Commit dde8528f authored by lechuck's avatar lechuck Committed by lucha

Upgraded wordpress to 3.9.2

parent 4ffe9185
......@@ -9,7 +9,7 @@
<body>
<h1 id="logo">
<a href="https://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
<br /> Version 3.9.1
<br /> Version 3.9.2
</h1>
<p style="text-align: center">Semantic Personal Publishing Platform</p>
......
......@@ -39,7 +39,11 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
</h2>
<div class="changelog point-releases">
<h3><?php echo _n( 'Maintenance Release', 'Maintenance Releases', 1 ); ?></h3>
<h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 2 ); ?></h3>
<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
'<strong>Version %1$s</strong> addressed some security issues.', 6 ), '3.9.2', number_format_i18n( 6 ) ); ?>
<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'http://codex.wordpress.org/Version_3.9.2' ); ?>
</p>
<p><?php printf( _n( '<strong>Version %1$s</strong> addressed %2$s bug.',
'<strong>Version %1$s</strong> addressed %2$s bugs.', 34 ), '3.9.1', number_format_i18n( 34 ) ); ?>
<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'http://codex.wordpress.org/Version_3.9.1' ); ?>
......
Order Deny,Allow
Deny from all
<FilesMatch "^akismet\.(css|js)$">
<FilesMatch "^(form|akismet)\.(css|js)$">
Allow from all
</FilesMatch>
......
......@@ -75,8 +75,8 @@ h2.ak-header {
display: inline-block !important;
}
.checkforspam-spinner {
display: none;
margin-top: 10px;
display: inline-block;
margin-top: 7px;
}
.config-wrap {
......
......@@ -125,7 +125,7 @@ jQuery( function ( $ ) {
});
$('.checkforspam:not(.button-disabled)').click( function(e) {
$('.checkforspam:not(.button-disabled)').addClass('button-disabled');
$('.checkforspam-spinner').show();
$('.checkforspam-spinner').addClass( 'spinner' );
akismet_check_for_spam(0, 100);
e.preventDefault();
});
......
jQuery( function ( $ ) {
var ak_js = $( '#ak_js' );
var ak_js = document.getElementById( "ak_js" );
// If the form field already exists just use that
if ( ak_js.length == 0 ) {
ak_js = $( '<input type="hidden" id="ak_js" name="ak_js" />' );
}
else {
ak_js.remove();
}
if ( ! ak_js ) {
ak_js = document.createElement( 'input' );
ak_js.setAttribute( 'id', 'ak_js' );
ak_js.setAttribute( 'name', 'ak_js' );
ak_js.setAttribute( 'type', 'hidden' );
}
else {
ak_js.parentNode.removeChild( ak_js );
}
ak_js.setAttribute( 'value', ( new Date() ).getTime() );
ak_js.val( ( new Date() ).getTime() );
var commentForm = document.getElementById( 'commentform' );
// single page, front-end comment form
// inline comment reply, wp-admin
$( '#commentform, #replyrow td:first' ).append( ak_js );
} );
if ( commentForm ) {
commentForm.appendChild( ak_js );
}
else {
var replyRowContainer = document.getElementById( 'replyrow' );
if ( replyRowContainer ) {
var children = replyRowContainer.getElementsByTagName( 'td' );
if ( children.length > 0 ) {
children[0].appendChild( ak_js );
}
}
}
\ No newline at end of file
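Review bot: The rewritten code runs at script-evaluation time instead of inside the DOM-ready callback that the removed `jQuery( function ( $ ) {` wrapper provided, so `var commentForm = document.getElementById( 'commentform' );` returns null unless the comment form precedes this script in the document. If the script is not guaranteed to be printed in the footer (its enqueue is not visible here), the hidden `ak_js` field is silently never appended, and the `replyrow` fallback fails the same way. Either wrap the body in a `DOMContentLoaded` listener or state the assumption in a comment above the lookup, e.g. `// Assumes this script is printed after the comment form (footer enqueue); there is no DOM-ready wait.`.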
......@@ -6,7 +6,7 @@
Plugin Name: Akismet
Plugin URI: http://akismet.com/
Description: Used by millions, Akismet is quite possibly the best way in the world to <strong>protect your blog from comment and trackback spam</strong>. It keeps your site protected from spam even while you sleep. To get started: 1) Click the "Activate" link to the left of this description, 2) <a href="http://akismet.com/get/">Sign up for an Akismet API key</a>, and 3) Go to your Akismet configuration page, and save your API key.
Version: 3.0.0
Version: 3.0.1
Author: Automattic
Author URI: http://automattic.com/wordpress-plugins/
License: GPLv2 or later
......@@ -35,8 +35,8 @@ if ( !function_exists( 'add_action' ) ) {
exit;
}
define( 'AKISMET_VERSION', '3.0.0' );
define( 'AKISMET__MINIMUM_WP_VERSION', '3.0' );
define( 'AKISMET_VERSION', '3.0.1' );
define( 'AKISMET__MINIMUM_WP_VERSION', '3.1' );
define( 'AKISMET__PLUGIN_URL', plugin_dir_url( __FILE__ ) );
define( 'AKISMET__PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
define( 'AKISMET_DELETE_LIMIT', 100000 );
......
=== Akismet ===
Contributors: matt, ryan, andy, mdawaffe, tellyworth, josephscott, lessbloat, eoigal, cfinke, automattic
Tags: akismet, comments, spam
Requires at least: 3.0
Tested up to: 3.9
Stable tag: 3.0.0
Requires at least: 3.1
Tested up to: 3.9.1
Stable tag: 3.0.1
License: GPLv2 or later
Akismet checks your comments against the Akismet web service to see if they look like spam or not.
Akismet checks your comments against the Akismet Web service to see if they look like spam or not.
== Description ==
Akismet checks your comments against the Akismet web service to see if they look like spam or not and lets you
review the spam it catches under your blog's "Comments" admin screen.
Akismet checks your comments against the Akismet Web service to see if they look like spam or not and lets you review the spam it catches under your blog's "Comments" admin screen.
Major new features in Akismet 2.5 include:
Major features in Akismet include:
* A comment status history, so you can easily see which comments were caught or cleared by Akismet, and which were spammed or unspammed by a moderator
* Links are highlighted in the comment body, to reveal hidden or misleading links
* If your web host is unable to reach Akismet's servers, the plugin will automatically retry when your connection is back up
* Moderators can see the number of approved comments for each user
* Spam and Unspam reports now include more information, to help improve accuracy
* Automatically checks all comments and filters out the ones that look like spam.
* Each comment has a status history, so you can easily see which comments were caught or cleared by Akismet and which were spammed or unspammed by a moderator.
* URLs are shown in the comment body to reveal hidden or misleading links.
* Moderators can see the number of approved comments for each user.
* A discard feature that outright blocks the worst spam, saving you disk space and speeding up your site.
PS: You'll need an [Akismet.com API key](http://akismet.com/get/) to use it. Keys are free for personal blogs, with paid subscriptions available for businesses and commercial sites.
PS: You'll need an [Akismet.com API key](http://akismet.com/get/) to use it. Keys are free for personal blogs; paid subscriptions are available for businesses and commercial sites.
== Installation ==
......@@ -31,6 +30,13 @@ Upload the Akismet plugin to your blog, Activate it, then enter your [Akismet.co
== Changelog ==
= 3.0.1 =
* Removed dependency on PHP's fsockopen function
* Fix spam/ham reports to work when reported outside of the WP dashboard, e.g., from Notifications or the WP app
* Remove jQuery dependency for comment form JavaScript
* Remove unnecessary data from some Akismet comment meta
* Suspended keys will now result in all comments being put in moderation, not spam.
= 3.0.0 =
* Move Akismet to Settings menu
* Drop Akismet Stats menu
......@@ -38,7 +44,7 @@ Upload the Akismet plugin to your blog, Activate it, then enter your [Akismet.co
* Add Akismet subscription details and status to Akismet settings
* Add contextual help for each page
* Improve Akismet setup to use Jetpack to automate plugin setup
* Fix Update Check for Spam to use ajax to avoid page timing out
* Fix "Check for Spam" to use AJAX to avoid page timing out
* Fix Akismet settings page to be responsive
* Drop legacy code
* Tidy up CSS and Javascript
......
......@@ -34,7 +34,7 @@
<?php elseif ( $type == 'missing-functions' ) :?>
<div class="wrap alert critical">
<h3 class="key-status failed"><?php esc_html_e('Network functions are disabled.', 'akismet'); ?></h3>
<p class="description"><?php printf( __('Your web host or server administrator has disabled PHP&#8217;s <code>fsockopen</code> or <code>gethostbynamel</code> functions. <strong>Akismet cannot work correctly until this is fixed.</strong> Please contact your web host or firewall administrator and give them <a href="%s" target="_blank">this information about Akismet&#8217;s system requirements</a>.', 'akismet'), 'https://blog.akismet.com/akismet-hosting-faq/'); ?></p>
<p class="description"><?php printf( __('Your web host or server administrator has disabled PHP&#8217;s <code>gethostbynamel</code> functions. <strong>Akismet cannot work correctly until this is fixed.</strong> Please contact your web host or firewall administrator and give them <a href="%s" target="_blank">this information about Akismet&#8217;s system requirements</a>.', 'akismet'), 'https://blog.akismet.com/akismet-hosting-faq/'); ?></p>
</div>
<?php elseif ( $type == 'servers-be-down' ) :?>
<div class="wrap alert critical">
......
......@@ -15,7 +15,7 @@ function akismet_test_mode() {
function akismet_http_post( $request, $host, $path, $port = 80, $ip = null ) {
_deprecated_function( __FUNCTION__, '3.0', 'Akismet::http_post()' );
$path = str_ireplace( '/1.1/', '', $path );
$path = str_replace( '/1.1/', '', $path );
return Akismet::http_post( $request, $path, $ip );
}
......@@ -120,19 +120,19 @@ function akismet_check_for_spam_button( $comment_status ) {
return Akismet_Admin::check_for_spam_button( $comment_status );
}
function akismet_submit_nonspam_comment( $comment_id ) {
_deprecated_function( __FUNCTION__, '3.0', 'Akismet_Admin::submit_nonspam_comment()' );
_deprecated_function( __FUNCTION__, '3.0', 'Akismet::submit_nonspam_comment()' );
return Akismet_Admin::submit_nonspam_comment( $comment_id );
return Akismet::submit_nonspam_comment( $comment_id );
}
function akismet_submit_spam_comment( $comment_id ) {
_deprecated_function( __FUNCTION__, '3.0', 'Akismet_Admin::submit_spam_comment()' );
_deprecated_function( __FUNCTION__, '3.0', 'Akismet::submit_spam_comment()' );
return Akismet_Admin::submit_spam_comment( $comment_id );
return Akismet::submit_spam_comment( $comment_id );
}
function akismet_transition_comment_status( $new_status, $old_status, $comment ) {
_deprecated_function( __FUNCTION__, '3.0', 'Akismet_Admin::transition_comment_status()' );
_deprecated_function( __FUNCTION__, '3.0', 'Akismet::transition_comment_status()' );
return Akismet_Admin::transition_comment_status( $new_status, $old_status, $comment );
return Akismet::transition_comment_status( $new_status, $old_status, $comment );
}
function akismet_spam_count( $type = false ) {
_deprecated_function( __FUNCTION__, '3.0', 'Akismet_Admin::get_spam_count()' );
......@@ -290,4 +290,4 @@ function akismet_kill_proxy_check( $option ) {
_deprecated_function( __FUNCTION__, '3.0' );
return 0;
}
}
\ No newline at end of file
......@@ -519,11 +519,12 @@ class getid3_lib
}
public static function XML2array($XMLstring) {
if (function_exists('simplexml_load_string')) {
if (function_exists('get_object_vars')) {
$XMLobject = simplexml_load_string($XMLstring);
return self::SimpleXMLelement2array($XMLobject);
}
if ( function_exists( 'simplexml_load_string' ) && function_exists( 'libxml_disable_entity_loader' ) ) {
$loader = libxml_disable_entity_loader( true );
$XMLobject = simplexml_load_string( $XMLstring, 'SimpleXMLElement', LIBXML_NOENT );
$return = self::SimpleXMLelement2array( $XMLobject );
libxml_disable_entity_loader( $loader );
return $return;
}
return false;
}
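Review bot: `LIBXML_NOENT` on the new `simplexml_load_string()` call switches entity substitution on, so the protection against external entity resolution rests entirely on the `libxml_disable_entity_loader( true )` call directly above it; that pairing should be stated on the call line, e.g. `// Entity loader is disabled above: NOENT expands only internal entities, external ones cannot be fetched.`. The previous loader state is restored only on the normal path; since parsing is complete once `simplexml_load_string()` returns, moving `libxml_disable_entity_loader( $loader );` to the line right after it restores global state before `SimpleXMLelement2array()` runs and avoids leaving the loader disabled for the rest of the request if that conversion fails. The function now returns false when `libxml_disable_entity_loader` is unavailable, where it previously parsed; that fail-closed choice deserves a one-line comment on the condition.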
......
......@@ -203,11 +203,37 @@ class IXR_Message
{
// first remove the XML declaration
// merged from WP #10698 - this method avoids the RAM usage of preg_replace on very large messages
$header = preg_replace( '/<\?xml.*?\?'.'>/', '', substr($this->message, 0, 100), 1);
$this->message = substr_replace($this->message, $header, 0, 100);
if (trim($this->message) == '') {
$header = preg_replace( '/<\?xml.*?\?'.'>/s', '', substr( $this->message, 0, 100 ), 1 );
$this->message = trim( substr_replace( $this->message, $header, 0, 100 ) );
if ( '' == $this->message ) {
return false;
}
// Then remove the DOCTYPE
$header = preg_replace( '/^<!DOCTYPE[^>]*+>/i', '', substr( $this->message, 0, 200 ), 1 );
$this->message = trim( substr_replace( $this->message, $header, 0, 200 ) );
if ( '' == $this->message ) {
return false;
}
// Check that the root tag is valid
$root_tag = substr( $this->message, 0, strcspn( substr( $this->message, 0, 20 ), "> \t\r\n" ) );
if ( '<!DOCTYPE' === strtoupper( $root_tag ) ) {
return false;
}
if ( ! in_array( $root_tag, array( '<methodCall', '<methodResponse', '<fault' ) ) ) {
return false;
}
// Bail if there are too many elements to parse
$element_limit = 30000;
if ( function_exists( 'apply_filters' ) ) {
$element_limit = apply_filters( 'xmlrpc_element_limit', $element_limit );
}
if ( $element_limit && 2 * $element_limit < substr_count( $this->message, '<' ) ) {
return false;
}
$this->_parser = xml_parser_create();
// Set XML parser to take the case of tags in to account
xml_parser_set_option($this->_parser, XML_OPTION_CASE_FOLDING, false);
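Review bot: The DOCTYPE-stripping regex `'/^<!DOCTYPE[^>]*+>/i'` stops at the first `>`, so a declaration with an internal subset (`<!DOCTYPE x [ ... ]>`) is only partially removed and the message is then rejected by the `'<!DOCTYPE' === strtoupper( $root_tag )` check rather than parsed; that is the right fail-closed outcome but reads as accidental, so a comment on that check would help, e.g. `// A DOCTYPE with an internal subset survives the regex above; reject it here rather than parse it.`. The element limit counts `<` characters, which bounds tags, comments and processing instructions together; that is fine as a ceiling, but the comment on the `substr_count` line should say that `xmlrpc_element_limit` is compared against half the `<` count so filter authors size it correctly. parse() begins and ends outside this hunk.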
......
......@@ -1119,22 +1119,19 @@ final class WP_Customize_Widgets {
}
/**
* Get a widget instance's hash key.
* Get MAC for a serialized widget instance string.
*
* Serialize an instance and hash it with the AUTH_KEY; when a JS value is
* posted back to save, this instance hash key is used to ensure that the
* serialized_instance was not tampered with, but that it had originated
* from WordPress and so is sanitized.
* Allows values posted back from JS to be rejected if any tampering of the
* data has occurred.
*
* @since 3.9.0
* @access protected
*
* @param array $instance Widget instance.
* @return string Widget instance's hash key.
* @param string $serialized_instance Widget instance.
* @return string MAC for serialized widget instance.
*/
protected function get_instance_hash_key( $instance ) {
$hash = md5( AUTH_KEY . serialize( $instance ) );
return $hash;
protected function get_instance_hash_key( $serialized_instance ) {
return wp_hash( $serialized_instance );
}
/**
......@@ -1162,18 +1159,19 @@ final class WP_Customize_Widgets {
}
$decoded = base64_decode( $value['encoded_serialized_instance'], true );
if ( false === $decoded ) {
return null;
}
$instance = unserialize( $decoded );
if ( false === $instance ) {
if ( $this->get_instance_hash_key( $decoded ) !== $value['instance_hash_key'] ) {
return null;
}
if ( $this->get_instance_hash_key( $instance ) !== $value['instance_hash_key'] ) {
$instance = unserialize( $decoded );
if ( false === $instance ) {
return null;
}
return $instance;
}
......@@ -1194,7 +1192,7 @@ final class WP_Customize_Widgets {
'encoded_serialized_instance' => base64_encode( $serialized ),
'title' => empty( $value['title'] ) ? '' : $value['title'],
'is_widget_customizer_js_value' => true,
'instance_hash_key' => $this->get_instance_hash_key( $value ),
'instance_hash_key' => $this->get_instance_hash_key( $serialized ),
);
}
return $value;
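Review bot: `$this->get_instance_hash_key( $decoded ) !== $value['instance_hash_key']` in the sanitize hunk compares a MAC with a plain string comparison, while this same commit introduces `hash_equals()` (compat.php and pluggable.php) and uses it for auth cookies and nonces; for consistency the check should read `if ( ! hash_equals( $this->get_instance_hash_key( $decoded ), $value['instance_hash_key'] ) ) {` with the computed value as the expected (first) argument. Moving the MAC check ahead of `unserialize()` is the substantive part of the change and is correct. In get_instance_hash_key's docblock, `@param string $serialized_instance Widget instance.` should read `Serialized widget instance.`, since the method now hashes the string as given. The sanitize method starts and ends outside its hunk.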
......
......@@ -94,3 +94,32 @@ if ( !function_exists('json_decode') ) {
return is_array($data) ? array_map(__FUNCTION__, $data) : $data;
}
}
if ( ! function_exists( 'hash_equals' ) ) :
/**
* Compare two strings in constant time.
*
* This function was added in PHP 5.6.
* It can leak the length of a string.
*
* @since 3.9.2
*
* @param string $a Expected string.
* @param string $b Actual string.
* @return bool Whether strings are equal.
*/
function hash_equals( $a, $b ) {
$a_length = strlen( $a );
if ( $a_length !== strlen( $b ) ) {
return false;
}
$result = 0;
// Do not attempt to "optimize" this.
for ( $i = 0; $i < $a_length; $i++ ) {
$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
}
return $result === 0;
}
endif;
\ No newline at end of file
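Review bot: The polyfill `hash_equals()` does not check that `$a` and `$b` are strings, unlike the native PHP 5.6 function it stands in for, which refuses non-string arguments; with an array or integer, `strlen()` and the `$a[ $i ]` indexing behave differently across PHP versions, so callers such as wp_verify_nonce(), whose `$nonce` argument typically comes from request data, get version-dependent results. Add `if ( ! is_string( $a ) || ! is_string( $b ) ) { return false; }` before the length check, and extend the docblock with a line saying non-string input returns false. The identical copy added to pluggable.php in this commit has the same gap and should get the same guard.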
......@@ -647,7 +647,7 @@ function wp_validate_auth_cookie($cookie = '', $scheme = '') {
$key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);
$hash = hash_hmac('md5', $username . '|' . $expiration, $key);
if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) {
if ( ! hash_equals( $hash, $hmac ) ) {
/**
* Fires if a bad authentication cookie hash is encountered.
*
......@@ -1658,11 +1658,17 @@ function wp_verify_nonce($nonce, $action = -1) {
$i = wp_nonce_tick();
// Nonce generated 0-12 hours ago
if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) === $nonce )
$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid, 'nonce'), -12, 10 );
if ( hash_equals( $expected, $nonce ) ) {
return 1;
}
// Nonce generated 12-24 hours ago
if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) === $nonce )
$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid, 'nonce' ), -12, 10 );
if ( hash_equals( $expected, $nonce ) ) {
return 2;
}
// Invalid nonce
return false;
}
......@@ -1687,7 +1693,7 @@ function wp_create_nonce($action = -1) {
$i = wp_nonce_tick();
return substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10);
return substr(wp_hash($i . '|' . $action . '|' . $uid, 'nonce'), -12, 10);
}
endif;
......@@ -2107,7 +2113,8 @@ function get_avatar( $id_or_email, $size = '96', $default = '', $alt = false ) {
$out = str_replace( '&#038;', '&amp;', esc_url( $out ) );
$avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo' height='{$size}' width='{$size}' />";
} else {
$avatar = "<img alt='{$safe_alt}' src='{$default}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
$out = esc_url( $default );
$avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
}
/**
......@@ -2200,3 +2207,35 @@ function wp_text_diff( $left_string, $right_string, $args = null ) {
}
endif;
if ( ! function_exists( 'hash_equals' ) ) :
/**
* Compare two strings in constant time.
*
* This function is NOT pluggable. It is in this file (in addition to
* compat.php) to prevent errors if, during an update, pluggable.php
* copies over but compat.php does not.
*
* This function was added in PHP 5.6.
* It can leak the length of a string.
*
* @since 3.9.2
*
* @param string $a Expected string.
* @param string $b Actual string.
* @return bool Whether strings are equal.
*/
function hash_equals( $a, $b ) {
$a_length = strlen( $a );
if ( $a_length !== strlen( $b ) ) {
return false;
}
$result = 0;
// Do not attempt to "optimize" this.
for ( $i = 0; $i < $a_length; $i++ ) {
$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
}
return $result === 0;
}
endif;
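Review bot: The `|` separators now inserted into the hashed input of wp_verify_nonce() (and wp_create_nonce() in the next hunk) change every nonce value, so nonces issued before the upgrade fail both tick windows after deploy and the two functions must ship together; neither consequence is recorded in the code. A comment above the first `$expected` line would capture it, e.g. `// Inputs are delimited, presumably so action/uid concatenations cannot collide; nonces generated before 3.9.2 are invalid.`. In the get_avatar() hunk, the new `$avatar` line still interpolates `$size` unescaped into the attributes; if the top of the function (outside this hunk) does not already coerce it with absint(), it should be escaped here alongside the new `esc_url( $default )`. wp_verify_nonce() starts outside its hunk.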
......@@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '3.9.1';
$wp_version = '3.9.2';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
......
......@@ -562,10 +562,25 @@ break;
case 'resetpass' :
case 'rp' :
$user = check_password_reset_key($_GET['key'], $_GET['login']);
list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
$rp_cookie = 'wp-resetpass-' . COOKIEHASH;
if ( isset( $_GET['key'] ) ) {
$value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) );
setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) );
exit;
}
if ( isset( $_COOKIE[ $rp_cookie ] ) && 0 < strpos( $_COOKIE[ $rp_cookie ], ':' ) ) {
list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );
$user = check_password_reset_key( $rp_key, $rp_login );
} else {
$user = false;
}
if ( is_wp_error($user) ) {
if ( $user->get_error_code() === 'expired_key' )
if ( ! $user || is_wp_error( $user ) ) {
setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
if ( $user && $user->get_error_code() === 'expired_key' )
wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) );
else
wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=invalidkey' ) );
......@@ -589,6 +604,7 @@ case 'rp' :
if ( ( ! $errors->get_error_code() ) && isset( $_POST['pass1'] ) && !empty( $_POST['pass1'] ) ) {
reset_password($user, $_POST['pass1']);
setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
login_header( __( 'Password Reset' ), '<p class="message reset-pass">' . __( 'Your password has been reset.' ) . ' <a href="' . esc_url( wp_login_url() ) . '">' . __( 'Log in' ) . '</a></p>' );
login_footer();
exit;
......@@ -600,8 +616,8 @@ case 'rp' :
login_header(__('Reset Password'), '<p class="message reset-pass">' . __('Enter your new password below.') . '</p>', $errors );
?>
<form name="resetpassform" id="resetpassform" action="<?php echo esc_url( site_url( 'wp-login.php?action=resetpass&key=' . urlencode( $_GET['key'] ) . '&login=' . urlencode( $_GET['login'] ), 'login_post' ) ); ?>" method="post" autocomplete="off">
<input type="hidden" id="user_login" value="<?php echo esc_attr( $_GET['login'] ); ?>" autocomplete="off" />
<form name="resetpassform" id="resetpassform" action="<?php echo esc_url( site_url( 'wp-login.php?action=resetpass', 'login_post' ) ); ?>" method="post" autocomplete="off">
<input type="hidden" id="user_login" value="<?php echo esc_attr( $rp_login ); ?>" autocomplete="off" />
<p>
<label for="pass1"><?php _e('New password') ?><br />
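Review bot: The `isset( $_GET['key'] )` branch in the first hunk sets the cookie even when `$_GET['login']` is absent, producing a value that begins with `:`; the later `0 < strpos( ... , ':' )` test then rejects it and the user lands on the generic invalidkey error after an extra redirect, which is safe but roundabout. Guarding with `if ( isset( $_GET['key'], $_GET['login'] ) ) {` avoids issuing a cookie that can never validate. The cookie carries the reset key, so HttpOnly and the `$rp_path` scoping derived from REQUEST_URI are the right choices, with Secure following is_ssl() as elsewhere. The `explode( ':', ..., 2 )` split presumes logins never contain `:`; if sanitize_user does not guarantee that (not visible here), a login containing a colon would have its remainder attributed to the key.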
......