    683         // Old cookies
    684         setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
    685         setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
    686         setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
    687         setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
    688 
    689         // Even older cookies
    690         setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
    691         setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
    692         setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
    693         setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
     268        _wp_clear_auth_cookie();
    694269}
    695270endif;
    696271
     
    698273/**
    699274 * Checks if the current visitor is a logged in user.
    700275 *
     276 * @see _is_user_logged_in()
     277 *
    701278 * @since 2.0.0
    702279 *
    703280 * @return bool True if user is logged in, false if not logged in.
    704281 */
    705282function is_user_logged_in() {
    706         $user = wp_get_current_user();
    707 
    708         if ( $user->id == 0 )
    709                 return false;
    710 
    711         return true;
     283        return _is_user_logged_in();
    712284}
    713285endif;
    714286
     
    716288/**
    717289 * Checks if a user is logged in, if not it redirects them to the login page.
    718290 *
     291 * @see _auth_redirect()
     292 *
    719293 * @since 1.5
    720294 */
    721295function auth_redirect() {
    722         // Checks if a user is logged in, if not redirects them to the login page
    723 
    724         if ( is_ssl() || force_ssl_admin() )
    725                 $secure = true;
    726         else
    727                 $secure = false;
    728 
    729         // If https is required and request is http, redirect
    730         if ( $secure && !is_ssl() && false !== strpos($_SERVER['REQUEST_URI'], 'wp-admin') ) {
    731                 if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
    732                         wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
    733                         exit();
    734                 } else {
    735                         wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    736                         exit();
    737                 }
    738         }
    739 
    740         if ( $user_id = wp_validate_auth_cookie() ) {
    741                 do_action('auth_redirect', $user_id);
    742 
    743                 // If the user wants ssl but the session is not ssl, redirect.
    744                 if ( !$secure && get_user_option('use_ssl', $user_id) && false !== strpos($_SERVER['REQUEST_URI'], 'wp-admin') ) {
    745                         if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
    746                                 wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
    747                                 exit();
    748                         } else {
    749                                 wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    750                                 exit();
    751                         }
    752                 }
    753 
    754                 return;  // The cookie is good so we're done
    755         }
    756 
    757         // The cookie is no good so force login
    758         nocache_headers();
    759 
    760         if ( is_ssl() )
    761                 $proto = 'https://';
    762         else
    763                 $proto = 'http://';
    764 
    765         $redirect = ( strpos($_SERVER['REQUEST_URI'], '/options.php') && wp_get_referer() ) ? wp_get_referer() : $proto . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    766 
    767         $login_url = wp_login_url($redirect);
    768 
    769         wp_redirect($login_url);
    770         exit();
     296        _auth_redirect();
    771297}
    772298endif;
    773299
     
    777303 *
    778304 * To avoid security exploits.
    779305 *
     306 * @see _check_admin_referer()
     307 *
    780308 * @since 1.2.0
    781  * @uses do_action() Calls 'check_admin_referer' on $action.
    782309 *
    783310 * @param string $action Action nonce
    784311 * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
    785312 */
    786 function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
    787         $adminurl = strtolower(admin_url());
    788         $referer = strtolower(wp_get_referer());
    789         $result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;
    790         if ( !$result && !(-1 == $action && strpos($referer, $adminurl) !== false) ) {
    791                 wp_nonce_ays($action);
    792                 die();
    793         }
    794         do_action('check_admin_referer', $action, $result);
    795         return $result;
    796 }endif;
     313function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
     314        return _check_admin_referer( $action, $query_arg );
     315}
     316endif;
    797317
    798318if ( !function_exists('check_ajax_referer') ) :
    799319/**
    800320 * Verifies the AJAX request to prevent processing requests external of the blog.
    801321 *
     322 * @see _check_ajax_referer()
     323 *
    802324 * @since 2.0.3
    803325 *
    804326 * @param string $action Action nonce
    805327 * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
    806328 */
    807329function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
    808         if ( $query_arg )
    809                 $nonce = $_REQUEST[$query_arg];
    810         else
    811                 $nonce = $_REQUEST['_ajax_nonce'] ? $_REQUEST['_ajax_nonce'] : $_REQUEST['_wpnonce'];
    812 
    813         $result = wp_verify_nonce( $nonce, $action );
    814 
    815         if ( $die && false == $result )
    816                 die('-1');
    817 
    818         do_action('check_ajax_referer', $action, $result);
    819 
    820         return $result;
     330        return _check_ajax_referer( $action, $query_arg, $die );
    821331}
    822332endif;
    823333
    824334if ( !function_exists('wp_redirect') ) :
    825335/**
    826  * Redirects to another page, with a workaround for the IIS Set-Cookie bug.
     336 * Redirects to another page.
    827337 *
    828  * @link http://support.microsoft.com/kb/q176113/
     338 * @see _wp_redirect()
     339 *
    829340 * @since 1.5.1
    830  * @uses apply_filters() Calls 'wp_redirect' hook on $location and $status.
    831341 *
    832342 * @param string $location The path to redirect to
    833343 * @param int $status Status code to use
    834344 * @return bool False if $location is not set
    835345 */
    836 function wp_redirect($location, $status = 302) {
    837         global $is_IIS;
    838 
    839         $location = apply_filters('wp_redirect', $location, $status);
    840         $status = apply_filters('wp_redirect_status', $status, $location);
    841 
    842         if ( !$location ) // allows the wp_redirect filter to cancel a redirect
    843                 return false;
    844 
    845         $location = wp_sanitize_redirect($location);
    846 
    847         if ( $is_IIS ) {
    848                 header("Refresh: 0;url=$location");
    849         } else {
    850                 if ( php_sapi_name() != 'cgi-fcgi' )
    851                         status_header($status); // This causes problems on IIS and some FastCGI setups
    852                 header("Location: $location");
    853         }
     346function wp_redirect( $location, $status = 302 ) {
     347        _wp_redirect( $location, $status );
    854348}
    855349endif;
    856350
     
    858352/**
    859353 * Sanitizes a URL for use in a redirect.
    860354 *
     355 * @see _wp_sanitize_redirect()
     356 *
    861357 * @since 2.3
    862358 *
    863359 * @return string redirect-sanitized URL
    864360 **/
    865 function wp_sanitize_redirect($location) {
    866         $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location);
    867         $location = wp_kses_no_null($location);
    868 
    869         // remove %0d and %0a from location
    870         $strip = array('%0d', '%0a');
    871         $found = true;
    872         while($found) {
    873                 $found = false;
    874                 foreach( (array) $strip as $val ) {
    875                         while(strpos($location, $val) !== false) {
    876                                 $found = true;
    877                                 $location = str_replace($val, '', $location);
    878                         }
    879                 }
    880         }
    881         return $location;
     361function wp_sanitize_redirect( $location ) {
     362        return _wp_sanitize_redirect( $location );
    882363}
    883364endif;
    884365
     
