Changeset 1924 for trunk

Timestamp:

05/29/2011 10:05:36 AM (12 months ago)

Author:

Xiping.Wang

Message:

[trunk]Upgrade wordpress 3.1.3

Location:

trunk/blogs

Files:

• readme.html (modified) (1 diff)
• wp-admin/admin-ajax.php (modified) (2 diffs)
• wp-admin/custom-background.php (modified) (1 diff)
• wp-admin/custom-header.php (modified) (2 diffs)
• wp-admin/includes/class-wp-plugins-list-table.php (modified) (2 diffs)
• wp-admin/includes/import.php (modified) (2 diffs)
• wp-admin/includes/media.php (modified) (1 diff)
• wp-admin/includes/post.php (modified) (8 diffs)
• wp-admin/includes/template.php (modified) (1 diff)
• wp-admin/includes/update-core.php (modified) (1 diff)
• wp-admin/ms-delete-site.php (modified) (2 diffs)
• wp-admin/plugins.php (modified) (1 diff)
• wp-admin/press-this.php (modified) (1 diff)
• wp-app.php (modified) (1 diff)
• wp-includes/canonical.php (modified) (1 diff)
• wp-includes/class-oembed.php (modified) (1 diff)
• wp-includes/default-filters.php (modified) (5 diffs)
• wp-includes/formatting.php (modified) (2 diffs)
• wp-includes/functions.php (modified) (1 diff)
• wp-includes/meta.php (modified) (3 diffs)
• wp-includes/post.php (modified) (4 diffs)
• wp-includes/query.php (modified) (2 diffs)
• wp-includes/taxonomy.php (modified) (2 diffs)
• wp-includes/theme.php (modified) (1 diff)
• wp-includes/version.php (modified) (1 diff)
• wp-login.php (modified) (1 diff)

trunk/blogs/readme.html

@@ -9 +9 @@
 <h1 id="logo">
         <a href="http://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" width="250" height="68" /></a>
-        <br /> Version 3.1.2
+        <br /> Version 3.1.3
 </h1>
 <p style="text-align: center">Semantic Personal Publishing Platform</p>

trunk/blogs/wp-admin/admin-ajax.php

@@ -397 +397 @@
                 die('1');
 
-        if ( !current_user_can( 'edit_post', $meta->post_id ) )
+        if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )
                 die('-1');
         if ( delete_meta( $meta->meta_id ) )
@@ -856 +856 @@
                 if ( !current_user_can( 'edit_post', $meta->post_id ) )
                         die('-1');
+                if ( is_protected_meta( $meta->meta_key ) )
+                        die('-1');
                 if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
                         if ( !$u = update_meta( $mid, $key, $value ) )

trunk/blogs/wp-admin/custom-background.php

@@ -338 +338 @@
                         'post_content' => $url,
                         'post_mime_type' => $type,
-                        'guid' => $url
+                        'guid' => $url,
+                        'context' => 'custom-background'
                 );
 

trunk/blogs/wp-admin/custom-header.php

@@ -596 +596 @@
                 'post_content' => $url,
                 'post_mime_type' => $type,
-                'guid' => $url);
+                'guid' => $url,
+                'context' => 'custom-header');
 
                 // Save the data
@@ -688 +689 @@
                         'post_content' => $url,
                         'post_mime_type' => 'image/jpeg',
-                        'guid' => $url
+                        'guid' => $url,
+                        'context' => 'custom-header'
                 );
 

trunk/blogs/wp-admin/includes/class-wp-plugins-list-table.php

@@ -196 +196 @@
         }
 
-        function display_tablenav( $which ) {
-                global $status;
-
-                if ( !in_array( $status, array( 'mustuse', 'dropins' ) ) )
-                        parent::display_tablenav( $which );
-        }
-
         function get_views() {
                 global $totals, $status;
@@ -287 +280 @@
                 global $status;
 
