Index: wp-includes/query.php =================================================================== --- wp-includes/query.php (.../2.3.1) (revision 6582) +++ wp-includes/query.php (.../2.3.2) (revision 6582) @@ -32,9 +32,9 @@ */ function is_admin () { - global $wp_query; - - return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false)); + if ( defined('WP_ADMIN') ) + return WP_ADMIN; + return false; } function is_archive () { @@ -642,7 +642,7 @@ if ('' != $qv['preview']) $this->is_preview = true; - if ( strpos($_SERVER['PHP_SELF'], 'wp-admin/') !== false ) + if ( is_admin() ) $this->is_admin = true; if ( false !== strpos($qv['feed'], 'comments-') ) { Index: wp-includes/wp-db.php =================================================================== --- wp-includes/wp-db.php (.../2.3.1) (revision 6582) +++ wp-includes/wp-db.php (.../2.3.2) (revision 6582) @@ -15,11 +15,12 @@ class wpdb { - var $show_errors = true; + var $show_errors = false; var $num_queries = 0; var $last_query; var $col_info; var $queries; + var $ready = false; // Our tables var $posts; @@ -56,6 +57,9 @@ function __construct($dbuser, $dbpassword, $dbname, $dbhost) { register_shutdown_function(array(&$this, "__destruct")); + if ( defined('WP_DEBUG') and WP_DEBUG == true ) + $this->show_errors(); + if ( defined('DB_CHARSET') ) $this->charset = DB_CHARSET; @@ -74,8 +78,11 @@
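Review bot: `is_admin()` returns the raw value of `WP_ADMIN` when the constant is defined, so a bootstrap that defines it to anything other than a bool hands that value back to callers that expect one; a one-line form keeps the contract strict: `return defined('WP_ADMIN') && (bool) WP_ADMIN;`. Dropping the `REQUEST_URI` and `PHP_SELF` substring tests (both hunks of this file) in favour of a constant set server-side is the right direction, since those strings are request-controlled and a client could satisfy the old test by putting `wp-admin/` anywhere in the path or query. The docblock above `is_admin()` starts outside the hunk and should now state that the result depends only on `WP_ADMIN` being defined by the admin bootstrap, not on the URL.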
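Review bot: `bail()` later in this file assigns `$this->error`, but the property list in the `@@ -15` hunk only gains `var $ready = false;` — `var $error;` should be declared next to it (with a comment that it holds a `WP_Error` or a string from a failed connect/select) rather than springing into existence dynamically; I cannot see the rest of the class, so skip this if it is declared further down. In the constructor hunk, `WP_DEBUG == true` is a loose comparison: a config that sets `WP_DEBUG` to the string `'false'` still enables HTML error output, so `defined('WP_DEBUG') && WP_DEBUG === true` is safer. Defaulting `$show_errors` to `false` is a good production default, since the printed branch of `print_error()` echoes the failing SQL to anonymous visitors.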

If you're unsure what these terms mean you should probably contact your host. If you still need help you can always visit the WordPress Support Forums.

"); + return; } + $this->ready = true; + if ( !empty($this->charset) && version_compare(mysql_get_server_info(), '4.1.0', '>=') ) $this->query("SET NAMES '$this->charset'"); @@ -92,14 +99,17 @@ */ function select($db) { if (!@mysql_select_db($db, $this->dbh)) { + $this->ready = false; $this->bail("

Can’t select database

We were able to connect to the database server (which means your username and password is okay) but not able to select the $db database.

If you don't know how to setup a database you should contact your host. If all else fails you may find help at the WordPress Support Forums.

"); + return; } } @@ -149,29 +159,36 @@ $EZSQL_ERROR[] = array ('query' => $this->last_query, 'error_str' => $str); + $error_str = "WordPress database error $str for query $this->last_query"; + error_log($error_str, 0); + + // Is error output turned on or not.. + if ( !$this->show_errors ) + return false; + $str = htmlspecialchars($str, ENT_QUOTES); $query = htmlspecialchars($this->last_query, ENT_QUOTES); - // Is error output turned on or not.. - if ( $this->show_errors ) { - // If there is an error then take note of it - print "
-

WordPress database error: [$str]
- $query

-
"; - } else { - return false; - } + + // If there is an error then take note of it + print "
+

WordPress database error: [$str]
+ $query

+
"; } // ================================================================== // Turn error handling on or off.. - function show_errors() { - $this->show_errors = true; + function show_errors( $show = true ) { + $errors = $this->show_errors; + $this->show_errors = $show; + return $errors; } function hide_errors() { + $show = $this->show_errors; $this->show_errors = false; + return $show; } // ================================================================== @@ -187,6 +204,9 @@ // Basic Query - see docs for more detail function query($query) { + if ( ! $this->ready ) + return false; + // filter the query, if filters are available // NOTE: some queries are made before the plugins have been loaded, and thus cannot be filtered with this method if ( function_exists('apply_filters') ) @@ -399,12 +419,17 @@ * @param string $message */ function bail($message) { // Just wraps errors in a nice header and footer - if ( !$this->show_errors ) + if ( !$this->show_errors ) { + if ( class_exists('WP_Error') ) + $this->error = new WP_Error('500', $message); + else + $this->error = $message; return false; + } wp_die($message); } } if ( ! isset($wpdb) ) $wpdb = new wpdb(DB_USER, DB_PASSWORD, DB_NAME, DB_HOST); -?> \ No newline at end of file +?> Index: wp-includes/formatting.php =================================================================== --- wp-includes/formatting.php (.../2.3.1) (revision 6582) +++ wp-includes/formatting.php (.../2.3.2) (revision 6582) 
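Review bot: `error_log($error_str, 0)` now runs before the `show_errors` check, so the complete failing SQL text — which can carry option values, user data or credential hashes — is written to the web server's error log on every failure regardless of the display setting; that is the right place for it, but it deserves a comment so nobody later routes the log somewhere world-readable: `// Always log; the query text may contain sensitive data, so keep the error log private.`. The message is logged unescaped and only HTML-escaped for the printed branch, which is correct. `show_errors()`/`hide_errors()` now return the previous state and every caller in this commit restores it, which fixes the old pattern of unconditionally re-enabling output.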
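Review bot: `bail()` stores either a `WP_Error` or a bare string in `$this->error` depending on whether `WP_Error` is loaded, but the consumers added in this commit assume the object form — `dead_db()` in functions.php passes `$wpdb->error` straight to `wp_die()`, and the wp-admin/admin.php and wp-admin/install.php hunks (whose guards are partly lost in this rendering) call `$wpdb->error->get_error_message()`. If wp-db.php can be constructed before classes.php is loaded, the string branch is live and those calls fail on a non-object; guard each consumer with `wp_die( is_wp_error($wpdb->error) ? $wpdb->error->get_error_message() : $wpdb->error );`. The new `if ( ! $this->ready ) return false;` at the top of `query()` is the right fail-closed default, but callers that test `get_row()`/`get_var()` results with `!` cannot distinguish "no rows" from "no connection", so a brief comment on `$ready` explaining that `$error` carries the reason would help.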
@@ -622,18 +622,35 @@ return $emailNOSPAMaddy; } +function _make_url_clickable_cb($matches) { + $url = $matches[2]; + $url = clean_url($url); + if ( empty($url) ) + return $matches[0]; + return $matches[1] . "$url"; +} + +function _make_web_ftp_clickable_cb($matches) { + $dest = $matches[2]; + $dest = 'http://' . $dest; + $dest = clean_url($dest); + if ( empty($dest) ) + return $matches[0]; + + return $matches[1] . "$dest"; +} + +function _make_email_clickable_cb($matches) { + $email = $matches[2] . '@' . $matches[3]; + return $matches[1] . "$email"; +} + function make_clickable($ret) { $ret = ' ' . $ret; // in testing, using arrays here was found to be faster - $ret = preg_replace( - array( - '#([\s>])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', - '#([\s>])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', - '#([\s>])([a-z0-9\-_.]+)@([^,< \n\r]+)#i'), - array( - '$1$2', - '$1$2', - '$1$2@$3'),$ret); + $ret = preg_replace_callback('#([\s>])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', '_make_url_clickable_cb', $ret); + $ret = preg_replace_callback('#([\s>])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', '_make_web_ftp_clickable_cb', $ret); + $ret = preg_replace_callback('#([\s>])([.0-9a-z_+-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,})#i', '_make_email_clickable_cb', $ret); // this one is not in an array because we need it to run last, for cleanup of accidental links within links $ret = preg_replace("#(]+?>|>))]+?>([^>]+?)#i", "$1$3", $ret); $ret = trim($ret); Index: wp-includes/taxonomy.php =================================================================== --- wp-includes/taxonomy.php (.../2.3.1) (revision 6582) +++ wp-includes/taxonomy.php (.../2.3.2) (revision 6582) 
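Review bot: `_make_email_clickable_cb` builds its link target from the match with no `clean_url()` pass, unlike the two URL callbacks above it, so its safety rests entirely on the tightened character classes `[.0-9a-z_+-]` and `([0-9a-z-]+\.)+[0-9a-z]{2,}` in the third pattern; that should be stated where the callback is defined so a later relaxation of the pattern does not silently reopen the injection the commit closes: `// No escaping here on purpose: the pattern's character classes already exclude quotes, angle brackets and whitespace.`. `"$url"`, `"$dest"` and `"$email"` interpolate a single variable and can be written as the bare variable. The fallback to `$matches[0]` when `clean_url()` returns an empty string is correct — the original text is left unlinked rather than emitting an empty target.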
@@ -663,6 +663,10 @@ * @return array|object Term with all fields sanitized */ function sanitize_term($term, $taxonomy, $context = 'display') { + + if ( 'raw' == $context ) + return $term; + $fields = array('term_id', 'name', 'description', 'slug', 'count', 'parent', 'term_group'); $do_object = false; Index: wp-includes/post.php =================================================================== --- wp-includes/post.php (.../2.3.1) (revision 6582) +++ wp-includes/post.php (.../2.3.2) (revision 6582) @@ -428,6 +428,10 @@ } function sanitize_post($post, $context = 'display') { + + if ( 'raw' == $context ) + return $post; + // TODO: Use array keys instead of hard coded list $fields = array('post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_date', 'post_date_gmt', 'post_parent', 'menu_order', 'post_mime_type', 'post_category'); @@ -1139,6 +1143,7 @@ $exclude = ''; $meta_key = ''; $meta_value = ''; + $hierarchical = false; $incpages = preg_split('/[\s,]+/',$include); if ( count($incpages) ) { foreach ( $incpages as $incpage ) { Index: wp-includes/version.php =================================================================== --- wp-includes/version.php (.../2.3.1) (revision 6582) +++ wp-includes/version.php (.../2.3.2) (revision 6582) @@ -2,7 +2,7 @@ // This holds the version number in a separate file so we can bump it without cluttering the SVN -$wp_version = '2.3.1'; +$wp_version = '2.3.2'; $wp_db_version = 6124; ?> Index: wp-includes/pluggable.php =================================================================== --- wp-includes/pluggable.php (.../2.3.1) (revision 6582) +++ wp-includes/pluggable.php (.../2.3.2) (revision 6582) 
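Review bot: the new `'raw'` early return in `sanitize_term()` skips every field filter, so the docblock that starts above the hunk (`@return array|object Term with all fields sanitized`) is now wrong for that context and should say that `'raw'` returns `$term` untouched and that callers using it must escape before output. The same applies to `sanitize_post()` in wp-includes/post.php, which gets the identical shortcut in this commit. A `'raw'` check placed before the field loop also means the `$context` value is the only thing standing between a caller and unsanitised data, so it is worth a one-line comment at the return: `// 'raw' is for internal reads only; never pass its result to output.`.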
@@ -72,9 +72,9 @@ if ( !$user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE ID = '$user_id' LIMIT 1") ) return false; - $wpdb->hide_errors(); + $show = $wpdb->hide_errors(); $metavalues = $wpdb->get_results("SELECT meta_key, meta_value FROM $wpdb->usermeta WHERE user_id = '$user_id'"); - $wpdb->show_errors(); + $wpdb->show_errors($show); if ($metavalues) { foreach ( $metavalues as $meta ) { Index: wp-includes/functions.php =================================================================== --- wp-includes/functions.php (.../2.3.1) (revision 6582) +++ wp-includes/functions.php (.../2.3.2) (revision 6582) @@ -198,10 +198,10 @@ if ( false === $value ) { if ( defined('WP_INSTALLING') ) - $wpdb->hide_errors(); + $show = $wpdb->hide_errors(); $row = $wpdb->get_row("SELECT option_value FROM $wpdb->options WHERE option_name = '$setting' LIMIT 1"); if ( defined('WP_INSTALLING') ) - $wpdb->show_errors(); + $wpdb->show_errors($show); if( is_object( $row) ) { // Has to be get_row instead of get_var because of funkiness with 0, false, null values $value = $row->option_value; @@ -236,11 +236,11 @@ function get_alloptions() { global $wpdb, $wp_queries; - $wpdb->hide_errors(); + $show = $wpdb->hide_errors(); if ( !$options = $wpdb->get_results("SELECT option_name, option_value FROM $wpdb->options WHERE autoload = 'yes'") ) { $options = $wpdb->get_results("SELECT option_name, option_value FROM $wpdb->options"); } - $wpdb->show_errors(); + $wpdb->show_errors($show); foreach ($options as $option) { // "When trying to design a foolproof system, 
@@ -263,10 +263,10 @@ $alloptions = wp_cache_get('alloptions', 'options'); if ( !$alloptions ) { - $wpdb->hide_errors(); + $show = $wpdb->hide_errors(); if ( !$alloptions_db = $wpdb->get_results("SELECT option_name, option_value FROM $wpdb->options WHERE autoload = 'yes'") ) $alloptions_db = $wpdb->get_results("SELECT option_name, option_value FROM $wpdb->options"); - $wpdb->show_errors(); + $wpdb->show_errors($show); $alloptions = array(); foreach ( (array) $alloptions_db as $o ) $alloptions[$o->option_name] = $o->option_value; @@ -892,9 +892,9 @@ function is_blog_installed() { global $wpdb; - $wpdb->hide_errors(); + $show = $wpdb->hide_errors(); $installed = $wpdb->get_var("SELECT option_value FROM $wpdb->options WHERE option_name = 'siteurl'"); - $wpdb->show_errors(); + $wpdb->show_errors($show); $install_status = !empty( $installed ) ? TRUE : FALSE; return $install_status; @@ -1419,4 +1419,36 @@ while ( @ob_end_flush() ); } +function dead_db() { + global $wpdb; + + // Load custom DB error template, if present. + if ( file_exists( ABSPATH . 'wp-content/db-error.php' ) ) { + require_once( ABSPATH . 'wp-content/db-error.php' ); + die(); + } + + // If installing or in the admin, provide the verbose message. + if ( defined('WP_INSTALLING') || defined('WP_ADMIN') ) + wp_die($wpdb->error); + + // Otherwise, be terse. + status_header( 500 ); + nocache_headers(); + header( 'Content-Type: text/html; charset=utf-8' ); ?> + +> + + Database Error + + + +

Error establishing a database connection

+ + + Index: wp-app.php =================================================================== --- wp-app.php (.../2.3.1) (revision 6582) +++ wp-app.php (.../2.3.2) (revision 6582) @@ -159,6 +159,10 @@ function get_service() { log_app('function','get_service()'); + + if( !current_user_can( 'edit_posts' ) ) + $this->auth_required( __( 'Sorry, you do not have the right to access this blog.' ) ); + $entries_url = attribute_escape($this->get_entries_url()); $categories_url = attribute_escape($this->get_categories_url()); $media_url = attribute_escape($this->get_attachments_url()); @@ -188,8 +192,11 @@ } function get_categories_xml() { + log_app('function','get_categories_xml()'); - log_app('function','get_categories_xml()'); + if( !current_user_can( 'edit_posts' ) ) + $this->auth_required( __( 'Sorry, you do not have the right to access this blog.' ) ); + $home = attribute_escape(get_bloginfo_rss('home')); $categories = ""; @@ -282,8 +289,11 @@ } function get_post($postID) { + global $entry; - global $entry; + if( !current_user_can( 'edit_post', $postID ) ) + $this->auth_required( __( 'Sorry, you do not have the right to access this post.' ) ); + $this->set_current_entry($postID); $output = $this->get_entry($postID); log_app('function',"get_post($postID)"); @@ -372,8 +382,9 @@ } function get_attachment($postID = NULL) { + if( !current_user_can( 'upload_files' ) ) + $this->auth_required( __( 'Sorry, you do not have the right to file uploads on this blog.' ) ); - global $entry; if (!isset($postID)) { $this->get_attachments(); } else { @@ -494,7 +505,11 @@ } $location = get_post_meta($entry['ID'], '_wp_attached_file', true); + $filetype = wp_check_filetype($location); + if(!isset($location) || 'attachment' != $entry['post_type'] || empty($filetype['ext'])) + $this->internal_error(__('Error ocurred while accessing post metadata for file location.')); + // delete file @unlink($location); 
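Review bot: `dead_db()` tests the custom template with `file_exists()`, which is also true for a directory named `db-error.php`; `is_file( ABSPATH . 'wp-content/db-error.php' )` is the stricter check before `require_once`. The verbose branch exposes `$wpdb->error` — which, per the `select()` message in wp-db.php, includes at least the database name — only when `WP_INSTALLING` or `WP_ADMIN` is defined, and anonymous visitors get the fixed "Error establishing a database connection" page with a 500 and no-cache headers, which is the right split. Note that `$wpdb->error` may be a string rather than a `WP_Error` when `bail()` ran before the class was loaded, so `wp_die($wpdb->error)` should tolerate both.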
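Review bot: the new capability checks in `get_service`, `get_categories_xml`, `get_post` and `get_attachment` call `$this->auth_required(...)` and then fall through into the original body, so they only deny access if `auth_required()` terminates the request (its definition is not in view); if it merely emits the 401 response, each call needs a following `return;` or the body must move inside an `else`. `get_post` ties the check to the object with `current_user_can('edit_post', $postID)`, but `get_attachment` checks only the blanket `upload_files` capability, so when `$postID` is set the per-object `edit_post` check would be the consistent choice. The `get_attachment` message `'Sorry, you do not have the right to file uploads on this blog.'` reads oddly; `'…the right to access file uploads on this blog.'` matches the sibling messages.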
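Review bot: in the attachment-delete hunk `!isset($location)` never fires for a missing meta value if `get_post_meta(..., true)` returns an empty string for an absent key (as I believe it does — confirm), because `isset('')` is true; `empty($location)` is the intended test, so the guard should read `if ( empty($location) || 'attachment' != $entry['post_type'] || empty($filetype['ext']) )`. As with the other hunks in this file, the guard only protects `@unlink($location)` if `internal_error()` terminates the request; otherwise the unlink still runs. Since `$location` is a filesystem path taken from post meta, a check that it resolves inside the uploads directory before `unlink()` would close the remaining gap; also, `ocurred` in the message is a typo for `occurred`.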
@@ -795,7 +810,6 @@ - Index: xmlrpc.php =================================================================== --- xmlrpc.php (.../2.3.1) (revision 6582) +++ xmlrpc.php (.../2.3.2) (revision 6582) @@ -187,6 +187,12 @@ return($this->error); } + set_current_user( 0, $username ); + if( !current_user_can( 'edit_page', $page_id ) ) + return new IXR_Error( 401, __( 'Sorry, you can not edit this page.' ) ); + + do_action('xmlrpc_call', 'wp.getPage'); + // Lookup page info. $page = get_page($page_id); @@ -268,6 +274,12 @@ return($this->error); } + set_current_user( 0, $username ); + if( !current_user_can( 'edit_pages' ) ) + return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) ); + + do_action('xmlrpc_call', 'wp.getPages'); + // Lookup info on pages. $pages = get_pages(); $num_pages = count($pages); @@ -426,6 +438,12 @@ return($this->error); } + set_current_user( 0, $username ); + if( !current_user_can( 'edit_pages' ) ) + return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) ); + + do_action('xmlrpc_call', 'wp.getPageList'); + // Get list of pages ids and titles $page_list = $wpdb->get_results(" SELECT ID page_id, @@ -459,7 +477,6 @@ * wp_getAuthors */ function wp_getAuthors($args) { - global $wpdb; $this->escape($args); @@ -471,7 +488,23 @@ return($this->error); } - return(get_users_of_blog()); + set_current_user(0, $username); + if(!current_user_can("edit_posts")) { + return(new IXR_Error(401, __("Sorry, you can not edit posts on this blog."))); + } + + do_action('xmlrpc_call', 'wp.getAuthors'); + + $authors = array(); + foreach( (array) get_users_of_blog() as $row ) { + $authors[] = array( + "user_id" => $row->user_id, + "user_login" => $row->user_login, + "display_name" => $row->display_name + ); + } + + return($authors); } /** 
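Review bot: wp.getPage, wp.getPages, wp.getPageList and wp.getAuthors now repeat the same preamble inline (`set_current_user`, `current_user_can`, `do_action('xmlrpc_call', …)`), and the wp.getAuthors hunk already drifts in style — `if(!current_user_can("edit_posts")) { return(new IXR_Error(401, …)); }` against the brace-free, single-quoted form the other three use — so a small private helper on the class taking the capability, the optional object id and the error text would keep the check identical and harder to omit in the next method. Restricting wp.getAuthors to `user_id`, `user_login` and `display_name` instead of returning the raw `get_users_of_blog()` rows is correct; a comment on the loop saying the fields are deliberately limited would stop someone "helpfully" adding email back.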
@@ -493,7 +526,7 @@ // Set the user context and make sure they are // allowed to add a category. set_current_user(0, $username); - if(!current_user_can("manage_categories", $page_id)) { + if(!current_user_can("manage_categories")) { return(new IXR_Error(401, __("Sorry, you do not have the right to add a category."))); } @@ -547,6 +580,12 @@ return($this->error); } + set_current_user(0, $username); + if( !current_user_can( 'edit_posts' ) ) + return new IXR_Error( 401, __( 'Sorry, you must be able to publish to this blog in order to view categories.' ) ); + + do_action('xmlrpc_call', 'wp.suggestCategories'); + $args = array('get' => 'all', 'number' => $max_results, 'name__like' => $category); $category_suggestions = get_categories($args); @@ -597,13 +636,18 @@ return $this->error; } + set_current_user( 0, $user_login ); + if( !current_user_can( 'edit_posts' ) ) + return new IXR_Error( 401, __( 'Sorry, you do not have access to user data on this blog.' ) ); + + do_action('xmlrpc_call', 'blogger.getUserInfo'); + $user_data = get_userdatabylogin($user_login); $struct = array( 'nickname' => $user_data->nickname, 'userid' => $user_data->ID, 'url' => $user_data->user_url, - 'email' => $user_data->user_email, 'lastname' => $user_data->last_name, 'firstname' => $user_data->first_name ); @@ -625,7 +669,12 @@ return $this->error; } - $user_data = get_userdatabylogin($user_login); + set_current_user( 0, $user_login ); + if( !current_user_can( 'edit_post', $post_ID ) ) + return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); + + do_action('xmlrpc_call', 'blogger.getPost'); + $post_data = wp_get_single_post($post_ID, ARRAY_A); $categories = implode(',', wp_get_post_categories($post_ID)); 
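Review bot: the blogger.getPost hunk removes `$user_data = get_userdatabylogin($user_login);` while the rest of that function lies outside the hunk; if `$user_data` is still read further down, this leaves an undefined variable, so check the remainder before merging. Dropping `'email' => $user_data->user_email` from the blogger.getUserInfo struct is a sensible reduction — the caller only needs `edit_posts` and did not previously need to be the user whose address was returned. The `manage_categories` fix removes a stray `$page_id` argument that was never defined in that method, which is worth mentioning in the commit message since it silences a notice as well as tightening the check.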
@@ -663,12 +712,16 @@ $posts_list = wp_get_recent_posts($num_posts); + set_current_user( 0, $user_login ); + if (!$posts_list) { $this->error = new IXR_Error(500, __('Either there are no posts, or something went wrong.')); return $this->error; } foreach ($posts_list as $entry) { + if( !current_user_can( 'edit_post', $entry['ID'] ) ) + continue; $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); $categories = implode(',', wp_get_post_categories($entry['ID'])); 
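Review bot: in blogger.getRecentPosts the per-entry `continue` silently drops posts the caller cannot edit, so a client asking for `$num_posts` may get fewer with no indication, and an all-filtered result returns an empty list rather than the 500 "no posts" error because that check runs before the loop; a comment on the loop should record that this is intended: `// Posts the caller cannot edit are omitted rather than erroring, so the list may be shorter than requested.`. This method also lacks the `do_action('xmlrpc_call', …)` hook the other hunks in this file add. The two later recent-posts hunks on this page (`@@ -1424` and `@@ -1623`) share both points.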
@@ -1328,78 +1381,83 @@ /* metaweblog.getPost ...returns a post */ function mw_getPost($args) { - global $wpdb; + global $wpdb; $this->escape($args); - $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $post_ID = (int) $args[0]; + $user_login = $args[1]; + $user_pass = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { - return $this->error; - } + if (!$this->login_pass_ok($user_login, $user_pass)) { + return $this->error; + } - $postdata = wp_get_single_post($post_ID, ARRAY_A); + set_current_user( 0, $user_login ); + if( !current_user_can( 'edit_post', $post_ID ) ) + return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); - if ($postdata['post_date'] != '') { + do_action('xmlrpc_call', 'metaWeblog.getPost'); - $post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date']); - $post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt']); + $postdata = wp_get_single_post($post_ID, ARRAY_A); - $categories = array(); - $catids = wp_get_post_categories($post_ID); - foreach($catids as $catid) { - $categories[] = get_cat_name($catid); - } + if ($postdata['post_date'] != '') { + $post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date']); + $post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt']); - $tagnames = array(); - $tags = wp_get_post_tags( $post_ID ); - if ( !empty( $tags ) ) { - foreach ( $tags as $tag ) { - $tagnames[] = $tag->name; + $categories = array(); + $catids = wp_get_post_categories($post_ID); + foreach($catids as $catid) { + $categories[] = get_cat_name($catid); } - $tagnames = implode( ', ', $tagnames ); - } else { - $tagnames = ''; - } - $post = get_extended($postdata['post_content']); - $link = post_permalink($postdata['ID']); + $tagnames = array(); + $tags = wp_get_post_tags( $post_ID ); + if ( !empty( $tags ) ) { + foreach ( $tags as $tag ) { + $tagnames[] = $tag->name; + } + $tagnames = implode( ', ', $tagnames ); + } else { + $tagnames = ''; + } - // Get the 
author info. - $author = get_userdata($postdata['post_author']); + $post = get_extended($postdata['post_content']); + $link = post_permalink($postdata['ID']); - $allow_comments = ('open' == $postdata['comment_status']) ? 1 : 0; - $allow_pings = ('open' == $postdata['ping_status']) ? 1 : 0; + // Get the author info. + $author = get_userdata($postdata['post_author']); - $resp = array( - 'dateCreated' => new IXR_Date($post_date), - 'userid' => $postdata['post_author'], - 'postid' => $postdata['ID'], - 'description' => $post['main'], - 'title' => $postdata['post_title'], - 'link' => $link, - 'permaLink' => $link, -// commented out because no other tool seems to use this -// 'content' => $entry['post_content'], - 'categories' => $categories, - 'mt_excerpt' => $postdata['post_excerpt'], - 'mt_text_more' => $post['extended'], - 'mt_allow_comments' => $allow_comments, - 'mt_allow_pings' => $allow_pings, - 'mt_keywords' => $tagnames, - 'wp_slug' => $postdata['post_name'], - 'wp_password' => $postdata['post_password'], - 'wp_author_id' => $author->ID, - 'wp_author_display_name' => $author->display_name, - 'date_created_gmt' => new IXR_Date($post_date_gmt) - ); + $allow_comments = ('open' == $postdata['comment_status']) ? 1 : 0; + $allow_pings = ('open' == $postdata['ping_status']) ? 
1 : 0; - return $resp; - } else { - return new IXR_Error(404, __('Sorry, no such post.')); - } + $resp = array( + 'dateCreated' => new IXR_Date($post_date), + 'userid' => $postdata['post_author'], + 'postid' => $postdata['ID'], + 'description' => $post['main'], + 'title' => $postdata['post_title'], + 'link' => $link, + 'permaLink' => $link, + // commented out because no other tool seems to use this + // 'content' => $entry['post_content'], + 'categories' => $categories, + 'mt_excerpt' => $postdata['post_excerpt'], + 'mt_text_more' => $post['extended'], + 'mt_allow_comments' => $allow_comments, + 'mt_allow_pings' => $allow_pings, + 'mt_keywords' => $tagnames, + 'wp_slug' => $postdata['post_name'], + 'wp_password' => $postdata['post_password'], + 'wp_author_id' => $author->ID, + 'wp_author_display_name' => $author->display_name, + 'date_created_gmt' => new IXR_Date($post_date_gmt) + ); + + return $resp; + } else { + return new IXR_Error(404, __('Sorry, no such post.')); + } } @@ -1424,7 +1482,11 @@ return $this->error; } + set_current_user( 0, $user_login ); + foreach ($posts_list as $entry) { + if( !current_user_can( 'edit_post', $entry['ID'] ) ) + continue; $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); $post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']); @@ -1504,6 +1566,12 @@ return $this->error; } + set_current_user( 0, $user_login ); + if( !current_user_can( 'edit_posts' ) ) + return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) ); + + do_action('xmlrpc_call', 'metaWeblog.getCategories'); + $categories_struct = array(); if ( $cats = get_categories('get=all') ) { @@ -1623,7 +1691,11 @@ return $this->error; } + set_current_user( 0, $user_login ); + foreach ($posts_list as $entry) { + if( !current_user_can( 'edit_post', $entry['ID'] ) ) + continue; $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); $post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']); 
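Review bot: almost all of the mw_getPost hunk is a re-indent, and the single behavioural change — the `edit_post` check inserted before `wp_get_single_post()` — is buried in it, which makes the security-relevant part hard to audit; whitespace-only changes belong in a separate commit. The response still carries `'wp_password' => $postdata['post_password']`, which is acceptable now that the caller must hold `edit_post` on that id, but a comment next to that key would make the dependency on the new check explicit. The capability check runs before the 404 branch, so a caller without rights to a non-existent id receives 401 rather than 404; that is fine (it reveals nothing), just worth noting in the method docblock.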
@@ -1662,9 +1734,14 @@ return $this->error; } + set_current_user( 0, $user_login ); + if( !current_user_can( 'edit_posts' ) ) + return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) ); + + do_action('xmlrpc_call', 'mt.getCategoryList'); + $categories_struct = array(); - // FIXME: can we avoid using direct SQL there? if ( $cats = get_categories('hide_empty=0&hierarchical=0') ) { foreach ($cats as $cat) { $struct['categoryId'] = $cat->term_id; @@ -1691,6 +1768,12 @@ return $this->error; } + set_current_user( 0, $user_login ); + if( !current_user_can( 'edit_post', $post_ID ) ) + return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); + + do_action('xmlrpc_call', 'mt.getPostCategories'); + $categories = array(); $catids = wp_get_post_categories(intval($post_ID)); // first listed category will be the primary category Index: wp-mail.php =================================================================== --- wp-mail.php (.../2.3.1) (revision 6582) +++ wp-mail.php (.../2.3.2) (revision 6582) @@ -12,7 +12,7 @@ $pop3 = new POP3(); if (!$pop3->connect(get_option('mailserver_url'), get_option('mailserver_port'))) - wp_die($pop3->ERROR); + wp_die(wp_specialchars($pop3->ERROR)); $count = $pop3->login(get_option('mailserver_login'), get_option('mailserver_pass')); if (0 == $count) wp_die(__('There doesn’t seem to be any new mail.')); @@ -129,9 +129,6 @@ $content = explode($phone_delim, $content); $content[1] ? $content = $content[1] : $content = $content[0]; - echo "

Content-type: $content_type, Content-Transfer-Encoding: $content_transfer_encoding, boundary: $boundary

\n"; - echo "

Raw content:

".$content.'

'; - $content = trim($content); $post_content = apply_filters('phone_content', $content); @@ -161,12 +158,11 @@ do_action('publish_phone', $post_ID); - echo "\n

Author: $post_author

"; - echo "\n

Posted title: $post_title
"; - echo "\nPosted content:

".$content.'

'; + echo "\n

Author: " . wp_specialchars($post_author) . "

"; + echo "\n

Posted title: " . wp_specialchars($post_title) . "
"; if(!$pop3->delete($i)) { - echo '

Oops '.$pop3->ERROR.'

'; + echo '

Oops '.wp_specialchars($pop3->ERROR).'

'; $pop3->reset(); exit; } else { Index: wp-settings.php =================================================================== --- wp-settings.php (.../2.3.1) (revision 6582) +++ wp-settings.php (.../2.3.2) (revision 6582) @@ -122,6 +122,9 @@ else require_once (ABSPATH . WPINC . '/wp-db.php'); +if ( !empty($wpdb->error) ) + dead_db(); + // $table_prefix is deprecated as of 2.1 $wpdb->prefix = $table_prefix; Index: wp-admin/includes/file.php =================================================================== --- wp-admin/includes/file.php (.../2.3.1) (revision 6582) +++ wp-admin/includes/file.php (.../2.3.2) (revision 6582) @@ -43,6 +43,9 @@ } function validate_file( $file, $allowed_files = '' ) { + if ( false !== strpos( $file, '..' )) + return 1; + if ( false !== strpos( $file, './' )) return 1; Index: wp-admin/admin.php =================================================================== --- wp-admin/admin.php (.../2.3.1) (revision 6582) +++ wp-admin/admin.php (.../2.3.2) (revision 6582) @@ -1,4 +1,6 @@ error) ) + wp_die($wpdb->error->get_error_message()); + $handle = fopen('../wp-config.php', 'w'); foreach ($configFile as $line_num => $line) { Index: wp-admin/install.php =================================================================== --- wp-admin/install.php (.../2.3.1) (revision 6582) +++ wp-admin/install.php (.../2.3.2) (revision 6582) @@ -13,6 +13,7 @@ $step = $_GET['step']; else $step = 0; +function display_header(){ header( 'Content-Type: text/html; charset=utf-8' ); ?> @@ -24,13 +25,17 @@

WordPress

+ '.__('Already Installed').'

'.__('You appear to have already installed WordPress. To reinstall please clear your old database tables first.').'

'); +if ( is_blog_installed() ) {display_header(); die('

'.__('Already Installed').'

'.__('You appear to have already installed WordPress. To reinstall please clear your old database tables first.').'

');} switch($step) { case 0: case 1: // in case people are directly linking to this + display_header(); ?>

ReadMe documentation at your leisure. Otherwise, just fill in the information below and you\'ll be on your way to using the most extendable and powerful personal publishing platform in the world.'), '../readme.html'); ?>

@@ -61,6 +66,10 @@ error) ) + wp_die($wpdb->error->get_error_message()); + + display_header(); // Fill in the data we gathered $weblog_title = stripslashes($_POST['weblog_title']); $admin_email = stripslashes($_POST['admin_email']); @@ -74,8 +83,9 @@ die(__('ERROR: that isn\'t a valid e-mail address. E-mail addresses look like: username@example.com')); } - $result = wp_install($weblog_title, 'admin', $admin_email, $public); - extract($result, EXTR_SKIP); + $wpdb->show_errors(); + $result = wp_install($weblog_title, 'admin', $admin_email, $public); + extract($result, EXTR_SKIP); ?>