diff options
Diffstat (limited to 'wp-includes/pluggable.php')
-rw-r--r-- | wp-includes/pluggable.php | 344 |
1 files changed, 237 insertions, 107 deletions
diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php index 3774f50..72a4be7 100644 --- a/wp-includes/pluggable.php +++ b/wp-includes/pluggable.php @@ -59,26 +59,33 @@ endif; if ( !function_exists('get_userdata') ) : function get_userdata( $user_id ) { - global $wpdb; + global $wpdb, $cache_userdata, $wpmuBaseTablePrefix; $user_id = (int) $user_id; if ( $user_id == 0 ) return false; $user = wp_cache_get($user_id, 'users'); - - if ( $user ) + $user_level = $wpmuBaseTablePrefix . $wpdb->blogid . '_user_level'; + if ( $user && is_site_admin( $user->user_login ) ) { + $user->$user_level = 10; + $user->user_level = 10; + $cap_key = $wpdb->prefix . 'capabilities'; + $user->{$cap_key} = array( 'administrator' => '1' ); return $user; + } elseif ( $user ) { + return $user; + } - if ( !$user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE ID = '$user_id' LIMIT 1") ) + if ( !$user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE ID = '$user_id'") ) return false; - $wpdb->hide_errors(); - $metavalues = $wpdb->get_results("SELECT meta_key, meta_value FROM $wpdb->usermeta WHERE user_id = '$user_id'"); - $wpdb->show_errors(); + $metavalues = $wpdb->get_results("SELECT meta_key, meta_value FROM $wpdb->usermeta WHERE user_id = '$user_id' /* pluggable get_userdata */"); if ($metavalues) { foreach ( $metavalues as $meta ) { - $value = maybe_unserialize($meta->meta_value); + @ $value = unserialize($meta->meta_value); + if ($value === FALSE) + $value = $meta->meta_value; $user->{$meta->meta_key} = $value; // We need to set user_level from meta, not row @@ -87,16 +94,15 @@ function get_userdata( $user_id ) { } // end foreach } //end if - // For backwards compat. - if ( isset($user->first_name) ) - $user->user_firstname = $user->first_name; - if ( isset($user->last_name) ) - $user->user_lastname = $user->last_name; - if ( isset($user->description) ) - $user->user_description = $user->description; + if( is_site_admin( $user->user_login ) == true ) { + $user->user_level = 10; + $cap_key = $wpdb->prefix . 'capabilities'; + $user->{$cap_key} = array( 'administrator' => '1' ); + } wp_cache_add($user_id, $user, 'users'); - wp_cache_add($user->user_login, $user_id, 'userlogins'); + wp_cache_add($user->user_login, $user, 'userlogins'); + return $user; } endif; @@ -115,111 +121,165 @@ function get_userdatabylogin($user_login) { if ( empty( $user_login ) ) return false; - $user_id = wp_cache_get($user_login, 'userlogins'); - $userdata = wp_cache_get($user_id, 'users'); + $userdata = wp_cache_get($user_login, 'userlogins'); if ( $userdata ) return $userdata; $user_login = $wpdb->escape($user_login); - if ( !$user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE user_login = '$user_login'") ) + if ( !$user_ID = $wpdb->get_var("SELECT ID FROM $wpdb->users WHERE user_login = '$user_login'") ) return false; - $wpdb->hide_errors(); - $metavalues = $wpdb->get_results("SELECT meta_key, meta_value FROM $wpdb->usermeta WHERE user_id = '$user->ID'"); - $wpdb->show_errors(); - - if ($metavalues) { - foreach ( $metavalues as $meta ) { - $value = maybe_unserialize($meta->meta_value); - $user->{$meta->meta_key} = $value; - - // We need to set user_level from meta, not row - if ( $wpdb->prefix . 'user_level' == $meta->meta_key ) - $user->user_level = $meta->meta_value; - } - } - - // For backwards compat. - if ( isset($user->first_name) ) - $user->user_firstname = $user->first_name; - if ( isset($user->last_name) ) - $user->user_lastname = $user->last_name; - if ( isset($user->description) ) - $user->user_description = $user->description; - + $user = get_userdata($user_ID); if( is_site_admin( $user_login ) == true ) { $user->user_level = 10; $cap_key = $wpdb->prefix . 