-                if ( 'recently_activated' == $status ) { ?>
-                        <div class="alignleft actions">
-                                <?php submit_button( __( 'Clear List' ), 'secondary', 'clear-recent-list', false ); ?>
-                        </div>
-                <?php }
+                if ( ! in_array($status, array('recently_activated', 'mustuse', 'dropins') ) )
+                        return;
+
+                echo '<div class="alignleft actions">';
+
+                if ( 'recently_activated' == $status )
+                        submit_button( __( 'Clear List' ), 'secondary', 'clear-recent-list', false );
+                elseif ( 'top' == $which && 'mustuse' == $status )
+                        echo '<p>' . __( 'Files in the <code>/wp-content/mu-plugins</code> directory are executed automatically.' ) . '</p>';
+                elseif ( 'top' == $which && 'dropins' == $status )
+                        echo '<p>' . __( 'Drop-ins are advanced plugins in the <code>/wp-content</code> directory that replace WordPress functionality when present.' ) . '</p>';
+
+                echo '</div>';
         }
 

trunk/blogs/wp-admin/includes/import.php

@@ -81 +81 @@
                 'post_content' => $url,
                 'post_mime_type' => $type,
-                'guid' => $url
+                'guid' => $url,
+                'context' => 'import',
+                'post_status' => 'private'
         );
 
@@ -87 +89 @@
         $id = wp_insert_attachment( $object, $file );
 
+        // schedule a cleanup for one day from now in case of failed import or missing wp_import_cleanup() call
+        wp_schedule_single_event( time() + 86400, 'importer_scheduled_cleanup', array( $id ) );
+
         return array( 'file' => $file, 'id' => $id );
 }

trunk/blogs/wp-admin/includes/media.php

@@ -1193 +1193 @@
         $toggle_off = __( 'Hide' );
 
-        $filename = basename( $post->guid );
+        $filename = esc_html( basename( $post->guid ) );
         $title = esc_attr( $post->post_title );
 

trunk/blogs/wp-admin/includes/post.php

@@ -139 +139 @@
         $post = get_post( $post_ID );
         $post_data['post_type'] = $post->post_type;
+        $post_data['post_mime_type'] = $post->post_mime_type;
 
         $ptype = get_post_type_object($post_data['post_type']);
@@ -200 +201 @@
                         if ( $meta->post_id != $post_ID )
                                 continue;
+                        if ( is_protected_meta( $value['key'] ) )
+                                continue;
                         update_meta( $key, $value['key'], $value['value'] );
                 }
@@ -209 +212 @@
                                 continue;
                         if ( $meta->post_id != $post_ID )
+                                continue;
+                        if ( is_protected_meta( $meta->meta_key ) )
                                 continue;
                         delete_meta( $key );
@@ -528 +533 @@
         }
 
+        $_POST['post_mime_type'] = '';
+
         // Check for autosave collisions
         // Does this need to be updated? ~ Mark
@@ -633 +640 @@
         $post_ID = (int) $post_ID;
 
-        $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
-
         $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
         $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
@@ -651 +656 @@
                         $metakey = $metakeyinput; // default
 
-                if ( in_array($metakey, $protected) )
+                if ( is_protected_meta( $metakey ) )
                         return false;
 
@@ -757 +762 @@
         global $wpdb;
 
-        $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
-
         $meta_key = stripslashes($meta_key);
 
-        if ( in_array($meta_key, $protected) )
+        if ( is_protected_meta( $meta_key ) )
                 return false;
 
@@ -994 +997 @@
         $q['cat'] = isset( $q['cat'] ) ? (int) $q['cat'] : 0;
         $q['post_type'] = 'attachment';
-        $q['post_status'] = isset( $q['status'] ) && 'trash' == $q['status'] ? 'trash' : 'inherit';
+        $post_type = get_post_type_object( 'attachment' );
+        $states = array( 'inherit' );
+        if ( current_user_can( $post_type->cap->read_private_posts ) )
+                $states[] = 'private';
+
+        $q['post_status'] = isset( $q['status'] ) && 'trash' == $q['status'] ? 'trash' : $states;
         $media_per_page = (int) get_user_option( 'upload_per_page' );
         if ( empty( $media_per_page ) || $media_per_page < 1 )

trunk/blogs/wp-admin/includes/template.php

@@ -466 +466 @@
 function _list_meta_row( $entry, &$count ) {
         static $update_nonce = false;
+
+        if ( is_protected_meta( $entry['meta_key'] ) )
+                return;
+
         if ( !$update_nonce )
                 $update_nonce = wp_create_nonce( 'add-meta' );

trunk/blogs/wp-admin/includes/update-core.php

@@ -295 +295 @@
         $required_php_version = '4.3';
         $required_mysql_version = '4.1.2';
-        $wp_version = '3.1.2';
+        $wp_version = '3.1.3';
         $php_compat     = version_compare( $php_version, $required_php_version, '>=' );
         $mysql_compat   = version_compare( $mysql_version, $required_mysql_version, '>=' ) || file_exists( WP_CONTENT_DIR . '/db.php' );

trunk/blogs/wp-admin/ms-delete-site.php

@@ -35 +35 @@
 
 if ( isset( $_POST['action'] ) && $_POST['action'] == 'deleteblog' && isset( $_POST['confirmdelete'] ) && $_POST['confirmdelete'] == '1' ) {
+        check_admin_referer( 'delete-blog' );
+
         $hash = wp_generate_password( 20, false );
         update_option( 'delete_blog_hash', $hash );
@@ -69 +71 @@
 
