#! /bin/sh /usr/share/dpatch/dpatch-run
## 2.0.12 backport.dpatch by  <andrea.de.iacovo@gmail.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: 2.0.12 backport: this is the base to many security fixes

@DPATCH@

diff -Nru wordpress/wp-admin/admin-functions.php wordpress-etch/wp-admin/admin-functions.php
--- wordpress-etch/wp-admin/admin-functions.php	2007-03-28 01:47:02.000000000 +0200
+++ wordpress-etch/wp-admin/admin-functions.php	2008-04-22 11:42:10.000000000 +0200
@@ -319,11 +319,15 @@
 
 	$comment = get_comment($id);
 
-	$comment->comment_content = format_to_edit($comment->comment_content, $richedit);
+	$comment->comment_ID = (int) $comment->comment_ID;
+	$comment->comment_post_ID = (int) $comment->comment_post_ID;
+
+	$comment->comment_content = format_to_edit($comment->comment_content);
 	$comment->comment_content = apply_filters('comment_edit_pre', $comment->comment_content);
 
 	$comment->comment_author = format_to_edit($comment->comment_author);
 	$comment->comment_author_email = format_to_edit($comment->comment_author_email);
+	$comment->comment_author_url = clean_url($comment->comment_author_url);
 	$comment->comment_author_url = format_to_edit($comment->comment_author_url);
 
 	return $comment;
@@ -862,6 +866,7 @@
 
 		$entry['meta_key'] = attribute_escape( $entry['meta_key']);
 		$entry['meta_value'] = attribute_escape( $entry['meta_value']);
+		$entry['meta_id'] = (int) $entry['meta_id'];
 		echo "
 			<tr class='$style'>
 				<td valign='top'><input name='meta[{$entry['meta_id']}][key]' tabindex='6' type='text' size='20' value='{$entry['meta_key']}' /></td>
@@ -933,6 +938,8 @@
 	global $wpdb;
 	$post_ID = (int) $post_ID;
 
+	$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
+
 	$metakeyselect = $wpdb->escape(stripslashes(trim($_POST['metakeyselect'])));
 	$metakeyinput = $wpdb->escape(stripslashes(trim($_POST['metakeyinput'])));
 	$metavalue = maybe_serialize(stripslashes((trim($_POST['metavalue']))));
@@ -948,6 +955,9 @@
 		if ($metakeyinput)
 			$metakey = $metakeyinput; // default
 
+		if ( in_array($metakey, $protected) )
+			return false;
+
 		$result = $wpdb->query("
 						INSERT INTO $wpdb->postmeta 
 						(post_id,meta_key,meta_value) 
@@ -965,6 +975,12 @@
 
 function update_meta($mid, $mkey, $mvalue) {
 	global $wpdb;
+
+	$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
+
+	if ( in_array($mkey, $protected) )
+		return false;
+
 	$mvalue = maybe_serialize(stripslashes($mvalue));
 	$mvalue = $wpdb->escape($mvalue);
 	$mid = (int) $mid;
@@ -1813,6 +1829,7 @@
 }
 </script>
 <form enctype="multipart/form-data" id="uploadForm" method="post" action="<?php echo attribute_escape($action) ?>">
+<?php wp_nonce_field('import-upload'); ?>
 <label for="upload"><?php _e('File:'); ?></label><input type="file" id="upload" name="import" />
 <input type="hidden" name="action" value="save" />
 <div id="buttons">
diff -Nru wordpress/wp-admin/edit-form-advanced.php wordpress-etch/wp-admin/edit-form-advanced.php
--- wordpress-etch/wp-admin/edit-form-advanced.php	2007-01-30 20:14:50.000000000 +0100
+++ wordpress-etch/wp-admin/edit-form-advanced.php	2008-04-22 11:42:10.000000000 +0200
@@ -1,10 +1,12 @@
 <?php
+if ( isset($_GET['message']) )
+	$_GET['message'] = (int) $_GET['message'];
 $messages[1] = __('Post updated');
 $messages[2] = __('Custom field updated');
 $messages[3] = __('Custom field deleted.');
 ?>
 <?php if (isset($_GET['message'])) : ?>
-<div id="message" class="updated fade"><p><?php echo $messages[$_GET['message']]; ?></p></div>
+<div id="message" class="updated fade"><p><?php echo wp_specialchars($messages[$_GET['message']]); ?></p></div>
 <?php endif; ?>
 
 <form name="post" action="post.php" method="post" id="post">
@@ -24,16 +26,17 @@
 	$form_extra = "<input type='hidden' name='temp_ID' value='$temp_ID' />";
 	wp_nonce_field('add-post');
 } else {
+	$post_ID = (int) $post_ID;
 	$form_action = 'editpost';
 	$form_extra = "<input type='hidden' name='post_ID' value='$post_ID' />";
 	wp_nonce_field('update-post_' .  $post_ID);
 }
 
-$form_pingback = '<input type="hidden" name="post_pingback" value="' . get_option('default_pingback_flag') . '" id="post_pingback" />';
+$form_pingback = '<input type="hidden" name="post_pingback" value="' . (int) get_option('default_pingback_flag') . '" id="post_pingback" />'; 
 
-$form_prevstatus = '<input type="hidden" name="prev_status" value="' . $post->post_status . '" />';
+$form_prevstatus = '<input type="hidden" name="prev_status" value="' . attribute_escape( $post->post_status ) . '" />'; 
 
-$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. str_replace("\n", ' ', $post->to_ping) .'" />';
+$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. attribute_escape( str_replace("\n", ' ', $post->to_ping) ) .'" />';
 
 if ('' != $post->pinged) {
 	$pings = '<p>'. __('Already pinged:') . '</p><ul>';
@@ -44,15 +47,15 @@
 	$pings .= '</ul>';
 }
 
-$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . __('Save and Continue Editing') . '" />';
+$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . attribute_escape(__('Save and Continue Editing')) . '" />';
 
 if (empty($post->post_status)) $post->post_status = 'draft';
 
