Index: wp-login.php =================================================================== --- wp-login.php (.../2.0.6) (revision 5177) +++ wp-login.php (.../2.0.10) (revision 5177) @@ -166,7 +166,7 @@ $user_login = ''; $user_pass = ''; $using_cookie = false; - if ( !isset( $_REQUEST['redirect_to'] ) ) + if ( !isset( $_REQUEST['redirect_to'] ) || is_user_logged_in() ) $redirect_to = 'wp-admin/'; else $redirect_to = $_REQUEST['redirect_to']; Index: wp-comments-post.php =================================================================== --- wp-comments-post.php (.../2.0.6) (revision 5177) +++ wp-comments-post.php (.../2.0.10) (revision 5177) @@ -25,14 +25,20 @@ // If the user is logged in $user = wp_get_current_user(); -if ( $user->ID ) : +if ( $user->ID ) { $comment_author = $wpdb->escape($user->display_name); $comment_author_email = $wpdb->escape($user->user_email); $comment_author_url = $wpdb->escape($user->user_url); -else : + if ( current_user_can('unfiltered_html') ) { + if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) { + kses_remove_filters(); // start with a clean slate + kses_init_filters(); // set up the filters + } + } +} else { if ( get_option('comment_registration') ) die( __('Sorry, you must be logged in to post a comment.') ); -endif; +} $comment_type = ''; Index: wp-includes/default-filters.php =================================================================== --- wp-includes/default-filters.php (.../2.0.6) (revision 5177) +++ wp-includes/default-filters.php (.../2.0.10) (revision 5177) @@ -33,6 +33,8 @@ add_filter('pre_comment_author_email', 'wp_filter_kses'); add_filter('pre_comment_author_url', 'wp_filter_kses'); +add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce'); + // Default filters for these functions add_filter('comment_author', 'wptexturize'); add_filter('comment_author', 'convert_chars'); Index: wp-includes/template-functions-general.php =================================================================== --- wp-includes/template-functions-general.php (.../2.0.6) (revision 5177) +++ wp-includes/template-functions-general.php (.../2.0.10) (revision 5177) @@ -137,8 +137,7 @@ function wp_title($sep = '»', $display = true) { - global $wpdb; - global $m, $year, $monthnum, $day, $category_name, $month, $posts; + global $wpdb, $posts, $month; $cat = get_query_var('cat'); $p = get_query_var('p'); @@ -146,14 +145,18 @@ $category_name = get_query_var('category_name'); $author = get_query_var('author'); $author_name = get_query_var('author_name'); + $m = (int) get_query_var('m'); + $year = (int) get_query_var('year'); + $monthnum = (int) get_query_var('monthnum'); + $day = (int) get_query_var('day'); + $title = ''; // If there's a category if ( !empty($cat) ) { // category exclusion if ( !stristr($cat,'-') ) - $title = get_the_category_by_ID($cat); - } - if ( !empty($category_name) ) { + $title = apply_filters('single_cat_title', get_the_category_by_ID($cat)); + } elseif ( !empty($category_name) ) { if ( stristr($category_name,'/') ) { $category_name = explode('/',$category_name); if ( $category_name[count($category_name)-1] ) @@ -162,6 +165,7 @@ $category_name = $category_name[count($category_name)-2]; // there was a trailling slash } $title = $wpdb->get_var("SELECT cat_name FROM $wpdb->categories WHERE category_nicename = '$category_name'"); + $title = apply_filters('single_cat_title', $title); } // If there's an author @@ -196,7 +200,7 @@ } $prefix = ''; - if ( isset($title) ) + if ( !empty($title) ) $prefix = " $sep "; $title = $prefix . $title; @@ -244,7 +248,12 @@ function single_month_title($prefix = '', $display = true ) { - global $m, $monthnum, $month, $year; + global $month; + + $m = (int) get_query_var('m'); + $year = (int) get_query_var('year'); + $monthnum = (int) get_query_var('monthnum'); + if ( !empty($monthnum) && !empty($year) ) { $my_year = $year; $my_month = $month[str_pad($monthnum, 2, '0', STR_PAD_LEFT)]; Index: wp-includes/template-functions-category.php =================================================================== --- wp-includes/template-functions-category.php (.../2.0.6) (revision 5177) +++ wp-includes/template-functions-category.php (.../2.0.10) (revision 5177) @@ -3,8 +3,9 @@ function get_the_category($id = false) { global $post, $category_cache; + $id = (int) $id; if ( !$id ) - $id = $post->ID; + $id = (int) $post->ID; if ( !isset($category_cache[$id]) ) update_post_category_cache($id); Index: wp-includes/cache.php =================================================================== --- wp-includes/cache.php (.../2.0.6) (revision 5177) +++ wp-includes/cache.php (.../2.0.10) (revision 5177) @@ -8,6 +8,8 @@ function wp_cache_close() { global $wp_object_cache; + if ( ! isset($wp_object_cache) ) + return; return $wp_object_cache->save(); } @@ -402,8 +404,14 @@ } function WP_Object_Cache() { + return $this->__construct(); + } + + function __construct() { global $blog_id; + register_shutdown_function(array(&$this, "__destruct")); + if (defined('DISABLE_CACHE')) return; @@ -438,5 +446,10 @@ $this->blog_id = $this->hash($blog_id); } + + function __destruct() { + $this->save(); + return true; + } } ?> Index: wp-includes/wp-db.php =================================================================== --- wp-includes/wp-db.php (.../2.0.6) (revision 5177) +++ wp-includes/wp-db.php (.../2.0.10) (revision 5177) @@ -40,6 +40,12 @@ // DB Constructor - connects to the server and selects a database function wpdb($dbuser, $dbpassword, $dbname, $dbhost) { + return $this->__construct($dbuser, $dbpassword, $dbname, $dbhost); + } + + function __construct($dbuser, $dbpassword, $dbname, $dbhost) { + register_shutdown_function(array(&$this, "__destruct")); + $this->dbh = @mysql_connect($dbhost, $dbuser, $dbpassword); if (!$this->dbh) { $this->bail(" @@ -57,6 +63,10 @@ $this->select($dbname); } + function __destruct() { + return true; + } + // ================================================================== // Select a DB (if another one needs to be selected) Index: wp-includes/links.php =================================================================== --- wp-includes/links.php (.../2.0.6) (revision 5177) +++ wp-includes/links.php (.../2.0.10) (revision 5177) @@ -212,7 +212,7 @@ $the_link = '#'; if (!empty($row->link_url)) - $the_link = attribute_escape($row->link_url); + $the_link = clean_url($row->link_url); $rel = $row->link_rel; if ($rel != '') { Index: wp-includes/functions-formatting.php =================================================================== --- wp-includes/functions-formatting.php (.../2.0.6) (revision 5177) +++ wp-includes/functions-formatting.php (.../2.0.10) (revision 5177) @@ -1051,7 +1051,11 @@ $strip = array('%0d', '%0a'); $url = str_replace($strip, '', $url); $url = str_replace(';//', '://', $url); - $url = (!strstr($url, '://')) ? 'http://'.$url : $url; + // Append http unless a relative link starting with / or a php file. + if ( strpos($url, '://') === false && + substr( $url, 0, 1 ) != '/' && !preg_match('/^[a-z0-9]+?