Tagging 2.3.2

git-svn-id: http://svn.automattic.com/wordpress/tags/2.3.2@6528 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/admin.php

@@ -1,4 +1,6 @@
 <?php
+define('WP_ADMIN', TRUE);
+
 if ( defined('ABSPATH') )
 	require_once( ABSPATH . 'wp-config.php');
 else

wp-admin/edit-post-rows.php

@@ -1,3 +1,4 @@
+<?php if ( ! defined('ABSPATH') ) die(); ?>
 <table class="widefat">
 	<thead>
 	<tr>

wp-admin/import/mt.php

@@ -30,7 +30,7 @@ class MT_Import {
 	<input type="hidden" name="upload_type" value="ftp" />
 <?php _e('Or use <code>mt-export.txt</code> in your <code>/wp-content/</code> directory'); ?></p>
 <p class="submit">
-<input type="submit" value="<?php _e(sprintf('Import %s', 'mt-export.txt &raquo;')); ?>" />
+<input type="submit" value="<?php echo attribute_escape(__('Import mt-export.txt &raquo;')); ?>" />
 </p>
 </form>
 <p><?php _e('The importer is smart enough not to import duplicates, so you can run this multiple times without worry if&#8212;for whatever reason&#8212;it doesn\'t finish. If you get an <strong>out of memory</strong> error try splitting up the import file into pieces.'); ?> </p>

wp-admin/import/utw.php

@@ -157,7 +157,7 @@ class UTW_Import {
 		// run that funky magic!
 		$tags_added = $this->tag2post();
 
-		echo '<p>' . sprintf( __('Done! <strong>%s</strong> tags where added!'), $tags_added ) . '<br /></p>';
+		echo '<p>' . sprintf( __('Done! <strong>%s</strong> tags were added!'), $tags_added ) . '<br /></p>';
 
 		echo '<form action="admin.php?import=utw&amp;step=4" method="post">';
 		wp_nonce_field('import-utw');
@@ -273,4 +273,4 @@ $utw_import = new UTW_Import();
 // add it to the import page!
 register_importer('utw', 'Ultimate Tag Warrior', __('Import Ultimate Tag Warrior tags into the new native tagging structure.'), array($utw_import, 'dispatch'));
 
-?>
+?>

wp-admin/import/wp-cat2tag.php

@@ -63,7 +63,7 @@ class WP_Categories_to_Tags {
 
 		print '</ul>';
 
-		print '<p class="submit"><input type="submit" name="maybe_convert_all_cats" value="' . __('Convert All Categories') . '" /> <input type="submit" name="submit" value="' . __('Convert &raquo;') . '" /></p>';
+		print '<p class="submit"><input type="submit" name="submit" value="' . __('Convert &raquo;') . '" /></p>';
 		print '</form>';
 	}
 
@@ -140,11 +140,23 @@ class WP_Categories_to_Tags {
 					foreach ( $posts as $post ) {
 						if ( !$wpdb->get_var("SELECT object_id FROM $wpdb->term_relationships WHERE object_id = '$post' AND term_taxonomy_id = '$id'") )						
 							$wpdb->query("INSERT INTO $wpdb->term_relationships (object_id, term_taxonomy_id) VALUES ('$post', '$id')");
+						clean_post_cache($post);
 					}
 				} else {
+					$tt_ids = $wpdb->get_col("SELECT term_taxonomy_id FROM $wpdb->term_taxonomy WHERE term_id = '{$category->term_id}' AND taxonomy = 'category'");
+					if ( $tt_ids ) {
+						$posts = $wpdb->get_col("SELECT object_id FROM $wpdb->term_relationships WHERE term_taxonomy_id IN (" . join(',', $tt_ids) . ") GROUP BY object_id");
+						foreach ( (array) $posts as $post )
+							clean_post_cache($post);
+					}
+
 					// Change the category to a tag.
 					$wpdb->query("UPDATE $wpdb->term_taxonomy SET taxonomy = 'post_tag' WHERE term_id = '{$category->term_id}' AND taxonomy = 'category'");
 
+					$terms = $wpdb->get_col("SELECT term_id FROM $wpdb->term_taxonomy WHERE parent = '{$category->term_id}' AND taxonomy = 'category'");
+					foreach ( (array) $terms as $term )
+						clean_category_cache($term);
+
 					// Set all parents to 0 (root-level) if their parent was the converted tag
 					$wpdb->query("UPDATE $wpdb->term_taxonomy SET parent = 0 WHERE parent = '{$category->term_id}' AND taxonomy = 'category'");
 				}
@@ -160,41 +172,9 @@ class WP_Categories_to_Tags {
 		print '</ul>';
 	}
 
-	function convert_all_confirm() {
-		print '<div class="narrow">';
-
-		print '<h3>' . __('Confirm') . '</h3>';
-
-		print '<p>' . __('You are about to convert all categories to tags. Are you sure you want to continue?') . '</p>';
-
-		print '<form action="admin.php?import=wp-cat2tag" method="post">';
-		wp_nonce_field('import-cat2tag');
-		print '<p style="text-align:center" class="submit"><input type="submit" value="' . __('Yes') . '" name="yes_convert_all_cats" />&nbsp;&nbsp;&nbsp;&nbsp;<input type="submit" value="' . __('No') . '" name="no_dont_do_it" /></p>';
-		print '</form>';
-
-		print '</div>';
-	}
-
-	function convert_all() {
-		global $wpdb;
-
-		$this->populate_all_categories();
-		foreach ( $this->all_categories as $category )
-			$this->categories_to_convert[] = $category->term_id;
-		$this->convert_them();
-	}
-
 	function init() {
 
-		if (isset($_POST['maybe_convert_all_cats'])) {
-			$step = 3;
-		} elseif (isset($_POST['yes_convert_all_cats'])) {
-			$step = 4;
-		} elseif (isset($_POST['no_dont_do_it'])) {
-			die('no_dont_do_it');
-		} else {
-			$step = (isset($_GET['step'])) ? (int) $_GET['step'] : 1;
-		}
+		$step = (isset($_GET['step'])) ? (int) $_GET['step'] : 1;
 
 		$this->header();
 
@@ -214,14 +194,6 @@ class WP_Categories_to_Tags {
 				case 2 :
 					$this->convert_them();
 				break;
-
-				case 3 :
-					$this->convert_all_confirm();
-				break;
-
-				case 4 :
-					$this->convert_all();
-				break;
 			}
 		}
 

wp-admin/includes/file.php

@@ -43,6 +43,9 @@ function get_real_file_to_edit( $file ) {
 }
 
 function validate_file( $file, $allowed_files = '' ) {
+	if ( false !== strpos( $file, '..' ))
+		return 1;
+
 	if ( false !== strpos( $file, './' ))
 		return 1;
 

wp-admin/includes/template.php

@@ -38,6 +38,7 @@ function _cat_row( $category, $level, $name_override = false ) {
 	if ( current_user_can( 'manage_categories' ) ) {
 		$edit = "<a href='categories.php?action=edit&amp;cat_ID=$category->term_id' class='edit'>".__( 'Edit' )."</a></td>";
 		$default_cat_id = (int) get_option( 'default_category' );
+		$default_link_cat_id = (int) get_option( 'default_link_category' );
 
 		if ( $category->term_id != $default_cat_id )
 			$edit .= "<td><a href='" . wp_nonce_url( "categories.php?action=delete&amp;cat_ID=$category->term_id", 'delete-category_' . $category->term_id ) . "' onclick=\"return deleteSomething( 'cat', $category->term_id, '" . js_escape(sprintf( __("You are about to delete the category '%s'.\nAll posts that were only assigned to this category will be assigned to the '%s' category.\nAll links that were only assigned to this category will be assigned to the '%s' category.\n'OK' to delete, 'Cancel' to stop." ), $category->name, get_catname( $default_cat_id ), get_catname( $default_link_cat_id ) )) . "' );\" class='delete'>".__( 'Delete' )."</a>";
@@ -493,7 +494,7 @@ function parent_dropdown( $default = 0, $parent = 0, $level = 0 ) {
 			else
 				$current = '';
 
-			echo "\n\t<option value='$item->ID'$current>$pad $item->post_title</option>";
+			echo "\n\t<option value='$item->ID'$current>$pad " . wp_specialchars($item->post_title) . "</option>";
 			parent_dropdown( $default, $item->ID, $level +1 );
 		}
 	} else {

wp-admin/includes/upgrade.php

@@ -533,6 +533,7 @@ function upgrade_230() {
 
 	// Convert categories to terms.
 	$tt_ids = array();
+	$have_tags = false;
 	$categories = $wpdb->get_results("SELECT * FROM $wpdb->categories ORDER BY cat_ID");
 	foreach ($categories as $category) {
 		$term_id = (int) $category->cat_ID;
@@ -579,6 +580,7 @@ function upgrade_230() {
 		}
 
 		if ( !empty($category->tag_count) ) {
+			$have_tags = true;
 			$count = (int) $category->tag_count;
 			$taxonomy = 'post_tag';
 			$wpdb->query("INSERT INTO $wpdb->term_taxonomy (term_id, taxonomy, description, parent, count) VALUES ('$term_id', '$taxonomy', '$description', '$parent', '$count')");
@@ -593,7 +595,11 @@ function upgrade_230() {
 		}
 	}
 