    894375 * instead. This prevents malicious redirects which redirect to another host,
    895376 * but only used in a few places.
    896377 *
     378 * @see _wp_safe_redirect()
     379 *
    897380 * @since 2.3
    898381 * @uses apply_filters() Calls 'allowed_redirect_hosts' on an array containing
    899382 *              WordPress host string and $location host string.
    900383 *
    901384 * @return void Does not return anything
    902385 **/
    903 function wp_safe_redirect($location, $status = 302) {
    904 
    905         // Need to look at the URL the way it will end up in wp_redirect()
    906         $location = wp_sanitize_redirect($location);
    907 
    908         // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
    909         if ( substr($location, 0, 2) == '//' )
    910                 $location = 'http:' . $location;
    911 
    912         // In php 5 parse_url may fail if the URL query part contains http://, bug #38143
    913         $test = ( $cut = strpos($location, '?') ) ? substr( $location, 0, $cut ) : $location;
    914 
    915         $lp  = parse_url($test);
    916         $wpp = parse_url(get_option('home'));
    917 
    918         $allowed_hosts = (array) apply_filters('allowed_redirect_hosts', array($wpp['host']), isset($lp['host']) ? $lp['host'] : '');
    919 
    920         if ( isset($lp['host']) && ( !in_array($lp['host'], $allowed_hosts) && $lp['host'] != strtolower($wpp['host'])) )
    921                 $location = admin_url();
    922 
    923         wp_redirect($location, $status);
     386function wp_safe_redirect( $location, $status = 302 ) {
     387        _wp_safe_redirect( $location, $status );
    924388}
    925389endif;
    926390
    927 if ( ! function_exists('wp_notify_postauthor') ) :
     391if ( !function_exists('wp_notify_postauthor') ) :
    928392/**
    929393 * Notify an author of a comment/trackback/pingback to one of their posts.
    930394 *
     395 * @see _wp_notify_postauthor()
     396 *
    931397 * @since 1.0.0
    932398 *
    933399 * @param int $comment_id Comment ID
    934400 * @param string $comment_type Optional. The comment type either 'comment' (default), 'trackback', or 'pingback'
    935401 * @return bool False if user email does not exist. True on completion.
    936402 */
    937 function wp_notify_postauthor($comment_id, $comment_type='') {
    938         $comment = get_comment($comment_id);
    939         $post    = get_post($comment->comment_post_ID);
    940         $user    = get_userdata( $post->post_author );
    941         $current_user = wp_get_current_user();
    942        
    943         if ( $current_user->ID == $user->ID ) return false; // The author moderated a comment on his own post
    944 
    945         if ('' == $user->user_email) return false; // If there's no email to send the comment to
    946 
    947         $comment_author_domain = @gethostbyaddr($comment->comment_author_IP);
    948 
    949         $blogname = get_option('blogname');
    950 
    951         if ( empty( $comment_type ) ) $comment_type = 'comment';
    952 
    953         if ('comment' == $comment_type) {
    954                 $notify_message  = sprintf( __('New comment on your post #%1$s "%2$s"'), $comment->comment_post_ID, $post->post_title ) . "\r\n";
    955                 $notify_message .= sprintf( __('Author : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
    956                 $notify_message .= sprintf( __('E-mail : %s'), $comment->comment_author_email ) . "\r\n";
    957                 $notify_message .= sprintf( __('URL    : %s'), $comment->comment_author_url ) . "\r\n";
    958                 $notify_message .= sprintf( __('Whois  : http://ws.arin.net/cgi-bin/whois.pl?queryinput=%s'), $comment->comment_author_IP ) . "\r\n";
    959                 $notify_message .= __('Comment: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
    960                 $notify_message .= __('You can see all comments on this post here: ') . "\r\n";
    961                 $subject = sprintf( __('[%1$s] Comment: "%2$s"'), $blogname, $post->post_title );
    962         } elseif ('trackback' == $comment_type) {
    963                 $notify_message  = sprintf( __('New trackback on your post #%1$s "%2$s"'), $comment->comment_post_ID, $post->post_title ) . "\r\n";
    964                 $notify_message .= sprintf( __('Website: %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
    965                 $notify_message .= sprintf( __('URL    : %s'), $comment->comment_author_url ) . "\r\n";
    966                 $notify_message .= __('Excerpt: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
    967                 $notify_message .= __('You can see all trackbacks on this post here: ') . "\r\n";
    968                 $subject = sprintf( __('[%1$s] Trackback: "%2$s"'), $blogname, $post->post_title );
    969         } elseif ('pingback' == $comment_type) {
    970                 $notify_message  = sprintf( __('New pingback on your post #%1$s "%2$s"'), $comment->comment_post_ID, $post->post_title ) . "\r\n";
    971                 $notify_message .= sprintf( __('Website: %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
    972                 $notify_message .= sprintf( __('URL    : %s'), $comment->comment_author_url ) . "\r\n";
    973                 $notify_message .= __('Excerpt: ') . "\r\n" . sprintf('[...] %s [...]', $comment->comment_content ) . "\r\n\r\n";
    974                 $notify_message .= __('You can see all pingbacks on this post here: ') . "\r\n";
    975                 $subject = sprintf( __('[%1$s] Pingback: "%2$s"'), $blogname, $post->post_title );
    976         }
    977         $notify_message .= get_permalink($comment->comment_post_ID) . "#comments\r\n\r\n";
    978         $notify_message .= sprintf( __('Delete it: %s'), admin_url("comment.php?action=cdc&c=$comment_id") ) . "\r\n";
    979         $notify_message .= sprintf( __('Spam it: %s'), admin_url("comment.php?action=cdc&dt=spam&c=$comment_id") ) . "\r\n";
    980 
    981         $wp_email = 'wordpress@' . preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME']));
    982 
    983         if ( '' == $comment->comment_author ) {
    984                 $from = "From: \"$blogname\" <$wp_email>";
    985                 if ( '' != $comment->comment_author_email )
    986                         $reply_to = "Reply-To: $comment->comment_author_email";
    987         } else {
    988                 $from = "From: \"$comment->comment_author\" <$wp_email>";
    989                 if ( '' != $comment->comment_author_email )
    990                         $reply_to = "Reply-To: \"$comment->comment_author_email\" <$comment->comment_author_email>";
    991         }
    992 
    993         $message_headers = "$from\n"
    994                 . "Content-Type: text/plain; charset=\"" . get_option('blog_charset') . "\"\n";
    995 
    996         if ( isset($reply_to) )
    997                 $message_headers .= $reply_to . "\n";
    998 
    999         $notify_message = apply_filters('comment_notification_text', $notify_message, $comment_id);
    1000         $subject = apply_filters('comment_notification_subject', $subject, $comment_id);
    1001         $message_headers = apply_filters('comment_notification_headers', $message_headers, $comment_id);
    1002 
    1003         @wp_mail($user->user_email, $subject, $notify_message, $message_headers);
    1004 
    1005         return true;
     403function wp_notify_postauthor( $comment_id, $comment_type = '' ) {
     404        return _wp_notify_postauthor( $comment_id, $comment_type );
    1006405}
    1007406endif;
    1008407
     
    1010409/**
    1011410 * Notifies the moderator of the blog about a new comment that is awaiting approval.
    1012411 *
     412 * @see _wp_notify_moderator()
     413 *
    1013414 * @since 1.0
    1014  * @uses $wpdb
    1015415 *
    1016416 * @param int $comment_id Comment ID
    1017417 * @return bool Always returns true
    1018418 */
    1019 function wp_notify_moderator($comment_id) {
    1020         global $wpdb;
    1021 
    1022         if( get_option( "moderation_notify" ) == 0 )
    1023                 return true;
    1024 
    1025         $comment = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_ID=%d LIMIT 1", $comment_id));
    1026         $post = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID=%d LIMIT 1", $comment->comment_post_ID));
    1027 
    1028         $comment_author_domain = @gethostbyaddr($comment->comment_author_IP);
    1029         $comments_waiting = $wpdb->get_var("SELECT count(comment_ID) FROM $wpdb->comments WHERE comment_approved = '0'");
    1030 
    1031         switch ($comment->comment_type)
    1032         {
    1033                 case 'trackback':
    1034                         $notify_message  = sprintf( __('A new trackback on the post #%1$s "%2$s" is waiting for your approval'), $post->ID, $post->post_title ) . "\r\n";
    1035                         $notify_message .= get_permalink($comment->comment_post_ID) . "\r\n\r\n";
    1036                         $notify_message .= sprintf( __('Website : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
    1037                         $notify_message .= sprintf( __('URL    : %s'), $comment->comment_author_url ) . "\r\n";
    1038                         $notify_message .= __('Trackback excerpt: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
    1039                         break;
    1040                 case 'pingback':
    1041                         $notify_message  = sprintf( __('A new pingback on the post #%1$s "%2$s" is waiting for your approval'), $post->ID, $post->post_title ) . "\r\n";
    1042                         $notify_message .= get_permalink($comment->comment_post_ID) . "\r\n\r\n";
    1043                         $notify_message .= sprintf( __('Website : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
    1044                         $notify_message .= sprintf( __('URL    : %s'), $comment->comment_author_url ) . "\r\n";
    1045                         $notify_message .= __('Pingback excerpt: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
    1046                         break;
    1047                 default: //Comments
    1048                         $notify_message  = sprintf( __('A new comment on the post #%1$s "%2$s" is waiting for your approval'), $post->ID, $post->post_title ) . "\r\n";
    1049                         $notify_message .= get_permalink($comment->comment_post_ID) . "\r\n\r\n";
    1050                         $notify_message .= sprintf( __('Author : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
    1051                         $notify_message .= sprintf( __('E-mail : %s'), $comment->comment_author_email ) . "\r\n";
    1052                         $notify_message .= sprintf( __('URL    : %s'), $comment->comment_author_url ) . "\r\n";
    1053                         $notify_message .= sprintf( __('Whois  : http://ws.arin.net/cgi-bin/whois.pl?queryinput=%s'), $comment->comment_author_IP ) . "\r\n";
    1054                         $notify_message .= __('Comment: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
    1055                         break;
    1056         }
    1057 
    1058         $notify_message .= sprintf( __('Approve it: %s'),  admin_url("comment.php?action=mac&c=$comment_id") ) . "\r\n";
    1059         $notify_message .= sprintf( __('Delete it: %s'), admin_url("comment.php?action=cdc&c=$comment_id") ) . "\r\n";
    1060         $notify_message .= sprintf( __('Spam it: %s'), admin_url("comment.php?action=cdc&dt=spam&c=$comment_id") ) . "\r\n";
    1061 
    1062         $notify_message .= sprintf( _n('Currently %s comment is waiting for approval. Please visit the moderation panel:',
    1063                 'Currently %s comments are waiting for approval. Please visit the moderation panel:', $comments_waiting), number_format_i18n($comments_waiting) ) . "\r\n";
    1064         $notify_message .= admin_url("edit-comments.php?comment_status=moderated") . "\r\n";
    1065 
    1066         $subject = sprintf( __('[%1$s] Please moderate: "%2$s"'), get_option('blogname'), $post->post_title );
    1067         $admin_email = get_option('admin_email');
    1068 
    1069         $notify_message = apply_filters('comment_moderation_text', $notify_message, $comment_id);
    1070         $subject = apply_filters('comment_moderation_subject', $subject, $comment_id);
    1071 
    1072         @wp_mail($admin_email, $subject, $notify_message);
    1073 
    1074         return true;
     419function wp_notify_moderator( $comment_id ) {
     420        return _wp_notify_moderator( $comment_id );
    1075421}
    1076422endif;
    1077423
     
