Compare commits
20 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
4b573de83f | ||
|
3042245749 | ||
|
754a809bfb | ||
|
3c1876e6c5 | ||
|
d5a6676eb2 | ||
|
|
437f727e8f | ||
|
|
b4bf158d3a | ||
|
569f0c90fc | ||
|
0ba49c4a4c | ||
|
|
94306911e2 | ||
|
|
96731bcfb4 | ||
|
|
e35259b0bc | ||
|
|
0986b209ea | ||
|
|
6d9698863c | ||
|
|
a60f6eea61 | ||
|
|
1c4f8827a2 | ||
|
|
080ef55551 | ||
|
|
666b9f8558 | ||
|
|
c1769766f6 | ||
|
|
c30865a6b5 |
@@ -9,7 +9,7 @@
|
||||
<body>
|
||||
<h1 id="logo">
|
||||
<a href="https://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
|
||||
<br /> Version 4.2.6
|
||||
<br /> Version 4.2.9
|
||||
</h1>
|
||||
<p style="text-align: center">Semantic Personal Publishing Platform</p>
|
||||
|
||||
|
||||
@@ -41,7 +41,19 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
|
||||
</h2>
|
||||
|
||||
<div class="changelog point-releases">
|
||||
<h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 6 ); ?></h3>
|
||||
<h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 9 ); ?></h3>
|
||||
<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
|
||||
'<strong>Version %1$s</strong> addressed some security issues.', 9 ), '4.2.9' ); ?>
|
||||
<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.2.9' ); ?>
|
||||
</p>
|
||||
<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
|
||||
'<strong>Version %1$s</strong> addressed some security issues.', 6 ), '4.2.8' ); ?>
|
||||
<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.2.8' ); ?>
|
||||
</p>
|
||||
<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
|
||||
'<strong>Version %1$s</strong> addressed some security issues.', 2 ), '4.2.7' ); ?>
|
||||
<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.2.7' ); ?>
|
||||
</p>
|
||||
<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
|
||||
'<strong>Version %1$s</strong> addressed some security issues.', 1 ), '4.2.6' ); ?>
|
||||
<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.2.6' ); ?>
|
||||
|
||||
@@ -18,9 +18,11 @@ if ( ! current_user_can( 'customize' ) ) {
|
||||
|
||||
wp_reset_vars( array( 'url', 'return' ) );
|
||||
$url = wp_unslash( $url );
|
||||
$url = esc_url_raw( $url );
|
||||
$url = wp_validate_redirect( $url, home_url( '/' ) );
|
||||
if ( $return ) {
|
||||
$return = wp_unslash( $return );
|
||||
$return = esc_url_raw( $return );
|
||||
$return = wp_validate_redirect( $return );
|
||||
}
|
||||
if ( ! $return ) {
|
||||
|
||||
@@ -2603,7 +2603,7 @@ function wp_ajax_get_revision_diffs() {
|
||||
if ( ! $post = get_post( (int) $_REQUEST['post_id'] ) )
|
||||
wp_send_json_error();
|
||||
|
||||
if ( ! current_user_can( 'read_post', $post->ID ) )
|
||||
if ( ! current_user_can( 'edit_post', $post->ID ) )
|
||||
wp_send_json_error();
|
||||
|
||||
// Really just pre-loading the cache here.