-	$posts = $wpdb->get_results("SELECT * FROM $wpdb->post2cat");
+	$select = 'post_id, category_id';
+	if ( $have_tags )
+		$select .= ', rel_type';
+
+	$posts = $wpdb->get_results("SELECT $select FROM $wpdb->post2cat GROUP BY post_id, category_id");
 	foreach ( $posts as $post ) {
 		$post_id = (int) $post->post_id;
 		$term_id = (int) $post->category_id;
@@ -658,7 +664,7 @@ function upgrade_230() {
 		// Set default to the last category we grabbed during the upgrade loop.
 		update_option('default_link_category', $default_link_cat);
 	} else {
-		$links = $wpdb->get_results("SELECT * FROM $wpdb->link2cat");
+		$links = $wpdb->get_results("SELECT link_id, category_id FROM $wpdb->link2cat GROUP BY link_id, category_id");
 		foreach ( $links as $link ) {
 			$link_id = (int) $link->link_id;
 			$term_id = (int) $link->category_id;
@@ -1002,7 +1008,6 @@ function dbDelta($queries, $execute = true) {
 						}
 						// Add the column list to the index create string
 						$index_string .= ' ('.$index_columns.')';
-						error_log("Index string: $index_string", 0);
 						if(!(($aindex = array_search($index_string, $indices)) === false)) {
 							unset($indices[$aindex]);
 							//echo "<pre style=\"border:1px solid #ccc;margin-top:5px;\">{$table}:<br />Found index:".$index_string."</pre>\n";

wp-admin/includes/upload.php

@@ -31,6 +31,9 @@ function wp_upload_display( $dims = false, $href = '' ) {
 	$src = wp_make_link_relative( $src_base );
 	$src_base = str_replace($src, '', $src_base);
 
+	if ( !trim($post_title) )
+		$post_title = basename($src);
+
 	$r = '';
 
 	if ( $href )
@@ -39,7 +42,9 @@ function wp_upload_display( $dims = false, $href = '' ) {
 		$r .= "\t\t\t$innerHTML";
 	if ( $href )
 		$r .= "</a>\n";
-	$r .= "\t\t\t\t<span class='upload-file-size'>".size_format(filesize($filesystem_path))."</span>\n";
+	$size = @filesize($filesystem_path);
+	if ( !empty($size) )
+		$r .= "\t\t\t\t<span class='upload-file-size'>".size_format($size)."</span>\n";
 	$r .= "\n\t\t<div class='upload-file-data'>\n\t\t\t<p>\n";
 	$r .= "\t\t\t\t<input type='hidden' name='attachment-url-$id' id='attachment-url-$id' value='$src' />\n";
 	$r .= "\t\t\t\t<input type='hidden' name='attachment-url-base-$id' id='attachment-url-base-$id' value='$src_base' />\n";

wp-admin/install.php

@@ -13,6 +13,7 @@ if (isset($_GET['step']))
 	$step = $_GET['step'];
 else
 	$step = 0;
+function display_header(){
 header( 'Content-Type: text/html; charset=utf-8' );
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
@@ -24,13 +25,17 @@ header( 'Content-Type: text/html; charset=utf-8' );
 </head>
 <body>
 <h1 id="logo"><img alt="WordPress" src="images/wordpress-logo.png" /></h1>
+
 <?php
+}//end function display_header();
+
 // Let's check to make sure WP isn't already installed.
-if ( is_blog_installed() ) die('<h1>'.__('Already Installed').'</h1><p>'.__('You appear to have already installed WordPress. To reinstall please clear your old database tables first.').'</p></body></html>');
+if ( is_blog_installed() ) {display_header(); die('<h1>'.__('Already Installed').'</h1><p>'.__('You appear to have already installed WordPress. To reinstall please clear your old database tables first.').'</p></body></html>');}
 
 switch($step) {
 	case 0:
 	case 1: // in case people are directly linking to this
+	  display_header();
 ?>
 <h1><?php _e('Welcome'); ?></h1>
 <p><?php printf(__('Welcome to the famous five minute WordPress installation process! You may want to browse the <a href="%s">ReadMe documentation</a> at your leisure.  Otherwise, just fill in the information below and you\'ll be on your way to using the most extendable and powerful personal publishing platform in the world.'), '../readme.html'); ?></p>
@@ -61,6 +66,10 @@ switch($step) {
 <?php
 		break;
 	case 2:
+		if ( !empty($wpdb->error) )
+			wp_die($wpdb->error->get_error_message());
+
+		display_header();	
 		// Fill in the data we gathered
 		$weblog_title = stripslashes($_POST['weblog_title']);
 		$admin_email = stripslashes($_POST['admin_email']);
@@ -74,8 +83,9 @@ switch($step) {
 			die(__('<strong>ERROR</strong>: that isn\'t a valid e-mail address.  E-mail addresses look like: <code>username@example.com</code>'));
 		}
 
-	$result = wp_install($weblog_title, 'admin', $admin_email, $public);
-	extract($result, EXTR_SKIP);
+		$wpdb->show_errors();
+		$result = wp_install($weblog_title, 'admin', $admin_email, $public);
+		extract($result, EXTR_SKIP);
 ?>
 
 <h1><?php _e('Success!'); ?></h1>

wp-admin/link-import.php

@@ -45,10 +45,10 @@ switch ($step) {
 <p style="clear: both; margin-top: 1em;"><?php _e('Now select a category you want to put these links in.') ?><br />
 <?php _e('Category:') ?> <select name="cat_id">
 <?php
-$categories = get_categories('hide_empty=0');
+$categories = get_terms('link_category', 'get=all');
 foreach ($categories as $category) {
 ?>
-<option value="<?php echo $category->cat_ID; ?>"><?php echo wp_specialchars(apply_filters('link_category', $category->cat_name)); ?></option>
+<option value="<?php echo $category->term_id; ?>"><?php echo wp_specialchars(apply_filters('link_category', $category->name)); ?></option>
 <?php
 } // end foreach
 ?>

wp-admin/link.php

@@ -3,6 +3,9 @@ require_once ('admin.php');
 
 wp_reset_vars(array('action', 'cat_id', 'linkurl', 'name', 'image', 'description', 'visible', 'target', 'category', 'link_id', 'submit', 'order_by', 'links_show_cat_id', 'rating', 'rel', 'notes', 'linkcheck[]'));
 
+if ( ! current_user_can('manage_links') )
+	wp_die( __('You do not have sufficient permissions to edit the links for this blog.') );
+
 if ('' != $_POST['deletebookmarks'])
 	$action = 'deletebookmarks';
 if ('' != $_POST['move'])
@@ -13,13 +16,9 @@ if ('' != $_POST['linkcheck'])
 $this_file = 'link-manager.php';
 
 switch ($action) {
-		case 'deletebookmarks' :
+	case 'deletebookmarks' :
 		check_admin_referer('bulk-bookmarks');
 
-		// check the current user's level first.
-		if (!current_user_can('manage_links'))
-			wp_die(__('Cheatin’ uh?'));
-
 		//for each link id (in $linkcheck[]) change category to selected value
 		if (count($linkcheck) == 0) {
 			wp_redirect($this_file);
@@ -41,10 +40,6 @@ switch ($action) {
 	case 'move' :
 		check_admin_referer('bulk-bookmarks');
 
-		// check the current user's level first.
-		if (!current_user_can('manage_links'))
-			wp_die(__('Cheatin’ uh?'));
-
 		//for each link id (in $linkcheck[]) change category to selected value
 		if (count($linkcheck) == 0) {
 			wp_redirect($this_file);
@@ -63,7 +58,7 @@ switch ($action) {
 
 		add_link();
 
-		wp_redirect(wp_get_referer().'?added=true');
+		wp_redirect( wp_get_referer() . '?added=true' );
 		exit;
 		break;
 
@@ -81,9 +76,6 @@ switch ($action) {
 		$link_id = (int) $_GET['link_id'];
 		check_admin_referer('delete-bookmark_' . $link_id);
 
-		if (!current_user_can('manage_links'))
-			wp_die(__('Cheatin’ uh?'));
-
 		wp_delete_link($link_id);
 
 		wp_redirect($this_file);
@@ -97,21 +89,18 @@ switch ($action) {
 		$parent_file = 'link-manager.php';
 		$submenu_file = 'link-manager.php';
 		$title = __('Edit Link');
-		include_once ('admin-header.php');
-		if (!current_user_can('manage_links'))
-			wp_die(__('You do not have sufficient permissions to edit the links for this blog.'));
 
 		$link_id = (int) $_GET['link_id'];
 
 		if (!$link = get_link_to_edit($link_id))
 			wp_die(__('Link not found.'));
 