 ?>
 
-<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
+<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" name="action" value="<?php echo $form_action ?>" />
-<input type="hidden" name="post_author" value="<?php echo $post->post_author ?>" />
+<input type="hidden" name="post_author" value="<?php echo attribute_escape($post->post_author) ?>" />
 
 <?php echo $form_extra ?>
 <?php if (isset($_GET['message']) && 2 > $_GET['message']) : ?>
@@ -82,12 +85,12 @@
 
 <fieldset id="passworddiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Password-Protect Post') ?></h3> 
-<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div>
+<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape($post->post_password) ?>" /></div>
 </fieldset>
 
 <fieldset id="slugdiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Post slug') ?></h3> 
-<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div>
+<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape($post->post_name) ?>" /></div>
 </fieldset>
 
 <fieldset id="categorydiv" class="dbx-box">
@@ -123,7 +126,7 @@
 $o = get_userdata( $o->ID );
 if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"';
 else $selected = '';
-echo "<option value='$o->ID' $selected>$o->display_name</option>";
+echo "<option value='" . (int) $o->ID . "' $selected>" . wp_specialchars($o->display_name) . "</option>";
 endforeach;
 ?>
 </select>
@@ -138,7 +141,7 @@
 
 <fieldset id="titlediv">
   <legend><?php _e('Title') ?></legend> 
-  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
+  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div>
 </fieldset>
 
 <fieldset id="<?php echo user_can_richedit() ? 'postdivrich' : 'postdiv'; ?>">
@@ -221,7 +224,7 @@
 
 <?php
 if (current_user_can('upload_files')) {
-	$uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
+	$uploading_iframe_ID = (int) (0 == $post_ID ? $temp_ID : $post_ID);
 	$uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&amp;post=$uploading_iframe_ID", 'inlineuploading');
 	$uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
 	if ( false != $uploading_iframe_src )
diff -Nru wordpress/wp-admin/edit-form-comment.php wordpress-etch/wp-admin/edit-form-comment.php
--- wordpress-etch/wp-admin/edit-form-comment.php	2006-06-24 23:37:24.000000000 +0200
+++ wordpress-etch/wp-admin/edit-form-comment.php	2008-04-22 11:42:10.000000000 +0200
@@ -8,7 +8,7 @@
 <form name="post" action="post.php" method="post" id="post">
 <?php wp_nonce_field('update-comment_' . $comment->comment_ID) ?>
 <div class="wrap">
-<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
+<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" name="action" value='<?php echo $form_action . $form_extra ?>' />
 
 <script type="text/javascript">
@@ -20,19 +20,19 @@
 <fieldset id="namediv">
     <legend><?php _e('Name:') ?></legend>
 	<div>
-	  <input type="text" name="newcomment_author" size="22" value="<?php echo $comment->comment_author ?>" tabindex="1" id="name" />
+	  <input type="text" name="newcomment_author" size="22" value="<?php echo attribute_escape($comment->comment_author); ?>" tabindex="1" id="name" />
     </div>
 </fieldset>
 <fieldset id="emaildiv">
         <legend><?php _e('E-mail:') ?></legend>
 		<div>
-		  <input type="text" name="newcomment_author_email" size="30" value="<?php echo $comment->comment_author_email ?>" tabindex="2" id="email" />
+		  <input type="text" name="newcomment_author_email" size="30" value="<?php echo attribute_escape($comment->comment_author_email); ?>" tabindex="2" id="email" />
     </div>
 </fieldset>
 <fieldset id="uridiv">
         <legend><?php _e('URI:') ?></legend>
 		<div>
-		  <input type="text" id="newcomment_author_url" name="newcomment_author_url" size="35" value="<?php echo $comment->comment_author_url ?>" tabindex="3" id="URL" />
+		  <input type="text" id="newcomment_author_url" name="newcomment_author_url" size="35" value="<?php echo attribute_escape($comment->comment_author_url); ?>" tabindex="3" id="URL" />
     </div>
 </fieldset>
 
diff -Nru wordpress/wp-admin/edit-form.php wordpress-etch/wp-admin/edit-form.php
--- wordpress-etch/wp-admin/edit-form.php	2006-07-01 00:17:07.000000000 +0200
+++ wordpress-etch/wp-admin/edit-form.php	2008-04-22 11:42:10.000000000 +0200
@@ -6,7 +6,7 @@
 <?php if (isset($mode) && 'bookmarklet' == $mode) : ?>
 <input type="hidden" name="mode" value="bookmarklet" />
 <?php endif; ?>
-<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
+<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" name="action" value='post' />
 
 <script type="text/javascript">
@@ -21,7 +21,7 @@
 <div id="poststuff">
     <fieldset id="titlediv">
       <legend><a href="http://wordpress.org/docs/reference/post/#title" title="<?php _e('Help on titles') ?>"><?php _e('Title') ?></a></legend> 
-	  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
+	  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div>
     </fieldset>
 
     <fieldset id="categorydiv">
@@ -49,7 +49,7 @@
 //-->
 </script>
 
-<input type="hidden" name="post_pingback" value="<?php echo get_option('default_pingback_flag') ?>" id="post_pingback" />
+<input type="hidden" name="post_pingback" value="<?php echo (int) get_option('default_pingback_flag') ?>" id="post_pingback" />
 
 <p><label for="trackback"> <?php printf(__('<a href="%s" title="Help on trackbacks"><strong>TrackBack</strong> a <abbr title="Universal Resource Identifier">URI</abbr></a>:</label> (Separate multiple <abbr title="Universal Resource Identifier">URI</abbr>s with spaces.)<br />'), 'http://wordpress.org/docs/reference/post/#trackback') ?>
 	<input type="text" name="trackback_url" style="width: 360px" id="trackback" tabindex="7" /></p>
@@ -64,7 +64,7 @@
 <?php if ('bookmarklet' != $mode) {
       echo '<input name="advanced" type="submit" id="advancededit" tabindex="7" value="' .  __('Advanced Editing &raquo;') . '" />';
   } ?>
-  <input name="referredby" type="hidden" id="referredby" value="<?php if ( wp_get_referer() ) echo urlencode(wp_get_referer()); ?>" />
+  <input name="referredby" type="hidden" id="referredby" value="<?php if ( $refby = wp_get_referer() ) echo urlencode($refby); ?>" />
 </p>
 