    1079425/**
    1080426 * Notify the blog admin of a user changing password, normally via email.
    1081427 *
     428 * @see _wp_password_change_notification()
     429 *
    1082430 * @since 2.7
    1083431 *
    1084432 * @param object $user User Object
    1085433 */
    1086 function wp_password_change_notification(&$user) {
    1087         // send a copy of password change notification to the admin
    1088         // but check to see if it's the admin whose password we're changing, and skip this
    1089         if ( $user->user_email != get_option('admin_email') ) {
    1090                 $message = sprintf(__('Password Lost and Changed for user: %s'), $user->user_login) . "\r\n";
    1091                 wp_mail(get_option('admin_email'), sprintf(__('[%s] Password Lost/Changed'), get_option('blogname')), $message);
    1092         }
     434function wp_password_change_notification( &$user ) {
     435        _wp_password_change_notification( $user );
    1093436}
    1094437endif;
    1095438
     
    1097440/**
    1098441 * Notify the blog admin of a new user, normally via email.
    1099442 *
     443 * @see _wp_new_user_notification()
     444 *
    1100445 * @since 2.0
    1101446 *
    1102447 * @param int $user_id User ID
    1103448 * @param string $plaintext_pass Optional. The user's plaintext password
    1104449 */
    1105 function wp_new_user_notification($user_id, $plaintext_pass = '') {
    1106         $user = new WP_User($user_id);
    1107 
    1108         $user_login = stripslashes($user->user_login);
    1109         $user_email = stripslashes($user->user_email);
    1110 
    1111         $message  = sprintf(__('New user registration on your blog %s:'), get_option('blogname')) . "\r\n\r\n";
    1112         $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
    1113         $message .= sprintf(__('E-mail: %s'), $user_email) . "\r\n";
    1114 
    1115         @wp_mail(get_option('admin_email'), sprintf(__('[%s] New User Registration'), get_option('blogname')), $message);
    1116 
    1117         if ( empty($plaintext_pass) )
    1118                 return;
    1119 
    1120         $message  = sprintf(__('Username: %s'), $user_login) . "\r\n";
    1121         $message .= sprintf(__('Password: %s'), $plaintext_pass) . "\r\n";
    1122         $message .= wp_login_url() . "\r\n";
    1123 
    1124         wp_mail($user_email, sprintf(__('[%s] Your username and password'), get_option('blogname')), $message);
    1125 
     450function wp_new_user_notification( $user_id, $plaintext_pass = '' ) {
     451        _wp_new_user_notification( $user_id, $plaintext_pass );
    1126452}
    1127453endif;
    1128454
     
    1130456/**
    1131457 * Get the time-dependent variable for nonce creation.
    1132458 *
    1133  * A nonce has a lifespan of two ticks. Nonces in their second tick may be
    1134  * updated, e.g. by autosave.
     459 * @see _wp_nonce_tick()
    1135460 *
    1136461 * @since 2.5
    1137462 *
    1138463 * @return int
    1139464 */
    1140465function wp_nonce_tick() {
    1141         $nonce_life = apply_filters('nonce_life', 86400);
    1142 
    1143         return ceil(time() / ( $nonce_life / 2 ));
     466        return _wp_nonce_tick();
    1144467}
    1145468endif;
    1146469
     
    1151474 * The user is given an amount of time to use the token, so therefore, since the
    1152475 * UID and $action remain the same, the independent variable is the time.
    1153476 *
     477 * @see _wp_verify_nonce()
     478 *
    1154479 * @since 2.0.3
    1155480 *
    1156481 * @param string $nonce Nonce that was used in the form to verify
    1157482 * @param string|int $action Should give context to what is taking place and be the same when nonce was created.
    1158483 * @return bool Whether the nonce check passed or failed.
    1159484 */
    1160 function wp_verify_nonce($nonce, $action = -1) {
    1161         $user = wp_get_current_user();
    1162         $uid = (int) $user->id;
    1163 
    1164         $i = wp_nonce_tick();
    1165 
    1166         // Nonce generated 0-12 hours ago
    1167         if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) == $nonce )
    1168                 return 1;
    1169         // Nonce generated 12-24 hours ago
    1170         if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) == $nonce )
    1171                 return 2;
    1172         // Invalid nonce
    1173         return false;
     485function wp_verify_nonce( $nonce, $action = -1 ) {
     486        return _wp_verify_nonce( $nonce, $action );
    1174487}
    1175488endif;
    1176489
     
    1178491/**
    1179492 * Creates a random, one time use token.
    1180493 *
     494 * @see _wp_create_nonce()
     495 *
    1181496 * @since 2.0.3
    1182497 *
    1183498 * @param string|int $action Scalar value to add context to the nonce.
    1184499 * @return string The one use form token
    1185500 */
    1186 function wp_create_nonce($action = -1) {
    1187         $user = wp_get_current_user();
    1188         $uid = (int) $user->id;
    1189 
    1190         $i = wp_nonce_tick();
    1191 
    1192         return substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10);
     501function wp_create_nonce( $action = -1 ) {
     502        return _wp_create_nonce( $action );
    1193503}
    1194504endif;
    1195505
     
