Wordpres 4.9.1

db2090b5 · lucha · 7b700183 · db2090b5 · db2090b5 · db2090b5
Commit db2090b5 authored Nov 29, 2017 by lucha
18 changed files
--- a/wp-admin/about.php
+++ b/wp-admin/about.php
@@ -30,6 +30,28 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 			<a href="privacy.php" class="nav-tab"><?php _e( 'Privacy' ); ?></a>
 		</h2>

+		<div class="changelog point-releases">
+			<h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
+			<p>
+				<?php
+				printf(
+					/* translators: 1: WordPress version number, 2: plural number of bugs. */
+					_n(
+						'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+						'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.',
+						11
+					),
+					'4.9.1',
+					number_format_i18n( 11 )
+				);
+				?>
+				<?php
+				/* translators: %s: Codex URL */
+				printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.9.1' );
+				?>
+			</p>
+		</div>
+
 		<div class="feature-section one-col">
 			<div class="col">
 				<h2>

--- a/wp-admin/includes/class-wp-upgrader.php
+++ b/wp-admin/includes/class-wp-upgrader.php
@@ -342,7 +342,8 @@ class WP_Upgrader {
 			if ( ! empty( $details['files'] ) ) {
 				$children = $this->flatten_dirlist( $details['files'], $path . $name . '/' );

-				$files = array_merge( $files, $children );
+				// Merge keeping possible numeric keys, which array_merge() will reindex from 0..n
+				$files = $files + $children;
 			}
 		}


--- a/wp-admin/includes/file.php
+++ b/wp-admin/includes/file.php
@@ -445,7 +445,8 @@ function wp_edit_theme_plugin_file( $args ) {
 			}
 		}

-		if ( 0 !== validate_file( $real_file, $allowed_files ) ) {
+		// Compare based on relative paths
+		if ( 0 !== validate_file( $file, array_keys( $allowed_files ) ) ) {
 			return new WP_Error( 'disallowed_theme_file', __( 'Sorry, that file cannot be edited.' ) );
 		}


--- a/wp-admin/includes/meta-boxes.php
+++ b/wp-admin/includes/meta-boxes.php
@@ -903,7 +903,7 @@ $default_title = apply_filters( 'default_page_template_title',  __( 'Default Tem
 /**
 * Fires before the help hint text in the 'Page Attributes' meta box.
 *
- * @since 4.8.0
+ * @since 4.9.0
 *
 * @param WP_Post $post The current post.
 */

--- a/wp-admin/includes/misc.php
+++ b/wp-admin/includes/misc.php
@@ -77,12 +77,12 @@ function extract_from_markers( $filename, $marker ) {
 	foreach ( $markerdata as $markerline ) {
 		if ( false !== strpos( $markerline, '# END ' . $marker ) ) {
 			$state = false;
-			if ( $state ) {
-				$result[] = $markerline;
-			}
-			if ( false !== strpos( $markerline, '# BEGIN ' . $marker ) ) {
-				$state = true;
-			}
+		}
+		if ( $state ) {
+			$result[] = $markerline;
+		}
+		if ( false !== strpos( $markerline, '# BEGIN ' . $marker ) ) {
+			$state = true;
 		}
 	}


--- a/wp-admin/includes/plugin.php
+++ b/wp-admin/includes/plugin.php
@@ -194,17 +194,6 @@ function get_plugin_files( $plugin ) {
 	$plugin_file = WP_PLUGIN_DIR . '/' . $plugin;
 	$dir = dirname( $plugin_file );

-	$data = get_plugin_data( $plugin_file );
-	$label = isset( $data['Version'] )
-		? sanitize_key( 'files_' . $plugin . '-' . $data['Version'] )
-		: sanitize_key( 'files_' . $plugin );
-	$transient_key = substr( $label, 0, 29 ) . md5( $label );
-
-	$plugin_files = get_transient( $transient_key );
-	if ( false !== $plugin_files ) {
-		return $plugin_files;
-	}
-
 	$plugin_files = array( plugin_basename( $plugin_file ) );

 	if ( is_dir( $dir ) && WP_PLUGIN_DIR !== $dir ) {
@@ -225,8 +214,6 @@ function get_plugin_files( $plugin ) {
 		$plugin_files = array_values( array_unique( $plugin_files ) );
 	}