 <?php do_action('simple_edit_form', ''); ?>
diff -Nru wordpress/wp-admin/edit-page-form.php wordpress-etch/wp-admin/edit-page-form.php
--- wordpress-etch/wp-admin/edit-page-form.php	2006-12-21 11:10:04.000000000 +0100
+++ wordpress-etch/wp-admin/edit-page-form.php	2008-04-22 11:42:10.000000000 +0200
@@ -9,11 +9,15 @@
 	$temp_ID = -1 * time();
 	$form_extra = "<input type='hidden' name='temp_ID' value='$temp_ID' />";
 } else {
+	$post_ID = (int) $post_ID;
 	$form_action = 'editpost';
 	$nonce_action = 'update-post_' . $post_ID;
 	$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
 }
 
+$temp_ID = (int) $temp_ID;
+$user_ID = (int) $user_ID;
+
 $sendto = attribute_escape(wp_get_referer());
 
 if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )
@@ -60,7 +64,7 @@
 
 <fieldset id="passworddiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Password-Protect Post') ?></h3> 
-<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div>
+<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape($post->post_password); ?>" /></div>
 </fieldset>
 
 <fieldset id="pageparent" class="dbx-box">
@@ -85,7 +89,7 @@
 
 <fieldset id="slugdiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Post slug') ?></h3> 
-<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div>
+<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape($post->post_name); ?>" /></div>
 </fieldset>
 
 <?php if ( $authors = get_editable_authors( $current_user->id ) ) : // TODO: ROLE SYSTEM ?>
@@ -98,6 +102,8 @@
 $o = get_userdata( $o->ID );
 if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"';
 else $selected = '';
+$o->ID = (int) $o->ID;
+$o->display_name = wp_specialchars( $o->display_name );
 echo "<option value='$o->ID' $selected>$o->display_name</option>";
 endforeach;
 ?>
@@ -118,7 +124,7 @@
 
 <fieldset id="titlediv">
   <legend><?php _e('Page Title') ?></legend> 
-  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
+  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div>
 </fieldset>
 
 

diff -Nru wordpress/wp-admin/options.php wordpress-etch/wp-admin/options.php
--- wordpress-etch/wp-admin/options.php	2006-12-21 11:10:04.000000000 +0100
+++ wordpress-etch/wp-admin/options.php	2008-04-22 11:42:10.000000000 +0200
@@ -151,10 +151,11 @@
 
 foreach ( (array) $options as $option) :
 	$disabled = '';
+	$option->option_name = attribute_escape($option->option_name);
 	if ( is_serialized($option->option_value) ) {
 		if ( is_serialized_string($option->option_value) ) {
 			// this is a serialized string, so we should display it
-			$value = wp_specialchars(maybe_unserialize($option->option_value), 'single');
+			$value = maybe_unserialize($option->option_value);
 			$options_to_update[] = $option->option_name;
 			$class = 'all-options';
 		} else {
@@ -163,7 +164,7 @@
 			$class = 'all-options disabled';
 		}
 	} else {
-		$value = wp_specialchars($option->option_value, 'single');
+		$value = $option->option_value;
 		$options_to_update[] = $option->option_name;
 		$class = 'all-options';
 	}
@@ -172,8 +173,8 @@
 	<th scope='row'><label for='$option->option_name'>$option->option_name</label></th>
 <td>";
 
-	if (stristr($value, "\n")) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>$value</textarea>";
-	else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . $value . "'$disabled />";
+	if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . wp_specialchars($value) . "</textarea>";
+	else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . attribute_escape($value) . "'$disabled />";
 	
 	echo "</td>
 	<td>$option->option_description</td>
@@ -182,7 +183,7 @@
 ?>
   </table>
 <?php $options_to_update = implode(',', $options_to_update); ?>
-<p class="submit"><input type="hidden" name="page_options" value="<?php echo attribute_escape($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
+<p class="submit"><input type="hidden" name="page_options" value="<?php echo $options_to_update; ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
   </form>
 </div>
 
diff -Nru wordpress/wp-admin/post.php wordpress-etch/wp-admin/post.php
--- wordpress-etch/wp-admin/post.php	2007-03-17 10:04:56.000000000 +0100
+++ wordpress-etch/wp-admin/post.php	2008-04-22 11:42:10.000000000 +0200
@@ -194,7 +194,7 @@
 	$comment = (int) $_GET['comment'];
 	$p = (int) $_GET['p'];
 
-	if ( ! $comment = get_comment($comment) )
+	if ( ! $comment = get_comment_to_edit($comment) )
 		die(sprintf(__('Oops, no comment with this ID. <a href="%s">Go back</a>!'), 'edit.php'));
 