|
||||
|
||||
@@ -341,7 +341,7 @@ foreach ( $columns as $column_name => $column_display_name ) {
|
||||
<?php echo $att_title; ?></a>
|
||||
<?php };
|
||||
_media_states( $post ); ?></strong>
|
||||
<p class="filename"><?php echo wp_basename( $post->guid ); ?></p>
|
||||
<p class="filename"><?php echo esc_html( wp_basename( $post->guid ) ); ?></p>
|
||||
<?php
|
||||
echo $this->row_actions( $this->_get_row_actions( $post, $att_title ) );
|
||||
?>
|
||||
|
||||
@@ -165,6 +165,13 @@ function _wp_translate_postdata( $update = false, $post_data = null ) {
|
||||
$post_data['post_date_gmt'] = get_gmt_from_date( $post_data['post_date'] );
|
||||
}
|
||||
|
||||
if ( isset( $post_data['post_category'] ) ) {
|
||||
$category_object = get_taxonomy( 'category' );
|
||||
if ( ! current_user_can( $category_object->cap->assign_terms ) ) {
|
||||
unset( $post_data['post_category'] );
|
||||
}
|
||||
}
|
||||
|
||||
return $post_data;
|
||||
}
|
||||
|
||||
@@ -1292,15 +1299,15 @@ function get_sample_permalink_html( $id, $new_title = null, $new_slug = null ) {
|
||||
}
|
||||
}
|
||||
|
||||
$post_name_html = '<span id="editable-post-name" title="' . $title . '">' . $post_name_abridged . '</span>';
|
||||
$display_link = str_replace( array( '%pagename%', '%postname%' ), $post_name_html, urldecode( $permalink ) );
|
||||
$post_name_html = '<span id="editable-post-name" title="' . $title . '">' . esc_html( $post_name_abridged ) . '</span>';
|
||||
$display_link = str_replace( array( '%pagename%', '%postname%' ), $post_name_html, esc_html( urldecode( $permalink ) ) );
|
||||
$pretty_permalink = str_replace( array( '%pagename%', '%postname%' ), $post_name, urldecode( $permalink ) );
|
||||
|
||||
$return = '<strong>' . __( 'Permalink:' ) . "</strong>\n";
|
||||
$return .= '<span id="sample-permalink" tabindex="-1">' . $display_link . "</span>\n";
|
||||
$return .= '‎'; // Fix bi-directional text display defect in RTL languages.
|
||||
$return .= '<span id="edit-slug-buttons"><a href="#post_name" class="edit-slug button button-small hide-if-no-js" onclick="editPermalink(' . $id . '); return false;">' . __( 'Edit' ) . "</a></span>\n";
|
||||
$return .= '<span id="editable-post-name-full">' . $post_name . "</span>\n";
|
||||
$return .= '<span id="editable-post-name-full">' . esc_html( $post_name ) . "</span>\n";
|
||||
}
|
||||
|
||||
if ( isset( $view_post ) ) {
|
||||
@@ -1314,7 +1321,7 @@ function get_sample_permalink_html( $id, $new_title = null, $new_slug = null ) {
|
||||
$pretty_permalink = $permalink;
|
||||
}
|
||||
|
||||
$return .= "<span id='view-post-btn'><a href='" . $pretty_permalink . "' class='button button-small'>$view_post</a></span>\n";
|
||||
$return .= "<span id='view-post-btn'><a href='" . esc_url( $pretty_permalink ) . "' class='button button-small'>$view_post</a></span>\n";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -273,7 +273,7 @@ if ( isset( $_GET['updated'] ) ) {
|
||||
<tr>
|
||||
<th scope="row"><label for="first_comment_author"><?php _e( 'First Comment Author' ) ?></label></th>
|
||||
<td>
|
||||
<input type="text" size="40" name="first_comment_author" id="first_comment_author" aria-describedby="first-comment-author-desc" value="<?php echo get_site_option('first_comment_author') ?>" />
|
||||
<input type="text" size="40" name="first_comment_author" id="first_comment_author" aria-describedby="first-comment-author-desc" value="<?php echo esc_attr( get_site_option('first_comment_author') ); ?>" />
|
||||
<p class="description" id="first-comment-author-desc">
|
||||
<?php _e( 'The author of the first comment on a new site.' ) ?>
|
||||
</p>
|
||||
|
||||
@@ -63,7 +63,7 @@ default :
|
||||
if ( ! $post = get_post( $revision->post_parent ) )
|
||||
break;
|
||||
|
||||
if ( ! current_user_can( 'read_post', $revision->ID ) || ! current_user_can( 'read_post', $post->ID ) )
|
||||
if ( ! current_user_can( 'read_post', $revision->ID ) || ! current_user_can( 'edit_post', $revision->post_parent ) )
|
||||
break;
|
||||
|
||||
// Revisions disabled and we're not looking at an autosave
|
||||
|
||||
@@ -99,7 +99,7 @@ if ( is_multisite()
|
||||
// Execute confirmed email change. See send_confirmation_on_profile_email().