+		include_once ('admin-header.php');
 		include ('edit-link-form.php');
+		include ('admin-footer.php');
 		break;
 
 	default :
 		break;
 }
-
-include ('admin-footer.php');
-?>
+?>

wp-admin/setup-config.php

@@ -3,6 +3,7 @@ define('WP_INSTALLING', true);
 
 require_once('../wp-includes/compat.php');
 require_once('../wp-includes/functions.php');
+require_once('../wp-includes/classes.php');
 
 if (!file_exists('../wp-config-sample.php'))
 	wp_die('Sorry, I need a wp-config-sample.php file to work from. Please re-upload this file from your WordPress installation.');
@@ -161,6 +162,9 @@ switch($step) {
 
 	// We'll fail here if the values are no good.
 	require_once('../wp-includes/wp-db.php');
+	if ( !empty($wpdb->error) )
+		wp_die($wpdb->error->get_error_message());
+
 	$handle = fopen('../wp-config.php', 'w');
 
 	foreach ($configFile as $line_num => $line) {

wp-app.php

@@ -159,6 +159,10 @@ class AtomServer {
 
 	function get_service() {
 		log_app('function','get_service()');
+
+		if( !current_user_can( 'edit_posts' ) ) 
+			$this->auth_required( __( 'Sorry, you do not have the right to access this blog.' ) );
+
 		$entries_url = attribute_escape($this->get_entries_url());
 		$categories_url = attribute_escape($this->get_categories_url());
 		$media_url = attribute_escape($this->get_attachments_url());
@@ -188,8 +192,11 @@ EOD;
 	}
 
 	function get_categories_xml() {
-
 		log_app('function','get_categories_xml()');
+
+		if( !current_user_can( 'edit_posts' ) ) 
+			$this->auth_required( __( 'Sorry, you do not have the right to access this blog.' ) );
+
 		$home = attribute_escape(get_bloginfo_rss('home'));
 
 		$categories = "";
@@ -282,8 +289,11 @@ EOD;
 	}
 
 	function get_post($postID) {
-
 		global $entry;
+
+		if( !current_user_can( 'edit_post', $postID ) )
+			$this->auth_required( __( 'Sorry, you do not have the right to access this post.' ) ); 
+
 		$this->set_current_entry($postID);
 		$output = $this->get_entry($postID);
 		log_app('function',"get_post($postID)");
@@ -372,8 +382,9 @@ EOD;
 	}
 
 	function get_attachment($postID = NULL) {
+		if( !current_user_can( 'upload_files' ) )
+			$this->auth_required( __( 'Sorry, you do not have the right to file uploads on this blog.' ) );
 
-		global $entry;
 		if (!isset($postID)) {
 			$this->get_attachments();
 		} else {
@@ -494,6 +505,10 @@ EOD;
 		}
 
 		$location = get_post_meta($entry['ID'], '_wp_attached_file', true);
+		$filetype = wp_check_filetype($location);
+
+		if(!isset($location) || 'attachment' != $entry['post_type'] || empty($filetype['ext']))
+			$this->internal_error(__('Error ocurred while accessing post metadata for file location.'));
 
 		// delete file
 		@unlink($location);
@@ -795,7 +810,6 @@ EOD;
 	</app:control>
 	<author>
 		<name><?php the_author()?></name>
-		<email><?php the_author_email()?></email>
 <?php if (get_the_author_url() && get_the_author_url() != 'http://') { ?>
 		<uri><?php the_author_url()?></uri>
 <?php } ?>

wp-includes/bookmark.php

@@ -113,7 +113,7 @@ function get_bookmarks($args = '') {
 	}
 	if (!empty($category_query)) {
 		$category_query .= ") AND taxonomy = 'link_category'";
-		$join = " LEFT JOIN $wpdb->term_relationships AS tr ON ($wpdb->links.link_id = tr.object_id) LEFT JOIN $wpdb->term_taxonomy as tt ON tt.term_taxonomy_id = tr.term_taxonomy_id";
+		$join = " INNER JOIN $wpdb->term_relationships AS tr ON ($wpdb->links.link_id = tr.object_id) INNER JOIN $wpdb->term_taxonomy as tt ON tt.term_taxonomy_id = tr.term_taxonomy_id";
 	}
 
 	if (get_option('links_recently_updated_time')) {

wp-includes/canonical.php

@@ -4,7 +4,7 @@
 function redirect_canonical($requested_url=NULL, $do_redirect=true) {
 	global $wp_rewrite, $posts, $is_IIS;
 
-	if ( is_feed() || is_trackback() || is_search() || is_comments_popup() || is_admin() || $is_IIS || ( isset($_POST) && count($_POST) ) )
+	if ( is_feed() || is_trackback() || is_search() || is_comments_popup() || is_admin() || $is_IIS || ( isset($_POST) && count($_POST) ) || is_preview() )
 		return;
 
 	if ( !$requested_url ) {

wp-includes/default-filters.php

@@ -25,9 +25,18 @@ foreach ( $filters as $filter ) {
 	add_filter($filter, 'wp_filter_kses');
 }
 
-// URL
+// Save URL
 $filters = array('pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
-	'pre_link_rss', 'comment_url');
+	'pre_link_rss');
+foreach ( $filters as $filter ) {
+	add_filter($filter, 'strip_tags');
+	add_filter($filter, 'trim');
+	add_filter($filter, 'sanitize_url');
+	add_filter($filter, 'wp_filter_kses');
+}
+
+// Display URL
+$filters = array('user_url', 'link_url', 'link_image', 'link_rss', 'comment_url');
 foreach ( $filters as $filter ) {
 	add_filter($filter, 'strip_tags');
 	add_filter($filter, 'trim');
@@ -127,6 +136,7 @@ add_filter('comment_email', 'antispambot');
 
 // Actions
 add_action('wp_head', 'rsd_link');
+add_action('wp_head', 'wlwmanifest_link');
 add_action('wp_head', 'locale_stylesheet');
 add_action('publish_future_post', 'wp_publish_post', 10, 1);
 add_action('wp_head', 'noindex', 1);
@@ -156,4 +166,4 @@ add_action('template_redirect', 'wp_old_slug_redirect');
 add_action('edit_post', 'wp_check_for_changed_slugs');
 add_action('edit_form_advanced', 'wp_remember_old_slug');
 
-?>
+?>

wp-includes/formatting.php

@@ -622,18 +622,35 @@ function antispambot($emailaddy, $mailto=0) {
 	return $emailNOSPAMaddy;
 }
 
+function _make_url_clickable_cb($matches) {
+	$url = $matches[2];
+	$url = clean_url($url);
+	if ( empty($url) )
+		return $matches[0];
+	return $matches[1] . "<a href=\"$url\" rel=\"nofollow\">$url</a>";
+}
+
+function _make_web_ftp_clickable_cb($matches) {
+	$dest = $matches[2];
+	$dest = 'http://' . $dest;
+	$dest = clean_url($dest);
+	if ( empty($dest) )
+		return $matches[0];
+
+	return $matches[1] . "<a href=\"$dest\" rel=\"nofollow\">$dest</a>";
+}
+
+function _make_email_clickable_cb($matches) {
+	$email = $matches[2] . '@' . $matches[3];
+	return $matches[1] . "<a href=\"mailto:$email\">$email</a>";
+}
+
 function make_clickable($ret) {
 	$ret = ' ' . $ret;
 	// in testing, using arrays here was found to be faster
-	$ret = preg_replace(
-		array(
-			'#([\s>])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)#is',
-			'#([\s>])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)#is',
-			'#([\s>])([a-z0-9\-_.]+)@([^,< \n\r]+)#i'),
-		array(
-			'$1<a href="$2" rel="nofollow">$2</a>',
-			'$1<a href="http://$2" rel="nofollow">$2</a>',
-			'$1<a href="mailto:$2@$3">$2@$3</a>'),$ret);
+	$ret = preg_replace_callback('#([\s>])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', '_make_url_clickable_cb', $ret);
+	$ret = preg_replace_callback('#([\s>])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', '_make_web_ftp_clickable_cb', $ret);
+	$ret = preg_replace_callback('#([\s>])([.0-9a-z_+-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,})#i', '_make_email_clickable_cb', $ret);
 	// this one is not in an array because we need it to run last, for cleanup of accidental links within links
 	$ret = preg_replace("#(<a( [^>]+?>|>))<a [^>]+?>([^>]+?)</a></a>#i", "$1$3</a>", $ret);
 	$ret = trim($ret);
@@ -1087,7 +1104,7 @@ function wp_richedit_pre($text) {
 	return apply_filters('richedit_pre', $output);
 }
 
-function clean_url( $url, $protocols = null ) {
+function clean_url( $url, $protocols = null, $context = 'display' ) {
 	$original_url = $url;
 
 	if ('' == $url) return $url;
@@ -1103,13 +1120,20 @@ function clean_url( $url, $protocols = null ) {
 		substr( $url, 0, 1 ) != '/' && !preg_match('/^[a-z0-9-]+?\.php/i', $url) )
 		$url = 'http://' . $url;
 