         <form method="post" name="deletedirect">
+                <?php wp_nonce_field( 'delete-blog' ) ?>
                 <input type="hidden" name="action" value="deleteblog" />
                 <p><input id="confirmdelete" type="checkbox" name="confirmdelete" value="1" /> <label for="confirmdelete"><strong><?php printf( __( "I'm sure I want to permanently disable my site, and I am aware I can never get it back or use %s again." ), is_subdomain_install() ? $current_blog->domain : $current_blog->domain . $current_blog->path ); ?></strong></label></p>
                 <?php submit_button( __( 'Delete My Site Permanently' ) ); ?>
         </form>
-        <?php
+        <?php
 }
 echo '</div>';

trunk/blogs/wp-admin/plugins.php

@@ -408 +408 @@
 <input type="hidden" name="paged" value="<?php echo esc_attr($page) ?>" />
 
-<?php
-if ( 'mustuse' == $status )
-        echo '<br class="clear" /><p>' . __( 'Files in the <code>/wp-content/mu-plugins</code> directory are executed automatically.' ) . '</p>';
-elseif ( 'dropins' == $status )
-        echo '<br class="clear" /><p>' . __( 'Drop-ins are advanced plugins in the <code>/wp-content</code> directory that replace WordPress functionality when present.' ) . '</p>';
-?>
-
 <?php $wp_list_table->display(); ?>
 </form>

trunk/blogs/wp-admin/press-this.php

@@ -226 +226 @@
                                         else
                                                 $src = 'http://'.str_replace('//','/', $host['host'].'/'.dirname($host['path']).'/'.$src);
-                                $sources[] = esc_attr($src);
+                                $sources[] = esc_url($src);
                         }
                         return "'" . implode("','", $sources) . "'";

trunk/blogs/wp-app.php

@@ -608 +608 @@
                 $slug = '';
                 if ( isset( $_SERVER['HTTP_SLUG'] ) )
-                        $slug = sanitize_file_name( $_SERVER['HTTP_SLUG'] );
+                        $slug = $_SERVER['HTTP_SLUG'];
                 elseif ( isset( $_SERVER['HTTP_TITLE'] ) )
-                        $slug = sanitize_file_name( $_SERVER['HTTP_TITLE'] );
+                        $slug = $_SERVER['HTTP_TITLE'];
                 elseif ( empty( $slug ) ) // just make a random name
                         $slug = substr( md5( uniqid( microtime() ) ), 0, 7);
                 $ext = preg_replace( '|.*/([a-z0-9]+)|', '$1', $_SERVER['CONTENT_TYPE'] );
-                $slug = "$slug.$ext";
+                $slug = sanitize_file_name( "$slug.$ext" );
                 $file = wp_upload_bits( $slug, NULL, $bits);
 

trunk/blogs/wp-includes/canonical.php

@@ -142 +142 @@
                 } elseif ( is_author() && !empty($_GET['author']) && preg_match( '|^[0-9]+$|', $_GET['author'] ) ) {
                         $author = get_userdata(get_query_var('author'));
-                        if ( false !== $author && $redirect_url = get_author_posts_url($author->ID, $author->user_nicename) )
-                                $redirect['query'] = remove_query_arg('author', $redirect['query']);
+                        if ( ( false !== $author ) && $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE $wpdb->posts.post_author = %d AND $wpdb->posts.post_status = 'publish' LIMIT 1", $author->ID ) ) ) {
+                                if ( $redirect_url = get_author_posts_url($author->ID, $author->user_nicename) )
+                                        $redirect['query'] = remove_query_arg('author', $redirect['query']);
+                        }
                 } elseif ( is_category() || is_tag() || is_tax() ) { // Terms (Tags/categories)
 

trunk/blogs/wp-includes/class-oembed.php

@@ -166 +166 @@
                 $args = wp_parse_args( $args, wp_embed_defaults() );
 