-	set_transient( $transient_key, $plugin_files, HOUR_IN_SECONDS );
-
 	return $plugin_files;
 }


--- a/wp-admin/includes/upgrade.php
+++ b/wp-admin/includes/upgrade.php
@@ -435,11 +435,11 @@ function wp_upgrade() {
 	if ( is_multisite() ) {
 		$site_id = get_current_blog_id();

-		if ( $wpdb->get_row( $wpdb->prepare( 'SELECT blog_id FROM %s WHERE blog_id = %d', $wpdb->blog_versions, $site_id ) ) ) {
-			$wpdb->query( $wpdb->prepare( 'UPDATE %s SET db_version = %d WHERE blog_id = %d', $wpdb->blog_versions, $wp_db_version, $site_id ) );
- 	    } else {
-			$wpdb->query( $wpdb->prepare( 'INSERT INTO %s ( `blog_id` , `db_version` , `last_updated` ) VALUES ( %d, %d, %s);', $wpdb->blog_versions, $site_id, $wp_db_version, NOW() ) );
- 	    }
+		if ( $wpdb->get_row( $wpdb->prepare( "SELECT blog_id FROM {$wpdb->blog_versions} WHERE blog_id = %d", $site_id ) ) ) {
+			$wpdb->query( $wpdb->prepare( "UPDATE {$wpdb->blog_versions} SET db_version = %d WHERE blog_id = %d", $wp_db_version, $site_id ) );
+		} else {
+			$wpdb->query( $wpdb->prepare( "INSERT INTO {$wpdb->blog_versions} ( `blog_id` , `db_version` , `last_updated` ) VALUES ( %d, %d, NOW() );", $site_id, $wp_db_version ) );
+		}
 	}

 	/**

--- a/wp-admin/js/theme.js
+++ b/wp-admin/js/theme.js
@@ -102,7 +102,7 @@ themes.view.Appearance = wp.Backbone.View.extend({
 			collection: self.collection,
 			parent: this
 		});
-		self.searchView = view;
+		self.SearchView = view;

 		// Render and append after screen title
 		view.render();
@@ -1448,7 +1448,7 @@ themes.Run = {
 		this.render();

 		// Start debouncing user searches after Backbone.history.start().
-		this.view.searchView.doSearch = _.debounce( this.view.searchView.doSearch, 500 );
+		this.view.SearchView.doSearch = _.debounce( this.view.SearchView.doSearch, 500 );
 	},

 	render: function() {
@@ -1924,7 +1924,7 @@ themes.RunInstaller = {
 		this.render();

 		// Start debouncing user searches after Backbone.history.start().
-		this.view.searchView.doSearch = _.debounce( this.view.searchView.doSearch, 500 );
+		this.view.SearchView.doSearch = _.debounce( this.view.SearchView.doSearch, 500 );
 	},

 	render: function() {

--- a/wp-admin/js/theme.min.js
+++ b/wp-admin/js/theme.min.js
--- a/wp-admin/theme-editor.php
+++ b/wp-admin/theme-editor.php
@@ -322,7 +322,7 @@ if ( ! in_array( 'theme_editor_notice', $dismissed_pointers, true ) ) :
 					echo sprintf(
 						/* translators: %s: Codex URL */
 						__( 'You appear to be making direct edits to your theme in the WordPress dashboard. We recommend that you don&#8217;t! Editing your theme directly could break your site and your changes may be lost in future updates. If you need to tweak more than your theme&#8217;s CSS, you might want to try <a href="%s">making a child theme</a>.' ),
-						esc_url( 'https://codex.wordpress.org/Child_Themes' )
+						esc_url( __( 'https://codex.wordpress.org/Child_Themes' ) )
 					);
 					?>
 				</p>

--- a/wp-admin/user-new.php
+++ b/wp-admin/user-new.php
@@ -75,7 +75,7 @@ if ( isset($_REQUEST['action']) && 'adduser' == $_REQUEST['action'] ) {
 				$redirect = add_query_arg( array( 'update' => 'could_not_add' ), 'user-new.php' );
 			}
 		} else {
-			$newuser_key = substr( md5( $user_id ), 0, 5 );
+			$newuser_key = wp_generate_password( 20, false );
 			add_option( 'new_user_' . $newuser_key, array( 'user_id' => $user_id, 'email' => $user_details->user_email, 'role' => $_REQUEST[ 'role' ] ) );