\.php/i', $url) ) + $url = 'http://' . $url; + $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url); if ( !is_array($protocols) ) $protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet'); Index: wp-includes/version.php =================================================================== --- wp-includes/version.php (.../2.0.6) (revision 5177) +++ wp-includes/version.php (.../2.0.10) (revision 5177) @@ -2,7 +2,7 @@ // This just holds the version number, in a separate file so we can bump it without cluttering the SVN -$wp_version = '2.0.6'; +$wp_version = '2.0.10'; $wp_db_version = 3441; ?> Index: wp-includes/js/tinymce/wp-mce-help.php =================================================================== --- wp-includes/js/tinymce/wp-mce-help.php (.../2.0.6) (revision 5177) +++ wp-includes/js/tinymce/wp-mce-help.php (.../2.0.10) (revision 5177) @@ -1,6 +1,7 @@ Index: wp-includes/js/tinymce/tiny_mce_gzip.php =================================================================== --- wp-includes/js/tinymce/tiny_mce_gzip.php (.../2.0.6) (revision 5177) +++ wp-includes/js/tinymce/tiny_mce_gzip.php (.../2.0.10) (revision 5177) @@ -59,7 +59,7 @@ gzip_compression(); // Output rest of headers - header("Content-type: text/javascript; charset: UTF-8"); + header("Content-Type: text/javascript; charset=".get_bloginfo('charset')); header("Vary: Accept-Encoding"); // Handle proxies header("Expires: " . gmdate("D, d M Y H:i:s", time() + $expiresOffset) . " GMT"); Index: wp-includes/functions-post.php =================================================================== --- wp-includes/functions-post.php (.../2.0.6) (revision 5177) +++ wp-includes/functions-post.php (.../2.0.10) (revision 5177) @@ -47,7 +47,7 @@ // Get the post ID. if ( $update ) - $post_ID = $ID; + $post_ID = (int) $ID; // Create a valid post name. Drafts are allowed to have an empty // post name. @@ -406,6 +406,7 @@ global $wpdb; // Set the limit clause, if we got a limit + $num = (int) $num; if ($num) { $limit = "LIMIT $num"; } @@ -476,6 +477,9 @@ function wp_set_post_cats($blogid = '1', $post_ID = 0, $post_categories = array()) { global $wpdb; + + $post_ID = (int) $post_ID; + // If $post_categories isn't already an array, make it one: if (!is_array($post_categories) || 0 == count($post_categories)) $post_categories = array(get_option('default_category')); @@ -486,7 +490,7 @@ $old_categories = $wpdb->get_col(" SELECT category_id FROM $wpdb->post2cat - WHERE post_id = $post_ID"); + WHERE post_id = '$post_ID'"); if (!$old_categories) { $old_categories = array(); @@ -501,8 +505,8 @@ foreach ($delete_cats as $del) { $wpdb->query(" DELETE FROM $wpdb->post2cat - WHERE category_id = $del - AND post_id = $post_ID + WHERE category_id = '$del' + AND post_id = '$post_ID' "); } } @@ -512,12 +516,14 @@ if ($add_cats) { foreach ($add_cats as $new_cat) { - $wpdb->query(" - INSERT INTO $wpdb->post2cat (post_id, category_id) - VALUES ($post_ID, $new_cat)"); + $new_cat = (int) $new_cat; + if ( !empty($new_cat) ) + $wpdb->query(" + INSERT INTO $wpdb->post2cat (post_id, category_id) + VALUES ('$post_ID', '$new_cat')"); } } - + // Update category counts. $all_affected_cats = array_unique(array_merge($post_categories, $old_categories)); foreach ( $all_affected_cats as $cat_id ) { Index: wp-includes/classes.php =================================================================== --- wp-includes/classes.php (.../2.0.6) (revision 5177) +++ wp-includes/classes.php (.../2.0.10) (revision 5177) @@ -1319,7 +1319,15 @@ if (empty($this->permalink_structure)) { return $rewrite; } + //Default Feed rules - These are require to allow for the direct access files to work with permalink structure starting with %category% + $default_feeds = array( 'wp-atom.php$' => $this->index .'