-                $provider = add_query_arg( 'maxwidth', $args['width'], $provider );
-                $provider = add_query_arg( 'maxheight', $args['height'], $provider );
+                $provider = add_query_arg( 'maxwidth', (int) $args['width'], $provider );
+                $provider = add_query_arg( 'maxheight', (int) $args['height'], $provider );
                 $provider = add_query_arg( 'url', urlencode($url), $provider );
 

trunk/blogs/wp-includes/default-filters.php

@@ -59 +59 @@
 // Save URL
 foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
-        'pre_link_rss' ) as $filter ) {
+        'pre_link_rss', 'pre_post_guid' ) as $filter ) {
         add_filter( $filter, 'wp_strip_all_tags' );
         add_filter( $filter, 'esc_url_raw'       );
@@ -66 +66 @@
 
 // Display URL
-foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url' ) as $filter ) {
+foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) {
         if ( is_admin() )
                 add_filter( $filter, 'wp_strip_all_tags' );
@@ -86 +86 @@
         add_filter( $filter, 'sanitize_key' );
 }
+
+// Mime types
+add_filter( 'pre_post_mime_type', 'sanitize_mime_type' );
+add_filter( 'post_mime_type', 'sanitize_mime_type' );
 
 // Places to balance tags on input
@@ -219 +223 @@
 add_action( 'login_head',          'wp_print_head_scripts',         9     );
 add_action( 'login_footer',        'wp_print_footer_scripts'              );
+add_action( 'login_init',          'send_frame_options_header',     10, 0 );
 
 // Feed Generator Tags
@@ -250 +255 @@
 add_action( 'comment_form', 'wp_comment_form_unfiltered_html_nonce'        );
 add_action( 'wp_scheduled_delete',        'wp_scheduled_delete'            );
+add_action( 'admin_init',                 'send_frame_options_header', 10, 0 );
+add_action( 'importer_scheduled_cleanup', 'wp_delete_attachment'           );
 
 // Navigation menu actions

trunk/blogs/wp-includes/formatting.php

@@ -719 +719 @@
                         $allowed = false;
                         foreach ( $mimes as $ext_preg => $mime_match ) {
-                                $ext_preg = '!(^' . $ext_preg . ')$!i';
+                                $ext_preg = '!^(' . $ext_preg . ')$!i';
                                 if ( preg_match( $ext_preg, $part ) ) {
                                         $allowed = true;
@@ -2904 +2904 @@
 }
 
+/**
+ * Sanitize a mime type
+ *
+ * @since 3.1.3
+ *
+ * @param string $mime_type Mime type
+ * @return string Sanitized mime type
+ */
+function sanitize_mime_type( $mime_type ) {
+        $sani_mime_type = preg_replace( '/[^-*.a-zA-Z0-9\/]/', '', $mime_type );
+        return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
+}
+
 ?>

trunk/blogs/wp-includes/functions.php

@@ -4483 +4483 @@
 }
 
+/**
+ * Send a HTTP header to limit rendering of pages to same origin iframes.
+ *
+ * @link https://developer.mozilla.org/en/the_x-frame-options_response_header
+ *
+ * @since 3.1.3
+ * @return none
+ */
+function send_frame_options_header() {
+        @header( 'X-Frame-Options: SAMEORIGIN' );
+}
+
 ?>

trunk/blogs/wp-includes/meta.php

@@ -46 +46 @@
         $meta_key = stripslashes($meta_key);
         $meta_value = stripslashes_deep($meta_value);
+        $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 
         $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
@@ -114 +115 @@
         $meta_key = stripslashes($meta_key);
         $meta_value = stripslashes_deep($meta_value);
+        $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 
         $check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
@@ -489 +491 @@
         return $wpdb->$table_name;
 }
+
+/**
+ * Determine whether a meta key is protected
+ *
+ * @since 3.1.3
+ *
+ * @param string $meta_key Meta key
+ * @return bool True if the key is protected, false otherwise.
+ */
+function is_protected_meta( $meta_key, $meta_type = null ) {
+        $protected = (  '_' == $meta_key[0] );
+
+        return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
+}
+
+/**
+ * Sanitize meta value
+ *
+ * @since 3.1.3
+ *
+ * @param string $meta_key Meta key
+ * @param mixed $meta_value Meta value to sanitize
+ * @param string $meta_type Type of meta
+ * @return mixed Sanitized $meta_value
+ */
+function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) {
+        return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );
+}
+
 ?>

trunk/blogs/wp-includes/post.php

@@ -558 +558 @@
                 return false;
 