|
||||
if ( is_multisite() && IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $current_user->ID ) {
|
||||
$new_email = get_option( $current_user->ID . '_new_email' );
|
||||
if ( $new_email[ 'hash' ] == $_GET[ 'newuseremail' ] ) {
|
||||
if ( $new_email && hash_equals( $new_email[ 'hash' ], $_GET[ 'newuseremail' ] ) ) {
|
||||
$user = new stdClass;
|
||||
$user->ID = $current_user->ID;
|
||||
$user->user_email = esc_html( trim( $new_email[ 'newemail' ] ) );
|
||||
@@ -110,7 +110,8 @@ if ( is_multisite() && IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $c
|
||||
wp_redirect( add_query_arg( array('updated' => 'true'), self_admin_url( 'profile.php' ) ) );
|
||||
die();
|
||||
}
|
||||
} elseif ( is_multisite() && IS_PROFILE_PAGE && !empty( $_GET['dismiss'] ) && $current_user->ID . '_new_email' == $_GET['dismiss'] ) {
|
||||
} elseif ( is_multisite() && IS_PROFILE_PAGE && !empty( $_GET['dismiss'] ) && $current_user->ID . '_new_email' === $_GET['dismiss'] ) {
|
||||
check_admin_referer( 'dismiss-' . $current_user->ID . '_new_email' );
|
||||
delete_option( $current_user->ID . '_new_email' );
|
||||
wp_redirect( add_query_arg( array('updated' => 'true'), self_admin_url( 'profile.php' ) ) );
|
||||
die();
|
||||
@@ -402,7 +403,7 @@ if ( is_multisite() && is_network_admin() && ! IS_PROFILE_PAGE && current_user_c
|
||||
$new_email = get_option( $current_user->ID . '_new_email' );
|
||||
if ( $new_email && $new_email['newemail'] != $current_user->user_email && $profileuser->ID == $current_user->ID ) : ?>
|
||||
<div class="updated inline">
|
||||
<p><?php printf( __('There is a pending change of your e-mail to <code>%1$s</code>. <a href="%2$s">Cancel</a>'), $new_email['newemail'], esc_url( self_admin_url( 'profile.php?dismiss=' . $current_user->ID . '_new_email' ) ) ); ?></p>
|
||||
<p><?php printf( __('There is a pending change of your e-mail to <code>%1$s</code>. <a href="%2$s">Cancel</a>'), esc_html( $new_email['newemail'] ), esc_url( wp_nonce_url( self_admin_url( 'profile.php?dismiss=' . $current_user->ID . '_new_email' ), 'dismiss-' . $current_user->ID . '_new_email' ) ) ); ?></p>
|
||||
</div>
|
||||
<?php endif; ?>
|
||||
</td>
|
||||
|
||||
@@ -999,20 +999,23 @@ class Snoopy
|
||||
if(!empty($this->user) || !empty($this->pass))
|
||||
$headers[] = "Authorization: BASIC ".base64_encode($this->user.":".$this->pass);
|
||||
|
||||
for($curr_header = 0; $curr_header < count($headers); $curr_header++) {
|
||||
$safer_header = strtr( $headers[$curr_header], "\"", " " );
|
||||
$cmdline_params .= " -H \"".$safer_header."\"";
|
||||
$headerfile = tempnam( $this->temp_dir, "sno" );
|
||||
$cmdline_params = '-k -D ' . escapeshellarg( $headerfile );
|
||||
|
||||
foreach ( $headers as $header ) {
|
||||
$cmdline_params .= ' -H ' . escapeshellarg( $header );
|
||||
}
|
||||
|
||||
if(!empty($body))
|
||||
$cmdline_params .= " -d \"$body\"";
|
||||
if ( ! empty( $body ) ) {
|
||||
$cmdline_params .= ' -d ' . escapeshellarg( $body );
|
||||
}
|
||||
|
||||
if($this->read_timeout > 0)
|
||||
$cmdline_params .= " -m ".$this->read_timeout;
|
||||
if ( $this->read_timeout > 0 ) {
|
||||
$cmdline_params .= ' -m ' . escapeshellarg( $this->read_timeout );
|
||||
}
|
||||
|
||||
$headerfile = tempnam($this->temp_dir, "sno");
|
||||
|
||||
exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);
|
||||
exec( $this->curl_path . ' ' . $cmdline_params . ' ' . escapeshellarg( $URI ), $results, $return );
|
||||
|
||||
if($return)
|
||||
{
|
||||
|
||||
@@ -1208,7 +1208,8 @@ function remove_accents($string) {
|
||||
* operating systems and special characters requiring special escaping
|
||||
* to manipulate at the command line. Replaces spaces and consecutive
|
||||
* dashes with a single dash. Trims period, dash and underscore from beginning
|
||||
* and end of filename.