-	$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&#038;$1', $url);
+	// Replace ampersands ony when displaying.
+	if ( 'display' == $context )
+		$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&#038;$1', $url);
+
 	if ( !is_array($protocols) )
 		$protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet');
 	if ( wp_kses_bad_protocol( $url, $protocols ) != $url )
 		return '';
 
-	return apply_filters('clean_url', $url, $original_url);
+	return apply_filters('clean_url', $url, $original_url, $context);
+}
+
+function sanitize_url( $url, $protocols = null ) {
+	return clean_url( $url, $protocols, 'db');
 }
 
 // Borrowed from the PHP Manual user notes. Convert entities, while

wp-includes/functions.php

@@ -198,10 +198,10 @@ function get_option($setting) {
 
 		if ( false === $value ) {
 			if ( defined('WP_INSTALLING') )
-				$wpdb->hide_errors();
+				$show = $wpdb->hide_errors();
 			$row = $wpdb->get_row("SELECT option_value FROM $wpdb->options WHERE option_name = '$setting' LIMIT 1");
 			if ( defined('WP_INSTALLING') )
-				$wpdb->show_errors();
+				$wpdb->show_errors($show);
 
 			if( is_object( $row) ) { // Has to be get_row instead of get_var because of funkiness with 0, false, null values
 				$value = $row->option_value;
@@ -236,11 +236,11 @@ function form_option($option) {
 
 function get_alloptions() {
 	global $wpdb, $wp_queries;
-	$wpdb->hide_errors();
+	$show = $wpdb->hide_errors();
 	if ( !$options = $wpdb->get_results("SELECT option_name, option_value FROM $wpdb->options WHERE autoload = 'yes'") ) {
 		$options = $wpdb->get_results("SELECT option_name, option_value FROM $wpdb->options");
 	}
-	$wpdb->show_errors();
+	$wpdb->show_errors($show);
 
 	foreach ($options as $option) {
 		// "When trying to design a foolproof system,
@@ -263,10 +263,10 @@ function wp_load_alloptions() {
 	$alloptions = wp_cache_get('alloptions', 'options');
 
 	if ( !$alloptions ) {
-		$wpdb->hide_errors();
+		$show = $wpdb->hide_errors();
 		if ( !$alloptions_db = $wpdb->get_results("SELECT option_name, option_value FROM $wpdb->options WHERE autoload = 'yes'") )
 			$alloptions_db = $wpdb->get_results("SELECT option_name, option_value FROM $wpdb->options");
-		$wpdb->show_errors();
+		$wpdb->show_errors($show);
 		$alloptions = array();
 		foreach ( (array) $alloptions_db as $o )
 			$alloptions[$o->option_name] = $o->option_value;
@@ -726,9 +726,12 @@ function wp_remote_fopen( $uri ) {
 }
 
 function wp($query_vars = '') {
-	global $wp;
+	global $wp, $wp_query, $wp_the_query;
 
 	$wp->main($query_vars);
+
+	if( !isset($wp_the_query) )
+		$wp_the_query = $wp_query;
 }
 
 function get_status_header_desc( $code ) {
@@ -889,9 +892,9 @@ function do_robots() {
 
 function is_blog_installed() {
 	global $wpdb;
-	$wpdb->hide_errors();
+	$show = $wpdb->hide_errors();
 	$installed = $wpdb->get_var("SELECT option_value FROM $wpdb->options WHERE option_name = 'siteurl'");
-	$wpdb->show_errors();
+	$wpdb->show_errors($show);
 
 	$install_status = !empty( $installed ) ? TRUE : FALSE;
 	return $install_status;
@@ -1416,4 +1419,36 @@ function wp_ob_end_flush_all()
 	while ( @ob_end_flush() );
 }
 
+function dead_db() {
+	global $wpdb;
+
+	// Load custom DB error template, if present.
+	if ( file_exists( ABSPATH . 'wp-content/db-error.php' ) ) {
+		require_once( ABSPATH . 'wp-content/db-error.php' );
+		die();
+	}
+
+	// If installing or in the admin, provide the verbose message.
+	if ( defined('WP_INSTALLING') || defined('WP_ADMIN') )
+		wp_die($wpdb->error);
+
+	// Otherwise, be terse.
+	status_header( 500 );
+	nocache_headers();
+	header( 'Content-Type: text/html; charset=utf-8' );
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" <?php if ( function_exists( 'language_attributes' ) ) language_attributes(); ?>>
+<head>
+	<title>Database Error</title>
+	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+</head>
+<body>
+	<h1>Error establishing a database connection</h1>
+</body>
+</html>
+<?php
+	die();
+}
+
 ?>

wp-includes/general-template.php

@@ -829,6 +829,11 @@ function rsd_link() {
 	echo '	<link rel="EditURI" type="application/rsd+xml" title="RSD" href="' . get_bloginfo('wpurl') . "/xmlrpc.php?rsd\" />\n";
 }
 
+function wlwmanifest_link() {
+	echo ' <link rel="wlwmanifest" type="application/wlwmanifest+xml" href="'
+		. get_bloginfo('wpurl') . '/wp-includes/wlwmanifest.xml" /> ';
+}
+
 function noindex() {
 	// If the blog is not public, tell robots to go away.
 	if ( '0' == get_option('blog_public') )

wp-includes/pluggable.php

@@ -72,9 +72,9 @@ function get_userdata( $user_id ) {
 	if ( !$user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE ID = '$user_id' LIMIT 1") )
 		return false;
 
-	$wpdb->hide_errors();
+	$show = $wpdb->hide_errors();
 	$metavalues = $wpdb->get_results("SELECT meta_key, meta_value FROM $wpdb->usermeta WHERE user_id = '$user_id'");
-	$wpdb->show_errors();
+	$wpdb->show_errors($show);
 
 	if ($metavalues) {
 		foreach ( $metavalues as $meta ) {
@@ -225,6 +225,7 @@ function wp_mail( $to, $subject, $message, $headers = '' ) {
 
 	// Set the from name and email
 	$phpmailer->From = apply_filters( 'wp_mail_from', $from_email );
+	$phpmailer->Sender = apply_filters( 'wp_mail_from', $from_email );
 	$phpmailer->FromName = apply_filters( 'wp_mail_from_name', $from_name );
 
 	// Set destination address
@@ -436,7 +437,7 @@ function wp_safe_redirect($location, $status = 302) {
 
 	$allowed_hosts = (array) apply_filters('allowed_redirect_hosts', array($wpp['host']), $lp['host']);
 
-	if ( isset($lp['host']) && !in_array($lp['host'], $allowed_hosts) )
+	if ( isset($lp['host']) && ( !in_array($lp['host'], $allowed_hosts) && $lp['host'] != strtolower($wpp['host'])) )
 		$location = get_option('siteurl') . '/wp-admin/';
 
 	wp_redirect($location, $status);

wp-includes/post.php

@@ -102,7 +102,7 @@ function &get_post(&$post, $output = OBJECT, $filter = 'raw') {
 			$_post = null;
 	} elseif ( is_object($post) ) {
 		if ( 'page' == $post->post_type )
-			return get_page($post, $output);
+			return get_page($post, $output, $filter);
 		if ( !isset($post_cache[$blog_id][$post->ID]) )
 			$post_cache[$blog_id][$post->ID] = &$post;
 		$_post = & $post_cache[$blog_id][$post->ID];
@@ -111,12 +111,12 @@ function &get_post(&$post, $output = OBJECT, $filter = 'raw') {
 		if ( isset($post_cache[$blog_id][$post]) )
 			$_post = & $post_cache[$blog_id][$post];
 		elseif ( $_post = wp_cache_get($post, 'pages') )
-			return get_page($_post, $output);
+			return get_page($_post, $output, $filter);
 		else {
 			$query = "SELECT * FROM $wpdb->posts WHERE ID = '$post' LIMIT 1";
 			$_post = & $wpdb->get_row($query);
 			if ( 'page' == $_post->post_type )
-				return get_page($_post, $output);
+				return get_page($_post, $output, $filter);
 			$post_cache[$blog_id][$post] = & $_post;
 		}
 	}
@@ -428,6 +428,10 @@ function get_post_custom_values( $key = '', $post_id = 0 ) {
 }
 
 function sanitize_post($post, $context = 'display') {
+
+	if ( 'raw' == $context )
+		return $post;
+
 	// TODO: Use array keys instead of hard coded list
 	$fields = array('post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_date', 'post_date_gmt', 'post_parent', 'menu_order', 'post_mime_type', 'post_category');
 