 			$roles = get_editable_roles();

--- a/wp-includes/class-wp-theme.php
+++ b/wp-includes/class-wp-theme.php
@@ -984,34 +984,10 @@ final class WP_Theme implements ArrayAccess {
 	 *               being absolute paths.
 	 */
 	public function get_files( $type = null, $depth = 0, $search_parent = false ) {
-		// get and cache all theme files to start with.
-		$label = sanitize_key( 'files_' . $this->cache_hash . '-' . $this->get( 'Version' ) );
-		$transient_key = substr( $label, 0, 29 ) . md5( $label );
+		$files = (array) self::scandir( $this->get_stylesheet_directory(), $type, $depth );

-		$all_files = get_transient( $transient_key );
-		if ( false === $all_files ) {
-			$all_files = (array) self::scandir( $this->get_stylesheet_directory(), null, -1 );
-
-			if ( $search_parent && $this->parent() ) {
-				$all_files += (array) self::scandir( $this->get_template_directory(), null, -1 );
-			}
-
-			set_transient( $transient_key, $all_files, HOUR_IN_SECONDS );
-		}
-
-		// Filter $all_files by $type & $depth.
-		$files = array();
-		if ( $type ) {
-			$type = (array) $type;
-			$_extensions = implode( '|', $type );
-		}
-		foreach ( $all_files as $key => $file ) {
-			if ( $depth >= 0 && substr_count( $key, '/' ) > $depth ) {
-				continue; // Filter by depth.
-			}
-			if ( ! $type || preg_match( '~\.(' . $_extensions . ')$~', $file ) ) { // Filter by type.
-				$files[ $key ] = $file;
-			}
+		if ( $search_parent && $this->parent() ) {
+			$files += (array) self::scandir( $this->get_template_directory(), $type, $depth );
 		}

 		return $files;

--- a/wp-includes/feed.php
+++ b/wp-includes/feed.php
@@ -476,7 +476,7 @@ function rss_enclosure() {
 				 *
 				 * @param string $html_link_tag The HTML link tag with a URI and other attributes.
 				 */
-				echo apply_filters( 'rss_enclosure', '<enclosure url="' . trim( htmlspecialchars( $enclosure[0] ) ) . '" length="' . trim( $enclosure[1] ) . '" type="' . $type . '" />' . "\n" );
+				echo apply_filters( 'rss_enclosure', '<enclosure url="' . esc_url( trim( $enclosure[0] ) ) . '" length="' . absint( trim( $enclosure[1] ) ) . '" type="' . esc_attr( $type ) . '" />' . "\n" );
 			}
 		}
 	}
@@ -510,7 +510,7 @@ function atom_enclosure() {
 				 *
 				 * @param string $html_link_tag The HTML link tag with a URI and other attributes.
 				 */
-				echo apply_filters( 'atom_enclosure', '<link href="' . trim( htmlspecialchars( $enclosure[0] ) ) . '" rel="enclosure" length="' . trim( $enclosure[1] ) . '" type="' . trim( $enclosure[2] ) . '" />' . "\n" );
+				echo apply_filters( 'atom_enclosure', '<link href="' . esc_url( trim( $enclosure[0] ) ) . '" rel="enclosure" length="' . absint( trim( $enclosure[1] ) ) . '" type="' . esc_attr( trim( $enclosure[2] ) ) . '" />' . "\n" );
 			}
 		}
 	}

--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -2561,8 +2561,9 @@ function get_allowed_mime_types( $user = null ) {
 	if ( function_exists( 'current_user_can' ) )
 		$unfiltered = $user ? user_can( $user, 'unfiltered_html' ) : current_user_can( 'unfiltered_html' );

-	if ( empty( $unfiltered ) )
-		unset( $t['htm|html'] );
+	if ( empty( $unfiltered ) ) {
+		unset( $t['htm|html'], $t['js'] );
+	}

 	/**
 	 * Filters list of allowed mime types and file extensions.