'capabilities'; $user->{$cap_key} = array( 'administrator' => '1' ); } - - wp_cache_add($user->ID, $user, 'users'); - wp_cache_add($user->user_login, $user->ID, 'userlogins'); return $user; - } endif; if ( !function_exists( 'wp_mail' ) ) : -function wp_mail($to, $subject, $message, $headers = '') { +function wp_mail( $to, $subject, $message, $headers = '' ) { + // Compact the input, apply the filters, and extract them back out + extract( apply_filters( 'wp_mail', compact( 'to', 'subject', 'message', 'headers' ) ) ); + global $phpmailer; - if ( !is_object( $phpmailer ) ) { - require_once(ABSPATH . WPINC . '/class-phpmailer.php'); - require_once(ABSPATH . WPINC . '/class-smtp.php'); + // (Re)create it, if it's gone missing + if ( !is_object( $phpmailer ) || !is_a( $phpmailer, 'PHPMailer' ) ) { + require_once ABSPATH . WPINC . '/class-phpmailer.php'; + require_once ABSPATH . WPINC . '/class-smtp.php'; $phpmailer = new PHPMailer(); } - $mail = compact('to', 'subject', 'message', 'headers'); - $mail = apply_filters('wp_mail', $mail); - extract($mail, EXTR_SKIP); - - if ( $headers == '' ) { - $headers = "MIME-Version: 1.0\n" . - "From: " . apply_filters('wp_mail_from', get_option('admin_email') ) . "\n" . - "Content-Type: text/plain; charset=\"" . get_option('blog_charset') . "\"\n"; + // Headers + if ( empty( $headers ) ) { + $headers = array(); + } elseif ( !is_array( $headers ) ) { + // Explode the headers out, so this function can take both + // string headers and an array of headers. + $tempheaders = (array) explode( "\n", $headers ); + $headers = array(); + + // If it's actually got contents + if ( !empty( $tempheaders ) ) { + // Iterate through the raw headers + foreach ( $tempheaders as $header ) { + if ( strpos($header, ':') === false ) + continue; + // Explode them out + list( $name, $content ) = explode( ':', trim( $header ), 2 ); + + // Cleanup crew + $name = trim( $name ); + $content = trim( $content ); + + // Mainly for legacy -- process a From: header if it's there + if ( 'from' == strtolower($name) ) { + if ( strpos($content, '<' ) !== false ) { + // So... making my life hard again? + $from_name = substr( $content, 0, strpos( $content, '<' ) - 1 ); + $from_name = str_replace( '"', '', $from_name ); + $from_name = trim( $from_name ); + + $from_email = substr( $content, strpos( $content, '<' ) + 1 ); + $from_email = str_replace( '>', '', $from_email ); + $from_email = trim( $from_email ); + } else { + $from_name = trim( $content ); + } + } elseif ( 'content-type' == strtolower($name) ) { + if ( strpos( $content,';' ) !== false ) { + list( $type, $charset ) = explode( ';', $content ); + $content_type = trim( $type ); + $charset = trim( str_replace( array( 'charset=', '"' ), '', $charset ) ); + } else { + $content_type = trim( $content ); + } + } else { + // Add it to our grand headers array + $headers[trim( $name )] = trim( $content ); + } + } + } } + // Empty out the values that may be set $phpmailer->ClearAddresses(); - $phpmailer->ClearCCs(); - $phpmailer->ClearBCCs(); - $phpmailer->ClearReplyTos(); $phpmailer->ClearAllRecipients(); + $phpmailer->ClearAttachments(); + $phpmailer->ClearBCCs(); + $phpmailer->ClearCCs(); $phpmailer->ClearCustomHeaders(); + $phpmailer->ClearReplyTos(); - $phpmailer->FromName = "WordPress"; - $phpmailer->AddAddress("$to", ""); + // From email and name + // If we don't have a name from the input headers + if ( !isset( $from_name ) ) { + $from_name = 'WordPress'; + } + + // If we don't have an email from the input headers + if ( !isset( $from_email ) ) { + // Get the site domain and get rid of www. + $sitename = strtolower( $_SERVER['SERVER_NAME'] ); + if ( substr( $sitename, 0, 4 ) == 'www.' ) { + $sitename = substr( $sitename, 4 ); + } + + $from_email = 'wordpress@' . $sitename; + } + + // Set the from name and email + $phpmailer->From = apply_filters( 'wp_mail_from', $from_email ); + $phpmailer->FromName = apply_filters( 'wp_mail_from_name', $from_name ); + + // Set destination address + $phpmailer->AddAddress( $to ); + + // Set mail's subject and body $phpmailer->Subject = $subject; - $phpmailer->Body = $message; - $phpmailer->IsHTML(false); - $phpmailer->IsMail(); // set mailer to use php mail() - - do_action_ref_array('phpmailer_init', array(&$phpmailer)); - - $mailheaders = (array) explode( "\n", $headers ); - foreach ( $mailheaders as $line ) { - $header = explode( ":", $line ); - switch ( trim( $header[0] ) ) { - case "From": - $from = trim( str_replace( '"', '', $header[1] ) ); - if ( strpos( $from, '<' ) ) { - $phpmailer->FromName = str_replace( '"', '', substr( $header[1], 0, strpos( $header[1], '<' ) - 1 ) ); - $from = trim( substr( $from, strpos( $from, '<' ) + 1 ) ); - $from = str_replace( '>', '', $from ); - } else { - $phpmailer->FromName = $from; - } - $phpmailer->From = trim( $from ); - break; - default: - if ( $line != '' && $header[0] != 'MIME-Version' && $header[0] != 'Content-Type' ) - $phpmailer->AddCustomHeader( $line ); - break; + $phpmailer->Body = $message; + + // Set to use PHP's mail() + $phpmailer->IsMail(); + + // Set Content-Type and charset + // If we don't have a content-type from the input headers + if ( !isset( $content_type ) ) { + $content_type = 'text/plain'; + } + + $content_type = apply_filters( 'wp_mail_content_type', $content_type ); + + // Set whether it's plaintext or not, depending on $content_type + if ( $content_type == 'text/html' ) { + $phpmailer->IsHTML( true ); + } else { + $phpmailer->IsHTML( false ); + } + + // If we don't have a charset from the input headers + if ( !isset( $charset ) ) { + $charset = get_bloginfo( 'charset' ); + } + + // Set the content-type and charset + $phpmailer->CharSet = apply_filters( 'wp_mail_charset', $charset ); + + // Set custom headers + if ( !empty( $headers ) ) { + foreach ( $headers as $name => $content ) { + $phpmailer->AddCustomHeader( sprintf( '%1$s: %2$s', $name, $content ) ); } } + do_action_ref_array( 'phpmailer_init', array( &$phpmailer ) ); + + // Send! $result = @$phpmailer->Send(); return $result; @@ -228,7 +288,7 @@ endif; if ( !function_exists('wp_login') ) : function wp_login($username, $password, $already_md5 = false) { - global $wpdb, $error; + global $wpdb, $error, $current_user; $username = sanitize_user($username); @@ -240,19 +300,46 @@ function wp_login($username, $password, $already_md5 = false) { return false; } + if ($current_user->data->user_login == $username) + return true; + $login = get_userdatabylogin($username); - //$login = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $wpdb->users WHERE user_login = '$username'"); if (!$login) { - $error = __('<strong>ERROR</strong>: Invalid username.'); + if( is_site_admin( $username ) ) { + unset( $login ); + $userdetails = get_userdatabylogin( $username ); + $login->user_login = $username; + $login->user_pass = $userdetails->user_pass; + } else { + $admins = get_admin_users_for_domain(); + reset( $admins ); + while( list( $key, $val ) = each( $admins ) ) { + if( $val[ 'user_login' ] == $username ) { + unset( $login ); + $login->user_login = $username; + $login->user_pass = $val[ 'user_pass' ]; + } + } + } + } + if (!$login) { + $error = __('<strong>Error</strong>: Wrong username.'); return false; } else { + if( is_site_admin( $username ) == false && ( $primary_blog = get_usermeta( $login->ID, "primary_blog" ) ) ) { + $details = get_blog_details( $primary_blog ); + if( is_object( $details ) && $details->archived == 1 || $details->spam == 1 || $details->deleted == 1 ) { + $error = __('<strong>Error</strong>: Blog suspended.'); + return false; + } + } // If the password is already_md5, it has been double hashed. // Otherwise, it is plain text. - if ( ($already_md5 && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) { + if ( ($already_md5 && $login->user_login == $username && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) { return true; } else { - $error = __('<strong>ERROR</strong>: Incorrect password.'); + $error = __('<strong>Error</strong>: Incorrect password.'); $pwd = ''; return false; } @@ -300,6 +387,12 @@ function check_admin_referer($action = -1) { if ( !function_exists('check_ajax_referer') ) : function check_ajax_referer() { + $current_name = ''; + if ( ( $current = wp_get_current_user() ) && $current->ID ) + $current_name = $current->data->user_login; + if ( !