@@ -972,7 +976,7 @@ function get_all_page_ids() {
 
 // Retrieves page data given a page ID or page object.
 // Handles page caching.
-function &get_page(&$page, $output = OBJECT) {
+function &get_page(&$page, $output = OBJECT, $filter = 'raw') {
 	global $wpdb, $blog_id;
 
 	if ( empty($page) ) {
@@ -985,7 +989,7 @@ function &get_page(&$page, $output = OBJECT) {
 		}
 	} elseif ( is_object($page) ) {
 		if ( 'post' == $page->post_type )
-			return get_post($page, $output);
+			return get_post($page, $output, $filter);
 		wp_cache_add($page->ID, $page, 'pages');
 		$_page = $page;
 	} else {
@@ -998,12 +1002,12 @@ function &get_page(&$page, $output = OBJECT) {
 				$_page = & $GLOBALS['page'];
 				wp_cache_add($_page->ID, $_page, 'pages');
 			} elseif ( isset($GLOBALS['post_cache'][$blog_id][$page]) ) { // it's actually a page, and is cached
-				return get_post($page, $output);
+				return get_post($page, $output, $filter);
 			} else { // it's not in any caches, so off to the DB we go
 				// Why are we using assignment for this query?
 				$_page = & $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID= '$page' LIMIT 1");
 				if ( 'post' == $_page->post_type )
-					return get_post($_page, $output);
+					return get_post($_page, $output, $filter);
 				// Potential issue: we're not checking to see if the post_type = 'page'
 				// So all non-'post' posts will get cached as pages.
 				wp_cache_add($_page->ID, $_page, 'pages');
@@ -1011,6 +1015,8 @@ function &get_page(&$page, $output = OBJECT) {
 		}
 	}
 
+	$_page = sanitize_post($_page, $filter);
+
 	// at this point, one way or another, $_post contains the page object
 
 	if ( $output == OBJECT ) {
@@ -1137,6 +1143,7 @@ function &get_pages($args = '') {
 		$exclude = '';
 		$meta_key = '';
 		$meta_value = '';
+		$hierarchical = false;
 		$incpages = preg_split('/[\s,]+/',$include);
 		if ( count($incpages) ) {
 			foreach ( $incpages as $incpage ) {
@@ -1201,7 +1208,7 @@ function &get_pages($args = '') {
 	$pages = $wpdb->get_results($query);
 
 	if ( empty($pages) )
-		return array();
+		return apply_filters('get_pages', array(), $r);
 
 	// Update cache.
 	update_page_cache($pages);

wp-includes/query.php

@@ -32,9 +32,9 @@ function wp_reset_query() {
  */
 
 function is_admin () {
-	global $wp_query;
-
-	return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
+	if ( defined('WP_ADMIN') ) 
+		return WP_ADMIN;
+	return false;
 }
 
 function is_archive () {
@@ -642,7 +642,7 @@ class WP_Query {
 		if ('' != $qv['preview'])
 			$this->is_preview = true;
 
-		if ( strpos($_SERVER['PHP_SELF'], 'wp-admin/') !== false )
+		if ( is_admin() )
 			$this->is_admin = true;
 
 		if ( false !== strpos($qv['feed'], 'comments-') ) {
@@ -932,7 +932,7 @@ class WP_Query {
 		}
 
 		if ( !empty($q['category__in']) ) {
-			$join = " LEFT JOIN $wpdb->term_relationships ON ($wpdb->posts.ID = $wpdb->term_relationships.object_id) LEFT JOIN $wpdb->term_taxonomy ON ($wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id) ";
+			$join = " INNER JOIN $wpdb->term_relationships ON ($wpdb->posts.ID = $wpdb->term_relationships.object_id) INNER JOIN $wpdb->term_taxonomy ON ($wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id) ";
 			$whichcat .= " AND $wpdb->term_taxonomy.taxonomy = 'category' ";
 			$include_cats = "'" . implode("', '", $q['category__in']) . "'";
 			$whichcat .= " AND $wpdb->term_taxonomy.term_id IN ($include_cats) ";
@@ -948,15 +948,6 @@ class WP_Query {
 			}
 		}
 
-		if ( !empty($q['category__and']) ) {
-			$count = 0;
-			foreach ( $q['category__and'] as $category_and ) {
-				$join .= " LEFT JOIN $wpdb->term_relationships AS tr$count ON ($wpdb->posts.ID = tr$count.object_id) LEFT JOIN $wpdb->term_taxonomy AS tt$count ON (tr$count.term_taxonomy_id = tt$count.term_taxonomy_id) ";
-				$whichcat .= " AND tt$count.term_id = '$category_and' ";
-				$count++;
-			}
-		}
-
 		// Category stuff for nice URLs
 		if ( '' != $q['category_name'] ) {
 			$reqcat = get_category_by_path($q['category_name']);
@@ -982,7 +973,7 @@ class WP_Query {
 
 			$q['cat'] = $reqcat;
 
-			$join = " LEFT JOIN $wpdb->term_relationships ON ($wpdb->posts.ID = $wpdb->term_relationships.object_id) LEFT JOIN $wpdb->term_taxonomy ON ($wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id) ";
+			$join = " INNER JOIN $wpdb->term_relationships ON ($wpdb->posts.ID = $wpdb->term_relationships.object_id) INNER JOIN $wpdb->term_taxonomy ON ($wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id) ";
 			$whichcat = " AND $wpdb->term_taxonomy.taxonomy = 'category' ";
 			$in_cats = array($q['cat']);
 			$in_cats = array_merge($in_cats, get_term_children($q['cat'], 'category'));
@@ -1024,7 +1015,7 @@ class WP_Query {
 		}
 
 		if ( !empty($q['tag__in']) ) {
-			$join = " LEFT JOIN $wpdb->term_relationships ON ($wpdb->posts.ID = $wpdb->term_relationships.object_id) LEFT JOIN $wpdb->term_taxonomy ON ($wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id) ";
+			$join = " INNER JOIN $wpdb->term_relationships ON ($wpdb->posts.ID = $wpdb->term_relationships.object_id) INNER JOIN $wpdb->term_taxonomy ON ($wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id) ";
 			$whichcat .= " AND $wpdb->term_taxonomy.taxonomy = 'post_tag' ";
 			$include_tags = "'" . implode("', '", $q['tag__in']) . "'";
 			$whichcat .= " AND $wpdb->term_taxonomy.term_id IN ($include_tags) ";
@@ -1034,7 +1025,7 @@ class WP_Query {
 		}
 
 		if ( !empty($q['tag_slug__in']) ) {
-			$join = " LEFT JOIN $wpdb->term_relationships ON ($wpdb->posts.ID = $wpdb->term_relationships.object_id) LEFT JOIN $wpdb->term_taxonomy ON ($wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id) LEFT JOIN $wpdb->terms ON ($wpdb->term_taxonomy.term_id = $wpdb->terms.term_id) ";
+			$join = " INNER JOIN $wpdb->term_relationships ON ($wpdb->posts.ID = $wpdb->term_relationships.object_id) INNER JOIN $wpdb->term_taxonomy ON ($wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id) INNER JOIN $wpdb->terms ON ($wpdb->term_taxonomy.term_id = $wpdb->terms.term_id) ";
 			$whichcat .= " AND $wpdb->term_taxonomy.taxonomy = 'post_tag' ";
 			$include_tags = "'" . implode("', '", $q['tag_slug__in']) . "'";
 			$whichcat .= " AND $wpdb->terms.slug IN ($include_tags) ";
@@ -1051,28 +1042,32 @@ class WP_Query {
 			}
 		}
 
-		if ( !empty($q['tag__and']) ) {
-			$count = 0;
-			foreach ( $q['tag__and'] as $tag_and ) {
-				$join .= " LEFT JOIN $wpdb->term_relationships AS tr$count ON ($wpdb->posts.ID = tr$count.object_id) LEFT JOIN $wpdb->term_taxonomy AS tt$count ON (tr$count.term_taxonomy_id = tt$count.term_taxonomy_id) ";
-				$whichcat .= " AND tt$count.term_id = '$tag_and' ";
-				$count++;
-			}
-			$reqtag = is_term( $q['tag__and'][0], 'post_tag' );
-			if ( !empty($reqtag) )
-				$q['tag_id'] = $reqtag['term_id'];
-		}
+		// Tag and slug intersections.
+		$intersections = array('category__and' => 'category', 'tag__and' => 'post_tag', 'tag_slug__and' => 'post_tag');
+		foreach ($intersections as $item => $taxonomy) {
+			if ( empty($q[$item]) ) continue;
 
-		if ( !empty($q['tag_slug__and']) ) {
-			$count = 0;
-			foreach ( $q['tag_slug__and'] as $tag_and ) {
-				$join .= " LEFT JOIN $wpdb->term_relationships AS tr$count ON ($wpdb->posts.ID = tr$count.object_id) LEFT JOIN $wpdb->term_taxonomy AS tt$count ON (tr$count.term_taxonomy_id = tt$count.term_taxonomy_id) LEFT JOIN $wpdb->terms AS term$count ON (tt$count.term_id = term$count.term_id) ";
-				$whichcat .= " AND term$count.slug = '$tag_and' ";
-				$count++;
+			if ( $item != 'category__and' ) {
+				$reqtag = is_term( $q[$item][0], 'post_tag' );
+				if ( !empty($reqtag) )
+					$q['tag_id'] = $reqtag['term_id'];
+			}
+
+			$taxonomy_field = $item == 'tag_slug__and' ? 'slug' : 'term_id';
+
+			$q[$item] = array_unique($q[$item]);
+			$tsql = "SELECT p.ID FROM $wpdb->posts p INNER JOIN $wpdb->term_relationships tr ON (p.ID = tr.object_id) INNER JOIN $wpdb->term_taxonomy tt ON (tr.term_taxonomy_id = tt.term_taxonomy_id) INNER JOIN $wpdb->terms t ON (tt.term_id = t.term_id)";
+			$tsql .= " WHERE tt.taxonomy = '$taxonomy' AND t.$taxonomy_field IN ('" . implode("', '", $q[$item]) . "')";
+			$tsql .= " GROUP BY p.ID HAVING count(p.ID) = " . count($q[$item]);
+
+			$post_ids = $wpdb->get_col($tsql);
+
+			if ( count($post_ids) )
+				$whichcat .= " AND $wpdb->posts.ID IN (" . implode(', ', $post_ids) . ") ";
+			else {
+				$whichcat = " AND 0 = 1";
+				break;
 			}
-			$reqtag = is_term( $q['tag_slug__and'][0], 'post_tag' );
-			if ( !empty($reqtag) )
-				$q['tag_id'] = $reqtag['term_id'];
 		}
 