-        // Unattached attachments are assumed to be published.
-        if ( ('attachment' == $post->post_type) && ('inherit' == $post->post_status) && ( 0 == $post->post_parent) )
-                return 'publish';
-
-        if ( ('attachment' == $post->post_type) && $post->post_parent && ($post->ID != $post->post_parent) )
-                return get_post_status($post->post_parent);
+        if ( 'attachment' == $post->post_type ) {
+                if ( 'private' == $post->post_status )
+                        return 'private';
+
+                // Unattached attachments are assumed to be published
+                if ( ( 'inherit' == $post->post_status ) && ( 0 == $post->post_parent) )
+                        return 'publish';
+
+                // Inherit status from the parent
+                if ( $post->post_parent && ( $post->ID != $post->post_parent ) )
+                        return get_post_status($post->post_parent);
+        }
 
         return $post->post_status;
@@ -3533 +3539 @@
         global $wpdb, $user_ID;
 
-        $defaults = array('post_status' => 'draft', 'post_type' => 'post', 'post_author' => $user_ID,
+        $defaults = array('post_status' => 'inherit', 'post_type' => 'post', 'post_author' => $user_ID,
                 'ping_status' => get_option('default_ping_status'), 'post_parent' => 0,
                 'menu_order' => 0, 'to_ping' =>  '', 'pinged' => '', 'post_password' => '',
-                'guid' => '', 'post_content_filtered' => '', 'post_excerpt' => '', 'import_id' => 0);
+                'guid' => '', 'post_content_filtered' => '', 'post_excerpt' => '', 'import_id' => 0, 'context' => '');
 
         $object = wp_parse_args($object, $defaults);
@@ -3551 +3557 @@
 
         $post_type = 'attachment';
-        $post_status = 'inherit';
+
+        if ( ! in_array( $post_status, array( 'inherit', 'private' ) ) )
+                $post_status = 'inherit';
 
         // Make sure we set a valid category.
@@ -3653 +3661 @@
         if ( isset($post_parent) && $post_parent < 0 )
                 add_post_meta($post_ID, '_wp_attachment_temp_parent', $post_parent, true);
+
+        if ( ! empty( $context ) )
+                add_post_meta( $post_ID, '_wp_attachment_context', $context, true );
 
         if ( $update) {

trunk/blogs/wp-includes/query.php

@@ -2232 +2232 @@
                 }
 
-                if ( !empty( $this->tax_query->queries ) || !empty( $q['meta_key'] ) ) {
-                        $groupby = "{$wpdb->posts}.ID";
-                }
-
                 // Author/user stuff
 
@@ -2479 +2475 @@
                         $join .= $clauses['join'];
                         $where .= $clauses['where'];
+                }
+
+                if ( ! empty( $this->tax_query->queries ) || ! empty( $q['meta_query'] ) ) {
+                        $groupby = "{$wpdb->posts}.ID";
                 }
 

trunk/blogs/wp-includes/taxonomy.php

@@ -1256 +1256 @@
         }
 
-        if ( !empty($name__like) )
-                $where .= " AND t.name LIKE '" . like_escape( $name__like ) . "%'";
+        if ( !empty($name__like) ) {
+                $name__like = like_escape( $name__like );
+                $where .= $wpdb->prepare( " AND t.name LIKE %s", $name__like . '%' );
+        }
 
         if ( '' !== $parent ) {
@@ -1279 +1281 @@
         if ( !empty($search) ) {
                 $search = like_escape($search);
-                $where .= " AND (t.name LIKE '%$search%')";
+                $where .= $wpdb->prepare( " AND (t.name LIKE %s)", '%' . $search . '%');
         }
 

trunk/blogs/wp-includes/theme.php

@@ -1436 +1436 @@
                 $url = str_replace( 'https://', 'http://', $url );
 
-        return $url;
+        return esc_url_raw( $url );
 }
 

trunk/blogs/wp-includes/version.php

@@ -23 +23 @@
  * @global string $wp_version
  */
-$wp_version = '3.1.2';
+$wp_version = '3.1.3';
 
 /**

trunk/blogs/wp-login.php

@@ -369 +369 @@
 
 // allow plugins to override the default actions, and to add extra actions if they want
-do_action('login_form_' . $action);
+do_action( 'login_init' );
+do_action( 'login_form_' . $action );
 
 $http_post = ('POST' == $_SERVER['REQUEST_METHOD']);