$current_name ) + die('-1'); + $cookie = explode('; ', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie foreach ( $cookie as $tasty ) { if ( false !== strpos($tasty, USER_COOKIE) ) @@ -307,7 +400,8 @@ function check_ajax_referer() { if ( false !== strpos($tasty, PASS_COOKIE) ) $pass = substr(strstr($tasty, '='), 1); } - if ( !wp_login( $user, $pass, true ) ) + + if ( $current_name != $user || !wp_login( $user, $pass, true ) ) die('-1'); do_action('check_ajax_referer'); } @@ -322,8 +416,26 @@ function wp_redirect($location, $status = 302) { $location = apply_filters('wp_redirect', $location, $status); if ( !$location ) // allows the wp_redirect filter to cancel a redirect - return false; + return false; + + $location = wp_sanitize_redirect($location); + + if ( $is_IIS ) { + header("Refresh: 0;url=$location"); + } else { + if ( php_sapi_name() != 'cgi-fcgi' ) + status_header($status); // This causes problems on IIS and some FastCGI setups + header("Location: $location"); + } +} +endif; +if ( !function_exists('wp_sanitize_redirect') ) : +/** + * sanitizes a URL for use in a redirect + * @return string redirect-sanitized URL + **/ +function wp_sanitize_redirect($location) { $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location); $location = wp_kses_no_null($location); @@ -339,14 +451,33 @@ function wp_redirect($location, $status = 302) { } } } + return $location; +} +endif; - if ( $is_IIS ) { - header("Refresh: 0;url=$location"); - } else { - if ( php_sapi_name() != 'cgi-fcgi' ) - status_header($status); // This causes problems on IIS and some FastCGI setups - header("Location: $location"); - } +if ( !function_exists('wp_safe_redirect') ) : +/** + * performs a safe (local) redirect, using wp_redirect() + * @return void + **/ +function wp_safe_redirect($location, $status = 302) { + + // Need to look at the URL the way it will end up in wp_redirect() + $location = wp_sanitize_redirect($location); + + // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//' + if ( substr($location, 0, 2) == '//' ) + $location = 'http:' . $location; + + $lp = parse_url($location); + $wpp = parse_url(get_option('home')); + + $allowed_hosts = (array) apply_filters('allowed_redirect_hosts', array($wpp['host']), $lp['host']); + + if ( isset($lp['host']) && !in_array($lp['host'], $allowed_hosts) ) + $location = get_option('siteurl') . '/wp-admin/'; + + wp_redirect($location, $status); } endif; @@ -458,8 +589,7 @@ function wp_notify_postauthor($comment_id, $comment_type='') { $reply_to = "Reply-To: \"$comment->comment_author_email\" <$comment->comment_author_email>"; } - $message_headers = "MIME-Version: 1.0\n" - . "$from\n" + $message_headers = "$from\n" . "Content-Type: text/plain; charset=\"" . get_option('blog_charset') . "\"\n"; if ( isset($reply_to) ) @@ -470,7 +600,7 @@ function wp_notify_postauthor($comment_id, $comment_type='') { $message_headers = apply_filters('comment_notification_headers', $message_headers, $comment_id); @wp_mail($user->user_email, $subject, $notify_message, $message_headers); - + return true; } endif; @@ -485,8 +615,8 @@ function wp_notify_moderator($comment_id) { global $wpdb; if( get_option( "moderation_notify" ) == 0 ) - return true; - + return true; + $comment = $wpdb->get_row("SELECT * FROM $wpdb->comments WHERE comment_ID='$comment_id' LIMIT 1"); $post = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID='$comment->comment_post_ID' LIMIT 1"); |