 		// Author/user stuff

wp-includes/script-loader.php

@@ -421,4 +421,24 @@ function wp_enqueue_script( $handle, $src = false, $deps = array(), $ver = false
 	}
 	$wp_scripts->enqueue( $handle );
 }
+
+function wp_prototype_before_jquery( $js_array ) {
+	if ( false === $jquery = array_search( 'jquery', $js_array ) )
+		return $js_array;
+
+	if ( false === $prototype = array_search( 'prototype', $js_array ) )
+		return $js_array;
+
+	if ( $prototype < $jquery )
+		return $js_array;
+
+	unset($js_array[$prototype]);
+
+	array_splice( $js_array, $jquery, 0, 'prototype' );
+
+	return $js_array;
+}
+
+add_filter( 'print_scripts_array', 'wp_prototype_before_jquery' );
+
 ?>

wp-includes/taxonomy.php

@@ -663,6 +663,10 @@ function is_term($term, $taxonomy = '') {
  * @return array|object Term with all fields sanitized
  */
 function sanitize_term($term, $taxonomy, $context = 'display') {
+
+	if ( 'raw' == $context )
+		return $term;
+
 	$fields = array('term_id', 'name', 'description', 'slug', 'count', 'parent', 'term_group');
 
 	$do_object = false;
@@ -1357,7 +1361,7 @@ function _pad_term_counts(&$terms, $taxonomy) {
 	}
 
 	// Get the object and term ids and stick them in a lookup table
-	$results = $wpdb->get_results("SELECT object_id, term_taxonomy_id FROM $wpdb->term_relationships LEFT JOIN $wpdb->posts ON object_id = ID WHERE term_taxonomy_id IN (".join(',', array_keys($term_ids)).") AND post_type = 'post' AND post_status = 'publish'");
+	$results = $wpdb->get_results("SELECT object_id, term_taxonomy_id FROM $wpdb->term_relationships INNER JOIN $wpdb->posts ON object_id = ID WHERE term_taxonomy_id IN (".join(',', array_keys($term_ids)).") AND post_type = 'post' AND post_status = 'publish'");
 	foreach ( $results as $row ) {
 		$id = $term_ids[$row->term_taxonomy_id];
 		++$term_items[$id][$row->object_id];

wp-includes/version.php

@@ -2,7 +2,7 @@
 
 // This holds the version number in a separate file so we can bump it without cluttering the SVN
 
-$wp_version = '2.3';
+$wp_version = '2.3.2';
 $wp_db_version = 6124;
 
 ?>

wp-includes/widgets.php

@@ -786,7 +786,7 @@ function wp_widget_categories_register() {
 	}
 
 	$dims = array( 'width' => 350, 'height' => 170 );
-	$class = array( 'classname' => 'widget_catgories' );
+	$class = array( 'classname' => 'widget_categories' );
 
 	for ( $i = 1; $i <= 9; $i++ ) {
 		$name = sprintf( __( 'Categories %d' ), $i );
@@ -1001,7 +1001,7 @@ function wp_widget_rss_control($number) {
 	$options = $newoptions = get_option('widget_rss');
 	if ( $_POST["rss-submit-$number"] ) {
 		$newoptions[$number]['items'] = (int) $_POST["rss-items-$number"];
-		$url = clean_url(strip_tags(stripslashes($_POST["rss-url-$number"])));
+		$url = sanitize_url(strip_tags(stripslashes($_POST["rss-url-$number"])));
 		$newoptions[$number]['title'] = trim(strip_tags(stripslashes($_POST["rss-title-$number"])));
 		if ( $url !== $options[$number]['url'] ) {
 			require_once(ABSPATH . WPINC . '/rss.php');

wp-includes/wlwmanifest.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="utf-8" ?>
+
+<manifest xmlns="http://schemas.microsoft.com/wlw/manifest/weblog">
+
+  <options>
+    <clientType>WordPress</clientType>
+	<supportsKeywords>Yes</supportsKeywords>
+  </options>
+  
+  <weblog>
+    <serviceName>WordPress</serviceName>
+    <imageUrl>images/wlw/wp-icon.png</imageUrl>
+    <watermarkImageUrl>images/wlw/wp-watermark.png</watermarkImageUrl>
+    <homepageLinkText>View site</homepageLinkText>
+    <adminLinkText>Dashboard</adminLinkText>
+    <adminUrl>
+      <![CDATA[ 
+			{blog-postapi-url}/../wp-admin/ 
+		]]>
+    </adminUrl>
+    <postEditingUrl>
+      <![CDATA[ 
+			{blog-postapi-url}/../wp-admin/post.php?action=edit&post={post-id} 
+		]]>
+    </postEditingUrl>
+  </weblog>
+
+  <buttons>
+    <button>
+      <id>0</id>
+      <text>Manage Comments</text>
+      <imageUrl>images/wlw/wp-comments.png</imageUrl>
+      <clickUrl>
+        <![CDATA[ 
+				{blog-postapi-url}/../wp-admin/edit-comments.php
+			]]>
+      </clickUrl>
+    </button>
+
+  </buttons>
+
+</manifest>
+

wp-includes/wp-db.php

@@ -15,11 +15,12 @@ if (!defined('SAVEQUERIES'))
 
 class wpdb {
 
-	var $show_errors = true;
+	var $show_errors = false;
 	var $num_queries = 0;
 	var $last_query;
 	var $col_info;
 	var $queries;
+	var $ready = false;
 
 	// Our tables
 	var $posts;
@@ -56,6 +57,9 @@ class wpdb {
 	function __construct($dbuser, $dbpassword, $dbname, $dbhost) {
 		register_shutdown_function(array(&$this, "__destruct"));
 
+		if ( defined('WP_DEBUG') and WP_DEBUG == true )
+			$this->show_errors();
+
 		if ( defined('DB_CHARSET') )
 			$this->charset = DB_CHARSET;
 
@@ -74,8 +78,11 @@ class wpdb {
 </ul>
 <p>If you're unsure what these terms mean you should probably contact your host. If you still need help you can always visit the <a href='http://wordpress.org/support/'>WordPress Support Forums</a>.</p>
 ");
+			return;
 		}
 
+		$this->ready = true;
+
 		if ( !empty($this->charset) && version_compare(mysql_get_server_info(), '4.1.0', '>=') )
  			$this->query("SET NAMES '$this->charset'");
 
@@ -92,14 +99,17 @@ class wpdb {
 	 */
 	function select($db) {
 		if (!@mysql_select_db($db, $this->dbh)) {
+			$this->ready = false;
 			$this->bail("
 <h1>Can&#8217;t select database</h1>
 <p>We were able to connect to the database server (which means your username and password is okay) but not able to select the <code>$db</code> database.</p>
 <ul>
 <li>Are you sure it exists?</li>
+<li>Does the user <code>".DB_USER."</code> have permission to use the <code>$db</code> database?</li>
 <li>On some systems the name of your database is prefixed with your username, so it would be like username_wordpress. Could that be the problem?</li>
 </ul>
 <p>If you don't know how to setup a database you should <strong>contact your host</strong>. If all else fails you may find help at the <a href='http://wordpress.org/support/'>WordPress Support Forums</a>.</p>");
+			return;
 		}
 	}
 
@@ -149,29 +159,36 @@ class wpdb {
 		$EZSQL_ERROR[] =
 		array ('query' => $this->last_query, 'error_str' => $str);
 
+		$error_str = "WordPress database error $str for query $this->last_query";
+		error_log($error_str, 0);
+
+		// Is error output turned on or not..
+		if ( !$this->show_errors )
+			return false;
+
 		$str = htmlspecialchars($str, ENT_QUOTES);
 		$query = htmlspecialchars($this->last_query, ENT_QUOTES);
-		// Is error output turned on or not..
-		if ( $this->show_errors ) {
-			// If there is an error then take note of it
-			print "<div id='error'>
-			<p class='wpdberror'><strong>WordPress database error:</strong> [$str]<br />
-			<code>$query</code></p>
-			</div>";
-		} else {
-			return false;
-		}
+
+		// If there is an error then take note of it
+		print "<div id='error'>
+		<p class='wpdberror'><strong>WordPress database error:</strong> [$str]<br />
+		<code>$query</code></p>
+		</div>";
 	}
 
 	// ==================================================================
 	//	Turn error handling on or off..
 