 	if ( !current_user_can('edit_post', $comment->comment_post_ID) )	
diff -Nru wordpress/wp-content/plugins/wp-db-backup.php wordpress-etch/wp-content/plugins/wp-db-backup.php
--- wordpress-etch/wp-content/plugins/wp-db-backup.php	2006-09-25 20:51:54.000000000 +0200
+++ wordpress-etch/wp-content/plugins/wp-db-backup.php	1970-01-01 01:00:00.000000000 +0100
@@ -1,910 +0,0 @@
-<?php
-/*
-Plugin Name: WordPress Database Backup
-Plugin URI: http://www.skippy.net/blog/plugins/
-Description: On-demand backup of your WordPress database.
-Author: Scott Merrill
-Version: 1.8
-Author URI: http://www.skippy.net/
-
-Much of this was modified from Mark Ghosh's One Click Backup, which
-in turn was derived from phpMyAdmin.
-
-Many thanks to Owen (http://asymptomatic.net/wp/) for his patch
-   http://dev.wp-plugins.org/ticket/219
-*/
-
-// CHANGE THIS IF YOU WANT TO USE A 
-// DIFFERENT BACKUP LOCATION
-
-$rand = substr( md5( md5( DB_PASSWORD ) ), -5 );
-
-define('WP_BACKUP_DIR', 'wp-content/backup-' . $rand);
-
-define('ROWS_PER_SEGMENT', 100);
-
-class wpdbBackup {
-
-	var $backup_complete = false;
-	var $backup_file = '';
-	var $backup_dir = WP_BACKUP_DIR;
-	var $backup_errors = array();
-	var $basename;
-
-	function gzip() {
-		return function_exists('gzopen');
-	}
-
-	function wpdbBackup() {
-		add_action('wp_cron_daily', array(&$this, 'wp_cron_daily'));
-
-		$this->backup_dir = trailingslashit($this->backup_dir);
-		$this->basename = preg_replace('/^.*wp-content[\\\\\/]plugins[\\\\\/]/', '', __FILE__);
-	
-		if (isset($_POST['do_backup'])) {
-			if ( !current_user_can('import') ) die(__('You are not allowed to perform backups.'));
-			switch($_POST['do_backup']) {
-			case 'backup':
-				$this->perform_backup();
-				break;
-			case 'fragments':
-				add_action('admin_menu', array(&$this, 'fragment_menu'));
-				break;				
-			}
-		} elseif (isset($_GET['fragment'] )) {
-			if ( !current_user_can('import') ) die(__('You are not allowed to perform backups.'));
-			add_action('init', array(&$this, 'init'));
-		} elseif (isset($_GET['backup'] )) {
-			if ( !current_user_can('import') ) die(__('You are not allowed to perform backups.'));
-			add_action('init', array(&$this, 'init'));
-		} else {
-			add_action('admin_menu', array(&$this, 'admin_menu'));
-		}
-	}
-	
-	function init() {
-		if ( !current_user_can('import') ) die(__('You are not allowed to perform backups.'));
-
-		if (isset($_GET['backup'])) {
-			$via = isset($_GET['via']) ? $_GET['via'] : 'http';
-			
-			$this->backup_file = $_GET['backup'];
-			$this->validate_file($this->backup_file);
-
-			switch($via) {
-			case 'smtp':
-			case 'email':
-				$this->deliver_backup ($this->backup_file, 'smtp', $_GET['recipient']);
-				echo '
-					<!-- ' . $via . ' -->
-					<script type="text/javascript"><!--\\
-				';
-				if($this->backup_errors) {
-					foreach($this->backup_errors as $error) {
-						echo "window.parent.addError('$error');\n";
-					}
-				}
-				echo '
-					alert("' . __('Backup Complete!') . '");
-					</script>
-				';
-				break;
-			default:
-				$this->deliver_backup ($this->backup_file, $via);
-			}
-			die();
-		}
-		if (isset($_GET['fragment'] )) {
-			list($table, $segment, $filename) = explode(':', $_GET['fragment']);
-			$this->validate_file($filename);
-			$this->backup_fragment($table, $segment, $filename);
-		}
-
-		die();
-	}
-	
-	function build_backup_script() {
-		global $table_prefix, $wpdb;
-	
-		$datum = date("Ymd_B");
-		$backup_filename = DB_NAME . "_$table_prefix$datum.sql";
-		if ($this->gzip()) $backup_filename .= '.gz';
-		
-		echo "<div class='wrap'>";
-		//echo "<pre>" . print_r($_POST, 1) . "</pre>";
-		echo '<h2>' . __('Backup') . '</h2>
-			<fieldset class="options"><legend>' . __('Progress') . '</legend>
-			<p><strong>' .
-				__('DO NOT DO THE FOLLOWING AS IT WILL CAUSE YOUR BACKUP TO FAIL:').
-			'</strong></p>
-			<ol>
-				<li>'.__('Close this browser').'</li>
-				<li>'.__('Reload this page').'</li>
-				<li>'.__('Click the Stop or Back buttons in your browser').'</li>
-			</ol>
-			<p><strong>' . __('Progress:') . '</strong></p>
-			<div id="meterbox" style="height:11px;width:80%;padding:3px;border:1px solid #659fff;"><div id="meter" style="height:11px;background-color:#659fff;width:0%;text-align:center;font-size:6pt;">&nbsp;</div></div>
-			<div id="progress_message"></div>
-			<div id="errors"></div>
-			</fieldset>
-			<iframe id="backuploader" src="about:blank" style="border:0px solid white;height:1em;width:1em;"></iframe>
-			<script type="text/javascript"><!--//
-			function setMeter(pct) {
-				var meter = document.getElementById("meter");
-				meter.style.width = pct + "%";
-				meter.innerHTML = Math.floor(pct) + "%";
-			}
-			function setProgress(str) {
-				var progress = document.getElementById("progress_message");
-				progress.innerHTML = str;
-			}
-			function addError(str) {
-				var errors = document.getElementById("errors");
-				errors.innerHTML = errors.innerHTML + str + "<br />";
-			}
-
-			function backup(table, segment) {
-				var fram = document.getElementById("backuploader");				
-				fram.src = "' . $_SERVER['REQUEST_URI'] . '&fragment=" + table + ":" + segment + ":' . $backup_filename . '";
-			}
-			
-			var curStep = 0;
-			
-			function nextStep() {
-				backupStep(curStep);
-				curStep++;
-			}
-			
-			function finishBackup() {
-				var fram = document.getElementById("backuploader");				