--- a/wp-includes/general-template.php
+++ b/wp-includes/general-template.php
@@ -703,7 +703,7 @@ function get_bloginfo( $show = '', $filter = 'raw' ) {
 			 */
 			$output = __( 'html_lang_attribute' );
 			if ( 'html_lang_attribute' === $output || preg_match( '/[^a-zA-Z0-9-]/', $output ) ) {
-				$output = get_locale();
+				$output = is_admin() ? get_user_locale() : get_locale();
 				$output = str_replace( '_', '-', $output );
 			}
 			break;
@@ -3568,12 +3568,14 @@ function get_language_attributes( $doctype = 'html' ) {
 	if ( function_exists( 'is_rtl' ) && is_rtl() )
 		$attributes[] = 'dir="rtl"';

-	if ( $lang = get_bloginfo('language') ) {
-		if ( get_option('html_type') == 'text/html' || $doctype == 'html' )
-			$attributes[] = "lang=\"$lang\"";
+	if ( $lang = get_bloginfo( 'language' ) ) {
+		if ( get_option( 'html_type' ) == 'text/html' || $doctype == 'html' ) {
+			$attributes[] = 'lang="' . esc_attr( $lang ) . '"';
+		}

-		if ( get_option('html_type') != 'text/html' || $doctype == 'xhtml' )
-			$attributes[] = "xml:lang=\"$lang\"";
+		if ( get_option( 'html_type' ) != 'text/html' || $doctype == 'xhtml' ) {
+			$attributes[] = 'xml:lang="' . esc_attr( $lang ) . '"';
+		}
 	}

 	$output = implode(' ', $attributes);

--- a/wp-includes/script-loader.php
+++ b/wp-includes/script-loader.php
@@ -357,7 +357,7 @@ function wp_default_scripts( &$scripts ) {
 	$scripts->add( 'mediaelement-migrate', "/wp-includes/js/mediaelement/mediaelement-migrate$suffix.js", array(), false, 1);

 	did_action( 'init' ) && $scripts->add_inline_script( 'mediaelement-core', sprintf( 'var mejsL10n = %s;', wp_json_encode( array(
-		'language' => strtolower( str_replace( '_', '-', is_admin() ? get_user_locale() : get_locale() ) ),
+		'language' => strtolower( strtok( is_admin() ? get_user_locale() : get_locale(), '_-' ) ),
 		'strings'  => array(
 			'mejs.install-flash'       => __( 'You are using a browser that does not have Flash player enabled or installed. Please turn on your Flash player plugin or download the latest version from https://get.adobe.com/flashplayer/' ),
 			'mejs.fullscreen-off'      => __( 'Turn off Fullscreen' ),

--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.9';
+$wp_version = '4.9.1';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.

--- a/wp-includes/wp-db.php
+++ b/wp-includes/wp-db.php
@@ -1643,14 +1643,21 @@ class wpdb {
 		$socket  = null;
 		$is_ipv6 = false;

+		// First peel off the socket parameter from the right, if it exists.
+		$socket_pos = strpos( $host, ':/' );
+		if ( $socket_pos !== false ) {
+			$socket = substr( $host, $socket_pos + 1 );
+			$host = substr( $host, 0, $socket_pos );
+		}
+
 		// We need to check for an IPv6 address first.
 		// An IPv6 address will always contain at least two colons.
 		if ( substr_count( $host, ':' ) > 1 ) {
-			$pattern = '#^(?:\[)?(?<host>[0-9a-fA-F:]+)(?:\]:(?<port>[\d]+))?(?:/(?<socket>.+))?#';
+			$pattern = '#^(?:\[)?(?<host>[0-9a-fA-F:]+)(?:\]:(?<port>[\d]+))?#';
 			$is_ipv6 = true;
 		} else {
 			// We seem to be dealing with an IPv4 address.
-			$pattern = '#^(?<host>[^:/]*)(?::(?<port>[\d]+))?(?::(?<socket>.+))?#';
+			$pattern = '#^(?<host>[^:/]*)(?::(?<port>[\d]+))?#';
 		}

 		$matches = array();
@@ -1662,7 +1669,7 @@ class wpdb {
 		}

 		$host = '';
-		foreach ( array( 'host', 'port', 'socket' ) as $component ) {
+		foreach ( array( 'host', 'port' ) as $component ) {
 			if ( ! empty( $matches[ $component ] ) ) {
 				$$component = $matches[ $component ];
 			}