    1197507/**
    1198508 * Get salt to add to hashes to help prevent attacks.
    1199509 *
    1200  * The secret key is located in two places: the database in case the secret key
    1201  * isn't defined in the second place, which is in the wp-config.php file. If you
    1202  * are going to set the secret key, then you must do so in the wp-config.php
    1203  * file.
     510 * @see _wp_salt()
    1204511 *
    1205  * The secret key in the database is randomly generated and will be appended to
    1206  * the secret key that is in wp-config.php file in some instances. It is
    1207  * important to have the secret key defined or changed in wp-config.php.
    1208  *
    1209  * If you have installed WordPress 2.5 or later, then you will have the
    1210  * SECRET_KEY defined in the wp-config.php already. You will want to change the
    1211  * value in it because hackers will know what it is. If you have upgraded to
    1212  * WordPress 2.5 or later version from a version before WordPress 2.5, then you
    1213  * should add the constant to your wp-config.php file.
    1214  *
    1215  * Below is an example of how the SECRET_KEY constant is defined with a value.
    1216  * You must not copy the below example and paste into your wp-config.php. If you
    1217  * need an example, then you can have a
    1218  * {@link https://api.wordpress.org/secret-key/1.1/ secret key created} for you.
    1219  *
    1220  * <code>
    1221  * define('SECRET_KEY', 'mAry1HadA15|\/|b17w55w1t3asSn09w');
    1222  * </code>
    1223  *
    1224  * Salting passwords helps against tools which has stored hashed values of
    1225  * common dictionary strings. The added values makes it harder to crack if given
    1226  * salt string is not weak.
    1227  *
    1228512 * @since 2.5
    1229513 * @link https://api.wordpress.org/secret-key/1.1/ Create a Secret Key for wp-config.php
    1230514 *
    1231515 * @return string Salt value from either 'SECRET_KEY' or 'secret' option
    1232516 */
    1233 function wp_salt($scheme = 'auth') {
    1234         global $wp_default_secret_key;
    1235         $secret_key = '';
    1236         if ( defined('SECRET_KEY') && ('' != SECRET_KEY) && ( $wp_default_secret_key != SECRET_KEY) )
    1237                 $secret_key = SECRET_KEY;
    1238 
    1239         if ( 'auth' == $scheme ) {
    1240                 if ( defined('AUTH_KEY') && ('' != AUTH_KEY) && ( $wp_default_secret_key != AUTH_KEY) )
    1241                         $secret_key = AUTH_KEY;
    1242 
    1243                 if ( defined('AUTH_SALT') ) {
    1244                         $salt = AUTH_SALT;
    1245                 } elseif ( defined('SECRET_SALT') ) {
    1246                         $salt = SECRET_SALT;
    1247                 } else {
    1248                         $salt = get_option('auth_salt');
    1249                         if ( empty($salt) ) {
    1250                                 $salt = wp_generate_password(64);
    1251                                 update_option('auth_salt', $salt);
    1252                         }
    1253                 }
    1254         } elseif ( 'secure_auth' == $scheme ) {
    1255                 if ( defined('SECURE_AUTH_KEY') && ('' != SECURE_AUTH_KEY) && ( $wp_default_secret_key != SECURE_AUTH_KEY) )
    1256                         $secret_key = SECURE_AUTH_KEY;
    1257 
    1258                 if ( defined('SECURE_AUTH_SALT') ) {
    1259                         $salt = SECURE_AUTH_SALT;
    1260                 } else {
    1261                         $salt = get_option('secure_auth_salt');
    1262                         if ( empty($salt) ) {
    1263                                 $salt = wp_generate_password(64);
    1264                                 update_option('secure_auth_salt', $salt);
    1265                         }
    1266                 }
    1267         } elseif ( 'logged_in' == $scheme ) {
    1268                 if ( defined('LOGGED_IN_KEY') && ('' != LOGGED_IN_KEY) && ( $wp_default_secret_key != LOGGED_IN_KEY) )
    1269                         $secret_key = LOGGED_IN_KEY;
    1270 
    1271                 if ( defined('LOGGED_IN_SALT') ) {
    1272                         $salt = LOGGED_IN_SALT;
    1273                 } else {
    1274                         $salt = get_option('logged_in_salt');
    1275                         if ( empty($salt) ) {
    1276                                 $salt = wp_generate_password(64);
    1277                                 update_option('logged_in_salt', $salt);
    1278                         }
    1279                 }
    1280         } elseif ( 'nonce' == $scheme ) {
    1281                 if ( defined('NONCE_KEY') && ('' != NONCE_KEY) && ( $wp_default_secret_key != NONCE_KEY) )
    1282                         $secret_key = NONCE_KEY;
    1283 
    1284                 if ( defined('NONCE_SALT') ) {
    1285                         $salt = NONCE_SALT;
    1286                 } else {
    1287                         $salt = get_option('nonce_salt');
    1288                         if ( empty($salt) ) {
    1289                                 $salt = wp_generate_password(64);
    1290                                 update_option('nonce_salt', $salt);
    1291                         }
    1292                 }
    1293         } else {
    1294                 // ensure each auth scheme has its own unique salt
    1295                 $salt = hash_hmac('md5', $scheme, $secret_key);
    1296         }
    1297 
    1298         return apply_filters('salt', $secret_key . $salt, $scheme);
     517function wp_salt( $scheme = 'auth' ) {
     518        return _wp_salt( $scheme );
    1299519}
    1300520endif;
    1301521
     
    1303523/**
    1304524 * Get hash of given string.
    1305525 *
     526 * @see _wp_hash()
     527 *
    1306528 * @since 2.0.3
    1307  * @uses wp_salt() Get WordPress salt
    1308529 *
    1309530 * @param string $data Plain text to hash
    1310531 * @return string Hash of $data
    1311532 */
    1312 function wp_hash($data, $scheme = 'auth') {
    1313         $salt = wp_salt($scheme);
    1314 
    1315         return hash_hmac('md5', $data, $salt);
     533function wp_hash( $data, $scheme = 'auth' ) {
     534        return _wp_hash( $data, $scheme );
    1316535}
    1317536endif;
    1318537
     
    1323542 * For integration with other applications, this function can be overwritten to
    1324543 * instead use the other package password checking algorithm.
    1325544 *
     545 * @see _wp_hash_password()
     546 *
    1326547 * @since 2.5
    1327548 * @global object $wp_hasher PHPass object
    1328549 * @uses PasswordHash::HashPassword
     
    1330551 * @param string $password Plain text user password to hash
    1331552 * @return string The hash string of the password
    1332553 */
    1333 function wp_hash_password($password) {
    1334         global $wp_hasher;
    1335 
    1336         if ( empty($wp_hasher) ) {
    1337                 require_once( ABSPATH . 'wp-includes/class-phpass.php');
    1338                 // By default, use the portable hash from phpass
    1339                 $wp_hasher = new PasswordHash(8, TRUE);
    1340         }
    1341 
    1342         return $wp_hasher->HashPassword($password);
     554function wp_hash_password( $password ) {
     555        return _wp_hash_password( $password );
    1343556}
    1344557endif;
    1345558
    1346559if ( !function_exists('wp_check_password') ) :
    1347560/**
    1348  * Checks the plaintext password against the encrypted Password.
     561 * Checks the plaintext password against the encrypted password.
    1349562 *
    1350  * Maintains compatibility between old version and the new cookie authentication
    1351  * protocol using PHPass library. The $hash parameter is the encrypted password
    1352  * and the function compares the plain text password when encypted similarly
    1353  * against the already encrypted password to see if they match.
    1354  *
    1355563 * For integration with other applications, this function can be overwritten to
    1356564 * instead use the other package password checking algorithm.
    1357565 *
     566 * @see _wp_check_password()
     567 *
    1358568 * @since 2.5
    1359569 * @global object $wp_hasher PHPass object used for checking the password
    1360570 *      against the $hash + $password
     