-				setMeter(100);
-		';
-
-		$this_basename = preg_replace('/^.*wp-content[\\\\\/]plugins[\\\\\/]/', '', __FILE__);
-		$download_uri = get_settings('siteurl') . "/wp-admin/edit.php?page={$this_basename}&backup={$backup_filename}";
-		switch($_POST['deliver']) {
-		case 'http':
-			echo '
-				setProgress("' . sprintf(__("Backup complete, preparing <a href=\\\"%s\\\">backup</a> for download..."), $download_uri) . '");
-				fram.src = "' . $download_uri . '";
-			';
-			break;
-		case 'smtp':
-			echo '
-				setProgress("' . sprintf(__("Backup complete, sending <a href=\\\"%s\\\">backup</a> via email..."), $download_uri) . '");
-				fram.src = "' . $download_uri . '&via=email&recipient=' . $_POST['backup_recipient'] . '";
-			';
-			break;
-		default:
-			echo '
-				setProgress("' . sprintf(__("Backup complete, download <a href=\\\"%s\\\">here</a>."), $download_uri) . '");
-			';
-		}
-		
-		echo '
-			}
-			
-			function backupStep(step) {
-				switch(step) {
-				case 0: backup("", 0); break;
-		';
-		
-		$also_backup = array();
-		if (isset($_POST['other_tables'])) {
-			$also_backup = $_POST['other_tables'];
-		} else {
-			$also_backup = array();
-		}
-		$core_tables = $_POST['core_tables'];
-		$tables = array_merge($core_tables, $also_backup);
-		$step_count = 1;
-		foreach ($tables as $table) {
-			$rec_count = $wpdb->get_var("SELECT count(*) FROM {$table}");
-			$rec_segments = ceil($rec_count / ROWS_PER_SEGMENT);
-			$table_count = 0;
-			do {
-				echo "case {$step_count}: backup(\"{$table}\", {$table_count}); break;\n";
-				$step_count++;
-				$table_count++;
-			} while($table_count < $rec_segments);
-			echo "case {$step_count}: backup(\"{$table}\", -1); break;\n";
-			$step_count++;
-		}
-		echo "case {$step_count}: finishBackup(); break;";
-		
-		echo '
-				}
-				if(step != 0) setMeter(100 * step / ' . $step_count . ');
-			}
-
-			nextStep();
-			//--></script>
-	</div>
-		';
-	}
-
-	function backup_fragment($table, $segment, $filename) {
-		global $table_prefix, $wpdb;
-			
-		echo "$table:$segment:$filename";
-		
-		if($table == '') {
-			$msg = __('Creating backup file...');
-		} else {
-			if($segment == -1) {
-				$msg = sprintf(__('Finished backing up table \\"%s\\".'), $table);
-			} else {
-				$msg = sprintf(__('Backing up table \\"%s\\"...'), $table);
-			}
-		}
-		
-		echo '<script type="text/javascript"><!--//
-		var msg = "' . $msg . '";
-		window.parent.setProgress(msg);
-		';
-			
-		if (is_writable(ABSPATH . $this->backup_dir)) {
-			$this->fp = $this->open(ABSPATH . $this->backup_dir . $filename, 'a');
-			if(!$this->fp) {
-				$this->backup_error(__('Could not open the backup file for writing!'));
-				$this->fatal_error = __('The backup file could not be saved.  Please check the permissions for writing to your backup directory and try again.');
-			}
-			else {
-				if($table == '') {		
-					//Begin new backup of MySql
-					$this->stow("# WordPress MySQL database backup\n");
-					$this->stow("#\n");
-					$this->stow("# Generated: " . date("l j. F Y H:i T") . "\n");
-					$this->stow("# Hostname: " . DB_HOST . "\n");
-					$this->stow("# Database: " . $this->backquote(DB_NAME) . "\n");
-					$this->stow("# --------------------------------------------------------\n");
-				} else {
-					if($segment == 0) {
-						// Increase script execution time-limit to 15 min for every table.
-						if ( !ini_get('safe_mode')) @set_time_limit(15*60);
-						//ini_set('memory_limit', '16M');
-						// Create the SQL statements
-						$this->stow("# --------------------------------------------------------\n");
-						$this->stow("# Table: " . $this->backquote($table) . "\n");
-						$this->stow("# --------------------------------------------------------\n");
-					}			
-					$this->backup_table($table, $segment);
-				}
-			}
-		} else {
-			$this->backup_error(__('The backup directory is not writeable!'));
-			$this->fatal_error = __('The backup directory is not writeable!  Please check the permissions for writing to your backup directory and try again.');
-		}
-
-		if($this->fp) $this->close($this->fp);
-		
-		if($this->backup_errors) {
-			foreach($this->backup_errors as $error) {
-				echo "window.parent.addError('$error');\n";
-			}
-		}
-		if($this->fatal_error) {
-			echo '
-				alert("' . addslashes($this->fatal_error) . '");
-				//--></script>
-			';
-		}
-		else {
-			echo '
-				window.parent.nextStep();
-				//--></script>
-			';
-		}
-		
-		die();
-	}
-
-	function perform_backup() {
-		// are we backing up any other tables?
-		$also_backup = array();
-		if (isset($_POST['other_tables'])) {
-			$also_backup = $_POST['other_tables'];
-		}
-		
-		$core_tables = $_POST['core_tables'];
-		$this->backup_file = $this->db_backup($core_tables, $also_backup);
-		if (FALSE !== $this->backup_file) {
-			if ('smtp' == $_POST['deliver']) {
-				$this->deliver_backup ($this->backup_file, $_POST['deliver'], $_POST['backup_recipient']);
-			} elseif ('http' == $_POST['deliver']) {
-				$this_basename = preg_replace('/^.*wp-content[\\\\\/]plugins[\\\\\/]/', '', __FILE__);
-				header('Refresh: 3; ' . get_settings('siteurl') . "/wp-admin/edit.php?page={$this_basename}&backup={$this->backup_file}");
-			}
-			// we do this to say we're done.
-			$this->backup_complete = true;
-		}
-	}
-	
-	///////////////////////////////
-	function admin_menu() {
-		add_management_page(__('Backup'), __('Backup'), 'import', basename(__FILE__), array(&$this, 'backup_menu'));
