tags 606657 + patch tags 606657 + pending thanks Dear maintainer,
I've prepared an NMU for wordpress (versioned as 3.0.3-0.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. I have also worked in your git tree, so if you like I will push the changes direct to collab-maint.
-- Jonathan Wiltshire (jmw)
diff -Nru wordpress-3.0.2/debian/changelog wordpress-3.0.3/debian/changelog
--- wordpress-3.0.2/debian/changelog 2010-12-07 07:44:04.000000000 +0000
+++ wordpress-3.0.3/debian/changelog 2010-12-14 09:26:30.000000000 +0000
@@ -1,3 +1,11 @@
+wordpress (3.0.3-0.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * [d46a19b] Imported Upstream version 3.0.3. This is just a
+ security fix (Closes: #606657)
+
+ -- Jonathan Wiltshire <j...@debian.org> Tue, 14 Dec 2010 09:20:13 +0000
+
 wordpress (3.0.2-1) unstable; urgency=high
 
 [ Raphaël Hertzog ]
diff -Nru wordpress-3.0.2/readme.html wordpress-3.0.3/readme.html
--- wordpress-3.0.2/readme.html 2010-11-30 20:18:36.000000000 +0000
+++ wordpress-3.0.3/readme.html 2010-12-08 17:50:05.000000000 +0000
@@ -8,7 +8,7 @@
 <body>
 <h1 id="logo">
 <a href="http://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" width="250" height="68" /></a>
- <br /> Version 3.0.2
+ <br /> Version 3.0.3
 </h1>
 <p style="text-align: center">Semantic Personal Publishing Platform</p>
 
diff -Nru wordpress-3.0.2/wp-admin/includes/update-core.php wordpress-3.0.3/wp-admin/includes/update-core.php
--- wordpress-3.0.2/wp-admin/includes/update-core.php 2010-11-30 20:18:36.000000000 +0000
+++ wordpress-3.0.3/wp-admin/includes/update-core.php 2010-12-08 17:50:05.000000000 +0000
@@ -274,7 +274,7 @@
 $mysql_version = $wpdb->db_version();
 $required_php_version = '4.3';
 $required_mysql_version = '4.1.2';
- $wp_version = '3.0.2';
+ $wp_version = '3.0.3';
 $php_compat = version_compare( $php_version, $required_php_version, '>=' );
 $mysql_compat = version_compare( $mysql_version, $required_mysql_version, '>=' ) || file_exists( WP_CONTENT_DIR . '/db.php' );
 
diff -Nru wordpress-3.0.2/wp-includes/version.php wordpress-3.0.3/wp-includes/version.php
--- wordpress-3.0.2/wp-includes/version.php 2010-11-30 23:14:45.000000000 +0000
+++ wordpress-3.0.3/wp-includes/version.php 2010-12-08 17:50:05.000000000 +0000
@@ -8,7 +8,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '3.0.2';
+$wp_version = '3.0.3';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
diff -Nru wordpress-3.0.2/xmlrpc.php wordpress-3.0.3/xmlrpc.php
--- wordpress-3.0.2/xmlrpc.php 2010-07-14 15:13:17.000000000 +0100
+++ wordpress-3.0.3/xmlrpc.php 2010-12-08 17:58:35.000000000 +0000
@@ -1156,9 +1156,12 @@
 
 do_action('xmlrpc_call', 'wp.deleteComment');
 
- if ( ! get_comment($comment_ID) )
+ if ( !$comment = get_comment( $comment_ID ) )
 return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
 
+ if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
+ return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
+
 return wp_delete_comment($comment_ID);
 }
 
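Review bot: The `xmlrpc_call` action for wp.deleteComment still fires before the new per-post `edit_post` check, whereas this same patch moves the wp.editComment action below its checks in the next hunk, so hook listeners observe delete calls that are then rejected. Moving `do_action('xmlrpc_call', 'wp.deleteComment');` to just above `return wp_delete_comment($comment_ID);` would make the two handlers behave the same way. The assignment inside the condition, `if ( !$comment = get_comment( $comment_ID ) )`, relies on PHP parsing it as `!($comment = ...)`; writing `if ( ! ( $comment = get_comment( $comment_ID ) ) )` makes that explicit, here and in the wp.editComment hunk. The start of wp_deleteComment lies outside the hunk.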
@@ -1185,11 +1188,14 @@
 if ( !current_user_can( 'moderate_comments' ) )
 return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
 
- do_action('xmlrpc_call', 'wp.editComment');
-
- if ( ! get_comment($comment_ID) )
+ if ( !$comment = get_comment( $comment_ID ) )
 return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
 
+ if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
+ return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
+
+ do_action('xmlrpc_call', 'wp.editComment');
+
 if ( isset($content_struct['status']) ) {
 $statuses = get_comment_statuses();
 $statuses = array_keys($statuses);
@@ -1417,7 +1423,7 @@
 if ( !$user = $this->login($username, $password) )
 return $this->error;
 
- if ( !current_user_can( 'edit_posts' ) )
+ if ( !current_user_can( 'edit_pages' ) )
 return new IXR_Error( 403, __( 'You are not allowed access to details about this site.' ) );
 
 do_action('xmlrpc_call', 'wp.getPageStatusList');
@@ -1957,7 +1963,7 @@
 if ( !$actual_post || $actual_post['post_type'] != 'post' )
 return new IXR_Error(404, __('Sorry, no such post.'));
 
- if ( !current_user_can('edit_post', $post_ID) )
+ if ( !current_user_can('delete_post', $post_ID) )
 return new IXR_Error(401, __('Sorry, you do not have the right to delete this post.'));
 
 $result = wp_delete_post($post_ID);
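Review bot: The capability failure in wp.deletePost is reported as IXR_Error 401, while the comment and page-status handlers touched in this patch (wp.deleteComment, wp.editComment, wp.getPageStatusList) return 403 for the same kind of denied-permission case, and mt.publishPost in a later hunk also uses 401. A client receiving 401 might retry authentication rather than report a permissions problem, so one code for "authenticated but not permitted" would make the distinction meaningful. If 401 is deliberately kept so existing clients keep working, a comment such as `// 401 kept for compatibility with existing XML-RPC clients` beside `return new IXR_Error(401, ...)` would record that choice. The enclosing wp_deletePost body starts and ends outside the hunk.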
@@ -1987,30 +1993,42 @@
 $username = $args[1];
 $password = $args[2];
 $content_struct = $args[3];
- $publish = $args[4];
+ $publish = isset( $args[4] ) ? $args[4] : 0;
 
 if ( !$user = $this->login($username, $password) )
 return $this->error;
 
 do_action('xmlrpc_call', 'metaWeblog.newPost');
 
- $cap = ( $publish ) ? 'publish_posts' : 'edit_posts';
- $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
- $post_type = 'post';
 $page_template = '';
 if ( !empty( $content_struct['post_type'] ) ) {
 if ( $content_struct['post_type'] == 'page' ) {
- $cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
+ if ( $publish || 'publish' == $content_struct['page_status'])
+ $cap = 'publish_pages';
+ else
+ $cap = 'edit_pages';
 $error_message = __( 'Sorry, you are not allowed to publish pages on this site.' );
 $post_type = 'page';
 if ( !empty( $content_struct['wp_page_template'] ) )
 $page_template = $content_struct['wp_page_template'];
 } elseif ( $content_struct['post_type'] == 'post' ) {
- // This is the default, no changes needed
+ if ( $publish || 'publish' == $content_struct['post_status'])
+ $cap = 'publish_posts';
+ else
+ $cap = 'edit_posts';
+ $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
+ $post_type = 'post';
 } else {
 // No other post_type values are allowed here
 return new IXR_Error( 401, __( 'Invalid post type.' ) );
 }
+ } else {
+ if ( $publish || 'publish' == $content_struct['post_status'])
+ $cap = 'publish_posts';
+ else
+ $cap = 'edit_posts';
+ $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
+ $post_type = 'post';
 }
 
 if ( !current_user_can( $cap ) )
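Review bot: The new status comparisons read `$content_struct['post_status']` and `$content_struct['page_status']` without an `isset()` guard, so a request that relies only on the `$publish` flag (now defaulting to 0 when `$args[4]` is absent) emits a PHP undefined-index notice in the `else` half of every branch; the same three copies appear in the metaWeblog.editPost hunk. The capability selection is also duplicated verbatim between the `post` branch and the new outer `else`, which is exactly the default-then-override shape the removed lines expressed in three statements, and it is harder to audit as three copies. Computing the publish intent once with an `isset()` guard and restoring the defaults ahead of the `post_type` switch keeps the hunk's access-control decision while removing the notices and the duplication, as below. Whether statuses other than `'publish'` (scheduled posts, for instance) can also cause publication and should be gated by the same capability cannot be determined from this hunk and is worth confirming against wp_insert_post. metaWeblog_newPost starts and ends outside the hunk.
```php
		// Decide publish intent once; a missing status key means "not publish"
		// rather than an undefined-index notice.
		$publish_page = $publish
			|| ( isset( $content_struct['page_status'] ) && 'publish' == $content_struct['page_status'] );
		$publish_post = $publish
			|| ( isset( $content_struct['post_status'] ) && 'publish' == $content_struct['post_status'] );

		// Defaults cover both a missing post_type and post_type == 'post'.
		$cap = $publish_post ? 'publish_posts' : 'edit_posts';
		$error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
		$post_type = 'post';
		$page_template = '';
		if ( !empty( $content_struct['post_type'] ) ) {
			if ( $content_struct['post_type'] == 'page' ) {
				$cap = $publish_page ? 'publish_pages' : 'edit_pages';
				$error_message = __( 'Sorry, you are not allowed to publish pages on this site.' );
				$post_type = 'page';
				if ( !empty( $content_struct['wp_page_template'] ) )
					$page_template = $content_struct['wp_page_template'];
			} elseif ( $content_struct['post_type'] != 'post' ) {
				// No other post_type values are allowed here
				return new IXR_Error( 401, __( 'Invalid post type.' ) );
			}
		}
		// … unchanged: current_user_can( $cap ) check and the rest of the handler …
```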
@@ -2275,17 +2293,32 @@
 $page_template = '';
 if ( !empty( $content_struct['post_type'] ) ) {
 if ( $content_struct['post_type'] == 'page' ) {
- $cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
+ if ( $publish || 'publish' == $content_struct['page_status'] )
+ $cap = 'publish_pages';
+ else
+ $cap = 'edit_pages';
 $error_message = __( 'Sorry, you are not allowed to publish pages on this site.' );
 $post_type = 'page';
 if ( !empty( $content_struct['wp_page_template'] ) )
 $page_template = $content_struct['wp_page_template'];
 } elseif ( $content_struct['post_type'] == 'post' ) {
- // This is the default, no changes needed
+ if ( $publish || 'publish' == $content_struct['post_status'] )
+ $cap = 'publish_posts';
+ else
+ $cap = 'edit_posts';
+ $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
+ $post_type = 'post';
 } else {
 // No other post_type values are allowed here
 return new IXR_Error( 401, __( 'Invalid post type.' ) );
 }
+ } else {
+ if ( $publish || 'publish' == $content_struct['post_status'] )
+ $cap = 'publish_posts';
+ else
+ $cap = 'edit_posts';
+ $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
+ $post_type = 'post';
 }
 
 if ( !current_user_can( $cap ) )
@@ -3101,7 +3134,7 @@
 
 do_action('xmlrpc_call', 'mt.publishPost');
 
- if ( !current_user_can('edit_post', $post_ID) )
+ if ( !current_user_can('publish_posts') || !current_user_can('edit_post', $post_ID) )
 return new IXR_Error(401, __('Sorry, you cannot edit this post.'));
 
 $postdata = wp_get_single_post($post_ID,ARRAY_A);
@@ -3339,4 +3372,4 @@
 
 $wp_xmlrpc_server = new wp_xmlrpc_server();
 $wp_xmlrpc_server->serve_request();
-?>
+?>
\ No newline at end of file
-- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
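Review bot: The error message on the changed line in mt.publishPost still reads `'Sorry, you cannot edit this post.'` although the condition now also fails for a user who may edit the post but lacks `publish_posts`; that user is told they cannot edit, which is misleading and hard to support. Splitting the check so each branch names its own cause, `if ( !current_user_can('publish_posts') ) return new IXR_Error(401, __('Sorry, you cannot publish this post.'));` followed by the existing `edit_post` check and its original message, keeps the decision and fixes the message. The enclosing mt_publishPost body starts and ends outside the hunk.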