    1364574 * @param string $hash Hash of the user's password to check against.
    1365575 * @return bool False, if the $password does not match the hashed password
    1366576 */
    1367 function wp_check_password($password, $hash, $user_id = '') {
    1368         global $wp_hasher;
    1369 
    1370         // If the hash is still md5...
    1371         if ( strlen($hash) <= 32 ) {
    1372                 $check = ( $hash == md5($password) );
    1373                 if ( $check && $user_id ) {
    1374                         // Rehash using new hash.
    1375                         wp_set_password($password, $user_id);
    1376                         $hash = wp_hash_password($password);
    1377                 }
    1378 
    1379                 return apply_filters('check_password', $check, $password, $hash, $user_id);
    1380         }
    1381 
    1382         // If the stored hash is longer than an MD5, presume the
    1383         // new style phpass portable hash.
    1384         if ( empty($wp_hasher) ) {
    1385                 require_once( ABSPATH . 'wp-includes/class-phpass.php');
    1386                 // By default, use the portable hash from phpass
    1387                 $wp_hasher = new PasswordHash(8, TRUE);
    1388         }
    1389 
    1390         $check = $wp_hasher->CheckPassword($password, $hash);
    1391 
    1392         return apply_filters('check_password', $check, $password, $hash, $user_id);
     577function wp_check_password( $password, $hash, $user_id = '' ) {
     578        return _wp_check_password( $password, $hash, $user_id );
    1393579}
    1394580endif;
    1395581
    1396582if ( !function_exists('wp_generate_password') ) :
    1397583/**
    1398  * Generates a random password drawn from the defined set of characters.
     584 * Generates a random password.
    1399585 *
     586 * @see _wp_generate_password()
     587 *
    1400588 * @since 2.5
    1401589 *
    1402590 * @param int $length The length of password to generate
    1403591 * @param bool $special_chars Whether to include standard special characters
    1404592 * @return string The random password
    1405593 **/
    1406 function wp_generate_password($length = 12, $special_chars = true) {
    1407         $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    1408         if ( $special_chars )
    1409                 $chars .= '!@#$%^&*()';
    1410 
    1411         $password = '';
    1412         for ( $i = 0; $i < $length; $i++ )
    1413                 $password .= substr($chars, wp_rand(0, strlen($chars) - 1), 1);
    1414         return $password;
     594function wp_generate_password( $length = 12, $special_chars = true ) {
     595        return _wp_generate_password( $length, $special_chars );
    1415596}
    1416597endif;
    1417598
    1418599if ( !function_exists('wp_rand') ) :
    1419  /**
     600/**
    1420601 * Generates a random number
    1421602 *
     603 * @see _wp_rand()
     604 *
    1422605 * @since 2.6.2
    1423606 *
    1424607 * @param int $min Lower limit for the generated number (optional, default is 0)
     
    1426609 * @return int A random number between min and max
    1427610 */
    1428611function wp_rand( $min = 0, $max = 0 ) {
    1429         global $rnd_value;
    1430 
    1431         $seed = get_transient('random_seed');
    1432 
    1433         // Reset $rnd_value after 14 uses
    1434         // 32(md5) + 40(sha1) + 40(sha1) / 8 = 14 random numbers from $rnd_value
    1435         if ( strlen($rnd_value) < 8 ) {
    1436                 $rnd_value = md5( uniqid(microtime() . mt_rand(), true ) . $seed );
    1437                 $rnd_value .= sha1($rnd_value);
    1438                 $rnd_value .= sha1($rnd_value . $seed);
    1439                 $seed = md5($seed . $rnd_value);
    1440                 set_transient('random_seed', $seed);
    1441         }
    1442 
    1443         // Take the first 8 digits for our value
    1444         $value = substr($rnd_value, 0, 8);
    1445 
    1446         // Strip the first eight, leaving the remainder for the next call to wp_rand().
    1447         $rnd_value = substr($rnd_value, 8);
    1448 
    1449         $value = abs(hexdec($value));
    1450 
    1451         // Reduce the value to be within the min - max range
    1452         // 4294967295 = 0xffffffff = max random number
    1453         if ( $max != 0 )
    1454                 $value = $min + (($max - $min + 1) * ($value / (4294967295 + 1)));
    1455 
    1456         return abs(intval($value));
     612        return _wp_rand( $min, $max );
    1457613}
    1458614endif;
    1459615
     
    1464620 * For integration with other applications, this function can be overwritten to
    1465621 * instead use the other package password checking algorithm.
    1466622 *
     623 * @see _wp_set_password()
     624 *
    1467625 * @since 2.5
    1468626 * @uses $wpdb WordPress database object for queries
    1469627 * @uses wp_hash_password() Used to encrypt the user's password before passing to the database
     
    1472630 * @param int $user_id User ID
    1473631 */
    1474632function wp_set_password( $password, $user_id ) {
    1475         global $wpdb;
    1476 
    1477         $hash = wp_hash_password($password);
    1478         $wpdb->update($wpdb->users, array('user_pass' => $hash, 'user_activation_key' => ''), array('ID' => $user_id) );
    1479 
    1480         wp_cache_delete($user_id, 'users');
     633        _wp_set_password( $password, $user_id );
    1481634}
    1482635endif;
    1483636
     
    1485638/**
    1486639 * Retrieve the avatar for a user who provided a user ID or email address.
    1487640 *
     641 * @see _get_avatar()
     642 *
    1488643 * @since 2.5
    1489644 * @param int|string|object $id_or_email A user ID,  email address, or comment object
    1490645 * @param int $size Size of the avatar image
     
    1493648 * @return string <img> tag for the user's avatar
    1494649*/
    1495650function get_avatar( $id_or_email, $size = '96', $default = '', $alt = false ) {
    1496         if ( ! get_option('show_avatars') )
    1497                 return false;
    1498 
    1499         if ( false === $alt)
    1500                 $safe_alt = '';
    1501         else
    1502                 $safe_alt = attribute_escape( $alt );
    1503 
    1504         if ( !is_numeric($size) )
    1505                 $size = '96';
    1506 
    1507         $email = '';
    1508         if ( is_numeric($id_or_email) ) {
    1509                 $id = (int) $id_or_email;
    1510                 $user = get_userdata($id);
    1511                 if ( $user )
    1512                         $email = $user->user_email;
    1513         } elseif ( is_object($id_or_email) ) {
    1514                 if ( isset($id_or_email->comment_type) && '' != $id_or_email->comment_type && 'comment' != $id_or_email->comment_type )
    1515                         return false; // No avatar for pingbacks or trackbacks
    1516 
    1517                 if ( !empty($id_or_email->user_id) ) {
    1518                         $id = (int) $id_or_email->user_id;
    1519                         $user = get_userdata($id);
    1520                         if ( $user)
    1521                                 $email = $user->user_email;
    1522                 } elseif ( !empty($id_or_email->comment_author_email) ) {
    1523                         $email = $id_or_email->comment_author_email;
    1524                 }
    1525         } else {
    1526                 $email = $id_or_email;
    1527         }
    1528 
    1529         if ( empty($default) ) {
    1530                 $avatar_default = get_option('avatar_default');
    1531                 if ( empty($avatar_default) )
    1532                         $default = 'mystery';
    1533                 else
    1534                         $default = $avatar_default;
    1535         }
    1536 
    1537         if ( is_ssl() )
    1538                 $host = 'https://secure.gravatar.com';
    1539         else
    1540                 $host = 'http://www.gravatar.com';
    1541 
    1542         if ( 'mystery' == $default )
    1543                 $default = "$host/avatar/ad516503a11cd5ca435acc9bb6523536?s={$size}"; // ad516503a11cd5ca435acc9bb6523536 == md5('unknown@gravatar.com')
    1544         elseif ( 'blank' == $default )
    1545                 $default = includes_url('images/blank.gif');
    1546         elseif ( !empty($email) && 'gravatar_default' == $default )
    1547                 $default = '';
    1548         elseif ( 'gravatar_default' == $default )
    1549                 $default = "$host/avatar/s={$size}";
    1550         elseif ( empty($email) )
    1551                 $default = "$host/avatar/?d=$default&amp;s={$size}";
    1552         elseif ( strpos($default, 'http://') === 0 )
    1553                 $default = add_query_arg( 's', $size, $default );
    1554 
    1555         if ( !empty($email) ) {
    1556                 $out = "$host/avatar/";
    1557                 $out .= md5( strtolower( $email ) );
    1558                 $out .= '?s='.$size;
    1559                 $out .= '&amp;d=' . urlencode( $default );
    1560 
    1561                 $rating = get_option('avatar_rating');
    1562                 if ( !empty( $rating ) )
    1563                         $out .= "&amp;r={$rating}";
    1564 
    1565                 $avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo' height='{$size}' width='{$size}' />";
    1566         } else {
    1567                 $avatar = "<img alt='{$safe_alt}' src='{$default}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
    1568         }
    1569 
    1570         return apply_filters('get_avatar', $avatar, $id_or_email, $size, $default, $alt);
     651        return _get_avatar( $id_or_email, $size, $default, $alt );
    1571652}
    1572653endif;
    1573654
     