?feed=atom', + 'wp-rdf.php$' => $this->index .'?feed=rdf', + 'wp-rss.php$' => $this->index .'?feed=rss', + 'wp-rss2.php$' => $this->index .'?feed=rss2', + 'wp-feed.php$' => $this->index .'?feed=feed', + 'wp-commentsrss2.php$' => $this->index . '?feed=rss2&withcomments=1'); + // Post $post_rewrite = $this->generate_rewrite_rules($this->permalink_structure); $post_rewrite = apply_filters('post_rewrite_rules', $post_rewrite); @@ -1354,7 +1362,7 @@ $page_rewrite = apply_filters('page_rewrite_rules', $page_rewrite); // Put them together. - $this->rules = array_merge($page_rewrite, $root_rewrite, $comments_rewrite, $search_rewrite, $category_rewrite, $author_rewrite, $date_rewrite, $post_rewrite); + $this->rules = array_merge($default_feeds, $page_rewrite, $root_rewrite, $comments_rewrite, $search_rewrite, $category_rewrite, $author_rewrite, $date_rewrite, $post_rewrite); do_action('generate_rewrite_rules', array(&$this)); $this->rules = apply_filters('rewrite_rules_array', $this->rules); @@ -1609,6 +1617,9 @@ $this->query_vars[$wpvar] = $query_vars[$wpvar]; else $this->query_vars[$wpvar] = ''; + + if ( !empty( $this->query_vars[$wpvar] ) ) + $this->query_vars[$wpvar] = (string) $this->query_vars[$wpvar]; } if ( isset($error) ) @@ -1637,7 +1648,8 @@ @header("ETag: $wp_etag"); // Support for Conditional GET - if (isset($_SERVER['HTTP_IF_NONE_MATCH'])) $client_etag = stripslashes($_SERVER['HTTP_IF_NONE_MATCH']); + if (isset($_SERVER['HTTP_IF_NONE_MATCH'])) + $client_etag = stripslashes(stripslashes($_SERVER['HTTP_IF_NONE_MATCH'])); else $client_etag = false; $client_last_modified = trim( $_SERVER['HTTP_IF_MODIFIED_SINCE']); @@ -1662,6 +1674,8 @@ foreach ($this->public_query_vars as $wpvar) { if (isset($this->query_vars[$wpvar]) && '' != $this->query_vars[$wpvar]) { $this->query_string .= (strlen($this->query_string) < 1) ? '' : '&'; + if ( !is_scalar($this->query_vars[$wpvar]) ) // Discard non-scalars. + continue; $this->query_string .= $wpvar . '=' . rawurlencode($this->query_vars[$wpvar]); } } Index: wp-includes/template-functions-links.php =================================================================== --- wp-includes/template-functions-links.php (.../2.0.6) (revision 5177) +++ wp-includes/template-functions-links.php (.../2.0.10) (revision 5177) @@ -87,8 +87,9 @@ function get_page_link($id = false) { global $post, $wp_rewrite; + $id = (int) $id; if ( !$id ) - $id = $post->ID; + $id = (int) $post->ID; $pagestruct = $wp_rewrite->get_page_permastruct(); @@ -109,7 +110,7 @@ $link = false; if (! $id) { - $id = $post->ID; + $id = (int) $post->ID; } $object = get_post($id); @@ -378,7 +379,7 @@ function get_pagenum_link($pagenum = 1) { global $wp_rewrite; - $qstr = wp_specialchars($_SERVER['REQUEST_URI']); + $qstr = $_SERVER['REQUEST_URI']; $page_querystring = "paged"; $page_modstring = "page/"; @@ -445,7 +446,7 @@ return $qstr; } -function next_posts($max_page = 0) { // original by cfactor at cooltux.org +function get_next_posts_page_link($max_page = 0) { global $paged, $pagenow; if ( !is_single() ) { @@ -453,10 +454,14 @@ $paged = 1; $nextpage = intval($paged) + 1; if ( !$max_page || $max_page >= $nextpage ) - echo get_pagenum_link($nextpage); + return get_pagenum_link($nextpage); } } +function next_posts($max_page = 0) { + echo clean_url(get_next_posts_page_link($max_page)); +} + function next_posts_link($label='Next Page »', $max_page=0) { global $paged, $result, $request, $posts_per_page, $wpdb, $max_num_pages; if ( !