Index: wp-login.php
===================================================================
--- wp-login.php	(.../2.0.9)	(revision 5253)
+++ wp-login.php	(.../2.0.10)	(revision 5253)
@@ -166,7 +166,7 @@
 	$user_login = '';
 	$user_pass = '';
 	$using_cookie = false;
-	if ( !isset( $_REQUEST['redirect_to'] ) )
+	if ( !isset( $_REQUEST['redirect_to'] ) || is_user_logged_in() )
 		$redirect_to = 'wp-admin/';
 	else
 		$redirect_to = $_REQUEST['redirect_to'];
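Review bot: For a visitor who is not yet logged in, `$redirect_to` is still taken verbatim from `$_REQUEST['redirect_to']`, so the login page can be pointed at any external URL and, assuming the value is later handed to a redirect (outside the hunk), acts as an open redirect after a successful login; the added `is_user_logged_in()` clause only narrows the already-authenticated path. Restrict the value to the site's own origin before accepting it, e.g. `$home = get_option('home');` / `if ( strpos($redirect_to, $home) !== 0 && !preg_match('#^/(?!/)#', $redirect_to) )` / `$redirect_to = 'wp-admin/';` — the second test admits single-slash relative paths while excluding protocol-relative `//host` forms, and the prefix match should be tightened to `$home . '/'` if the stored home URL has no trailing slash. The enclosing block continues outside the hunk.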
Index: wp-comments-post.php
===================================================================
--- wp-comments-post.php	(.../2.0.9)	(revision 5253)
+++ wp-comments-post.php	(.../2.0.10)	(revision 5253)
@@ -25,14 +25,20 @@
 
 // If the user is logged in
 $user = wp_get_current_user();
-if ( $user->ID ) :
+if ( $user->ID ) {
 	$comment_author       = $wpdb->escape($user->display_name);
 	$comment_author_email = $wpdb->escape($user->user_email);
 	$comment_author_url   = $wpdb->escape($user->user_url);
-else :
+	if ( current_user_can('unfiltered_html') ) {
+		if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
+			kses_remove_filters(); // start with a clean slate
+			kses_init_filters(); // set up the filters
+		}
+	}
+} else {
 	if ( get_option('comment_registration') )
 		die( __('Sorry, you must be logged in to post a comment.') );
-endif;
+}
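Review bot: The nonce check on the new inner `if` rebuilds the nonce with `wp_create_nonce()` and compares it using loose `!=`, and it reads `$_POST['_wp_unfiltered_html_comment']` without first checking the field exists. A nonce issued just before a 12-hour tick boundary (see `ceil(time() / 43200)` in the pluggable-functions.php hunks) will never equal a freshly created one, so legitimate submissions straddling the boundary silently fall back to filtered HTML; `wp_verify_nonce()` is the function meant to own that comparison. Replace the condition with `if ( !isset($_POST['_wp_unfiltered_html_comment']) || !wp_verify_nonce($_POST['_wp_unfiltered_html_comment'], 'unfiltered-html-comment_' . $comment_post_ID) ) {`. The fail-closed direction — re-arming the kses filters when the nonce does not verify — is correct and should be kept. `$comment_post_ID` is assigned outside the hunk; confirm it is already cast to int so the action string matches the one built from `$post->ID` in `wp_comment_form_unfiltered_html_nonce()`.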
 
 $comment_type = '';
 
Index: wp-includes/default-filters.php
===================================================================
--- wp-includes/default-filters.php	(.../2.0.9)	(revision 5253)
+++ wp-includes/default-filters.php	(.../2.0.10)	(revision 5253)
@@ -33,6 +33,8 @@
 add_filter('pre_comment_author_email', 'wp_filter_kses');
 add_filter('pre_comment_author_url', 'wp_filter_kses');
 
+add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce');
+
 // Default filters for these functions
 add_filter('comment_author', 'wptexturize');
 add_filter('comment_author', 'convert_chars');
Index: wp-includes/template-functions-general.php
===================================================================
--- wp-includes/template-functions-general.php	(.../2.0.9)	(revision 5253)
+++ wp-includes/template-functions-general.php	(.../2.0.10)	(revision 5253)
@@ -137,8 +137,7 @@
 
 
 function wp_title($sep = '&raquo;', $display = true) {
-	global $wpdb;
-	global $m, $year, $monthnum, $day, $category_name, $month, $posts;
+	global $wpdb, $posts, $month;
 
 	$cat = get_query_var('cat');
 	$p = get_query_var('p');
@@ -146,14 +145,18 @@
 	$category_name = get_query_var('category_name');
 	$author = get_query_var('author');
 	$author_name = get_query_var('author_name');
+	$m = (int) get_query_var('m');
+	$year = (int) get_query_var('year');
+	$monthnum = (int) get_query_var('monthnum');
+	$day = (int) get_query_var('day');
+	$title = '';
 
 	// If there's a category
 	if ( !empty($cat) ) {
 			// category exclusion
 			if ( !stristr($cat,'-') )
-				$title = get_the_category_by_ID($cat);
-	}
-	if ( !empty($category_name) ) {
+				$title = apply_filters('single_cat_title', get_the_category_by_ID($cat));
+	} elseif ( !empty($category_name) ) {
 		if ( stristr($category_name,'/') ) {
 				$category_name = explode('/',$category_name);
 				if ( $category_name[count($category_name)-1] )
@@ -162,6 +165,7 @@
 					$category_name = $category_name[count($category_name)-2]; // there was a trailling slash
 		}
 		$title = $wpdb->get_var("SELECT cat_name FROM $wpdb->categories WHERE category_nicename = '$category_name'");
+		$title = apply_filters('single_cat_title', $title);
 	}
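Review bot: The context line `$title = $wpdb->get_var("SELECT cat_name FROM $wpdb->categories WHERE category_nicename = '$category_name'")` still interpolates `$category_name`, obtained from `get_query_var('category_name')` in the previous hunk, directly into SQL; the commit casts the numeric query vars to int but leaves this string one unescaped. Unless query vars are escaped for SQL before they reach wp_title() (not visible on this page), add `$category_name = $wpdb->escape($category_name);` immediately before the query, matching the `$wpdb->escape()` usage in wp-comments-post.php. wp_title() begins in an earlier hunk and ends outside this one.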
 
 	// If there's an author
@@ -196,7 +200,7 @@
 	}
 
 	$prefix = '';
-	if ( isset($title) )
+	if ( !empty($title) )
 		$prefix = " $sep ";
 
 	$title = $prefix . $title;
@@ -244,7 +248,12 @@
 
 
 function single_month_title($prefix = '', $display = true ) {
-	global $m, $monthnum, $month, $year;
+	global $month;
+
+	$m = (int) get_query_var('m');
+	$year = (int) get_query_var('year');
+	$monthnum = (int) get_query_var('monthnum');
+
 	if ( !empty($monthnum) && !empty($year) ) {
 		$my_year = $year;
 		$my_month = $month[str_pad($monthnum, 2, '0', STR_PAD_LEFT)];
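Review bot: `$monthnum` is now an int but is never range-checked, so a request with a monthnum outside 1–12 makes `$month[str_pad($monthnum, 2, '0', STR_PAD_LEFT)]` an undefined-index lookup that emits a notice and produces an empty title. Tighten the guard to `if ( $monthnum >= 1 && $monthnum <= 12 && !empty($year) ) {`. The same `$month[...]` lookup presumably recurs in the `$m` branch further down single_month_title(), which ends outside the hunk.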
Index: wp-includes/template-functions-category.php
===================================================================
--- wp-includes/template-functions-category.php	(.../2.0.9)	(revision 5253)
+++ wp-includes/template-functions-category.php	(.../2.0.10)	(revision 5253)
@@ -3,8 +3,9 @@
 function get_the_category($id = false) {
 global $post, $category_cache;
 
+	$id = (int) $id;
 	if ( !$id )
-		$id = $post->ID;
+		$id = (int) $post->ID;
 
 	if ( !isset($category_cache[$id]) )
 		update_post_category_cache($id);
Index: wp-includes/links.php
===================================================================
--- wp-includes/links.php	(.../2.0.9)	(revision 5253)
+++ wp-includes/links.php	(.../2.0.10)	(revision 5253)
@@ -212,7 +212,7 @@
 
 		$the_link = '#';
 		if (!empty($row->link_url))
-			$the_link = attribute_escape($row->link_url);
+			$the_link = clean_url($row->link_url);
 
 		$rel = $row->link_rel;
 		if ($rel != '') {
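Review bot: Swapping `attribute_escape()` for `clean_url()` changes what is guaranteed about `$the_link` when it is later placed in an HTML attribute: the part of clean_url() visible on this page (functions-formatting.php hunk) strips CR/LF encodings, normalises the scheme and entity-encodes `&`, but whether it removes or encodes `'` and `"` is in the portion of its body not shown. If it does not, every site of this swap — here, functions.php (`<a href='...'>` in the nonce confirmation), wp-admin/post.php (`<iframe src="...">`), wp-admin/upgrade.php (`$goback`, `$backto`) and wp-admin/admin-functions.php (`$popupurl`, `get_default_link_to_edit()`) — trades entity-escaping for scheme filtering rather than adding it, and a quote in the stored URL can close the attribute. Confirm clean_url()'s character allow-list covers quotes and whitespace; if it does not, keep clean_url() for the scheme check and apply `attribute_escape()` at the point of emission. The emission of `$the_link` is outside this hunk.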
Index: wp-includes/functions-formatting.php
===================================================================
--- wp-includes/functions-formatting.php	(.../2.0.9)	(revision 5253)
+++ wp-includes/functions-formatting.php	(.../2.0.10)	(revision 5253)
@@ -1051,7 +1051,11 @@
 	$strip = array('%0d', '%0a');
 	$url = str_replace($strip, '', $url);
 	$url = str_replace(';//', '://', $url);
-	$url = (!strstr($url, '://')) ? 'http://'.$url : $url;
+	// Append http unless a relative link starting with / or a php file.
+	if ( strpos($url, '://') === false &&
+		substr( $url, 0, 1 ) != '/' && !preg_match('/^[a-z0-9]+?\.php/i', $url) )
+		$url = 'http://' . $url;
+	
 	$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&#038;$1', $url);
 	if ( !is_array($protocols) )
 		$protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet'); 
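Review bot: The new relative-link exemption treats anything beginning with `/` as local, so a protocol-relative value such as `//example.invalid/` (constructed) passes untouched: it contains no `://`, so no `http://` is prepended, and if the protocol allow-list that follows keys on `://` the scheme check is skipped as well, although browsers resolve it to a foreign host. Normalise it first so it goes through the allow-list like any other absolute link: `if ( substr( $url, 0, 2 ) == '//' ) $url = 'http:' . $url;` placed before the new `if`. Separately, the `.php` exemption regex `/^[a-z0-9]+?\.php/i` admits neither hyphenated names nor a directory component, so `wp-login.php` or `wp-admin/post.php` would still receive an `http://` prefix; widen it to `/^[a-z0-9_\-\/]+?\.php/i` if those inputs are expected. The added blank `+` line carries trailing whitespace. The enclosing function starts and ends outside the hunk.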
Index: wp-includes/version.php
===================================================================
--- wp-includes/version.php	(.../2.0.9)	(revision 5253)
+++ wp-includes/version.php	(.../2.0.10)	(revision 5253)
@@ -2,7 +2,7 @@
 
 // This just holds the version number, in a separate file so we can bump it without cluttering the SVN
 
-$wp_version = '2.0.9';
+$wp_version = '2.0.10';
 $wp_db_version = 3441;
 
 ?>
Index: wp-includes/functions-post.php
===================================================================
--- wp-includes/functions-post.php	(.../2.0.9)	(revision 5253)
+++ wp-includes/functions-post.php	(.../2.0.10)	(revision 5253)
@@ -47,7 +47,7 @@
 	
 	// Get the post ID.
 	if ( $update )
-		$post_ID = $ID;
+		$post_ID = (int) $ID;
 
 	// Create a valid post name.  Drafts are allowed to have an empty
 	// post name.
@@ -406,6 +406,7 @@
 	global $wpdb;
 
 	// Set the limit clause, if we got a limit
+	$num = (int) $num;
 	if ($num) {
 		$limit = "LIMIT $num";
 	}
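Review bot: After the new `$num = (int) $num;`, a negative value still satisfies `if ($num)` and yields `LIMIT -1`, which is a MySQL syntax error rather than "no limit"; change the guard to `if ($num > 0) {`. The enclosing function starts and ends outside the hunk.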
@@ -476,6 +477,9 @@
 
 function wp_set_post_cats($blogid = '1', $post_ID = 0, $post_categories = array()) {
 	global $wpdb;
+	
+	$post_ID = (int) $post_ID;
+
 	// If $post_categories isn't already an array, make it one:
 	if (!is_array($post_categories) || 0 == count($post_categories))
 		$post_categories = array(get_option('default_category'));
@@ -486,7 +490,7 @@
 	$old_categories = $wpdb->get_col("
 		SELECT category_id 
 		FROM $wpdb->post2cat 
-		WHERE post_id = $post_ID");
+		WHERE post_id = '$post_ID'");
 	
 	if (!$old_categories) {
 		$old_categories = array();
@@ -501,8 +505,8 @@
 		foreach ($delete_cats as $del) {
 			$wpdb->query("
 				DELETE FROM $wpdb->post2cat 
-				WHERE category_id = $del 
-					AND post_id = $post_ID 
+				WHERE category_id = '$del' 
+					AND post_id = '$post_ID' 
 				");
 		}
 	}
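Review bot: `$del` is now quoted in the DELETE but, unlike `$new_cat` in the following hunk, it is never cast to int, so quoting is the only defence on this statement. Add `$del = (int) $del;` as the first line of the `foreach ($delete_cats as $del)` body for consistency with the insert path. `$delete_cats` is derived outside the hunk, presumably from the DB-sourced `$old_categories`, so practical exposure is low but the asymmetry is worth closing.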
@@ -512,12 +516,14 @@
 
 	if ($add_cats) {
 		foreach ($add_cats as $new_cat) {
-			$wpdb->query("
-				INSERT INTO $wpdb->post2cat (post_id, category_id) 
-				VALUES ($post_ID, $new_cat)");
+			$new_cat = (int) $new_cat;
+			if ( !empty($new_cat) )
+				$wpdb->query("
+					INSERT INTO $wpdb->post2cat (post_id, category_id) 
+					VALUES ('$post_ID', '$new_cat')");
 		}
 	}
-	
+
 	// Update category counts.
 	$all_affected_cats = array_unique(array_merge($post_categories, $old_categories));
 	foreach ( $all_affected_cats as $cat_id ) {
Index: wp-includes/classes.php
===================================================================
--- wp-includes/classes.php	(.../2.0.9)	(revision 5253)
+++ wp-includes/classes.php	(.../2.0.10)	(revision 5253)
@@ -1617,6 +1617,9 @@
 				$this->query_vars[$wpvar] = $query_vars[$wpvar];
 			else
 				$this->query_vars[$wpvar] = '';
+
+			if ( !empty( $this->query_vars[$wpvar] ) )
+				$this->query_vars[$wpvar] = (string) $this->query_vars[$wpvar];
 		}
 
 		if ( isset($error) )
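Review bot: The new `(string)` cast turns an array-valued query var (`?p[]=1`, constructed) into the literal string `Array` plus an "Array to string conversion" notice rather than rejecting it, so downstream code sees a bogus but non-empty value. Drop arrays explicitly before the cast: `if ( is_array( $this->query_vars[$wpvar] ) )` / `$this->query_vars[$wpvar] = '';` placed ahead of the existing `!empty()` check. The enclosing method starts and ends outside the hunk.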
Index: wp-includes/template-functions-links.php
===================================================================
--- wp-includes/template-functions-links.php	(.../2.0.9)	(revision 5253)
+++ wp-includes/template-functions-links.php	(.../2.0.10)	(revision 5253)
@@ -87,8 +87,9 @@
 function get_page_link($id = false) {
 	global $post, $wp_rewrite;
 
+	$id = (int) $id;
 	if ( !$id )
-		$id = $post->ID;
+		$id = (int) $post->ID;
 
 	$pagestruct = $wp_rewrite->get_page_permastruct();
 
@@ -109,7 +110,7 @@
 	$link = false;
 
 	if (! $id) {
-		$id = $post->ID;
+		$id = (int) $post->ID;
 	}
 
 	$object = get_post($id);
@@ -378,7 +379,7 @@
 function get_pagenum_link($pagenum = 1) {
 	global $wp_rewrite;
 
-	$qstr = wp_specialchars($_SERVER['REQUEST_URI']);
+	$qstr = $_SERVER['REQUEST_URI'];
 
 	$page_querystring = "paged"; 
 	$page_modstring = "page/";
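Review bot: Dropping `wp_specialchars()` makes `get_pagenum_link()` return `$_SERVER['REQUEST_URI']`-derived text verbatim (`return $qstr;` in the next hunk), so the function's return value now carries unescaped request input to every caller, not only the `next_posts()`/`previous_posts()` wrappers the commit routes through `clean_url()`. Other callers that echo it directly — `next_posts_link()` in this file, and any outside it — are not visible here and must now escape it themselves. Make the contract explicit with a header comment on the function: `// Returns the raw paging URL built from REQUEST_URI; callers must pass it through clean_url() or attribute_escape() before output.`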
@@ -445,7 +446,7 @@
 	return $qstr;
 }
 
-function next_posts($max_page = 0) { // original by cfactor at cooltux.org
+function get_next_posts_page_link($max_page = 0) {
 	global $paged, $pagenow;
 
 	if ( !is_single() ) {
@@ -453,10 +454,14 @@
 			$paged = 1;
 		$nextpage = intval($paged) + 1;
 		if ( !$max_page || $max_page >= $nextpage )
-			echo get_pagenum_link($nextpage);
+			return get_pagenum_link($nextpage);
 	}
 }
 
+function next_posts($max_page = 0) {
+	echo clean_url(get_next_posts_page_link($max_page));
+}
+
 function next_posts_link($label='Next Page &raquo;', $max_page=0) {
 	global $paged, $result, $request, $posts_per_page, $wpdb, $max_num_pages;
 	if ( !$max_page ) {
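Review bot: `get_next_posts_page_link()` returns nothing on a single post or once `$nextpage` exceeds `$max_page`, so `next_posts()` hands `null` to `clean_url()`; by the clean_url() logic in the functions-formatting.php hunk, an empty value with no `://` and no leading `/` gets `http://` prepended, so unless clean_url() returns early on empty input in the part of its body not shown here, `next_posts()` would echo a bare `http://`. Guard the wrapper: `$link = get_next_posts_page_link($max_page);` / `if ( $link ) echo clean_url($link);`. The same applies to `previous_posts()` in the following hunk, where only the `is_single()` case produces an empty result.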
@@ -479,18 +484,20 @@
 	}
 }
 
-
-function previous_posts() { // original by cfactor at cooltux.org
+function get_previous_posts_page_link() {
 	global $paged, $pagenow;
 
 	if ( !is_single() ) {
 		$nextpage = intval($paged) - 1;
 		if ( $nextpage < 1 )
 			$nextpage = 1;
-		echo get_pagenum_link($nextpage);
+		return get_pagenum_link($nextpage);
 	}
 }
 
+function previous_posts() {
+	echo clean_url(get_previous_posts_page_link());
+}
 
 function previous_posts_link($label='&laquo; Previous Page') {
 	global $paged;
Index: wp-includes/pluggable-functions.php
===================================================================
--- wp-includes/pluggable-functions.php	(.../2.0.9)	(revision 5253)
+++ wp-includes/pluggable-functions.php	(.../2.0.10)	(revision 5253)
@@ -466,7 +466,7 @@
 if ( !function_exists('wp_verify_nonce') ) :
 function wp_verify_nonce($nonce, $action = -1) {
 	$user = wp_get_current_user();
-	$uid = $user->id;
+	$uid = (int) $user->id;
 
 	$i = ceil(time() / 43200);
 
@@ -480,7 +480,7 @@
 if ( !function_exists('wp_create_nonce') ) :
 function wp_create_nonce($action = -1) {
 	$user = wp_get_current_user();
-	$uid = $user->id;
+	$uid = (int) $user->id;
 
 	$i = ceil(time() / 43200);
 	
Index: wp-includes/comment-functions.php
===================================================================
--- wp-includes/comment-functions.php	(.../2.0.9)	(revision 5253)
+++ wp-includes/comment-functions.php	(.../2.0.10)	(revision 5253)
@@ -2,6 +2,12 @@
 
 // Template functions
 
+function wp_comment_form_unfiltered_html_nonce() {
+	global $post;
+	if ( current_user_can('unfiltered_html') )
+		wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false);
+}
+
 function comments_template( $file = '/comments.php' ) {
 	global $wp_query, $withcomments, $post, $wpdb, $id, $comment, $user_login, $user_ID, $user_identity;
 
@@ -84,7 +90,7 @@
 	('$comment_post_ID', '$comment_author', '$comment_author_email', '$comment_author_url', '$comment_author_IP', '$comment_date', '$comment_date_gmt', '$comment_content', '$comment_approved', '$comment_agent', '$comment_type', '$comment_parent', '$user_id')
 	");
 
-	$id = $wpdb->insert_id;
+	$id = (int) $wpdb->insert_id;
 
 	if ( $comment_approved == 1) {
 		$count = $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_approved = '1'");
@@ -218,7 +224,7 @@
 	$post_id = (int) $post_id;
 
 	if ( !$post_id )
-		$post_id = $id;
+		$post_id = (int) $id;
 
 	if ( !isset($comment_count_cache[$post_id]) )
 		$comment_count_cache[$id] = $wpdb->get_var("SELECT comment_count FROM $wpdb->posts WHERE ID = '$post_id'");
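Review bot: The context line `$comment_count_cache[$id] = $wpdb->get_var(...)` stores the result under the global `$id` while the `isset()` on the line above and the query itself use `$post_id`; when a caller passes an explicit `$post_id`, the cache is filled under the wrong key, the lookup misses on every call, and whatever later reads `$comment_count_cache[$id]` presumably sees another post's count. Change the key to `$comment_count_cache[$post_id] = $wpdb->get_var("SELECT comment_count FROM $wpdb->posts WHERE ID = '$post_id'");`. The enclosing function starts and ends outside the hunk.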
Index: wp-includes/functions.php
===================================================================
--- wp-includes/functions.php	(.../2.0.9)	(revision 5253)
+++ wp-includes/functions.php	(.../2.0.10)	(revision 5253)
@@ -171,6 +171,7 @@
 
 function get_usernumposts($userid) {
 	global $wpdb;
+	$userid = (int) $userid;
 	return $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->posts WHERE post_author = '$userid' AND post_status = 'publish'");
 }
 
@@ -606,6 +607,7 @@
 			$post_cache[$post->ID] = &$post;
 		$_post = & $post_cache[$post->ID];
 	} else {
+		$post = (int) $post;
 		if ( $_post = wp_cache_get($post, 'pages') )
 			return get_page($_post, $output);
 		elseif ( isset($post_cache[$post]) )
@@ -709,6 +711,7 @@
 		wp_cache_add($page->ID, $page, 'pages');
 		$_page = $page;
 	} else {
+		$page = (int) $page;
 		if ( isset($GLOBALS['page']) && ($page == $GLOBALS['page']->ID) ) {
 			$_page = & $GLOBALS['page'];
 			wp_cache_add($_page->ID, $_page, 'pages');
@@ -767,6 +770,7 @@
 		wp_cache_add($category->cat_ID, $category, 'category');
 		$_category = $category;
 	} else {
+		$category = (int) $category;
 		if ( ! $_category = wp_cache_get($category, 'category') ) {
 			$_category = $wpdb->get_row("SELECT * FROM $wpdb->categories WHERE cat_ID = '$category' LIMIT 1");
 			wp_cache_add($category, $_category, 'category');
@@ -804,6 +808,7 @@
 			$comment_cache[$comment->comment_ID] = &$comment;
 		$_comment = & $comment_cache[$comment->comment_ID];
 	} else {
+		$comment = (int) $comment;
 		if ( !isset($comment_cache[$comment]) ) {
 			$_comment = $wpdb->get_row("SELECT * FROM $wpdb->comments WHERE comment_ID = '$comment' LIMIT 1");
 			$comment_cache[$comment->comment_ID] = & $_comment;
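Review bot: The new `$comment = (int) $comment;` does not fix the context line `$comment_cache[$comment->comment_ID] = & $_comment;`, which dereferences a property on a scalar: the expression yields `null` (with a notice) and the fetched row is stored under the empty key rather than its ID, so the `isset($comment_cache[$comment])` check two lines above never hits and every call re-queries. Use the integer key that was just established: `$comment_cache[$comment] = & $_comment;`. The enclosing function starts and ends outside the hunk.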
@@ -2019,7 +2024,7 @@
 function get_page_template() {
 	global $wp_query;
 
-	$id = $wp_query->post->ID;
+	$id = (int) $wp_query->post->ID;
 	$template = get_post_meta($id, '_wp_page_template', true);
 
 	if ( 'default' == $template )
@@ -2369,9 +2374,11 @@
 	return wp_specialchars(add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl));
 }
 
-function wp_nonce_field($action = -1) {
-	echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />';
-	wp_referer_field();
+function wp_nonce_field($action = -1, $name = "_wpnonce", $referer = true) {
+	$name = attribute_escape($name);
+	echo '<input type="hidden" name="' . $name . '" value="' . wp_create_nonce($action) . '" />';
+	if ( $referer )
+		wp_referer_field();
 }
 
 function wp_referer_field() {
@@ -2486,7 +2493,7 @@
 		$html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n";
 		$html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";
 	} else {
-		$html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . attribute_escape(add_query_arg('_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'])) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
+		$html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . clean_url(add_query_arg('_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'])) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
 	}
 	$html .= "</body>\n</html>";
 	wp_die($html, $title);
Index: wp-includes/registration-functions.php
===================================================================
--- wp-includes/registration-functions.php	(.../2.0.9)	(revision 5253)
+++ wp-includes/registration-functions.php	(.../2.0.10)	(revision 5253)
@@ -77,7 +77,7 @@
 		$query = "UPDATE $wpdb->users SET user_pass='$user_pass', user_email='$user_email', user_url='$user_url', user_nicename = '$user_nicename', display_name = '$display_name' WHERE ID = '$ID'";
 		$query = apply_filters('update_user_query', $query);
 		$wpdb->query( $query );
-		$user_id = $ID;
+		$user_id = (int) $ID;
 	} else {
 		$query = "INSERT INTO $wpdb->users 
 		(user_login, user_pass, user_email, user_url, user_registered, user_nicename, display_name)
@@ -85,7 +85,7 @@
 		('$user_login', '$user_pass', '$user_email', '$user_url', '$user_registered', '$user_nicename', '$display_name')";
 		$query = apply_filters('create_user_query', $query);
 		$wpdb->query( $query );
-		$user_id = $wpdb->insert_id;
+		$user_id = (int) $wpdb->insert_id;
 	}
 	
 	update_usermeta( $user_id, 'first_name', $first_name);
Index: wp-includes/template-functions-author.php
===================================================================
--- wp-includes/template-functions-author.php	(.../2.0.9)	(revision 5253)
+++ wp-includes/template-functions-author.php	(.../2.0.10)	(revision 5253)
@@ -136,7 +136,7 @@
 
 function get_author_link($echo = false, $author_id, $author_nicename = '') {
 	global $wpdb, $wp_rewrite, $post, $cache_userdata;
-	$auth_ID = $author_id;
+	$auth_ID = (int) $author_id;
 	$link = $wp_rewrite->get_author_permastruct();
 
 	if ( empty($link) ) {
Index: xmlrpc.php
===================================================================
--- xmlrpc.php	(.../2.0.9)	(revision 5253)
+++ xmlrpc.php	(.../2.0.10)	(revision 5253)
@@ -208,9 +208,9 @@
 
 		$this->escape($args);
 
-	  $post_ID    = $args[1];
-	  $user_login = $args[2];
-	  $user_pass  = $args[3];
+		$post_ID    = (int) $args[1];
+		$user_login = $args[2];
+		$user_pass  = $args[3];
 
 	  if (!$this->login_pass_ok($user_login, $user_pass)) {
 	    return $this->error;
@@ -243,10 +243,10 @@
 
 		$this->escape($args);
 
-	  $blog_ID    = $args[1]; /* though we don't use it yet */
-	  $user_login = $args[2];
-	  $user_pass  = $args[3];
-	  $num_posts  = $args[4];
+		$blog_ID    = (int) $args[1]; /* though we don't use it yet */
+		$user_login = $args[2];
+		$user_pass  = $args[3];
+		$num_posts  = $args[4];
 
 	  if (!$this->login_pass_ok($user_login, $user_pass)) {
 	    return $this->error;
@@ -291,7 +291,7 @@
 
 		$this->escape($args);
 
-	  $blog_ID    = $args[1];
+	  $blog_ID    = (int) $args[1];
 	  $user_login = $args[2];
 	  $user_pass  = $args[3];
 	  $template   = $args[4]; /* could be 'main' or 'archiveIndex', but we don't use it */
@@ -325,7 +325,7 @@
 
 		$this->escape($args);
 
-	  $blog_ID    = $args[1];
+	  $blog_ID    = (int) $args[1];
 	  $user_login = $args[2];
 	  $user_pass  = $args[3];
 	  $content    = $args[4];
@@ -362,7 +362,7 @@
 
 		$this->escape($args);
 
-	  $blog_ID    = $args[1]; /* though we don't use it yet */
+	  $blog_ID    = (int) $args[1]; /* though we don't use it yet */
 	  $user_login = $args[2];
 	  $user_pass  = $args[3];
 	  $content    = $args[4];
@@ -409,7 +409,7 @@
 
 		$this->escape($args);
 
-	  $post_ID     = $args[1];
+	  $post_ID     = (int) $args[1];
 	  $user_login  = $args[2];
 	  $user_pass   = $args[3];
 	  $content     = $args[4];
@@ -433,6 +433,9 @@
 
 	  extract($actual_post);
 
+	  if ( ('publish' == $post_status) && !current_user_can('publish_posts') )
+	  	return new IXR_Error(401, 'Sorry, you do not have the right to publish this post.');
+
 	  $post_title = xmlrpc_getposttitle($content);
 	  $post_category = xmlrpc_getpostcategory($content);
 	  $post_content = xmlrpc_removepostdata($content);
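Review bot: The new capability check compares `$post_status` as it comes out of `extract($actual_post)`, i.e. the stored status of the existing post, so it refuses edits of already-published posts by users without `publish_posts` but does not examine the status the request is asking for. If this method later derives a new status from its own publish argument (outside the hunk), the check should be repeated against that value, as the metaWeblog hunk further down does after `$post_status = $publish ? 'publish' : 'draft';`. `extract()` on the DB row also overwrites any same-named local, which is worth a one-line comment if `$post_status` is meant to be authoritative at this point.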
@@ -456,7 +459,7 @@
 
 		$this->escape($args);
 
-	  $post_ID     = $args[1];
+	  $post_ID     = (int) $args[1];
 	  $user_login  = $args[2];
 	  $user_pass   = $args[3];
 	  $publish     = $args[4];
@@ -497,7 +500,7 @@
 
 		$this->escape($args);
 
-	  $blog_ID     = $args[0]; // we will support this in the near future
+	  $blog_ID     = (int) $args[0]; // we will support this in the near future
 	  $user_login  = $args[1];
 	  $user_pass   = $args[2];
 	  $content_struct = $args[3];
@@ -532,7 +535,9 @@
 	    $post_content = $post_content . "\n<!--more-->\n" . $post_more;
 	  }
 
-		$to_ping = $content_struct['mt_tb_ping_urls'];
+	  $to_ping = $content_struct['mt_tb_ping_urls'];
+	  if ( is_array($to_ping) )
+	  	$to_ping = implode(' ', $to_ping);
 
 	  // Do some timestamp voodoo
 	  $dateCreatedd = $content_struct['dateCreated'];
@@ -577,7 +582,7 @@
 
 		$this->escape($args);
 
-	  $post_ID     = $args[0];
+	  $post_ID     = (int) $args[0];
 	  $user_login  = $args[1];
 	  $user_pass   = $args[2];
 	  $content_struct = $args[3];
@@ -611,12 +616,18 @@
 	  $post_more = $content_struct['mt_text_more'];
 	  $post_status = $publish ? 'publish' : 'draft';
 
+
+	  if ( ('publish' == $post_status) && !current_user_can('publish_posts') )
+	  	return new IXR_Error(401, 'Sorry, you do not have the right to publish this post.');
+
 	  if ($post_more) {
 	    $post_content = $post_content . "\n<!--more-->\n" . $post_more;
 	  }
 
-		$to_ping = $content_struct['mt_tb_ping_urls'];
-
+	  $to_ping = $content_struct['mt_tb_ping_urls'];
+	  if ( is_array($to_ping) )
+	  	$to_ping = implode(' ', $to_ping);
+	  
 	  $comment_status = (empty($content_struct['mt_allow_comments'])) ?
 	    get_settings('default_comment_status')
 	    : $content_struct['mt_allow_comments'];
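Review bot: Two consecutive blank lines are introduced ahead of the new capability check (the extra empty `+` line after `$post_status = ...`), and the added blank line after the `implode()` carries trailing whitespace; both break the single-blank-line spacing used elsewhere in this method. The publish check itself reads well here because it runs on the requested status rather than the stored one, which is the pattern the earlier blogger hunk should also follow.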
@@ -657,7 +668,7 @@
 
 		$this->escape($args);
 
-	  $post_ID     = $args[0];
+	  $post_ID     = (int) $args[0];
 	  $user_login  = $args[1];
 	  $user_pass   = $args[2];
 
@@ -712,10 +723,10 @@
 
 		$this->escape($args);
 
-	  $blog_ID     = $args[0];
-	  $user_login  = $args[1];
-	  $user_pass   = $args[2];
-	  $num_posts   = $args[3];
+		$blog_ID     = (int) $args[0];
+		$user_login  = $args[1];
+		$user_pass   = $args[2];
+		$num_posts   = (int) $args[3];
 
 	  if (!$this->login_pass_ok($user_login, $user_pass)) {
 	    return $this->error;
@@ -778,9 +789,9 @@
 
 		$this->escape($args);
 
-	  $blog_ID     = $args[0];
-	  $user_login  = $args[1];
-	  $user_pass   = $args[2];
+		$blog_ID     = (int) $args[0];
+		$user_login  = $args[1];
+		$user_pass   = $args[2];
 
 	  if (!$this->login_pass_ok($user_login, $user_pass)) {
 	    return $this->error;
@@ -812,7 +823,7 @@
 
 		global $wpdb;
 
-		$blog_ID     = $wpdb->escape($args[0]);
+		$blog_ID     = (int) $args[0];
 		$user_login  = $wpdb->escape($args[1]);
 		$user_pass   = $wpdb->escape($args[2]);
 		$data        = $args[3];
@@ -852,10 +863,10 @@
 
 		$this->escape($args);
 
-	  $blog_ID     = $args[0];
-	  $user_login  = $args[1];
-	  $user_pass   = $args[2];
-	  $num_posts   = $args[3];
+		$blog_ID     = (int) $args[0];
+		$user_login  = $args[1];
+		$user_pass   = $args[2];
+		$num_posts   = (int) $args[3];
 
 	  if (!$this->login_pass_ok($user_login, $user_pass)) {
 	    return $this->error;
@@ -897,9 +908,9 @@
 
 		$this->escape($args);
 
-	  $blog_ID     = $args[0];
-	  $user_login  = $args[1];
-	  $user_pass   = $args[2];
+		$blog_ID     = (int) $args[0];
+		$user_login  = $args[1];
+		$user_pass   = $args[2];
 
 	  if (!$this->login_pass_ok($user_login, $user_pass)) {
 	    return $this->error;
@@ -926,9 +937,9 @@
 
 		$this->escape($args);
 
-	  $post_ID     = $args[0];
-	  $user_login  = $args[1];
-	  $user_pass   = $args[2];
+		$post_ID     = (int) $args[0];
+		$user_login  = $args[1];
+		$user_pass   = $args[2];
 
 	  if (!$this->login_pass_ok($user_login, $user_pass)) {
 	    return $this->error;
@@ -956,10 +967,10 @@
 
 		$this->escape($args);
 
-	  $post_ID     = $args[0];
-	  $user_login  = $args[1];
-	  $user_pass   = $args[2];
-	  $categories  = $args[3];
+		$post_ID     = (int) $args[0];
+		$user_login  = $args[1];
+		$user_pass   = $args[2];
+		$categories  = $args[3];
 
 	  if (!$this->login_pass_ok($user_login, $user_pass)) {
 	    return $this->error;
@@ -1039,9 +1050,9 @@
 
 		$this->escape($args);
 
-	  $post_ID     = $args[0];
-	  $user_login  = $args[1];
-	  $user_pass   = $args[2];
+		$post_ID     = (int) $args[0];
+		$user_login  = $args[1];
+		$user_pass   = $args[2];
 
 	  if (!$this->login_pass_ok($user_login, $user_pass)) {
 	    return $this->error;
@@ -1101,18 +1112,18 @@
 		} elseif (preg_match('#p/[0-9]{1,}#', $urltest['path'], $match)) {
 			// the path defines the post_ID (archives/p/XXXX)
 			$blah = explode('/', $match[0]);
-			$post_ID = $blah[1];
+			$post_ID = (int) $blah[1];
 			$way = 'from the path';
 		} elseif (preg_match('#p=[0-9]{1,}#', $urltest['query'], $match)) {
 			// the querystring defines the post_ID (?p=XXXX)
 			$blah = explode('=', $match[0]);
-			$post_ID = $blah[1];
+			$post_ID = (int) $blah[1];
 			$way = 'from the querystring';
 		} elseif (isset($urltest['fragment'])) {
 			// an #anchor is there, it's either...
 			if (intval($urltest['fragment'])) {
 				// ...an integer #XXXX (simpliest case)
-				$post_ID = $urltest['fragment'];
+				$post_ID = (int) $urltest['fragment'];
 				$way = 'from the fragment (numeric)';
 			} elseif (preg_match('/post-[0-9]+/',$urltest['fragment'])) {
 				// ...a post id in the form 'post-###'
Index: wp-trackback.php
===================================================================
--- wp-trackback.php	(.../2.0.9)	(revision 5253)
+++ wp-trackback.php	(.../2.0.10)	(revision 5253)
@@ -84,7 +84,7 @@
 		$title = (strlen($title) > 250) ? substr($title, 0, 250) . '...' : $title;
 	}
 
-	$comment_post_ID = $tb_id;
+	$comment_post_ID = (int) $tb_id;
 	$comment_author = $blog_name;
 	$comment_author_email = '';
 	$comment_author_url = $tb_url;
Index: wp-admin/edit-comments.php
===================================================================
--- wp-admin/edit-comments.php	(.../2.0.9)	(revision 5253)
+++ wp-admin/edit-comments.php	(.../2.0.10)	(revision 5253)
@@ -44,7 +44,7 @@
 	$i = 0;
 	foreach ($_POST['delete_comments'] as $comment) : // Check the permissions on each
 		$comment = (int) $comment;
-		$post_id = $wpdb->get_var("SELECT comment_post_ID FROM $wpdb->comments WHERE comment_ID = $comment");
+		$post_id = (int) $wpdb->get_var("SELECT comment_post_ID FROM $wpdb->comments WHERE comment_ID = $comment");
 		$authordata = get_userdata( $wpdb->get_var("SELECT post_author FROM $wpdb->posts WHERE ID = $post_id") );
 		if ( current_user_can('edit_post', $post_id) ) :
 			wp_set_comment_status($comment, "delete");
Index: wp-admin/post.php
===================================================================
--- wp-admin/post.php	(.../2.0.9)	(revision 5253)
+++ wp-admin/post.php	(.../2.0.10)	(revision 5253)
@@ -81,7 +81,7 @@
 	?>
 	<div id='preview' class='wrap'>
 	<h2 id="preview-post"><?php _e('Post Preview (updated when post is saved)'); ?> <small class="quickjump"><a href="#write-post"><?php _e('edit &uarr;'); ?></a></small></h2>
-		<iframe src="<?php echo attribute_escape(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
+		<iframe src="<?php echo clean_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
 	</div>
 	<?php
 	break;
Index: wp-admin/upgrade.php
===================================================================
--- wp-admin/upgrade.php	(.../2.0.9)	(revision 5253)
+++ wp-admin/upgrade.php	(.../2.0.10)	(revision 5253)
@@ -67,7 +67,7 @@
 switch($step) {
 
 	case 0:
-	$goback = attribute_escape(stripslashes(wp_get_referer()));
+	$goback = clean_url(stripslashes(wp_get_referer()));
 ?> 
 <p><?php _e('This file upgrades you from any previous version of WordPress to the latest. It may take a while though, so be patient.'); ?></p> 
 	<h2 class="step"><a href="upgrade.php?step=1&amp;backto=<?php echo $goback; ?>"><?php _e('Upgrade WordPress &raquo;'); ?></a></h2>
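Review bot: `$goback` is interpolated as the value of the `backto` query parameter in `upgrade.php?step=1&amp;backto=<?php echo $goback; ?>`, but `clean_url()` prepares a whole link, not a parameter value: any `&`, `?` or `#` in the referer survives (the `&` becomes `&#038;`, which the browser decodes back into a separator) and splits or truncates the parameter. Encode for that context instead, `$goback = urlencode(stripslashes(wp_get_referer()));`, and leave link-level cleaning to the step-1 side, which the next hunk already routes through `clean_url()`.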
@@ -86,7 +86,7 @@
 	if ( empty( $_GET['backto'] ) )
 		$backto = __get_option('home');
 	else
-		$backto = attribute_escape(stripslashes($_GET['backto']));
+		$backto = clean_url(stripslashes($_GET['backto']));
 ?> 
 <h2><?php _e('Step 1'); ?></h2> 
 	<p><?php printf(__("There's actually only one step. So if you see this, you're done. <a href='%s'>Have fun</a>!"),  $backto); ?></p>
Index: wp-admin/admin-functions.php
===================================================================
--- wp-admin/admin-functions.php	(.../2.0.9)	(revision 5253)
+++ wp-admin/admin-functions.php	(.../2.0.10)	(revision 5253)
@@ -289,7 +289,7 @@
 	else if ( !empty($post_title) ) {
 		$text       = wp_specialchars(stripslashes(urldecode($_REQUEST['text'])));
 		$text       = funky_javascript_fix($text);
-		$popupurl   = attribute_escape(stripslashes($_REQUEST['popupurl']));
+		$popupurl   = clean_url(stripslashes($_REQUEST['popupurl']));
         $post_content = '<a href="'.$popupurl.'">'.$post_title.'</a>'."\n$text";
     }
 
@@ -339,7 +339,7 @@
 	$user = new WP_User($user_id);
 	$user->user_login   = attribute_escape($user->user_login);
 	$user->user_email   = attribute_escape($user->user_email);
-	$user->user_url     = attribute_escape($user->user_url);
+	$user->user_url     = clean_url($user->user_url);
 	$user->first_name   = attribute_escape($user->first_name);
 	$user->last_name    = attribute_escape($user->last_name);
 	$user->display_name = attribute_escape($user->display_name);
@@ -363,7 +363,7 @@
 
 	if ($user_id != 0) {
 		$update = true;
-		$user->ID = $user_id;
+		$user->ID = (int) $user_id;
 		$userdata = get_userdata($user_id);
 		$user->user_login = $wpdb->escape($userdata->user_login);
 	} else {
@@ -388,7 +388,7 @@
 	if (isset ($_POST['email']))
 		$user->user_email = wp_specialchars(trim($_POST['email']));
 	if (isset ($_POST['url'])) {
-		$user->user_url = wp_specialchars(trim($_POST['url']));
+		$user->user_url = clean_url(trim($_POST['url']));
 		$user->user_url = preg_match('/^(https?|ftps?|mailto|news|gopher):/is', $user->user_url) ? $user->user_url : 'http://'.$user->user_url;
 	}
 	if (isset ($_POST['first_name']))
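Review bot: After `clean_url(trim($_POST['url']))`, the unchanged next line still prepends `http://` whenever the value fails its own scheme regex; clean_url() already adds `http://` to scheme-less input (functions-formatting.php hunk) and deliberately leaves `/`-relative and `*.php` values alone, so this second pass undoes those exemptions (a `/path` becomes `http:///path`) and mangles schemes clean_url() accepts but the regex does not (`feed://` becomes `http://feed://...`). Make clean_url() the single source of truth by deleting the `preg_match(...) ? ... : 'http://'.$user->user_url` line. The enclosing function starts and ends outside the hunk.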
@@ -467,11 +467,11 @@
 function get_link_to_edit($link_id) {
 	$link = get_link($link_id);
 
-	$link->link_url         = attribute_escape($link->link_url);
+	$link->link_url         =        clean_url($link->link_url);
 	$link->link_name        = attribute_escape($link->link_name);
 	$link->link_image       = attribute_escape($link->link_image);
 	$link->link_description = attribute_escape($link->link_description);
-	$link->link_rss         = attribute_escape($link->link_rss);
+	$link->link_rss         =        clean_url($link->link_rss);
 	$link->link_rel         = attribute_escape($link->link_rel);
 	$link->link_notes       =  wp_specialchars($link->link_notes);
 	$link->post_category    = $link->link_category;
@@ -481,7 +481,7 @@
 
 function get_default_link_to_edit() {
 	if ( isset($_GET['linkurl']) )
-		$link->link_url = attribute_escape($_GET['linkurl']);
+		$link->link_url = clean_url($_GET['linkurl']);
 	else
 		$link->link_url = '';
 	
@@ -502,10 +502,10 @@
 		die(__("Cheatin' uh ?"));
 
 	$_POST['link_url'] = wp_specialchars($_POST['link_url']);
-	$_POST['link_url'] = preg_match('/^(https?|ftps?|mailto|news|gopher):/is', $_POST['link_url']) ? $_POST['link_url'] : 'http://' . $_POST['link_url'];
+	$_POST['link_url'] = clean_url($_POST['link_url']);
 	$_POST['link_name'] = wp_specialchars($_POST['link_name']);
 	$_POST['link_image'] = wp_specialchars($_POST['link_image']);
-	$_POST['link_rss'] = wp_specialchars($_POST['link_rss']);
+	$_POST['link_rss'] = clean_url($_POST['link_rss']);
 	$auto_toggle = get_autotoggle($_POST['link_category']);
 	
 	// if we are in an auto toggle category and this one is visible then we
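Review bot: `link_url` still goes through `wp_specialchars()` on the line above the changed one, so `clean_url()` is now applied to an already entity-encoded string, while `link_rss` receives `clean_url()` alone. Unless `clean_url()` is written to tolerate pre-encoded input, an `&` in a query string is likely to be encoded twice; dropping the `wp_specialchars($_POST['link_url'])` line makes the two URL fields consistent. The enclosing function starts outside the hunk.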
@@ -866,8 +866,8 @@
 			<tr class='$style'>
 				<td valign='top'><input name='meta[{$entry['meta_id']}][key]' tabindex='6' type='text' size='20' value='{$entry['meta_key']}' /></td>
 				<td><textarea name='meta[{$entry['meta_id']}][value]' tabindex='6' rows='2' cols='30'>{$entry['meta_value']}</textarea></td>
-				<td align='center'><input name='updatemeta' type='submit' class='updatemeta' tabindex='6' value='".__('Update')."' /><br />
-				<input name='deletemeta[{$entry['meta_id']}]' type='submit' class='deletemeta' tabindex='6' value='".__('Delete')."' /></td>
+				<td align='center'><input name='updatemeta' type='submit' class='updatemeta' tabindex='6' value='".attribute_escape(__('Update'))."' /><br />
+				<input name='deletemeta[{$entry['meta_id']}]' type='submit' class='deletemeta' tabindex='6' value='".attribute_escape(__('Delete'))."' /></td>
 			</tr>
 		";
 	}
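Review bot: The two submit buttons are now escaped, but `$entry['meta_key']` and `$entry['meta_value']` on the lines above are still interpolated directly into a `value` attribute and a `<textarea>`, which is the larger unescaped output in this row. Unless `$entry` is escaped before the loop (the loop head is outside the hunk), `attribute_escape($entry['meta_key'])` for the attribute and `wp_specialchars($entry['meta_value'])` for the textarea would close that gap. The enclosing function starts outside the hunk.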
@@ -931,6 +931,7 @@
 
 function add_meta($post_ID) {
 	global $wpdb;
+	$post_ID = (int) $post_ID;
 
 	$metakeyselect = $wpdb->escape(stripslashes(trim($_POST['metakeyselect'])));
 	$metakeyinput = $wpdb->escape(stripslashes(trim($_POST['metakeyinput'])));
@@ -957,6 +958,7 @@
 
 function delete_meta($mid) {
 	global $wpdb;
+	$mid = (int) $mid;
 
 	$result = $wpdb->query("DELETE FROM $wpdb->postmeta WHERE meta_id = '$mid'");
 }
@@ -1810,7 +1812,7 @@
 o.submit();
 }
 </script>
-<form enctype="multipart/form-data" id="uploadForm" method="post" action="<?php echo $action ?>">
+<form enctype="multipart/form-data" id="uploadForm" method="post" action="<?php echo attribute_escape($action) ?>">
 <label for="upload"><?php _e('File:'); ?></label><input type="file" id="upload" name="import" />
 <input type="hidden" name="action" value="save" />
 <div id="buttons">
Index: wp-admin/bookmarklet.php
===================================================================
--- wp-admin/bookmarklet.php	(.../2.0.9)	(revision 5253)
+++ wp-admin/bookmarklet.php	(.../2.0.10)	(revision 5253)
@@ -37,7 +37,7 @@
 	
   
 $content  = wp_specialchars($_REQUEST['content']);
-$popupurl = attribute_escape(stripslashes($_REQUEST['popupurl']));
+$popupurl = clean_url(stripslashes($_REQUEST['popupurl']));
     if ( !empty($content) ) {
         $post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) );
     } else {
Index: wp-admin/admin-db.php
===================================================================
--- wp-admin/admin-db.php	(.../2.0.9)	(revision 5253)
+++ wp-admin/admin-db.php	(.../2.0.10)	(revision 5253)
@@ -110,7 +110,7 @@
 
 	if (!$update) {
 		$wpdb->query("INSERT INTO $wpdb->categories (cat_ID, cat_name, category_nicename, category_description, category_parent) VALUES ('0', '$cat_name', '$category_nicename', '$category_description', '$category_parent')");
-		$cat_ID = $wpdb->insert_id;
+		$cat_ID = (int) $wpdb->insert_id;
 	} else {
 		$wpdb->query ("UPDATE $wpdb->categories SET cat_name = '$cat_name', category_nicename = '$category_nicename', category_description = '$category_description', category_parent = '$category_parent' WHERE cat_ID = '$cat_ID'");
 	}
@@ -207,7 +207,7 @@
 	if (!$category_nicename = sanitize_title($cat_name))
 		return 0;
 
-	return $wpdb->get_var("SELECT cat_ID FROM $wpdb->categories WHERE category_nicename = '$category_nicename'");
+	return (int) $wpdb->get_var("SELECT cat_ID FROM $wpdb->categories WHERE category_nicename = '$category_nicename'");
 }
 
 function wp_delete_user($id, $reassign = 'novalue') {
@@ -270,6 +270,8 @@
 	if ( !empty($link_id) )
 		$update = true;
 
+	$link_id = (int) $link_id;
+
 	if( trim( $link_name ) == '' )
 		return 0;
 	$link_name = apply_filters('pre_link_name', $link_name);
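Review bot: `$link_id = (int) $link_id;` is placed after the `!empty($link_id)` test that sets `$update`, so a non-empty but non-numeric value selects the update path while the cast yields `0`, and the UPDATE later in the function then runs with `link_id='0'`. Moving the cast above the `if ( !empty($link_id) )` line lets the emptiness test and the query see the same integer. Where `$link_id` is assigned is outside the hunk (the function starts before it), so this assumes it can arrive as a string.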
@@ -326,7 +328,7 @@
 			WHERE link_id='$link_id'");
 	} else {
 		$wpdb->query("INSERT INTO $wpdb->links (link_url, link_name, link_image, link_target, link_category, link_description, link_visible, link_owner, link_rating, link_rel, link_notes, link_rss) VALUES('$link_url','$link_name', '$link_image', '$link_target', '$link_category', '$link_description', '$link_visible', '$link_owner', '$link_rating', '$link_rel', '$link_notes', '$link_rss')");
-		$link_id = $wpdb->insert_id;
+		$link_id = (int) $wpdb->insert_id;
 	}
 	
 	if ( $update )
Index: wp-admin/import/livejournal.php
===================================================================
--- wp-admin/import/livejournal.php	(.../2.0.9)	(revision 5253)
+++ wp-admin/import/livejournal.php	(.../2.0.10)	(revision 5253)
@@ -80,7 +80,7 @@
 			$comments = $comments[1];
 			
 			if ( $comments ) {
-				$comment_post_ID = $post_id;
+				$comment_post_ID = (int) $post_id;
 				$num_comments = 0;
 				foreach ($comments as $comment) {
 					preg_match('|<event>(.*?)</event>|is', $comment, $comment_content);
Index: wp-admin/import/dotclear.php
===================================================================
--- wp-admin/import/dotclear.php	(.../2.0.9)	(revision 5253)
+++ wp-admin/import/dotclear.php	(.../2.0.10)	(revision 5253)
@@ -430,8 +430,8 @@
 				extract($comment);
 				
 				// WordPressify Data
-				$comment_ID = ltrim($comment_id, '0');
-				$comment_post_ID = $postarr[$post_id];
+				$comment_ID = (int) ltrim($comment_id, '0');
+				$comment_post_ID = (int) $postarr[$post_id];
 				$comment_approved = "$comment_pub";
 				$name = $wpdb->escape(csc ($comment_auteur));
 				$email = $wpdb->escape($comment_email);
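Review bot: `ltrim($comment_id, '0')` is redundant once the value is cast with `(int)`, since the cast already discards leading zeros; `$comment_ID = (int) $comment_id;` is the simpler form. Both `$comment_id` and `$post_id` are introduced by the `extract($comment)` two lines above, so the casts are what pins these two values to integers before they reach the query; the other extracted fields continue to rely on `$wpdb->escape()` as before. The enclosing loop starts outside the hunk.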
Index: wp-admin/import/mt.php
===================================================================
--- wp-admin/import/mt.php	(.../2.0.9)	(revision 5253)
+++ wp-admin/import/mt.php	(.../2.0.10)	(revision 5253)
@@ -169,7 +169,7 @@
 			return;
 		}
 		$this->file = $file['file'];
-		$this->id = $file['id'];
+		$this->id = (int) $file['id'];
 
 		$this->get_entries();
 		$this->mt_authors_form();
@@ -293,7 +293,7 @@
 					}
 				}
 
-				$comment_post_ID = $post_id;
+				$comment_post_ID = (int) $post_id;
 				$comment_approved = 1;
 
 				// Now for comments