    1666747 * HTML, so the primary use is for displaying the changes. If the two strings
    1667748 * are equivalent, then an empty string will be returned.
    1668749 *
    1669  * The arguments supported and can be changed are listed below.
     750 * @see _wp_text_diff()
    1670751 *
    1671  * 'title' : Default is an empty string. Titles the diff in a manner compatible
    1672  *              with the output.
    1673  * 'title_left' : Default is an empty string. Change the HTML to the left of the
    1674  *              title.
    1675  * 'title_right' : Default is an empty string. Change the HTML to the right of
    1676  *              the title.
    1677  *
    1678752 * @since 2.6
    1679753 * @see wp_parse_args() Used to change defaults to user defined settings.
    1680754 * @uses Text_Diff
     
    1686760 * @return string Empty string if strings are equivalent or HTML with differences.
    1687761 */
    1688762function wp_text_diff( $left_string, $right_string, $args = null ) {
    1689         $defaults = array( 'title' => '', 'title_left' => '', 'title_right' => '' );
    1690         $args = wp_parse_args( $args, $defaults );
    1691 
    1692         if ( !class_exists( 'WP_Text_Diff_Renderer_Table' ) )
    1693                 require( ABSPATH . WPINC . '/wp-diff.php' );
    1694 
    1695         $left_string  = normalize_whitespace($left_string);
    1696         $right_string = normalize_whitespace($right_string);
    1697 
    1698         $left_lines  = split("\n", $left_string);
    1699         $right_lines = split("\n", $right_string);
    1700 
    1701         $text_diff = new Text_Diff($left_lines, $right_lines);
    1702         $renderer  = new WP_Text_Diff_Renderer_Table();
    1703         $diff = $renderer->render($text_diff);
    1704 
    1705         if ( !$diff )
    1706                 return '';
    1707 
    1708         $r  = "<table class='diff'>\n";
    1709         $r .= "<col class='ltype' /><col class='content' /><col class='ltype' /><col class='content' />";
    1710 
    1711         if ( $args['title'] || $args['title_left'] || $args['title_right'] )
    1712                 $r .= "<thead>";
    1713         if ( $args['title'] )
    1714                 $r .= "<tr class='diff-title'><th colspan='4'>$args[title]</th></tr>\n";
    1715         if ( $args['title_left'] || $args['title_right'] ) {
    1716                 $r .= "<tr class='diff-sub-title'>\n";
    1717                 $r .= "\t<td></td><th>$args[title_left]</th>\n";
    1718                 $r .= "\t<td></td><th>$args[title_right]</th>\n";
    1719                 $r .= "</tr>\n";
    1720         }
    1721         if ( $args['title'] || $args['title_left'] || $args['title_right'] )
    1722                 $r .= "</thead>\n";
    1723 
    1724         $r .= "<tbody>\n$diff\n</tbody>\n";
    1725         $r .= "</table>";
    1726 
    1727         return $r;
     763        return _wp_text_diff( $left_string, $right_string, $args );
    1728764}
    1729765endif;
    1730766
  • wp-includes/user.php