-	}
-
-	function fragment_menu() {
-		add_management_page(__('Backup'), __('Backup'), 'import', basename(__FILE__), array(&$this, 'build_backup_script'));
-	}
-
-	/////////////////////////////////////////////////////////
-	function sql_addslashes($a_string = '', $is_like = FALSE)
-	{
-	        /*
-	                Better addslashes for SQL queries.
-	                Taken from phpMyAdmin.
-	        */
-	    if ($is_like) {
-	        $a_string = str_replace('\\', '\\\\\\\\', $a_string);
-	    } else {
-	        $a_string = str_replace('\\', '\\\\', $a_string);
-	    }
-	    $a_string = str_replace('\'', '\\\'', $a_string);
-
-	    return $a_string;
-	} // function sql_addslashes($a_string = '', $is_like = FALSE)
-
-	///////////////////////////////////////////////////////////
-	function backquote($a_name)
-	{
-	        /*
-	                Add backqouotes to tables and db-names in
-	                SQL queries. Taken from phpMyAdmin.
-	        */
-	    if (!empty($a_name) && $a_name != '*') {
-	        if (is_array($a_name)) {
-	             $result = array();
-	             reset($a_name);
-	             while(list($key, $val) = each($a_name)) {
-	                 $result[$key] = '`' . $val . '`';
-	             }
-	             return $result;
-	        } else {
-	            return '`' . $a_name . '`';
-	        }
-	    } else {
-	        return $a_name;
-	    }
-	} // function backquote($a_name, $do_it = TRUE)
-
-	/////////////
-	function open($filename = '', $mode = 'w') {
-		if ('' == $filename) return false;
-		if ($this->gzip()) {
-			$fp = @gzopen($filename, $mode);
-		} else {
-			$fp = @fopen($filename, $mode);
-		}
-		return $fp;
-	}
-
-	//////////////
-	function close($fp) {
-		if ($this->gzip()) {
-			gzclose($fp);
-		} else {
-			fclose($fp);
-		}
-	}
-	
-	//////////////
-	function stow($query_line) {
-		if ($this->gzip()) {
-			if(@gzwrite($this->fp, $query_line) === FALSE) {
-				backup_error(__('There was an error writing a line to the backup script:'));
-				backup_error('&nbsp;&nbsp;' . $query_line);
-			}
-		} else {
-			if(@fwrite($this->fp, $query_line) === FALSE) {
-				backup_error(__('There was an error writing a line to the backup script:'));
-				backup_error('&nbsp;&nbsp;' . $query_line);
-			}
-		}
-	}
-	
-	function backup_error($err) {
-		if(count($this->backup_errors) < 20) {
-			$this->backup_errors[] = $err;
-		} elseif(count($this->backup_errors) == 20) {
-			$this->backup_errors[] = __('Subsequent errors have been omitted from this log.');
-		}
-	}
-	
-	/////////////////////////////
-	function backup_table($table, $segment = 'none') {
-		global $wpdb;
-		
-		/*
-		Taken partially from phpMyAdmin and partially from
-		Alain Wolf, Zurich - Switzerland
-		Website: http://restkultur.ch/personal/wolf/scripts/db_backup/
-		
-		Modified by Scott Merril (http://www.skippy.net/) 
-		to use the WordPress $wpdb object
-		*/
-
-		$table_structure = $wpdb->get_results("DESCRIBE $table");
-		if (! $table_structure) {
-			backup_errors(__('Error getting table details') . ": $table");
-			return FALSE;
-		}
-	
-		if(($segment == 'none') || ($segment == 0)) {
-			//
-			// Add SQL statement to drop existing table
-			$this->stow("\n\n");
-			$this->stow("#\n");
-			$this->stow("# Delete any existing table " . $this->backquote($table) . "\n");
-			$this->stow("#\n");
-			$this->stow("\n");
-			$this->stow("DROP TABLE IF EXISTS " . $this->backquote($table) . ";\n");
-			
-			// 
-			//Table structure
-			// Comment in SQL-file
-			$this->stow("\n\n");
-			$this->stow("#\n");
-			$this->stow("# Table structure of table " . $this->backquote($table) . "\n");
-			$this->stow("#\n");
-			$this->stow("\n");
-			
-			$create_table = $wpdb->get_results("SHOW CREATE TABLE $table", ARRAY_N);
-			if (FALSE === $create_table) {
-				$this->backup_error(sprintf(__("Error with SHOW CREATE TABLE for %s."), $table));
-				$this->stow("#\n# Error with SHOW CREATE TABLE for $table!\n#\n");
-			}
-			$this->stow($create_table[0][1] . ' ;');
-			
-			if (FALSE === $table_structure) {
-				$this->backup_error(sprintf(__("Error getting table structure of %s"), $table));
-				$this->stow("#\n# Error getting table structure of $table!\n#\n");
-			}
-		
-			//
-			// Comment in SQL-file
-			$this->stow("\n\n");
-			$this->stow("#\n");
-			$this->stow('# Data contents of table ' . $this->backquote($table) . "\n");
-			$this->stow("#\n");
-		}
-		
-		if(($segment == 'none') || ($segment >= 0)) {
-			$ints = array();
-			foreach ($table_structure as $struct) {
-				if ( (0 === strpos($struct->Type, 'tinyint')) ||
-					(0 === strpos(strtolower($struct->Type), 'smallint')) ||
-					(0 === strpos(strtolower($struct->Type), 'mediumint')) ||
-					(0 === strpos(strtolower($struct->Type), 'int')) ||
-					(0 === strpos(strtolower($struct->Type), 'bigint')) ||
-					(0 === strpos(strtolower($struct->Type), 'timestamp')) ) {
-						$ints[strtolower($struct->Field)] = "1";
-				}
-			}
-			
-			
-			// Batch by $row_inc
-			
-			if($segment == 'none') {
-				$row_start = 0;
-				$row_inc = ROWS_PER_SEGMENT;
-			} else {
-				$row_start = $segment * ROWS_PER_SEGMENT;
-				$row_inc = ROWS_PER_SEGMENT;
-			}
-			
-			do {	
-				if ( !ini_get('safe_mode')) @set_time_limit(15*60);
-				$table_data = $wpdb->get_results("SELECT * FROM $table LIMIT {$row_start}, {$row_inc}", ARRAY_A);
-
-				/*