-	function show_errors() {
-		$this->show_errors = true;
+	function show_errors( $show = true ) {
+		$errors = $this->show_errors;
+		$this->show_errors = $show;
+		return $errors;
 	}
 
 	function hide_errors() {
+		$show = $this->show_errors;
 		$this->show_errors = false;
+		return $show;
 	}
 
 	// ==================================================================
@@ -187,6 +204,9 @@ class wpdb {
 	//	Basic Query	- see docs for more detail
 
 	function query($query) {
+		if ( ! $this->ready )
+			return false;
+
 		// filter the query, if filters are available
 		// NOTE: some queries are made before the plugins have been loaded, and thus cannot be filtered with this method
 		if ( function_exists('apply_filters') )
@@ -399,12 +419,17 @@ class wpdb {
 	 * @param string $message
 	 */
 	function bail($message) { // Just wraps errors in a nice header and footer
-		if ( !$this->show_errors )
+		if ( !$this->show_errors ) {
+			if ( class_exists('WP_Error') )
+				$this->error = new WP_Error('500', $message);
+			else
+				$this->error = $message;
 			return false;
+		}
 		wp_die($message);
 	}
 }
 
 if ( ! isset($wpdb) )
 	$wpdb = new wpdb(DB_USER, DB_PASSWORD, DB_NAME, DB_HOST);
-?>
+?>

wp-login.php

@@ -22,6 +22,8 @@ if ( defined('RELOCATE') ) { // Move flag is set
 
 //Set a cookie now to see if they are supported by the browser.
 setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN);
+if ( SITECOOKIEPATH != COOKIEPATH )
+	setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
 
 // Rather than duplicating this HTML all over the place, we'll stick it in function
 function login_header($title = 'Login', $message = '') {

wp-mail.php

@@ -12,7 +12,7 @@ $phone_delim = '::';
 $pop3 = new POP3();
 
 if (!$pop3->connect(get_option('mailserver_url'), get_option('mailserver_port')))
-	wp_die($pop3->ERROR);
+	wp_die(wp_specialchars($pop3->ERROR));
 
 $count = $pop3->login(get_option('mailserver_login'), get_option('mailserver_pass'));
 if (0 == $count) wp_die(__('There doesn’t seem to be any new mail.'));
@@ -60,12 +60,15 @@ for ($i=1; $i <= $count; $i++) :
 				$subject = $subject[0];
 			}
 
-			// Set the author using the email address (To or Reply-To, the last used)
+			// Set the author using the email address (From or Reply-To, the last used)
 			// otherwise use the site admin
-			if (preg_match('/From: /', $line) | preg_match('/Reply-To: /', $line))  {
-				$author=trim($line);
-				if ( ereg("([a-zA-Z0-9\_\-\.]+@[\a-zA-z0-9\_\-\.]+)", $author , $regs) ) {
-					$author = $regs[1];
+			if ( preg_match('/(From|Reply-To): /', $line) )  {
+				if ( preg_match('|[a-z0-9_.-]+@[a-z0-9_.-]+(?!.*<)|i', $line, $matches) )
+					$author = $matches[0];
+				else
+					$author = trim($line);
+				$author = sanitize_email($author);
+				if ( is_email($author) ) {
 					echo "Author = {$author} <p>";
 					$author = $wpdb->escape($author);
 					$result = $wpdb->get_row("SELECT ID FROM $wpdb->users WHERE user_email='$author' LIMIT 1");
@@ -126,9 +129,6 @@ for ($i=1; $i <= $count; $i++) :
 	$content = explode($phone_delim, $content);
 	$content[1] ? $content = $content[1] : $content = $content[0];
 
-	echo "<p><b>Content-type:</b> $content_type, <b>Content-Transfer-Encoding:</b> $content_transfer_encoding, <b>boundary:</b> $boundary</p>\n";
-	echo "<p><b>Raw content:</b><br /><pre>".$content.'</pre></p>';
-
 	$content = trim($content);
 
 	$post_content = apply_filters('phone_content', $content);
@@ -158,12 +158,11 @@ for ($i=1; $i <= $count; $i++) :
 
 	do_action('publish_phone', $post_ID);
 
-	echo "\n<p><b>Author:</b> $post_author</p>";
-	echo "\n<p><b>Posted title:</b> $post_title<br />";
-	echo "\n<b>Posted content:</b><br /><pre>".$content.'</pre></p>';
+	echo "\n<p><b>Author:</b> " . wp_specialchars($post_author) . "</p>";
+	echo "\n<p><b>Posted title:</b> " . wp_specialchars($post_title) . "<br />";
 
 	if(!$pop3->delete($i)) {
-		echo '<p>Oops '.$pop3->ERROR.'</p></div>';
+		echo '<p>Oops '.wp_specialchars($pop3->ERROR).'</p></div>';
 		$pop3->reset();
 		exit;
 	} else {

wp-settings.php

@@ -122,6 +122,9 @@ if ( file_exists(ABSPATH . 'wp-content/db.php') )
 else
 	require_once (ABSPATH . WPINC . '/wp-db.php');
 
+if ( !empty($wpdb->error) )
+	dead_db();
+
 // $table_prefix is deprecated as of 2.1
 $wpdb->prefix = $table_prefix;
 

xmlrpc.php

@@ -187,6 +187,12 @@ class wp_xmlrpc_server extends IXR_Server {
 			return($this->error);
 		}
 
+		set_current_user( 0, $username );
+		if( !current_user_can( 'edit_page', $page_id ) )
+			return new IXR_Error( 401, __( 'Sorry, you can not edit this page.' ) );
+
+		do_action('xmlrpc_call', 'wp.getPage');
+
 		// Lookup page info.
 		$page = get_page($page_id);
 
@@ -268,6 +274,12 @@ class wp_xmlrpc_server extends IXR_Server {
 			return($this->error);
 		}
 
+		set_current_user( 0, $username );
+		if( !current_user_can( 'edit_pages' ) )
+			return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) );
+
+		do_action('xmlrpc_call', 'wp.getPages');
+
 		// Lookup info on pages.
 		$pages = get_pages();
 		$num_pages = count($pages);
@@ -426,6 +438,12 @@ class wp_xmlrpc_server extends IXR_Server {
 			return($this->error);
 		}
 
+		set_current_user( 0, $username );
+		if( !current_user_can( 'edit_pages' ) )
+			return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) );
+
+		do_action('xmlrpc_call', 'wp.getPageList');
+
 		// Get list of pages ids and titles
 		$page_list = $wpdb->get_results("
 			SELECT ID page_id,
@@ -459,7 +477,6 @@ class wp_xmlrpc_server extends IXR_Server {
 	 * wp_getAuthors
 	 */
 	function wp_getAuthors($args) {
-		global $wpdb;
 
 		$this->escape($args);
 
@@ -471,7 +488,23 @@ class wp_xmlrpc_server extends IXR_Server {
 			return($this->error);
 		}
 
-		return(get_users_of_blog());
+		set_current_user(0, $username);
+		if(!current_user_can("edit_posts")) {
+			return(new IXR_Error(401, __("Sorry, you can not edit posts on this blog.")));
+        }
+
+		do_action('xmlrpc_call', 'wp.getAuthors');
+
+		$authors = array();
+		foreach( (array) get_users_of_blog() as $row ) {
+			$authors[] = array(
+				"user_id"       => $row->user_id,
+				"user_login"    => $row->user_login,
+				"display_name"  => $row->display_name
+			);
+		}
+
+		return($authors);
 	}
 
 	/**
@@ -493,7 +526,7 @@ class wp_xmlrpc_server extends IXR_Server {
 		// Set the user context and make sure they are
 		// allowed to add a category.
 		set_current_user(0, $username);
-		if(!current_user_can("manage_categories", $page_id)) {
+		if(!current_user_can("manage_categories")) {
 			return(new IXR_Error(401, __("Sorry, you do not have the right to add a category.")));
 		}
 
@@ -547,6 +580,12 @@ class wp_xmlrpc_server extends IXR_Server {
 			return($this->error);
 		}
 
+		set_current_user(0, $username);
+		if( !current_user_can( 'edit_posts' ) ) 
+			return new IXR_Error( 401, __( 'Sorry, you must be able to publish to this blog in order to view categories.' ) );
+
+		do_action('xmlrpc_call', 'wp.suggestCategories');
+
 		$args = array('get' => 'all', 'number' => $max_results, 'name__like' => $category);
 		$category_suggestions = get_categories($args);
 
@@ -597,13 +636,18 @@ class wp_xmlrpc_server extends IXR_Server {
 			return $this->error;
 		}
 
+		set_current_user( 0, $user_login );
+		if( !current_user_can( 'edit_posts' ) ) 
+			return new IXR_Error( 401, __( 'Sorry, you do not have access to user data on this blog.' ) );
+
+		do_action('xmlrpc_call', 'blogger.getUserInfo');
+
 		$user_data = get_userdatabylogin($user_login);
 