     
    130130}
    131131
    132132/**
     133 * Changes the current user by ID or name.
     134 *
     135 * This function should not be used directly. Use the pluggable version instead.
     136.* @see wp_set_current_user()
     137 *
     138 * Set $id to null and specify a name if you do not know a user's ID.
     139 *
     140 * Some WordPress functionality is based on the current user and not based on
     141 * the signed in user. Therefore, it opens the ability to edit and perform
     142 * actions on users who aren't signed in.
     143 *
     144 * @since 2.8.0
     145 * @global object $current_user The current user object which holds the user data.
     146 * @uses do_action() Calls 'set_current_user' hook after setting the current user.
     147 *
     148 * @param int $id User ID
     149 * @param string $name User's username
     150 * @return WP_User Current user User object
     151 */
     152function _wp_set_current_user( $id, $name = '' ) {
     153        global $current_user;
     154
     155        if ( isset($current_user) && ($id == $current_user->ID) )
     156                return $current_user;
     157
     158        $current_user = new WP_User($id, $name);
     159
     160        setup_userdata($current_user->ID);
     161
     162        do_action('set_current_user');
     163
     164        return $current_user;
     165}
     166
     167/**
     168 * Retrieve the current user object.
     169 *
     170 * This function should not be used directly. Use the pluggable version instead.
     171.* @see wp_get_current_user()
     172 *
     173 * @since 2.8.0
     174.* @uses get_currentuserinfo() Populates the global user variables.
     175 *
     176 * @return WP_User Current user WP_User object
     177 */
     178function _wp_get_current_user() {
     179        global $current_user;
     180
     181        get_currentuserinfo();
     182
     183        return $current_user;
     184}
     185
     186/**
     187 * Populate global variables with information about the currently logged in user.
     188 *
     189 * Will set the current user, if the current user is not set. The current user
     190 * will be set to the logged in person. If no user is logged in, then it will
     191 * set the current user to 0, which is invalid and won't have any permissions.
     192 *
     193 * This function should not be used directly. Use the pluggable version instead.
     194.* @see get_currentuserinfo()
     195 *
     196 * @since 2.8.0
     197 * @uses $current_user Checks if the current user is set
     198 * @uses wp_validate_auth_cookie() Retrieves current logged in user.
     199 *
     200 * @return bool|null False on XMLRPC Request and invalid auth cookie. Null when current user set.
     201 */
     202function _get_currentuserinfo() {
     203        global $current_user;
     204
     205        if ( defined('XMLRPC_REQUEST') && XMLRPC_REQUEST )
     206                return false;
     207
     208        if ( !empty($current_user) )
     209                return;
     210
     211        if ( !$user = wp_validate_auth_cookie() ) {
     212                if ( empty($_COOKIE[LOGGED_IN_COOKIE]) || !$user = wp_validate_auth_cookie($_COOKIE[LOGGED_IN_COOKIE], 'logged_in') ) {
     213                        wp_set_current_user(0);
     214                        return false;
     215                }
     216        }
     217
     218        wp_set_current_user($user);
     219}
     220
     221/**
     222 * Retrieve user info by user ID.
     223 *
     224 * This function should not be used directly. Use the pluggable version instead.
     225.* @see get_userdata()
     226 *
     227 * @since 2.8.0
     228 *
     229 * @param int $user_id User ID
     230 * @return bool|object False on failure, User DB row object
     231 */
     232function _get_userdata( $user_id ) {
     233        global $wpdb;
     234
     235        $user_id = absint($user_id);
     236        if ( $user_id == 0 )
     237                return false;
     238
     239        $user = wp_cache_get($user_id, 'users');
     240
     241        if ( $user )
     242                return $user;
     243
     244        if ( !$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE ID = %d LIMIT 1", $user_id)) )
     245                return false;
     246
     247        _fill_user($user);
     248
     249        return $user;
     250}
     251
     252/**
     253 * Retrieve user info by a given field
     254 *
     255 * This function should not be used directly. Use the pluggable version instead.
     256.* @see get_user_by()
     257 *
     258 * @since 2.8.0
     259 *
     260 * @param string $field The field to retrieve the user with.  id | slug | email | login
     261 * @param int|string $value A value for $field.  A user ID, slug, email address, or login name.
     262 * @return bool|object False on failure, User DB row object
     263 */
     264function _get_user_by( $field, $value ) {
     265        global $wpdb;
     266
     267        switch ($field) {
     268                case 'id':
     269                        return get_userdata($value);
     270                        break;
     271                case 'slug':
     272                        $user_id = wp_cache_get($value, 'userslugs');
     273                        $field = 'user_nicename';
     274                        break;
     275                case 'email':
     276                        $user_id = wp_cache_get($value, 'useremail');
     277                        $field = 'user_email';
     278                        break;
     279                case 'login':
     280                        $value = sanitize_user( $value );
     281                        $user_id = wp_cache_get($value, 'userlogins');
     282                        $field = 'user_login';
     283                        break;
     284                default:
     285                        return false;
     286        }
     287
     288         if ( false !== $user_id )
     289                return get_userdata($user_id);
     290
     291        if ( !$user = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->users WHERE $field = %s", $value) ) )
     292                return false;
     293
     294        _fill_user($user);
     295
     296        return $user;
     297}
     298
     299/**
     300 * Checks a user's login information and logs them in if it checks out.
     301 *
     302 * This function should not be used directly. Use the pluggable version instead.
     303.* @see wp_authenticate()
     304 *
     305 * @since 2.8.0
     306 *
     307 * @param string $username User's username
     308 * @param string $password User's password
     309 * @return WP_Error|WP_User WP_User object if login successful, otherwise WP_Error object.
     310 */
     311function _wp_authenticate( $username, $password ) {
     312        $username = sanitize_user($username);
     313        $password = trim($password);
     314
     315        $user = apply_filters('authenticate', null, $username, $password);
     316
     317        if ( $user == null ) {
     318                // TODO what should the error message be? (Or would these even happen?)
     319                // Only needed if all authentication handlers fail to return anything.
     320                $user = new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Invalid username or incorrect password.'));
     321        }
     322
     323        $ignore_codes = array('empty_username', 'empty_password');
     324
     325        if ( is_wp_error($user) && !in_array($user->get_error_code(), $ignore_codes) ) {
     326                do_action('wp_login_failed', $username);
     327        }
     328
     329        return $user;
     330}
     331
     332/**
     333 * Log the current user out.
     334 *
     335 * This function should not be used directly. Use the pluggable version instead.
     336.* @see wp_logout()
     337 *
     338 * @since 2.5.0
     339 */
     340function _wp_logout() {
     341        wp_clear_auth_cookie();
     342        do_action('wp_logout');
     343}
     344
     345/**
     346 * Validates authentication cookie.
     347 *
     348 * The checks include making sure that the authentication cookie is set and
     349 * pulling in the contents (if $cookie is not used).
     350 *
     351 * Makes sure the cookie is not expired. Verifies the hash in cookie is what is
     352 * should be and compares the two.
     353 *
     354 * This function should not be used directly. Use the pluggable version instead.
     355.* @see wp_validate_auth_cookie()
     356 *
     357 * @since 2.8.0
     358 *
     359 * @param string $cookie Optional. If used, will validate contents instead of cookie's
     360 * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
     361 * @return bool|int False if invalid cookie, User ID if valid.
     362 */
     363function _wp_validate_auth_cookie( $cookie = '', $scheme = '' ) {
     364        if ( ! $cookie_elements = wp_parse_auth_cookie( $cookie, $scheme ) ) {
     365                do_action('auth_cookie_malformed', $cookie, $scheme);
     366                return false;
     367        }
     368
     369        extract($cookie_elements, EXTR_OVERWRITE);
     370
     371        $expired = $expiration;
     372
     373        // Allow a grace period for POST and AJAX requests
     374        if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] )
     375                $expired += 3600;
     376
     377        // Quick check to see if an honest cookie has expired
     378        if ( $expired < time() ) {
     379                do_action('auth_cookie_expired', $cookie_elements);
     380                return false;
     381        }
     382
     383        $user = get_userdatabylogin($username);
     384        if ( ! $user ) {
     385                do_action('auth_cookie_bad_username', $cookie_elements);
     386                return false;
     387        }
     388
     389        $pass_frag = substr($user->user_pass, 8, 4);
     390
     391        $key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);
     392        $hash = hash_hmac('md5', $username . '|' . $expiration, $key);
     393
     394        if ( $hmac != $hash ) {
     395                do_action('auth_cookie_bad_hash', $cookie_elements);
     396                return false;
     397        }
     398
     399        do_action('auth_cookie_valid', $cookie_elements, $user);
     400
     401        return $user->ID;
     402}
     403
     404/**
     405 * Generate authentication cookie contents.
     406 *
     407 * This function should not be used directly. Use the pluggable version instead.
     408.* @see wp_generate_auth_cookie()
     409 *
     410 * @since 2.8.0
     411 * @uses apply_filters() Calls 'auth_cookie' hook on $cookie contents, User ID
     412 *              and expiration of cookie.
     413 *
     414 * @param int $user_id User ID
     415 * @param int $expiration Cookie expiration in seconds
     416 * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
     417 * @return string Authentication cookie contents
     418 */
     419function _wp_generate_auth_cookie( $user_id, $expiration, $scheme = 'auth' ) {
     420        $user = get_userdata($user_id);
     421
     422        $pass_frag = substr($user->user_pass, 8, 4);
     423
     424        $key = wp_hash($user->user_login . $pass_frag . '|' . $expiration, $scheme);
     425        $hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);
     426
     427        $cookie = $user->user_login . '|' . $expiration . '|' . $hash;
     428
     429        return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $scheme);
     430}
     431
     432/**
     433 * Parse a cookie into its components
     434 *
     435 * This function should not be used directly. Use the pluggable version instead.
     436.* @see wp_parse_auth_cookie()
     437 *
     438 * @since 2.8.0
     439 *
     440 * @param string $cookie
     441 * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
     442 * @return array Authentication cookie components
     443 */
     444function _wp_parse_auth_cookie( $cookie = '', $scheme = '' ) {
     445        if ( empty($cookie) ) {
     446                switch ($scheme) {
     447                        case 'auth':
     448                                $cookie_name = AUTH_COOKIE;
     449                                break;
     450                        case 'secure_auth':
     451                                $cookie_name = SECURE_AUTH_COOKIE;
     452                                break;
     453                        case "logged_in":
     454                                $cookie_name = LOGGED_IN_COOKIE;
     455                                break;
     456                        default:
     457                                if ( is_ssl() ) {
     458                                        $cookie_name = SECURE_AUTH_COOKIE;
     459                                        $scheme = 'secure_auth';
     460                                } else {
     461                                        $cookie_name = AUTH_COOKIE;
     462                                        $scheme = 'auth';
     463                                }
     464                }
     465
     466                if ( empty($_COOKIE[$cookie_name]) )
     467                        return false;
     468                $cookie = $_COOKIE[$cookie_name];
     469        }
     470
     471        $cookie_elements = explode('|', $cookie);
     472        if ( count($cookie_elements) != 3 )
     473                return false;
     474
     475        list($username, $expiration, $hmac) = $cookie_elements;
     476
     477        return compact('username', 'expiration', 'hmac', 'scheme');
     478}
     479
     480/**
     481 * Sets the authentication cookies based User ID.
     482 *
     483 * The $remember parameter increases the time that the cookie will be kept. The
     484 * default the cookie is kept without remembering is two days. When $remember is
     485 * set, the cookies will be kept for 14 days or two weeks.
     486 *
     487 * This function should not be used directly. Use the pluggable version instead.
     488.* @see wp_set_auth_cookie()
     489 *
     490 * @since 2.8.0
     491 *
     492 * @param int $user_id User ID
     493 * @param bool $remember Whether to remember the user or not
     494 */
     495function _wp_set_auth_cookie( $user_id, $remember = false, $secure = '' ) {
     496        if ( $remember ) {
     497                $expiration = $expire = time() + apply_filters('auth_cookie_expiration', 1209600, $user_id, $remember);
     498        } else {
     499                $expiration = time() + apply_filters('auth_cookie_expiration', 172800, $user_id, $remember);
     500                $expire = 0;
     501        }
     502
     503        if ( '' === $secure )
     504                $secure = is_ssl() ? true : false;
     505
     506        if ( $secure ) {
     507                $auth_cookie_name = SECURE_AUTH_COOKIE;
     508                $scheme = 'secure_auth';
     509        } else {
     510                $auth_cookie_name = AUTH_COOKIE;
     511                $scheme = 'auth';
     512        }
     513
     514        $auth_cookie = wp_generate_auth_cookie($user_id, $expiration, $scheme);
     515        $logged_in_cookie = wp_generate_auth_cookie($user_id, $expiration, 'logged_in');
     516
     517        do_action('set_auth_cookie', $auth_cookie, $expire, $expiration, $user_id, $scheme);
     518        do_action('set_logged_in_cookie', $logged_in_cookie, $expire, $expiration, $user_id, 'logged_in');
     519
     520        // Set httponly if the php version is >= 5.2.0
     521        if ( version_compare(phpversion(), '5.2.0', 'ge') ) {
     522                setcookie($auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
     523                setcookie($auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
     524                setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, false, true);
     525                if ( COOKIEPATH != SITECOOKIEPATH )
     526                        setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, false, true);
     527        } else {
     528                $cookie_domain = COOKIE_DOMAIN;
     529                if ( !empty($cookie_domain) )
     530                        $cookie_domain .= '; HttpOnly';
     531                setcookie($auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, $cookie_domain, $secure);
     532                setcookie($auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, $cookie_domain, $secure);
     533                setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, $cookie_domain);
     534                if ( COOKIEPATH != SITECOOKIEPATH )
     535                        setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, $cookie_domain);
     536        }
     537}
     538
     539/**
     540 * Removes all of the cookies associated with authentication.
     541 *
     542 * This function should not be used directly. Use the pluggable version instead.
     543.* @see wp_clear_auth_cookie()
     544 *
     545 * @since 2.8.0
     546 */
     547function _wp_clear_auth_cookie() {
     548        do_action('clear_auth_cookie');
     549
     550        setcookie(AUTH_COOKIE, ' ', time() - 31536000, ADMIN_COOKIE_PATH, COOKIE_DOMAIN);
     551        setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, ADMIN_COOKIE_PATH, COOKIE_DOMAIN);
     552        setcookie(AUTH_COOKIE, ' ', time() - 31536000, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN);
     553        setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN);
     554        setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
     555        setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
     556
     557        // Old cookies
     558        setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
     559        setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
     560        setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
     561        setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
     562
     563        // Even older cookies
     564        setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
     565        setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
     566        setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
     567        setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
     568}
     569
     570/**
     571 * Checks if the current visitor is a logged in user.
     572 *
     573 * This function should not be used directly. Use the pluggable version instead.
     574.* @see is_user_logged_in()
     575 *
     576 * @since 2.8.0
     577 *
     578 * @return bool True if user is logged in, false if not logged in.
     579 */
     580function _is_user_logged_in() {
     581        $user = wp_get_current_user();
     582
     583        if ( $user->id == 0 )
     584                return false;
     585
     586        return true;
     587}
     588
     589/**
     590 * Checks if a user is logged in, if not it redirects them to the login page.
     591 *
     592 * This function should not be used directly. Use the pluggable version instead.
     593.* @see auth_redirect()
     594 *
     595 * @since 2.8.0
     596 */
     597function _auth_redirect() {
     598        if ( is_ssl() || force_ssl_admin() )
     599                $secure = true;
     600        else
     601                $secure = false;
     602
     603        // If https is required and request is http, redirect
     604        if ( $secure && !is_ssl() && false !== strpos($_SERVER['REQUEST_URI'], 'wp-admin') ) {
     605                if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
     606                        wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
     607                        exit();
     608                } else {
     609                        wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
     610                        exit();
     611                }
     612        }
     613
     614        if ( $user_id = wp_validate_auth_cookie() ) {
     615                do_action('auth_redirect', $user_id);
     616
     617                // If the user wants ssl but the session is not ssl, redirect.
     618                if ( !$secure && get_user_option('use_ssl', $user_id) && false !== strpos($_SERVER['REQUEST_URI'], 'wp-admin') ) {
     619                        if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
     620                                wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
     621                                exit();
     622                        } else {
     623                                wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
     624                                exit();
     625                        }
     626                }
     627
     628                return;  // The cookie is good so we're done
     629        }
     630
     631        // The cookie is no good so force login
     632        nocache_headers();
     633
     634        if ( is_ssl() )
     635                $proto = 'https://';
     636        else
     637                $proto = 'http://';
     638
     639        $redirect = ( strpos($_SERVER['REQUEST_URI'], '/options.php') && wp_get_referer() ) ? wp_get_referer() : $proto . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
     640
     641        $login_url = wp_login_url($redirect);
     642
     643        wp_redirect($login_url);
     644        exit();
     645}
     646
     647/**
    133648 * Retrieve user data based on field.
    134649 *
    135650 * Use get_profile() will make a database query to get the value of the table
     