|
||||
* and end of filename. It is not guaranteed that this function will return a
|
||||
* filename that is allowed to be uploaded.
|
||||
*
|
||||
* @since 2.1.0
|
||||
*
|
||||
@@ -1233,6 +1234,14 @@ function sanitize_file_name( $filename ) {
|
||||
$filename = preg_replace( '/[\r\n\t -]+/', '-', $filename );
|
||||
$filename = trim( $filename, '.-_' );
|
||||
|
||||
if ( false === strpos( $filename, '.' ) ) {
|
||||
$mime_types = wp_get_mime_types();
|
||||
$filetype = wp_check_filetype( 'test.' . $filename, $mime_types );
|
||||
if ( $filetype['ext'] === $filename ) {
|
||||
$filename = 'unnamed-file.' . $filetype['ext'];
|
||||
}
|
||||
}
|
||||
|
||||
// Split the filename into a base and extension[s]
|
||||
$parts = explode('.', $filename);
|
||||
|
||||
|
||||
@@ -466,7 +466,7 @@ function wp_http_validate_url( $url ) {
|
||||
|
||||
if ( ! $same_host ) {
|
||||
$host = trim( $parsed_url['host'], '.' );
|
||||
if ( preg_match( '#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host ) ) {
|
||||
if ( preg_match( '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host ) ) {
|
||||
$ip = $host;
|
||||
} else {
|
||||
$ip = gethostbyname( $host );
|
||||
@@ -475,7 +475,7 @@ function wp_http_validate_url( $url ) {
|
||||
}
|
||||
if ( $ip ) {
|
||||
$parts = array_map( 'intval', explode( '.', $ip ) );
|
||||
if ( 127 === $parts[0] || 10 === $parts[0]
|
||||
if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0]
|
||||
|| ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
|
||||
|| ( 192 === $parts[0] && 168 === $parts[1] )
|
||||
) {
|
||||
|
||||
Binary file not shown.
File diff suppressed because one or more lines are too long
Binary file not shown.
@@ -1014,18 +1014,14 @@ function auth_redirect() {
|
||||
}
|
||||
}
|
||||
|
||||
if ( is_user_admin() ) {
|
||||
$scheme = 'logged_in';
|
||||
} else {
|
||||
/**
|
||||
* Filter the authentication redirect scheme.
|
||||
*
|
||||
* @since 2.9.0
|
||||
*
|
||||
* @param string $scheme Authentication redirect scheme. Default empty.
|
||||
*/
|
||||
$scheme = apply_filters( 'auth_redirect_scheme', '' );
|
||||
}
|
||||
/**
|
||||
* Filters the authentication redirect scheme.
|
||||
*
|
||||
* @since 2.9.0
|
||||
*
|
||||
* @param string $scheme Authentication redirect scheme. Default empty.
|
||||
*/
|
||||
$scheme = apply_filters( 'auth_redirect_scheme', '' );
|
||||
|
||||
if ( $user_id = wp_validate_auth_cookie( '', $scheme) ) {
|
||||
/**
|
||||
@@ -1296,7 +1292,8 @@ function wp_validate_redirect($location, $default = '') {
|
||||
// In php 5 parse_url may fail if the URL query part contains http://, bug #38143
|
||||
$test = ( $cut = strpos($location, '?') ) ? substr( $location, 0, $cut ) : $location;
|
||||
|
||||
$lp = parse_url($test);
|
||||
// @-operator is used to prevent possible warnings in PHP < 5.3.3.
|
||||
$lp = @parse_url($test);
|
||||
|
||||
// Give up if malformed URL
|
||||
if ( false === $lp )
|
||||
@@ -1306,9 +1303,17 @@ function wp_validate_redirect($location, $default = '') {
|
||||
if ( isset($lp['scheme']) && !('http' == $lp['scheme'] || 'https' == $lp['scheme']) )
|
||||
return $default;
|
||||
|
||||
// Reject if scheme is set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
|
||||
if ( isset($lp['scheme']) && !isset($lp['host']) )
|
||||
// Reject if certain components are set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
|
||||
if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) {
|
||||
return $default;
|
||||
}
|
||||
|
||||
// Reject malformed components parse_url() can return on odd inputs.