$max_page ) { @@ -479,18 +484,20 @@ } } - -function previous_posts() { // original by cfactor at cooltux.org +function get_previous_posts_page_link() { global $paged, $pagenow; if ( !is_single() ) { $nextpage = intval($paged) - 1; if ( $nextpage < 1 ) $nextpage = 1; - echo get_pagenum_link($nextpage); + return get_pagenum_link($nextpage); } } +function previous_posts() { + echo clean_url(get_previous_posts_page_link()); +} function previous_posts_link($label='« Previous Page') { global $paged; Index: wp-includes/pluggable-functions.php =================================================================== --- wp-includes/pluggable-functions.php (.../2.0.6) (revision 5177) +++ wp-includes/pluggable-functions.php (.../2.0.10) (revision 5177) @@ -466,7 +466,7 @@ if ( !function_exists('wp_verify_nonce') ) : function wp_verify_nonce($nonce, $action = -1) { $user = wp_get_current_user(); - $uid = $user->id; + $uid = (int) $user->id; $i = ceil(time() / 43200); @@ -480,7 +480,7 @@ if ( !function_exists('wp_create_nonce') ) : function wp_create_nonce($action = -1) { $user = wp_get_current_user(); - $uid = $user->id; + $uid = (int) $user->id; $i = ceil(time() / 43200); Index: wp-includes/comment-functions.php =================================================================== --- wp-includes/comment-functions.php (.../2.0.6) (revision 5177) +++ wp-includes/comment-functions.php (.../2.0.10) (revision 5177) @@ -2,6 +2,12 @@ // Template functions +function wp_comment_form_unfiltered_html_nonce() { + global $post; + if ( current_user_can('unfiltered_html') ) + wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false); +} + function comments_template( $file = '/comments.php' ) { global $wp_query, $withcomments, $post, $wpdb, $id, $comment, $user_login, $user_ID, $user_identity; @@ -84,7 +90,7 @@ ('$comment_post_ID', '$comment_author', '$comment_author_email', '$comment_author_url', '$comment_author_IP', '$comment_date', '$comment_date_gmt', '$comment_content', '$comment_approved', '$comment_agent', '$comment_type', '$comment_parent', '$user_id') "); - $id = $wpdb->insert_id; + $id = (int) $wpdb->insert_id; if ( $comment_approved == 1) { $count = $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_approved = '1'"); @@ -218,7 +224,7 @@ $post_id = (int) $post_id; if ( !$post_id ) - $post_id = $id; + $post_id = (int) $id; if ( !isset($comment_count_cache[$post_id]) ) $comment_count_cache[$id] = $wpdb->get_var("SELECT comment_count FROM $wpdb->posts WHERE ID = '$post_id'"); Index: wp-includes/functions.php =================================================================== --- wp-includes/functions.php (.../2.0.6) (revision 5177) +++ wp-includes/functions.php (.../2.0.10) (revision 5177) @@ -171,6 +171,7 @@ function get_usernumposts($userid) { global $wpdb; + $userid = (int) $userid; return $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->posts WHERE post_author = '$userid' AND post_status = 'publish'"); } @@ -606,6 +607,7 @@ $post_cache[$post->ID] = &$post; $_post = & $post_cache[$post->ID]; } else { + $post = (int) $post; if ( $_post = wp_cache_get($post, 'pages') ) return get_page($_post, $output); elseif ( isset($post_cache[$post]) ) @@ -709,6 +711,7 @@ wp_cache_add($page->ID, $page, 'pages'); $_page = $page; } else { + $page = (int) $page; if ( isset($GLOBALS['page']) && ($page == $GLOBALS['page']->ID) ) { $_page = & $GLOBALS['page']; wp_cache_add($_page->ID, $_page, 'pages'); @@ -767,6 +770,7 @@ wp_cache_add($category->cat_ID, $category, 'category'); $_category = $category; } else { + $category = (int) $category; if ( ! $_category = wp_cache_get($category, 'category') ) { $_category = $wpdb->get_row("SELECT * FROM $wpdb->categories