    191706        return true;
    192707}
    193708
     709/**
     710 * Updates the user's password with a new encrypted one.
     711 *
     712 * This function should not be used directly. Use the pluggable version instead.
     713.* @see wp_set_password()
     714 *
     715 * @since 2.8.0
     716 * @uses $wpdb WordPress database object for queries
     717 * @uses wp_hash_password() Used to encrypt the user's password before passing to the database
     718 *
     719 * @param string $password The plaintext new user password
     720 * @param int $user_id User ID
     721 */
     722function _wp_set_password( $password, $user_id ) {
     723        global $wpdb;
     724
     725        $hash = wp_hash_password($password);
     726        $wpdb->update($wpdb->users, array('user_pass' => $hash, 'user_activation_key' => ''), array('ID' => $user_id) );
     727
     728        wp_cache_delete($user_id, 'users');
     729}
     730
     731/**
     732 * Retrieve the avatar for a user who provided a user ID or email address.
     733 *
     734 * This function should not be used directly. Use the pluggable version instead.
     735.* @see get_avatar()
     736 *
     737 * @since 2.8.0
     738 * @param int|string|object $id_or_email A user ID,  email address, or comment object
     739 * @param int $size Size of the avatar image
     740 * @param string $default URL to a default image to use if no avatar is available
     741 * @param string $alt Alternate text to use in image tag. Defaults to blank
     742 * @return string <img> tag for the user's avatar
     743*/
     744function _get_avatar( $id_or_email, $size = '96', $default = '', $alt = false ) {
     745        if ( ! get_option('show_avatars') )
     746                return false;
     747
     748        if ( false === $alt)
     749                $safe_alt = '';
     750        else
     751                $safe_alt = attribute_escape( $alt );
     752
     753        if ( !is_numeric($size) )
     754                $size = '96';
     755
     756        $email = '';
     757        if ( is_numeric($id_or_email) ) {
     758                $id = (int) $id_or_email;
     759                $user = get_userdata($id);
     760                if ( $user )
     761                        $email = $user->user_email;
     762        } elseif ( is_object($id_or_email) ) {
     763                if ( isset($id_or_email->comment_type) && '' != $id_or_email->comment_type && 'comment' != $id_or_email->comment_type )
     764                        return false; // No avatar for pingbacks or trackbacks
     765
     766                if ( !empty($id_or_email->user_id) ) {
     767                        $id = (int) $id_or_email->user_id;
     768                        $user = get_userdata($id);
     769                        if ( $user)
     770                                $email = $user->user_email;
     771                } elseif ( !empty($id_or_email->comment_author_email) ) {
     772                        $email = $id_or_email->comment_author_email;
     773                }
     774        } else {
     775                $email = $id_or_email;
     776        }
     777
     778        if ( empty($default) ) {
     779                $avatar_default = get_option('avatar_default');
     780                if ( empty($avatar_default) )
     781                        $default = 'mystery';
     782                else
     783                        $default = $avatar_default;
     784        }
     785
     786        if ( is_ssl() )
     787                $host = 'https://secure.gravatar.com';
     788        else
     789                $host = 'http://www.gravatar.com';
     790
     791        if ( 'mystery' == $default )
     792                $default = "$host/avatar/ad516503a11cd5ca435acc9bb6523536?s={$size}"; // ad516503a11cd5ca435acc9bb6523536 == md5('unknown@gravatar.com')
     793        elseif ( 'blank' == $default )
     794                $default = includes_url('images/blank.gif');
     795        elseif ( !empty($email) && 'gravatar_default' == $default )
     796                $default = '';
     797        elseif ( 'gravatar_default' == $default )
     798                $default = "$host/avatar/s={$size}";
     799        elseif ( empty($email) )
     800                $default = "$host/avatar/?d=$default&amp;s={$size}";
     801        elseif ( strpos($default, 'http://') === 0 )
     802                $default = add_query_arg( 's', $size, $default );
     803
     804        if ( !empty($email) ) {
     805                $out = "$host/avatar/";
     806                $out .= md5( strtolower( $email ) );
     807                $out .= '?s='.$size;
     808                $out .= '&amp;d=' . urlencode( $default );
     809
     810                $rating = get_option('avatar_rating');
     811                if ( !empty( $rating ) )
     812                        $out .= "&amp;r={$rating}";
     813
     814                $avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo' height='{$size}' width='{$size}' />";
     815        } else {
     816                $avatar = "<img alt='{$safe_alt}' src='{$default}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
     817        }
     818
     819        return apply_filters('get_avatar', $avatar, $id_or_email, $size, $default, $alt);
     820}
     821
    194822//
    195823// User option functions
    196824//