 		$struct = array(
 			'nickname'  => $user_data->nickname,
 			'userid'    => $user_data->ID,
 			'url'       => $user_data->user_url,
-			'email'     => $user_data->user_email,
 			'lastname'  => $user_data->last_name,
 			'firstname' => $user_data->first_name
 		);
@@ -625,7 +669,12 @@ class wp_xmlrpc_server extends IXR_Server {
 			return $this->error;
 		}
 
-		$user_data = get_userdatabylogin($user_login);
+		set_current_user( 0, $user_login );
+		if( !current_user_can( 'edit_post', $post_ID ) ) 
+			return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
+
+		do_action('xmlrpc_call', 'blogger.getPost');
+
 		$post_data = wp_get_single_post($post_ID, ARRAY_A);
 
 		$categories = implode(',', wp_get_post_categories($post_ID));
@@ -663,12 +712,16 @@ class wp_xmlrpc_server extends IXR_Server {
 
 		$posts_list = wp_get_recent_posts($num_posts);
 
+		set_current_user( 0, $user_login );
+
 		if (!$posts_list) {
 			$this->error = new IXR_Error(500, __('Either there are no posts, or something went wrong.'));
 			return $this->error;
 		}
 
 		foreach ($posts_list as $entry) {
+			if( !current_user_can( 'edit_post', $entry['ID'] ) )
+				continue;
 
 			$post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
 			$categories = implode(',', wp_get_post_categories($entry['ID']));
@@ -1328,78 +1381,83 @@ class wp_xmlrpc_server extends IXR_Server {
 	/* metaweblog.getPost ...returns a post */
 	function mw_getPost($args) {
 
-	  global $wpdb;
+		global $wpdb;
 
 		$this->escape($args);
 
-	  $post_ID     = (int) $args[0];
-	  $user_login  = $args[1];
-	  $user_pass   = $args[2];
+		$post_ID     = (int) $args[0];
+		$user_login  = $args[1];
+		$user_pass   = $args[2];
 
-	  if (!$this->login_pass_ok($user_login, $user_pass)) {
-	    return $this->error;
-	  }
-
-	  $postdata = wp_get_single_post($post_ID, ARRAY_A);
-
-	  if ($postdata['post_date'] != '') {
-
-	    $post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date']);
-	    $post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt']);
-
-	    $categories = array();
-	    $catids = wp_get_post_categories($post_ID);
-	    foreach($catids as $catid) {
-	      $categories[] = get_cat_name($catid);
-	    }
-
-		$tagnames = array();
-		$tags = wp_get_post_tags( $post_ID );
-		if ( !empty( $tags ) ) {
-			foreach ( $tags as $tag ) {
-				$tagnames[] = $tag->name;
-			}
-			$tagnames = implode( ', ', $tagnames );
-		} else {
-			$tagnames = '';
+		if (!$this->login_pass_ok($user_login, $user_pass)) {
+			return $this->error;
 		}
 
-	    $post = get_extended($postdata['post_content']);
-	    $link = post_permalink($postdata['ID']);
+		set_current_user( 0, $user_login );
+		if( !current_user_can( 'edit_post', $post_ID ) )
+			return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
 
-		// Get the author info.
-		$author = get_userdata($postdata['post_author']);
+		do_action('xmlrpc_call', 'metaWeblog.getPost');
 
-	    $allow_comments = ('open' == $postdata['comment_status']) ? 1 : 0;
-	    $allow_pings = ('open' == $postdata['ping_status']) ? 1 : 0;
+		$postdata = wp_get_single_post($post_ID, ARRAY_A);
 
-	    $resp = array(
-	      'dateCreated' => new IXR_Date($post_date),
-	      'userid' => $postdata['post_author'],
-	      'postid' => $postdata['ID'],
-	      'description' => $post['main'],
-	      'title' => $postdata['post_title'],
-	      'link' => $link,
-	      'permaLink' => $link,
-// commented out because no other tool seems to use this
-//	      'content' => $entry['post_content'],
-	      'categories' => $categories,
-	      'mt_excerpt' => $postdata['post_excerpt'],
-	      'mt_text_more' => $post['extended'],
-	      'mt_allow_comments' => $allow_comments,
-	      'mt_allow_pings' => $allow_pings,
-		  'mt_keywords' => $tagnames,
-          'wp_slug' => $postdata['post_name'],
-          'wp_password' => $postdata['post_password'],
-          'wp_author_id' => $author->ID,
-          'wp_author_display_name'	=> $author->display_name,
-          'date_created_gmt' => new IXR_Date($post_date_gmt)
-	    );
+		if ($postdata['post_date'] != '') {
+			$post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date']);
+			$post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt']);
 
-	    return $resp;
-	  } else {
-	  	return new IXR_Error(404, __('Sorry, no such post.'));
-	  }
+			$categories = array();
+			$catids = wp_get_post_categories($post_ID);
+			foreach($catids as $catid) {
+				$categories[] = get_cat_name($catid);
+			}
+
+			$tagnames = array();
+			$tags = wp_get_post_tags( $post_ID );
+			if ( !empty( $tags ) ) {
+				foreach ( $tags as $tag ) {
+					$tagnames[] = $tag->name;
+				}
+				$tagnames = implode( ', ', $tagnames );
+			} else {
+				$tagnames = '';
+			}
+
+			$post = get_extended($postdata['post_content']);
+			$link = post_permalink($postdata['ID']);
+
+			// Get the author info.
+			$author = get_userdata($postdata['post_author']);
+
+			$allow_comments = ('open' == $postdata['comment_status']) ? 1 : 0;
+			$allow_pings = ('open' == $postdata['ping_status']) ? 1 : 0;
+
+			$resp = array(
+	      		'dateCreated' => new IXR_Date($post_date),
+				'userid' => $postdata['post_author'],
+				'postid' => $postdata['ID'],
+				'description' => $post['main'],
+				'title' => $postdata['post_title'],
+				'link' => $link,
+				'permaLink' => $link,
+				// commented out because no other tool seems to use this
+				//	      'content' => $entry['post_content'],
+				'categories' => $categories,
+				'mt_excerpt' => $postdata['post_excerpt'],
+				'mt_text_more' => $post['extended'],
+				'mt_allow_comments' => $allow_comments,
+				'mt_allow_pings' => $allow_pings,
+				'mt_keywords' => $tagnames,
+				'wp_slug' => $postdata['post_name'],
+				'wp_password' => $postdata['post_password'],
+				'wp_author_id' => $author->ID,
+				'wp_author_display_name'	=> $author->display_name,
+				'date_created_gmt' => new IXR_Date($post_date_gmt)
+			);
+
+			return $resp;
+		} else {
+			return new IXR_Error(404, __('Sorry, no such post.'));
+		}
 	}
 
 
@@ -1424,7 +1482,11 @@ class wp_xmlrpc_server extends IXR_Server {
 			return $this->error;
 		}
 
+		set_current_user( 0, $user_login );
+
 		foreach ($posts_list as $entry) {
+			if( !current_user_can( 'edit_post', $entry['ID'] ) )
+				continue;
 
 			$post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
 			$post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']);
@@ -1504,6 +1566,12 @@ class wp_xmlrpc_server extends IXR_Server {
 			return $this->error;
 		}
 
+		set_current_user( 0, $user_login );
+		if( !current_user_can( 'edit_posts' ) )
+			return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) );
+
+		do_action('xmlrpc_call', 'metaWeblog.getCategories');
+
 		$categories_struct = array();
 
 		if ( $cats = get_categories('get=all') ) {
@@ -1623,7 +1691,11 @@ class wp_xmlrpc_server extends IXR_Server {
 			return $this->error;
 		}
 
+		set_current_user( 0, $user_login );
+
 		foreach ($posts_list as $entry) {
+			if( !current_user_can( 'edit_post', $entry['ID'] ) ) 
+				continue;
 
 			$post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
 			$post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']);
@@ -1662,9 +1734,14 @@ class wp_xmlrpc_server extends IXR_Server {
 			return $this->error;
 		}
 
+		set_current_user( 0, $user_login );
+		if( !current_user_can( 'edit_posts' ) )
+			return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) );
+
+		do_action('xmlrpc_call', 'mt.getCategoryList');
+
 		$categories_struct = array();
 
-		// FIXME: can we avoid using direct SQL there?
 		if ( $cats = get_categories('hide_empty=0&hierarchical=0') ) {
 			foreach ($cats as $cat) {
 				$struct['categoryId'] = $cat->term_id;
@@ -1691,6 +1768,12 @@ class wp_xmlrpc_server extends IXR_Server {
 			return $this->error;
 		}
 
+		set_current_user( 0, $user_login );
+		if( !current_user_can( 'edit_post', $post_ID ) )
+			return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
+
+		do_action('xmlrpc_call', 'mt.getPostCategories');
+
 		$categories = array();
 		$catids = wp_get_post_categories(intval($post_ID));
 		// first listed category will be the primary category