-				if (FALSE === $table_data) {
-					$wp_backup_error .= "Error getting table contents from $table\r\n";
-					fwrite($fp, "#\n# Error getting table contents fom $table!\n#\n");
-				}
-				*/
-					
-				$entries = 'INSERT INTO ' . $this->backquote($table) . ' VALUES (';	
-				//    \x08\\x09, not required
-				$search = array("\x00", "\x0a", "\x0d", "\x1a");
-				$replace = array('\0', '\n', '\r', '\Z');
-				if($table_data) {
-					foreach ($table_data as $row) {
-						$values = array();
-						foreach ($row as $key => $value) {
-							if ($ints[strtolower($key)]) {
-								$values[] = $value;
-							} else {
-								$values[] = "'" . str_replace($search, $replace, $this->sql_addslashes($value)) . "'";
-							}
-						}
-						$this->stow(" \n" . $entries . implode(', ', $values) . ') ;');
-					}
-					$row_start += $row_inc;
-				}
-			} while((count($table_data) > 0) and ($segment=='none'));
-		}
-		
-		
-		if(($segment == 'none') || ($segment < 0)) {
-			// Create footer/closing comment in SQL-file
-			$this->stow("\n");
-			$this->stow("#\n");
-			$this->stow("# End of data contents of table " . $this->backquote($table) . "\n");
-			$this->stow("# --------------------------------------------------------\n");
-			$this->stow("\n");
-		}
-		
-	} // end backup_table()
-	
-	function return_bytes($val) {
-	   $val = trim($val);
-	   $last = strtolower($val{strlen($val)-1});
-	   switch($last) {
-	       // The 'G' modifier is available since PHP 5.1.0
-	       case 'g':
-	           $val *= 1024;
-	       case 'm':
-	           $val *= 1024;
-	       case 'k':
-	           $val *= 1024;
-	   }
-	
-	   return $val;
-	}
-	
-	////////////////////////////
-	function db_backup($core_tables, $other_tables) {
-		global $table_prefix, $wpdb;
-		
-		$datum = date("Ymd_B");
-		$wp_backup_filename = DB_NAME . "_$table_prefix$datum.sql";
-			if ($this->gzip()) {
-				$wp_backup_filename .= '.gz';
-			}
-		
-		if (is_writable(ABSPATH . $this->backup_dir)) {
-			$this->fp = $this->open(ABSPATH . $this->backup_dir . $wp_backup_filename);
-			if(!$this->fp) {
-				$this->backup_error(__('Could not open the backup file for writing!'));
-				return false;
-			}
-		} else {
-			$this->backup_error(__('The backup directory is not writeable!'));
-			return false;
-		}
-		
-		//Begin new backup of MySql
-		$this->stow("# WordPress MySQL database backup\n");
-		$this->stow("#\n");
-		$this->stow("# Generated: " . date("l j. F Y H:i T") . "\n");
-		$this->stow("# Hostname: " . DB_HOST . "\n");
-		$this->stow("# Database: " . $this->backquote(DB_NAME) . "\n");
-		$this->stow("# --------------------------------------------------------\n");
-		
-			if ( (is_array($other_tables)) && (count($other_tables) > 0) )
-			$tables = array_merge($core_tables, $other_tables);
-		else
-			$tables = $core_tables;
-		
-		foreach ($tables as $table) {
-			// Increase script execution time-limit to 15 min for every table.
-			if ( !ini_get('safe_mode')) @set_time_limit(15*60);
-			// Create the SQL statements
-			$this->stow("# --------------------------------------------------------\n");
-			$this->stow("# Table: " . $this->backquote($table) . "\n");
-			$this->stow("# --------------------------------------------------------\n");
-			$this->backup_table($table);
-		}
-				
-		$this->close($this->fp);
-		
-		if (count($this->backup_errors)) {
-			return false;
-		} else {
-			return $wp_backup_filename;
-		}
-		
-	} //wp_db_backup
-	
-	///////////////////////////
-	function deliver_backup ($filename = '', $delivery = 'http', $recipient = '') {
-		if ('' == $filename) { return FALSE; }
-		
-		$diskfile = ABSPATH . $this->backup_dir . $filename;
-		if ('http' == $delivery) {
-			if (! file_exists($diskfile)) {
-				$msg = sprintf(__('File not found:%s'), "<br /><strong>$filename</strong><br />");
-				$this_basename = preg_replace('/^.*wp-content[\\\\\/]plugins[\\\\\/]/', '', __FILE__);
-				$msg .= '<br /><a href="' . get_settings('siteurl') . "/wp-admin/edit.php?page={$this_basename}" . '">' . __('Return to Backup');
-			die($msg);
-			}
-			header('Content-Description: File Transfer');
-			header('Content-Type: application/octet-stream');
-			header('Content-Length: ' . filesize($diskfile));
-			header("Content-Disposition: attachment; filename=$filename");
-			readfile($diskfile);
-			unlink($diskfile);
-		} elseif ('smtp' == $delivery) {
-			if (! file_exists($diskfile)) return false;
-
-			if (! is_email ($recipient)) {
-				$recipient = get_settings('admin_email');
-			}
-			$randomish = md5(time());
-			$boundary = "==WPBACKUP-BY-SKIPPY-$randomish";
-			$fp = fopen($diskfile,"rb");
-			$file = fread($fp,filesize($diskfile)); 
-			$this->close($fp);
-			$data = chunk_split(base64_encode($file));
-			$headers = "MIME-Version: 1.0\n";
-			$headers .= "Content-Type: multipart/mixed; boundary=\"$boundary\"\n";
-			$headers .= 'From: ' . get_settings('admin_email') . "\n";
-		
-			$message = sprintf(__("Attached to this email is\n   %1s\n   Size:%2s kilobytes\n"), $filename, round(filesize($diskfile)/1024));
-			// Add a multipart boundary above the plain message
-			$message = "This is a multi-part message in MIME format.\n\n" .
-		        	"--{$boundary}\n" .
-				"Content-Type: text/plain; charset=\"utf-8\"\n" .
-				"Content-Transfer-Encoding: 7bit\n\n" .
-				$message . "\n\n";
-			
-			// Add file attachment to the message
-			$message .= "--{$boundary}\n" .