|
||||
foreach ( array( 'user', 'pass', 'host' ) as $component ) {
|
||||
if ( isset( $lp[ $component ] ) && strpbrk( $lp[ $component ], ':/?#@' ) ) {
|
||||
return $default;
|
||||
}
|
||||
}
|
||||
|
||||
$wpp = parse_url(home_url());
|
||||
|
||||
|
||||
@@ -1562,7 +1562,7 @@ function wp_get_attachment_link( $id = 0, $size = 'thumbnail', $permalink = fals
|
||||
* @param bool $icon Whether to include an icon. Default false.
|
||||
* @param string|bool $text If string, will be link text. Default false.
|
||||
*/
|
||||
return apply_filters( 'wp_get_attachment_link', "<a href='$url'>$link_text</a>", $id, $size, $permalink, $icon, $text );
|
||||
return apply_filters( 'wp_get_attachment_link', "<a href='" . esc_url( $url ) . "'>$link_text</a>", $id, $size, $permalink, $icon, $text );
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -310,7 +310,7 @@ function wp_default_scripts( &$scripts ) {
|
||||
|
||||
$scripts->add( 'imgareaselect', "/wp-includes/js/imgareaselect/jquery.imgareaselect$suffix.js", array('jquery'), '0.9.10', 1 );
|
||||
|
||||
$scripts->add( 'mediaelement', "/wp-includes/js/mediaelement/mediaelement-and-player.min.js", array('jquery'), '2.16.2', 1 );
|
||||
$scripts->add( 'mediaelement', "/wp-includes/js/mediaelement/mediaelement-and-player.min.js", array('jquery'), '2.16.4-a', 1 );
|
||||
did_action( 'init' ) && $scripts->localize( 'mediaelement', 'mejsL10n', array(
|
||||
'language' => get_bloginfo( 'language' ),
|
||||
'strings' => array(
|
||||
|
||||
@@ -602,7 +602,7 @@ function get_objects_in_term( $term_ids, $taxonomies, $args = array() ) {
|
||||
|
||||
$term_ids = array_map('intval', $term_ids );
|
||||
|
||||
$taxonomies = "'" . implode( "', '", $taxonomies ) . "'";
|
||||
$taxonomies = "'" . implode( "', '", array_map( 'esc_sql', $taxonomies ) ) . "'";
|
||||
$term_ids = "'" . implode( "', '", $term_ids ) . "'";
|
||||
|
||||
$object_ids = $wpdb->get_col("SELECT tr.object_id FROM $wpdb->term_relationships AS tr INNER JOIN $wpdb->term_taxonomy AS tt ON tr.term_taxonomy_id = tt.term_taxonomy_id WHERE tt.taxonomy IN ($taxonomies) AND tt.term_id IN ($term_ids) ORDER BY tr.object_id $order");
|
||||
@@ -1776,7 +1776,7 @@ function get_terms( $taxonomies, $args = '' ) {
|
||||
$order = 'ASC';
|
||||
}
|
||||
|
||||
$where = "tt.taxonomy IN ('" . implode("', '", $taxonomies) . "')";
|
||||
$where = "tt.taxonomy IN ('" . implode("', '", array_map( 'esc_sql', $taxonomies ) ) . "')";
|
||||
|
||||
$exclude = $args['exclude'];
|
||||
$exclude_tree = $args['exclude_tree'];
|
||||
@@ -2702,7 +2702,7 @@ function wp_get_object_terms($object_ids, $taxonomies, $args = array()) {
|
||||
|
||||
$taxonomy_array = $taxonomies;
|
||||
$object_id_array = $object_ids;
|
||||
$taxonomies = "'" . implode("', '", $taxonomies) . "'";
|
||||
$taxonomies = "'" . implode("', '", array_map( 'esc_sql', $taxonomies ) ) . "'";
|
||||
$object_ids = implode(', ', $object_ids);
|
||||
|
||||
$select_this = '';
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
*
|
||||
* @global string $wp_version
|
||||
*/
|
||||
$wp_version = '4.2.6';
|
||||
$wp_version = '4.2.9';
|
||||
|
||||
/**
|
||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||
|
||||
Reference in New Issue
Block a user