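--- a/branches/3.1/readme.html
+++ b/branches/3.1/readme.html
@@ -9,5 +9,5 @@
 <h1 id="logo">
     <a href="http://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" width="250" height="68" /></a>
-    <br /> Version 3.1.2
+    <br /> Version 3.1.3
 </h1>
 <p style="text-align: center">Semantic Personal Publishing Platform</p>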
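--- a/branches/3.1/wp-admin/admin-ajax.php
+++ b/branches/3.1/wp-admin/admin-ajax.php
@@ -397,5 +397,5 @@
         die('1');
 
-    if ( !current_user_can( 'edit_post', $meta->post_id ) )
+    if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )
         die('-1');
     if ( delete_meta( $meta->meta_id ) )
@@ -856,4 +856,6 @@
         if ( !current_user_can( 'edit_post', $meta->post_id ) )
             die('-1');
+        if ( is_protected_meta( $meta->meta_key ) )
+            die('-1');
         if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
             if ( !$u = update_meta( $mid, $key, $value ) )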
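Review bot: The guard added at new line 858 inspects only the existing `$meta->meta_key`, while the update two lines below passes a client-supplied replacement `$key` to update_meta(); that replacement is rejected only by update_meta()'s own is_protected_meta() check (the wp-admin/includes/post.php hunk at new line 766 in this changeset), so this handler depends on that helper for half of the protection. A comment would make the split explicit, e.g. `// the replacement $key is checked inside update_meta()`. The first hunk folds the same check into the capability condition; using one shape in both places would read more consistently. Both enclosing case blocks start outside the hunks.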
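--- a/branches/3.1/wp-admin/custom-background.php
+++ b/branches/3.1/wp-admin/custom-background.php
@@ -338,5 +338,6 @@
             'post_content' => $url,
             'post_mime_type' => $type,
-            'guid' => $url
+            'guid' => $url,
+            'context' => 'custom-background'
         );
 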
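--- a/branches/3.1/wp-admin/custom-header.php
+++ b/branches/3.1/wp-admin/custom-header.php
@@ -596,5 +596,6 @@
         'post_content' => $url,
         'post_mime_type' => $type,
-        'guid' => $url);
+        'guid' => $url,
+        'context' => 'custom-header');
 
         // Save the data
@@ -688,5 +689,6 @@
             'post_content' => $url,
             'post_mime_type' => 'image/jpeg',
-            'guid' => $url
+            'guid' => $url,
+            'context' => 'custom-header'
         );
 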
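--- a/branches/3.1/wp-admin/includes/class-wp-plugins-list-table.php
+++ b/branches/3.1/wp-admin/includes/class-wp-plugins-list-table.php
@@ -196,11 +196,4 @@
     }
 
-    function display_tablenav( $which ) {
-        global $status;
-
-        if ( !in_array( $status, array( 'mustuse', 'dropins' ) ) )
-            parent::display_tablenav( $which );
-    }
-
     function get_views() {
         global $totals, $status;
@@ -287,9 +280,17 @@
         global $status;
 
-        if ( 'recently_activated' == $status ) { ?>
-            <div class="alignleft actions">
-                <?php submit_button( __( 'Clear List' ), 'secondary', 'clear-recent-list', false ); ?>
-            </div>
-        <?php }
+        if ( ! in_array($status, array('recently_activated', 'mustuse', 'dropins') ) )
+            return;
+
+        echo '<div class="alignleft actions">';
+
+        if ( 'recently_activated' == $status )
+            submit_button( __( 'Clear List' ), 'secondary', 'clear-recent-list', false );
+        elseif ( 'top' == $which && 'mustuse' == $status )
+            echo '<p>' . __( 'Files in the <code>/wp-content/mu-plugins</code> directory are executed automatically.' ) . '</p>';
+        elseif ( 'top' == $which && 'dropins' == $status )
+            echo '<p>' . __( 'Drop-ins are advanced plugins in the <code>/wp-content</code> directory that replace WordPress functionality when present.' ) . '</p>';
+
+        echo '</div>';
     }
 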
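Review bot: After the early return at new line 282, a `mustuse` or `dropins` status on the bottom tablenav still reaches the echo at line 285, so an empty `<div class="alignleft actions"></div>` is emitted there; the explanatory paragraphs are gated on `'top' == $which` but the wrapper is not. Extending the guard covers it: `if ( ! in_array($status, array('recently_activated', 'mustuse', 'dropins') ) || ( 'bottom' == $which && 'recently_activated' != $status ) )`. The enclosing method's signature is outside the hunk, so this assumes `$which` takes the `top`/`bottom` values the new branches already compare against.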
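--- a/branches/3.1/wp-admin/includes/import.php
+++ b/branches/3.1/wp-admin/includes/import.php
@@ -81,5 +81,7 @@
         'post_content' => $url,
         'post_mime_type' => $type,
-        'guid' => $url
+        'guid' => $url,
+        'context' => 'import',
+        'post_status' => 'private'
     );
 
@@ -87,4 +89,7 @@
     $id = wp_insert_attachment( $object, $file );
 
+    // schedule a cleanup for one day from now in case of failed import or missing wp_import_cleanup() call
+    wp_schedule_single_event( time() + 86400, 'importer_scheduled_cleanup', array( $id ) );
+
     return array( 'file' => $file, 'id' => $id );
 }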
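--- a/branches/3.1/wp-admin/includes/media.php
+++ b/branches/3.1/wp-admin/includes/media.php
@@ -1193,5 +1193,5 @@
     $toggle_off = __( 'Hide' );
 
-    $filename = basename( $post->guid );
+    $filename = esc_html( basename( $post->guid ) );
     $title = esc_attr( $post->post_title );
 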
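Review bot: `esc_html()` at new line 1195 is applied where `$filename` is assigned rather than where it is printed, so the value now carries HTML entities into every later use of the variable; if one of those uses is an attribute context (as the neighbouring `$title = esc_attr( ... )` does for its own variable), `esc_attr()` at that site would be the matching escape. The uses of `$filename` are outside the hunk, so this is a request to confirm rather than a reported defect; a comment such as `// escaped for HTML body context only` on line 1195 would state the intended context.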
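--- a/branches/3.1/wp-admin/includes/post.php
+++ b/branches/3.1/wp-admin/includes/post.php
@@ -139,4 +139,5 @@
     $post = get_post( $post_ID );
     $post_data['post_type'] = $post->post_type;
+    $post_data['post_mime_type'] = $post->post_mime_type;
 
     $ptype = get_post_type_object($post_data['post_type']);
@@ -200,4 +201,6 @@
             if ( $meta->post_id != $post_ID )
                 continue;
+            if ( is_protected_meta( $value['key'] ) )
+                continue;
             update_meta( $key, $value['key'], $value['value'] );
         }
@@ -209,4 +212,6 @@
                 continue;
             if ( $meta->post_id != $post_ID )
+                continue;
+            if ( is_protected_meta( $meta->meta_key ) )
                 continue;
             delete_meta( $key );
@@ -528,4 +533,6 @@
     }
 
+    $_POST['post_mime_type'] = '';
+
     // Check for autosave collisions
     // Does this need to be updated? ~ Mark
@@ -633,6 +640,4 @@
     $post_ID = (int) $post_ID;
 
-    $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
-
     $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
     $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
@@ -651,5 +656,5 @@
             $metakey = $metakeyinput; // default
 
-        if ( in_array($metakey, $protected) )
+        if ( is_protected_meta( $metakey ) )
             return false;
 
@@ -757,9 +762,7 @@
     global $wpdb;
 
-    $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
-
     $meta_key = stripslashes($meta_key);
 
-    if ( in_array($meta_key, $protected) )
+    if ( is_protected_meta( $meta_key ) )
         return false;
 
@@ -994,5 +997,10 @@
     $q['cat'] = isset( $q['cat'] ) ? (int) $q['cat'] : 0;
     $q['post_type'] = 'attachment';
-    $q['post_status'] = isset( $q['status'] ) && 'trash' == $q['status'] ? 'trash' : 'inherit';
+    $post_type = get_post_type_object( 'attachment' );
+    $states = array( 'inherit' );
+    if ( current_user_can( $post_type->cap->read_private_posts ) )
+        $states[] = 'private';
+
+    $q['post_status'] = isset( $q['status'] ) && 'trash' == $q['status'] ? 'trash' : $states;
     $media_per_page = (int) get_user_option( 'upload_per_page' );
     if ( empty( $media_per_page ) || $media_per_page < 1 )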
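Review bot: In the meta update loop at new line 203, only the replacement key `$value['key']` is passed to is_protected_meta(); the existing `$meta->meta_key` is never checked, so an entry whose current key is protected can still be rewritten through this path as long as the submitted key is not, and update_meta() (the hunk at new line 766) likewise checks only the key it is given. The sibling delete loop at new line 215 checks the existing key, so the two loops are asymmetric; checking both closes the gap: `if ( is_protected_meta( $meta->meta_key ) || is_protected_meta( $value['key'] ) )`. Separately, `$_POST['post_mime_type'] = '';` at new line 535 discards a request value with no comment; `// the mime type is set by the upload path only, never taken from the form` would explain it. The enclosing functions start and end outside these hunks.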
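--- a/branches/3.1/wp-admin/includes/template.php
+++ b/branches/3.1/wp-admin/includes/template.php
@@ -466,4 +466,8 @@
 function _list_meta_row( $entry, &$count ) {
     static $update_nonce = false;
+
+    if ( is_protected_meta( $entry['meta_key'] ) )
+        return;
+
     if ( !$update_nonce )
         $update_nonce = wp_create_nonce( 'add-meta' );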
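--- a/branches/3.1/wp-admin/includes/update-core.php
+++ b/branches/3.1/wp-admin/includes/update-core.php
@@ -295,5 +295,5 @@
     $required_php_version = '4.3';
     $required_mysql_version = '4.1.2';
-    $wp_version = '3.1.2';
+    $wp_version = '3.1.3';
     $php_compat     = version_compare( $php_version, $required_php_version, '>=' );
     $mysql_compat   = version_compare( $mysql_version, $required_mysql_version, '>=' ) || file_exists( WP_CONTENT_DIR . '/db.php' );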
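--- a/branches/3.1/wp-admin/ms-delete-site.php
+++ b/branches/3.1/wp-admin/ms-delete-site.php
@@ -35,4 +35,6 @@
 
 if ( isset( $_POST['action'] ) && $_POST['action'] == 'deleteblog' && isset( $_POST['confirmdelete'] ) && $_POST['confirmdelete'] == '1' ) {
+    check_admin_referer( 'delete-blog' );
+
     $hash = wp_generate_password( 20, false );
     update_option( 'delete_blog_hash', $hash );
@@ -69,9 +71,10 @@
 
     <form method="post" name="deletedirect">
+        <?php wp_nonce_field( 'delete-blog' ) ?>
         <input type="hidden" name="action" value="deleteblog" />
         <p><input id="confirmdelete" type="checkbox" name="confirmdelete" value="1" /> <label for="confirmdelete"><strong><?php printf( __( "I'm sure I want to permanently disable my site, and I am aware I can never get it back or use %s again." ), is_subdomain_install() ? $current_blog->domain : $current_blog->domain . $current_blog->path ); ?></strong></label></p>
         <?php submit_button( __( 'Delete My Site Permanently' ) ); ?>
     </form>
-    <?php
+    <?php
 }
 echo '</div>';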
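Review bot: The added `<?php wp_nonce_field( 'delete-blog' ) ?>` at new line 73 omits the semicolon before `?>`, which PHP accepts but which differs from the `submit_button( ... ); ?>` line three below it; `<?php wp_nonce_field( 'delete-blog' ); ?>` keeps the file consistent. The check_admin_referer() call in the first hunk sits inside the action branch before any state is written, which is the right placement since it terminates on failure rather than returning a value to test.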
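--- a/branches/3.1/wp-admin/plugins.php
+++ b/branches/3.1/wp-admin/plugins.php
@@ -408,11 +408,4 @@
 <input type="hidden" name="paged" value="<?php echo esc_attr($page) ?>" />
 
-<?php
-if ( 'mustuse' == $status )
-    echo '<br class="clear" /><p>' . __( 'Files in the <code>/wp-content/mu-plugins</code> directory are executed automatically.' ) . '</p>';
-elseif ( 'dropins' == $status )
-    echo '<br class="clear" /><p>' . __( 'Drop-ins are advanced plugins in the <code>/wp-content</code> directory that replace WordPress functionality when present.' ) . '</p>';
-?>
-
 <?php $wp_list_table->display(); ?>
 </form>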
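--- a/branches/3.1/wp-admin/press-this.php
+++ b/branches/3.1/wp-admin/press-this.php
@@ -226,5 +226,5 @@
                     else
                         $src = 'http://'.str_replace('//','/', $host['host'].'/'.dirname($host['path']).'/'.$src);
-                $sources[] = esc_attr($src);
+                $sources[] = esc_url($src);
             }
             return "'" . implode("','", $sources) . "'";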
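Review bot: The switch to `esc_url()` at new line 228 changes which values the list accepts (schemes outside the allowed set are rejected), not how the list is quoted: line 230 wraps each entry in single quotes and comma-joins them, a string-literal context, and esc_url() is a URL/HTML escaper. That is adequate only if the consumer of the returned string treats it as HTML; if it lands in a script block, the quote handling belongs at that consumer, which is outside the hunk. A comment on line 228 such as `// esc_url() also rejects disallowed schemes; quoting for the consumer happens below` would record the assumption for the next reader.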
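--- a/branches/3.1/wp-app.php
+++ b/branches/3.1/wp-app.php
@@ -608,11 +608,11 @@
         $slug = '';
         if ( isset( $_SERVER['HTTP_SLUG'] ) )
-            $slug = sanitize_file_name( $_SERVER['HTTP_SLUG'] );
+            $slug = $_SERVER['HTTP_SLUG'];
         elseif ( isset( $_SERVER['HTTP_TITLE'] ) )
-            $slug = sanitize_file_name( $_SERVER['HTTP_TITLE'] );
+            $slug = $_SERVER['HTTP_TITLE'];
         elseif ( empty( $slug ) ) // just make a random name
             $slug = substr( md5( uniqid( microtime() ) ), 0, 7);
         $ext = preg_replace( '|.*/([a-z0-9]+)|', '$1', $_SERVER['CONTENT_TYPE'] );
-        $slug = "$slug.$ext";
+        $slug = sanitize_file_name( "$slug.$ext" );
         $file = wp_upload_bits( $slug, NULL, $bits);
 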
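Review bot: Moving sanitize_file_name() to the combined `"$slug.$ext"` at new line 616 carries no comment saying why the two raw header assignments at lines 610 and 612 are now acceptable; `// sanitized once below, after the extension is attached, so the complete name is validated` would stop a later reader from re-adding the per-branch calls. Note that `$ext` on the unchanged line 615 comes from an unanchored preg_replace over CONTENT_TYPE, so anything after the subtype (for example a `; charset=` parameter, constructed example) survives into the name; sanitize_file_name() now sees it too, which is an improvement, but that regex is outside this change. The enclosing method starts and ends outside the hunk.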
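--- a/branches/3.1/wp-includes/canonical.php
+++ b/branches/3.1/wp-includes/canonical.php
@@ -142,6 +142,8 @@
         } elseif ( is_author() && !empty($_GET['author']) && preg_match( '|^[0-9]+$|', $_GET['author'] ) ) {
             $author = get_userdata(get_query_var('author'));
-            if ( false !== $author && $redirect_url = get_author_posts_url($author->ID, $author->user_nicename) )
-                $redirect['query'] = remove_query_arg('author', $redirect['query']);
+            if ( ( false !== $author ) && $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE $wpdb->posts.post_author = %d AND $wpdb->posts.post_status = 'publish' LIMIT 1", $author->ID ) ) ) {
+                if ( $redirect_url = get_author_posts_url($author->ID, $author->user_nicename) )
+                    $redirect['query'] = remove_query_arg('author', $redirect['query']);
+            }
         } elseif ( is_category() || is_tag() || is_tax() ) { // Terms (Tags/categories)
 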
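Review bot: The new condition at line 144 uses `$wpdb`, but the enclosing function's header and its `global` declarations are outside the hunk; if `$wpdb` is not already declared global there, this branch calls a method on null, so that is worth confirming rather than assuming. The query itself is correctly parameterised through prepare() with `%d`. A short comment on why the redirect is now gated on a published post, e.g. `// only redirect to the author archive when it would actually list published posts`, would record the intent without restating the SQL.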
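--- a/branches/3.1/wp-includes/class-oembed.php
+++ b/branches/3.1/wp-includes/class-oembed.php
@@ -166,6 +166,6 @@
         $args = wp_parse_args( $args, wp_embed_defaults() );
 
-        $provider = add_query_arg( 'maxwidth', $args['width'], $provider );
-        $provider = add_query_arg( 'maxheight', $args['height'], $provider );
+        $provider = add_query_arg( 'maxwidth', (int) $args['width'], $provider );
+        $provider = add_query_arg( 'maxheight', (int) $args['height'], $provider );
         $provider = add_query_arg( 'url', urlencode($url), $provider );
 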
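--- a/branches/3.1/wp-includes/default-filters.php
+++ b/branches/3.1/wp-includes/default-filters.php
@@ -59,5 +59,5 @@
 // Save URL
 foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
-    'pre_link_rss' ) as $filter ) {
+    'pre_link_rss', 'pre_post_guid' ) as $filter ) {
     add_filter( $filter, 'wp_strip_all_tags' );
     add_filter( $filter, 'esc_url_raw'       );
@@ -66,5 +66,5 @@
 
 // Display URL
-foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url' ) as $filter ) {
+foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) {
     if ( is_admin() )
         add_filter( $filter, 'wp_strip_all_tags' );
@@ -86,4 +86,8 @@
     add_filter( $filter, 'sanitize_key' );
 }
+
+// Mime types
+add_filter( 'pre_post_mime_type', 'sanitize_mime_type' );
+add_filter( 'post_mime_type', 'sanitize_mime_type' );
 
 // Places to balance tags on input
@@ -219,4 +223,5 @@
 add_action( 'login_head',          'wp_print_head_scripts',         9     );
 add_action( 'login_footer',        'wp_print_footer_scripts'              );
+add_action( 'login_init',          'send_frame_options_header',     10, 0 );
 
 // Feed Generator Tags
@@ -250,4 +255,6 @@
 add_action( 'comment_form', 'wp_comment_form_unfiltered_html_nonce'        );
 add_action( 'wp_scheduled_delete',        'wp_scheduled_delete'            );
+add_action( 'admin_init',                 'send_frame_options_header', 10, 0 );
+add_action( 'importer_scheduled_cleanup', 'wp_delete_attachment'           );
 
 // Navigation menu actions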
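--- a/branches/3.1/wp-includes/formatting.php
+++ b/branches/3.1/wp-includes/formatting.php
@@ -719,5 +719,5 @@
             $allowed = false;
             foreach ( $mimes as $ext_preg => $mime_match ) {
-                $ext_preg = '!(^' . $ext_preg . ')$!i';
+                $ext_preg = '!^(' . $ext_preg . ')$!i';
                 if ( preg_match( $ext_preg, $part ) ) {
                     $allowed = true;
@@ -2904,3 +2904,16 @@
 }
 
+/**
+ * Sanitize a mime type
+ *
+ * @since 3.1.3
+ *
+ * @param string $mime_type Mime type
+ * @return string Sanitized mime type
+ */
+function sanitize_mime_type( $mime_type ) {
+    $sani_mime_type = preg_replace( '/[^-*.a-zA-Z0-9\/]/', '', $mime_type );
+    return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
+}
+
 ?>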
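Review bot: The character class in sanitize_mime_type() at new line 2915 does not include `+`, so a structured-syntax type is altered rather than preserved, e.g. `image/svg+xml` becomes `image/svgxml` (constructed example); the pattern should read `'/[^-+*.a-zA-Z0-9\/]/'`. Since the function is hooked on `pre_post_mime_type` elsewhere in this changeset, every stored attachment type passes through it, so the stripped character is persisted. The anchor move to `!^(` … `)$!i` in the first hunk is the right fix for alternations inside `$ext_preg` and needs no further change.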
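--- a/branches/3.1/wp-includes/functions.php
+++ b/branches/3.1/wp-includes/functions.php
@@ -4483,3 +4483,15 @@
 }
 
+/**
+ * Send a HTTP header to limit rendering of pages to same origin iframes.
+ *
+ * @link https://developer.mozilla.org/en/the_x-frame-options_response_header
+ *
+ * @since 3.1.3
+ * @return none
+ */
+function send_frame_options_header() {
+    @header( 'X-Frame-Options: SAMEORIGIN' );
+}
+
 ?>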
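Review bot: `@return none` at new line 4491 is not a PHPDoc type; the usual form for a function with no return value is `@return void`. The `@` on `header()` at line 4494 suppresses the "headers already sent" warning instead of detecting the condition; `if ( ! headers_sent() ) header( 'X-Frame-Options: SAMEORIGIN' );` handles the same case without hiding other errors. The docblock could also note that the header is only attached to admin and login requests (see the default-filters.php hunks in this changeset), so front-end pages are deliberately unaffected.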
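--- a/branches/3.1/wp-includes/meta.php
+++ b/branches/3.1/wp-includes/meta.php
@@ -46,4 +46,5 @@
     $meta_key = stripslashes($meta_key);
     $meta_value = stripslashes_deep($meta_value);
+    $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 
     $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
@@ -114,4 +115,5 @@
     $meta_key = stripslashes($meta_key);
     $meta_value = stripslashes_deep($meta_value);
+    $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 
     $check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
@@ -489,3 +491,32 @@
     return $wpdb->$table_name;
 }
+
+/**
+ * Determine whether a meta key is protected
+ *
+ * @since 3.1.3
+ *
+ * @param string $meta_key Meta key
+ * @return bool True if the key is protected, false otherwise.
+ */
+function is_protected_meta( $meta_key, $meta_type = null ) {
+    $protected = (  '_' == $meta_key[0] );
+
+    return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
+}
+
+/**
+ * Sanitize meta value
+ *
+ * @since 3.1.3
+ *
+ * @param string $meta_key Meta key
+ * @param mixed $meta_value Meta value to sanitize
+ * @param string $meta_type Type of meta
+ * @return mixed Sanitized $meta_value
+ */
+function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) {
+    return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );
+}
+
 ?>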
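Review bot: `$meta_key[0]` at new line 503 raises an "uninitialized string offset" notice when `$meta_key` is the empty string, and yields nothing meaningful for a non-string key; `$protected = ( '_' == substr( (string) $meta_key, 0, 1 ) );` returns false in both cases without the notice. The docblock above it omits the `$meta_type` parameter, which is forwarded to the filter; add `@param string $meta_type Optional. Type of meta, passed through to the filter`. sanitize_meta() below is a pure filter hook and its docblock already says so; the two new `sanitize_meta()` calls in the first hunks run after stripslashes, which is the right order for filter authors expecting unslashed data.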
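--- a/branches/3.1/wp-includes/post.php
+++ b/branches/3.1/wp-includes/post.php
@@ -558,10 +558,16 @@
         return false;
 
-    // Unattached attachments are assumed to be published.
-    if ( ('attachment' == $post->post_type) && ('inherit' == $post->post_status) && ( 0 == $post->post_parent) )
-        return 'publish';
-
-    if ( ('attachment' == $post->post_type) && $post->post_parent && ($post->ID != $post->post_parent) )
-        return get_post_status($post->post_parent);
+    if ( 'attachment' == $post->post_type ) {
+        if ( 'private' == $post->post_status )
+            return 'private';
+
+        // Unattached attachments are assumed to be published
+        if ( ( 'inherit' == $post->post_status ) && ( 0 == $post->post_parent) )
+            return 'publish';
+
+        // Inherit status from the parent
+        if ( $post->post_parent && ( $post->ID != $post->post_parent ) )
+            return get_post_status($post->post_parent);
+    }
 
     return $post->post_status;
@@ -3533,8 +3539,8 @@
     global $wpdb, $user_ID;
 
-    $defaults = array('post_status' => 'draft', 'post_type' => 'post', 'post_author' => $user_ID,
+    $defaults = array('post_status' => 'inherit', 'post_type' => 'post', 'post_author' => $user_ID,
         'ping_status' => get_option('default_ping_status'), 'post_parent' => 0,
         'menu_order' => 0, 'to_ping' =>  '', 'pinged' => '', 'post_password' => '',
-        'guid' => '', 'post_content_filtered' => '', 'post_excerpt' => '', 'import_id' => 0);
+        'guid' => '', 'post_content_filtered' => '', 'post_excerpt' => '', 'import_id' => 0, 'context' => '');
 
     $object = wp_parse_args($object, $defaults);
@@ -3551,5 +3557,7 @@
 
     $post_type = 'attachment';
-    $post_status = 'inherit';
+
+    if ( ! in_array( $post_status, array( 'inherit', 'private' ) ) )
+        $post_status = 'inherit';
 
     // Make sure we set a valid category.
@@ -3653,4 +3661,7 @@
     if ( isset($post_parent) && $post_parent < 0 )
         add_post_meta($post_ID, '_wp_attachment_temp_parent', $post_parent, true);
+
+    if ( ! empty( $context ) )
+        add_post_meta( $post_ID, '_wp_attachment_context', $context, true );
 
     if ( $update) {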
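Review bot: `$context` at new line 3665 is stored verbatim as `_wp_attachment_context` meta with no sanitization or allow-list; the callers in this changeset pass fixed strings (`custom-header`, `custom-background`, `import`), so the value is trusted by convention only. Presumably `$context` is the `'context' => ''` default from the second hunk reaching this scope through an extract() of the parsed `$object` that is outside the hunk; a comment such as `// $context is a caller-supplied fixed identifier (custom-header, import, ...), never request input` would make that contract visible. The rewritten get_post_status() branch in the first hunk reads correctly: a private attachment now reports `private` before parent inheritance is considered. The enclosing functions start and end outside these hunks.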
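--- a/branches/3.1/wp-includes/query.php
+++ b/branches/3.1/wp-includes/query.php
@@ -2232,8 +2232,4 @@
         }
 
-        if ( !empty( $this->tax_query->queries ) || !empty( $q['meta_key'] ) ) {
-            $groupby = "{$wpdb->posts}.ID";
-        }
-
         // Author/user stuff
 
@@ -2479,4 +2475,8 @@
             $join .= $clauses['join'];
             $where .= $clauses['where'];
+        }
+
+        if ( ! empty( $this->tax_query->queries ) || ! empty( $q['meta_query'] ) ) {
+            $groupby = "{$wpdb->posts}.ID";
         }
 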
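Review bot: The relocated GROUP BY condition at new line 2479 keys on `$q['meta_query']` where the removed one keyed on `$q['meta_key']`; that is only equivalent if a `meta_key`/`meta_value` query has already been folded into `meta_query` before this point, which neither hunk shows. If that conversion happens earlier in the method the change is correct and deserves a comment, e.g. `// meta_key/meta_value have already been merged into meta_query, so this covers both`; if not, a meta_key-only query loses its GROUP BY and can return duplicate rows from the meta join. The enclosing method starts and ends outside both hunks.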
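--- a/branches/3.1/wp-includes/taxonomy.php
+++ b/branches/3.1/wp-includes/taxonomy.php
@@ -1256,6 +1256,8 @@
     }
 
-    if ( !empty($name__like) )
-        $where .= " AND t.name LIKE '" . like_escape( $name__like ) . "%'";
+    if ( !empty($name__like) ) {
+        $name__like = like_escape( $name__like );
+        $where .= $wpdb->prepare( " AND t.name LIKE %s", $name__like . '%' );
+    }
 
     if ( '' !== $parent ) {
@@ -1279,5 +1281,5 @@
     if ( !empty($search) ) {
         $search = like_escape($search);
-        $where .= " AND (t.name LIKE '%$search%')";
+        $where .= $wpdb->prepare( " AND (t.name LIKE %s)", '%' . $search . '%');
     }
 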
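--- a/branches/3.1/wp-includes/theme.php
+++ b/branches/3.1/wp-includes/theme.php
@@ -1436,5 +1436,5 @@
         $url = str_replace( 'https://', 'http://', $url );
 
-    return $url;
+    return esc_url_raw( $url );
 }
 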
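--- a/branches/3.1/wp-includes/version.php
+++ b/branches/3.1/wp-includes/version.php
@@ -23,5 +23,5 @@
  * @global string $wp_version
  */
-$wp_version = '3.1.2';
+$wp_version = '3.1.3';
 
 /**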
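--- a/branches/3.1/wp-login.php
+++ b/branches/3.1/wp-login.php
@@ -369,5 +369,6 @@
 
 // allow plugins to override the default actions, and to add extra actions if they want
-do_action('login_form_' . $action);
+do_action( 'login_init' );
+do_action( 'login_form_' . $action );
 
 $http_post = ('POST' == $_SERVER['REQUEST_METHOD']);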