-rw-r--r--wp-admin/admin-db.php4
-rw-r--r--wp-admin/admin-functions.php2
-rw-r--r--wp-admin/edit-comments.php2
-rw-r--r--wp-admin/link-import.php4
-rw-r--r--wp-admin/options.php11
-rw-r--r--wp-admin/upload-functions.php9
-rw-r--r--wp-includes/functions.php25
-rw-r--r--wp-includes/general-template.php3
-rw-r--r--wp-includes/theme.php1
-rw-r--r--wp-includes/widgets.php2
10 files changed, 40 insertions, 23 deletions
diff --git a/wp-admin/admin-db.php b/wp-admin/admin-db.php
index 6d18c96..d296e74 100644
--- a/wp-admin/admin-db.php
+++ b/wp-admin/admin-db.php
@@ -423,9 +423,11 @@ function wp_delete_link($link_id) {
}
$wpdb->query("DELETE FROM $wpdb->link2cat WHERE link_id = '$link_id'");
- return $wpdb->query("DELETE FROM $wpdb->links WHERE link_id = '$link_id'");
+ $wpdb->query("DELETE FROM $wpdb->links WHERE link_id = '$link_id'");
do_action('deleted_link', $link_id);
+
+ return true;
}
function wp_get_link_cats($link_ID = 0) {
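Review bot: `$link_id` is still interpolated uncast and unescaped into both DELETE statements (`WHERE link_id = '$link_id'`), and the new unconditional `return true;` discards the query result that the old code returned, so a failed or no-op DELETE is now indistinguishable from success. Casting once at the top of the function, `$link_id = (int) $link_id;`, closes the string-injection path and makes the `deleted_link` action fire only for a numeric id. If the return value was meant to stay informative, `return (bool) $wpdb->query(...)` on the links DELETE keeps the boolean contract without dropping the signal. The start of wp_delete_link is outside the hunk.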
diff --git a/wp-admin/admin-functions.php b/wp-admin/admin-functions.php
index dce1350..f23f3ce 100644
--- a/wp-admin/admin-functions.php
+++ b/wp-admin/admin-functions.php
@@ -914,7 +914,7 @@ function user_row( $user_object, $style = '' ) {
function _wp_get_comment_list( $s = false, $start, $num ) {
global $wpdb;
- $start = (int) $start;
+ $start = abs( (int) $start );
$num = (int) $num;
if ( $s ) {
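Review bot: `abs( (int) $start )` turns a negative offset into a positive one rather than rejecting it, and `abs()` of PHP_INT_MIN silently becomes a float; `$start = max( 0, (int) $start );` states the actual intent (a non-negative offset) directly. `$num` is cast on the next line but not clamped, so a negative LIMIT count still passes through — whether that matters depends on how the query is assembled below. The body of _wp_get_comment_list continues outside the hunk.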
diff --git a/wp-admin/edit-comments.php b/wp-admin/edit-comments.php
index 85b2a6e..ea718b9 100644
--- a/wp-admin/edit-comments.php
+++ b/wp-admin/edit-comments.php
@@ -76,7 +76,7 @@ if ( !empty( $_POST['delete_comments'] ) ) :
endif;
if ( isset( $_GET['apage'] ) )
- $page = (int) $_GET['apage'];
+ $page = abs( (int) $_GET['apage'] );
else
$page = 1;
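Review bot: `abs( (int) $_GET['apage'] )` still lets `$page` be 0 (for `apage=0` or any non-numeric value), which is exactly what the `else` branch avoids by defaulting to 1; `$page = isset( $_GET['apage'] ) ? max( 1, (int) $_GET['apage'] ) : 1;` covers both cases in one expression. How a zero page is turned into a query offset is outside the hunk, so whether it produces a negative start cannot be confirmed here.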
diff --git a/wp-admin/link-import.php b/wp-admin/link-import.php
index 8502ed8..e20a464 100644
--- a/wp-admin/link-import.php
+++ b/wp-admin/link-import.php
@@ -73,8 +73,8 @@ foreach ($categories as $category) {
<h2><?php _e('Importing...') ?></h2>
<?php
- $cat_id = $_POST['cat_id'];
- if ( $cat_id == '' || $cat_id == 0 )
+ $cat_id = abs( (int) $_POST['cat_id'] );
+ if ( $cat_id < 1 )
$cat_id = 1;
$opml_url = $_POST['opml_url'];
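Review bot: `$opml_url = $_POST['opml_url'];` on the new side is still taken verbatim while `cat_id` now gets cast and clamped; its consumer is outside the hunk, but a value that names a URL the server presumably fetches should at least be checked with `parse_url()` for an `http`/`https` scheme and a non-empty host before use, and escaped with `wp_specialchars()` wherever it is echoed back. The `abs( (int) ... )` plus `if ( $cat_id < 1 )` pair could be one line, `$cat_id = max( 1, (int) $_POST['cat_id'] );`.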
diff --git a/wp-admin/options.php b/wp-admin/options.php
index db3c88e..466c8be 100644
--- a/wp-admin/options.php
+++ b/wp-admin/options.php
@@ -146,10 +146,11 @@ $options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name
foreach ( (array) $options as $option) :
$disabled = '';
+ $option->option_name = attribute_escape($option->option_name);
if ( is_serialized($option->option_value) ) {
if ( is_serialized_string($option->option_value) ) {
// this is a serialized string, so we should display it
- $value = wp_specialchars(maybe_unserialize($option->option_value), 'single');
+ $value = maybe_unserialize($option->option_value);
$options_to_update[] = $option->option_name;
$class = 'all-options';
} else {
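Review bot: `$option->option_name` is overwritten with its attribute-escaped form before being pushed into `$options_to_update`, so the list that is later posted back as `page_options` now carries escaped names — which is why the hidden field at the bottom of the file drops its own `attribute_escape()`. That ties two distant lines to one invariant that nothing states; a comment at the assignment, `// escaped once here; reused as-is in the label/name attributes and in page_options below`, would make it visible, or keep the raw name in a separate local and escape at each output site instead. The rest of the loop body is outside this hunk.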
@@ -158,7 +159,7 @@ foreach ( (array) $options as $option) :
$class = 'all-options disabled';
}
} else {
- $value = wp_specialchars($option->option_value, 'single');
+ $value = $option->option_value;
$options_to_update[] = $option->option_name;
$class = 'all-options';
}
@@ -167,8 +168,8 @@ foreach ( (array) $options as $option) :
<th scope='row'><label for='$option->option_name'>$option->option_name</label></th>
<td>";
- if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>$value</textarea>";
- else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . $value . "'$disabled />";
+ if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . wp_specialchars($value) . "</textarea>";
+ else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . attribute_escape($value) . "'$disabled />";
echo "</td>
<td>$option->option_description</td>
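Review bot: `$option->option_description` is still echoed raw into the `<td>` on the line after the escaped `$value`, so this loop now escapes the value and the name but not the description; `<td>" . wp_specialchars($option->option_description) . "</td>` brings it in line. The description comes from the options table rather than directly from the request, so this is a stored-content escaping gap rather than a reflected one, but the same table is what the rest of this hunk just started escaping.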
@@ -177,7 +178,7 @@ endforeach;
?>
</table>
<?php $options_to_update = implode(',', $options_to_update); ?>
-<p class="submit"><input type="hidden" name="page_options" value="<?php echo attribute_escape($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
+<p class="submit"><input type="hidden" name="page_options" value="<?php echo $options_to_update; ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
</form>
</div>
diff --git a/wp-admin/upload-functions.php b/wp-admin/upload-functions.php
index 31965bc..e2d734d 100644
--- a/wp-admin/upload-functions.php
+++ b/wp-admin/upload-functions.php
@@ -105,8 +105,9 @@ function wp_upload_form() {
$id = get_the_ID();
global $post_id, $tab, $style;
$enctype = $id ? '' : ' enctype="multipart/form-data"';
+ $post_id = (int) $post_id;
?>
- <form<?php echo $enctype; ?> id="upload-file" method="post" action="<?php echo get_option('siteurl') . "/wp-admin/upload.php?style=$style&amp;tab=upload&amp;post_id=$post_id"; ?>">
+ <form<?php echo $enctype; ?> id="upload-file" method="post" action="<?php echo get_option('siteurl') . '/wp-admin/upload.php?style=' . attribute_escape($style . '&amp;tab=upload&amp;post_id=' . $post_id); ?>">
<?php
if ( $id ) :
$attachment = get_post_to_edit( $id );
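Review bot: `attribute_escape()` is an HTML-attribute encoder, not a URL encoder, so `$style` still enters the query string unencoded — an `&`, `#` or `=` in it changes the URL's parameters instead of being escaped. Encode for the URL context first and the attribute context second: `'/wp-admin/upload.php?style=' . urlencode($style) . '&amp;tab=upload&amp;post_id=' . $post_id`, then wrap the whole `action` value in `attribute_escape()`. Whether `attribute_escape()` leaves the literal `&amp;` already in the string alone or double-encodes it depends on its implementation, which is not visible here; the `(int) $post_id` cast added above the form is the right move.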
@@ -201,7 +202,7 @@ function wp_upload_tab_upload_action() {
if ( !current_user_can( 'upload_files' ) )
wp_die( __('You are not allowed to upload files.')
- . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=$style&amp;tab=browse-all&amp;post_id=$post_id'>"
+ . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=" . attribute_escape($style . "&amp;tab=browse-all&amp;post_id=$post_id") . "'>"
. __('Browse Files') . '</a>'
);
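Review bot: `$post_id` is interpolated into the link here without the `(int)` cast that the wp_upload_form hunk adds, and `$style` is again attribute-escaped rather than URL-encoded, so the same `&`/`#` problem applies to this query string. `"...upload.php?style=" . attribute_escape(urlencode($style) . "&amp;tab=browse-all&amp;post_id=" . (int) $post_id) . "'>"` handles both. Where `$post_id` and `$style` come from in wp_upload_tab_upload_action is outside the hunk.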
@@ -211,7 +212,7 @@ function wp_upload_tab_upload_action() {
if ( isset($file['error']) )
wp_die($file['error'] . "<br /><a href='" . get_option('siteurl')
- . "/wp-admin/upload.php?style=$style&amp;tab=$from_tab&amp;post_id=$post_id'>" . __('Back to Image Uploading') . '</a>'
+ . "/wp-admin/upload.php?style=" . attribute_escape($style . "&amp;tab=$from_tab&amp;post_id=$post_id") . "'>" . __('Back to Image Uploading') . '</a>'
);
$url = $file['url'];
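Review bot: `$file['error']` is passed into `wp_die()` as markup without escaping on the line above the rewritten link, while the commit escapes the link target next to it; if the upload handler ever includes the client-supplied filename in that message (not visible here), it becomes reflected HTML. `wp_die(wp_specialchars($file['error']) . "<br />..."` costs nothing if the message is plain text. `$from_tab` is interpolated into the query string attribute-escaped but not URL-encoded, same as `$style`.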
@@ -258,7 +259,7 @@ function wp_upload_tab_upload_action() {
if ( !current_user_can('edit_post', (int) $ID) )
wp_die( __('You are not allowed to delete this attachment.')
- . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=$style&amp;tab=$from_tab&amp;post_id=$post_id'>"
+ . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=" . attribute_escape($style . "&amp;tab=$from_tab&amp;post_id=$post_id") . "'>"
. __('Go back') . '</a>'
);
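Review bot: the `(int) $ID` cast is applied in the `current_user_can('edit_post', ...)` check but the `post_id=$post_id` and `tab=$from_tab` values in the error link are neither cast nor URL-encoded, so this hunk ends up safer in the capability check than in the URL it emits. `"&amp;tab=" . urlencode($from_tab) . "&amp;post_id=" . (int) $post_id` inside the `attribute_escape()` call fixes both. The preceding logic that sets `$from_tab` and `$post_id` is outside the hunk.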
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index 67787e1..60a5730 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -203,6 +203,7 @@ function is_serialized_string($data) {
/* Options functions */
+// expects $setting to already be SQL-escaped
function get_option($setting) {
global $wpdb, $switched, $current_blog;
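Review bot: the new comment records a contract ("already SQL-escaped") that is the inverse of the one the commit gives update_option() and add_option() below, and nothing in get_option enforces it; every call that passes a user-derived name must remember to escape it first. Making the split explicit in the comment helps: `// expects $setting to already be SQL-escaped (literal names are fine; escape user-derived names with $wpdb->escape() before calling)`. A `@param`-style docblock would match the convention used elsewhere in the file better than a bare line comment. get_option's body is outside the hunk.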
@@ -311,16 +312,19 @@ function wp_load_alloptions() {
return $alloptions;
}
+// expects $option_name to NOT be SQL-escaped
function update_option($option_name, $newvalue) {
global $wpdb;
wp_protect_special_option($option_name);
+ $safe_option_name = $wpdb->escape($option_name);
+
if ( is_string($newvalue) )
$newvalue = trim($newvalue);
// If the new and old values are the same, no need to update.
- $oldvalue = get_option($option_name);
+ $oldvalue = get_option($safe_option_name);
if ( $newvalue === $oldvalue ) {
return false;
}
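Review bot: `$safe_option_name` is only consumed by the `get_option()` call inside this hunk, while the raw `$option_name` stays in scope; the UPDATE/INSERT that presumably follows is outside the hunk and must use the escaped form too, or the escaping added here only protects the read. A comment at the assignment, `// $safe_option_name for SQL; $option_name for cache keys and hooks`, would keep the two from being mixed up as the function grows. Returning `false` here for the no-op case while add_option (below) returns nothing is also worth aligning.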
@@ -358,21 +362,21 @@ function update_option($option_name, $newvalue) {
}
// thx Alex Stapleton, http://alex.vort-x.net/blog/
+// expects $name to NOT be SQL-escaped
function add_option($name, $value = '', $description = '', $autoload = 'yes') {
global $wpdb;
wp_protect_special_option($name);
+ $safe_name = $wpdb->escape($name);
- // Make sure the option doesn't already exist we can check the cache before we ask for a db query
+ // Make sure the option doesn't already exist. We can check the 'notoptions' cache before we ask for a db query
$notoptions = wp_cache_get('notoptions', 'options');
- if ( is_array($notoptions) && isset($notoptions[$name]) ) {
- unset($notoptions[$name]);
- wp_cache_set('notoptions', $notoptions, 'options');
- } elseif ( false !== get_option($name) ) {
+ if ( !is_array($notoptions) || !isset($notoptions[$name]) )
+ if ( false !== get_option($safe_name) )
return;
- }
$value = maybe_serialize($value);
+ $autoload = ( 'no' === $autoload ) ? 'no' : 'yes';
if ( 'yes' == $autoload ) {
$alloptions = wp_load_alloptions();
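Review bot: the rewritten early exit is two nested brace-less `if`s (`if ( !is_array($notoptions) || !isset($notoptions[$name]) )` / `if ( false !== get_option($safe_name) )` / `return;`), which is easy to break the next time a line is added between them; one condition reads better: `if ( ( !is_array($notoptions) || !isset($notoptions[$name]) ) && false !== get_option($safe_name) ) return false;`. Returning `false` also matches update_option's no-op result instead of a bare `return;` that yields null. The `$autoload` normalisation to exactly `'yes'`/`'no'` is a good change, since the raw value is what ends up in whatever SQL is built later (outside this hunk).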
@@ -382,6 +386,13 @@ function add_option($name, $value = '', $description = '', $autoload = 'yes') {
wp_cache_set($name, $value, 'options');
}
+ // This option exists now
+ $notoptions = wp_cache_get('notoptions', 'options'); // yes, again... we need it to be fresh
+ if ( is_array($notoptions) && isset($notoptions[$name]) ) {
+ unset($notoptions[$name]);
+ wp_cache_set('notoptions', $notoptions, 'options');
+ }
+
$name = $wpdb->escape($name);
$value = $wpdb->escape($value);
$description = $wpdb->escape($description);
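Review bot: `$name = $wpdb->escape($name);` recomputes a value that already exists as `$safe_name` from the start of add_option(); `$name = $safe_name;` (or using `$safe_name` directly in the INSERT) keeps a single escaped form rather than two that can drift. The "yes, again" comment says the cache is re-read but not why; naming the cause, e.g. `// wp_load_alloptions()/wp_cache_set() above may have refreshed the options cache; re-read before mutating`, turns it from a warning into an explanation — the exact refresh path is partly outside the hunk, so word it as "may". The INSERT itself follows outside the hunk.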
diff --git a/wp-includes/general-template.php b/wp-includes/general-template.php
index bdc5b04..7c3c5f3 100644
--- a/wp-includes/general-template.php
+++ b/wp-includes/general-template.php
@@ -814,7 +814,8 @@ function user_can_richedit() {
if ( !isset( $wp_rich_edit) ) {
if ( get_user_option( 'rich_editing' ) == 'true' &&
( ( preg_match( '!AppleWebKit/(\d+)!', $_SERVER['HTTP_USER_AGENT'], $match ) && intval($match[1]) >= 420 ) ||
- !preg_match( '!opera[ /][2-8]|konqueror|safari!i', $_SERVER['HTTP_USER_AGENT'] ) ) ) {
+ !preg_match( '!opera[ /][2-8]|konqueror|safari!i', $_SERVER['HTTP_USER_AGENT'] ) )
+ && 'comment.php' != $pagenow ) {
$wp_rich_edit = true;
} else {
$wp_rich_edit = false;
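Review bot: `$pagenow` is used in the added `&& 'comment.php' != $pagenow` condition but no `global $pagenow` is visible in this part of user_can_richedit(); the function's `global` line is above the hunk. If it is not declared there, `$pagenow` is null inside the function, the comparison is always true, and the new check never disables the rich editor on comment.php. Confirm the declaration reads `global $wp_rich_edit, $pagenow;`, and prefer `!==` for the string comparison.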
diff --git a/wp-includes/theme.php b/wp-includes/theme.php
index e561e23..f20ae68 100644
--- a/wp-includes/theme.php
+++ b/wp-includes/theme.php
@@ -79,6 +79,7 @@ function get_theme_data( $theme_file ) {
$name = trim( $name );
$theme = $name;
$theme_uri = trim( $theme_uri[1] );
+ $template = trim( $template[1] );
if ( '' == $author_uri[1] ) {
$author = trim( $author_name[1] );
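Review bot: `trim( $template[1] )` assumes the Template header regex produced a capture; when the header is absent `$template[1]` is undefined, which emits a notice and yields an empty string. The neighbouring `$theme_uri[1]` and `$author_name[1]` lines share the pattern, so it is consistent, but `$template = isset( $template[1] ) ? trim( $template[1] ) : '';` is the safe form. The regex that fills `$template` and the later use of the trimmed value are outside the hunk.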
diff --git a/wp-includes/widgets.php b/wp-includes/widgets.php
index 25027d3..52f0a0e 100644
--- a/wp-includes/widgets.php
+++ b/wp-includes/widgets.php
@@ -630,7 +630,7 @@ function wp_widget_categories($args) {
var dropdown = document.getElementById("cat");
function onCatChange() {
if ( dropdown.options[dropdown.selectedIndex].value > 0 ) {
- location.href = "<?php echo get_option('siteurl'); ?>/?cat="+dropdown.options[dropdown.selectedIndex].value;
+ location.href = "<?php echo get_option('home'); ?>/?cat="+dropdown.options[dropdown.selectedIndex].value;
}
}
dropdown.onchange = onCatChange;
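Review bot: `get_option('home')` is echoed straight into the JavaScript string literal `location.href = "..."`; a `"`, `\` or `</script>` in the option value breaks out of the string and the script block. The value is admin-controlled so the exposure is small, but it should be escaped for a JS string context (at minimum `"`, `\` and `</`) rather than echoed raw — switching from `siteurl` to `home` does not change that. The selected category value is concatenated unencoded as well; wrapping it in `encodeURIComponent(...)` on the JS side keeps a non-numeric option value from altering the URL.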