WHERE cat_ID = '$category' LIMIT 1"); wp_cache_add($category, $_category, 'category'); @@ -804,6 +808,7 @@ $comment_cache[$comment->comment_ID] = &$comment; $_comment = & $comment_cache[$comment->comment_ID]; } else { + $comment = (int) $comment; if ( !isset($comment_cache[$comment]) ) { $_comment = $wpdb->get_row("SELECT * FROM $wpdb->comments WHERE comment_ID = '$comment' LIMIT 1"); $comment_cache[$comment->comment_ID] = & $_comment; @@ -2019,7 +2024,7 @@ function get_page_template() { global $wp_query; - $id = $wp_query->post->ID; + $id = (int) $wp_query->post->ID; $template = get_post_meta($id, '_wp_page_template', true); if ( 'default' == $template ) @@ -2167,7 +2172,8 @@ global $posts, $post, $wp_did_header, $wp_did_template_redirect, $wp_query, $wp_rewrite, $wpdb; - extract($wp_query->query_vars, EXTR_SKIP); + if ( is_array($wp_query->query_vars) ) + extract($wp_query->query_vars, EXTR_SKIP); require_once($_template_file); } @@ -2186,10 +2192,21 @@ } function wp_remote_fopen( $uri ) { + $timeout = 10; + $parsed_url = @parse_url($uri); + + if ( !$parsed_url || !is_array($parsed_url) ) + return false; + + if ( !isset($parsed_url['scheme']) || !in_array($parsed_url['scheme'], array('http','https')) ) + $uri = 'http://' . $uri; + if ( ini_get('allow_url_fopen') ) { $fp = @fopen( $uri, 'r' ); if ( !$fp ) return false; + + //stream_set_timeout($fp, $timeout); // Requires php 4.3 $linea = ''; while( $remote_read = fread($fp, 4096) ) $linea .= $remote_read; @@ -2200,6 +2217,7 @@ curl_setopt ($handle, CURLOPT_URL, $uri); curl_setopt ($handle, CURLOPT_CONNECTTIMEOUT, 1); curl_setopt ($handle, CURLOPT_RETURNTRANSFER, 1); + curl_setopt ($handle, CURLOPT_TIMEOUT, $timeout); $buffer = curl_exec($handle); curl_close($handle); return $buffer; @@ -2228,10 +2246,10 @@ elseif ( 410 == $header ) $text = 'Gone'; - if ( substr(php_sapi_name(), 0, 3) == 'cgi' ) - @header("HTTP/1.1 $header $text"); - else - @header("Status: $header $text"); + if ( version_compare(phpversion(), '4.3.0', '>=') ) + @header("HTTP/1.1 $header $text", true, $header); + else + @header("HTTP/1.1 $header $text"); } function nocache_headers() { @@ -2356,9 +2374,11 @@ return wp_specialchars(add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl)); } -function wp_nonce_field($action = -1) { - echo ''; - wp_referer_field(); +function wp_nonce_field($action = -1, $name = "_wpnonce", $referer = true) { + $name = attribute_escape($name); + echo ''; + if ( $referer ) + wp_referer_field(); } function wp_referer_field() { @@ -2471,9 +2491,9 @@ $html .= "\t\t\n"; } $html .= "\t\t\n"; - $html .= "\t\t
\n\t\t

" . wp_explain_nonce($action) . "

\n\t\t

" . __('No') . "

\n\t\t
\n\t\n"; + $html .= "\t\t
\n\t\t

" . wp_specialchars(wp_explain_nonce($action)) . "

\n\t\t

" . __('No') . "

\n\t\t
\n\t\n"; } else { - $html .= "\t
\n\t

" . wp_explain_nonce($action) . "

\n\t

" . __('No') . " " . __('Yes') . "

\n\t
\n"; + $html .= "\t
\n\t

" . wp_specialchars(wp_explain_nonce($action)) . "

\n\t

" . __('No') . " " . __('Yes') . "

\n\t
\n"; } $html .= "\n"; wp_die($html, $title); Index: wp-includes/rss-functions.php =================================================================== --- wp-includes/rss-functions.php (.../2.0.6) (revision 5177) +++ wp-includes/rss-functions.php (.../2.0.10) (revision 5177) @@ -816,9 +816,8 @@ return -1; } } -function wp_rss ($url, $num) { +function wp_rss ($url, $num_items) { //ini_set("display_errors", false); uncomment to suppress php errors thrown if the feed is not returned. - $num_items = $num; $rss = fetch_rss($url); if ( $rss ) { echo "