-				"Content-Type: application/octet-stream;\n" .
-				" name=\"{$filename}\"\n" .
-				"Content-Disposition: attachment;\n" .
-				" filename=\"{$filename}\"\n" .
-				"Content-Transfer-Encoding: base64\n\n" .
-				$data . "\n\n" .
-				"--{$boundary}--\n";
-			
-			if (function_exists('wp_mail')) {
-				wp_mail ($recipient, get_bloginfo('name') . ' ' . __('Database Backup'), $message, $headers);
-			} else {
-				mail ($recipient, get_bloginfo('name') . ' ' . __('Database Backup'), $message, $headers);
-			}
-			
-			unlink($diskfile);
-		}
-		return;
-	}
-	
-	////////////////////////////
-	function backup_menu() {
-		global $table_prefix, $wpdb;
-		$feedback = '';
-		$WHOOPS = FALSE;
-		
-		// did we just do a backup?  If so, let's report the status
-		if ( $this->backup_complete ) {
-			$feedback = '<div class="updated"><p>' . __('Backup Successful') . '!';
-			$file = $this->backup_file;
-			switch($_POST['deliver']) {
-			case 'http':
-				$feedback .= '<br />' . sprintf(__('Your backup file: <a href="%1s">%2s</a> should begin downloading shortly.'), get_settings('siteurl') . "/{$this->backup_dir}{$this->backup_file}", $this->backup_file);
-				break;
-			case 'smtp':
-				if (! is_email($_POST['backup_recipient'])) {
-					$feedback .= get_settings('admin_email');
-				} else {
-					$feedback .= $_POST['backup_recipient'];
-				}
-				$feedback = '<br />' . sprintf(__('Your backup has been emailed to %s'), $feedback);
-				break;
-			case 'none':
-				$feedback .= '<br />' . __('Your backup file has been saved on the server. If you would like to download it now, right click and select "Save As"');
-				$feedback .= ':<br /> <a href="' . get_settings('siteurl') . "/{$this->backup_dir}$file\">$file</a> : " . sprintf(__('%s bytes'), filesize(ABSPATH . $this->backup_dir . $file));
-			}
-			$feedback .= '</p></div>';
-		}
-		
-		if (count($this->backup_errors)) {
-			$feedback .= '<div class="updated error">' . __('The following errors were reported:') . "<pre>";
-			foreach($this->backup_errors as $error) {
-				$feedback .= "{$error}\n";  //Errors are already localized
-			}
-			$feedback .= "</pre></div>";
-		}
-		
-		// did we just save options for wp-cron?
-		if ( (function_exists('wp_cron_init')) && isset($_POST['wp_cron_backup_options']) ) {
-			update_option('wp_cron_backup_schedule', intval($_POST['cron_schedule']), FALSE);
-			update_option('wp_cron_backup_tables', $_POST['wp_cron_backup_tables']);
-			if (is_email($_POST['cron_backup_recipient'])) {
-				update_option('wp_cron_backup_recipient', $_POST['cron_backup_recipient'], FALSE);
-			}
-			$feedback .= '<div class="updated"><p>' . __('Scheduled Backup Options Saved!') . '</p></div>';
-		}
-		
-		// Simple table name storage
-		$wp_table_names = explode(',','categories,comments,linkcategories,links,options,post2cat,postmeta,posts,users,usermeta');
-		// Apply WP DB prefix to table names
-		$wp_table_names = array_map(create_function('$a', 'global $table_prefix;return "{$table_prefix}{$a}";'), $wp_table_names);
-		
-		$other_tables = array();
-		$also_backup = array();
-	
-		// Get complete db table list	
-		$all_tables = $wpdb->get_results("SHOW TABLES", ARRAY_N);
-		$all_tables = array_map(create_function('$a', 'return $a[0];'), $all_tables);
-		// Get list of WP tables that actually exist in this DB (for 1.6 compat!)
-		$wp_backup_default_tables = array_intersect($all_tables, $wp_table_names);
-		// Get list of non-WP tables
-		$other_tables = array_diff($all_tables, $wp_backup_default_tables);
-		
-		if ('' != $feedback) {
-			echo $feedback;
-		}
-
-		// Give the new dirs the same perms as wp-content.
-		$stat = stat( ABSPATH . 'wp-content' );
-		$dir_perms = $stat['mode'] & 0000777; // Get the permission bits.
-
-		if ( !file_exists( ABSPATH . $this->backup_dir) ) {
-			if ( @ mkdir( ABSPATH . $this->backup_dir) ) {
-				@ chmod( ABSPATH . $this->backup_dir, $dir_perms);
-			} else {
-				echo '<div class="updated error"><p align="center">' . __('WARNING: Your wp-content directory is <strong>NOT</strong> writable! We can not create the backup directory.') . '<br />' . ABSPATH . $this->backup_dir . "</p></div>";
-			$WHOOPS = TRUE;
-			}
-		}
-		
-		if ( !is_writable( ABSPATH . $this->backup_dir) ) {
-			echo '<div class="updated error"><p align="center">' . __('WARNING: Your backup directory is <strong>NOT</strong> writable! We can not create the backup directory.') . '<br />' . ABSPATH . "</p></div>";
-		}
-
-		if ( !file_exists( ABSPATH . $this->backup_dir . 'index.php') ) {
-			@ touch( ABSPATH . $this->backup_dir . "index.php");
-		}
-
-		echo "<div class='wrap'>";
-		echo '<h2>' . __('Backup') . '</h2>';
-		echo '<fieldset class="options"><legend>' . __('Tables') . '</legend>';
-		echo '<form method="post">';
-		echo '<table align="center" cellspacing="5" cellpadding="5"><tr><td width="50%" align="left" class="alternate" valign="top">';
-		echo __('These core WordPress tables will always be backed up:') . '<br /><ul>';
-		foreach ($wp_backup_default_tables as $table) {
-			echo "<li><input type='hidden' name='core_tables[]' value='$table' />$table</li>";
-		}
-		echo '</ul></td><td width="50%" align="left" valign="top">';
-		if (count($other_tables) > 0) {
-			echo __('You may choose to include any of the following tables:') . ' <br />';
-			foreach ($other_tables as $table) {
-				echo "<label style=\"display:block;\"><input type='checkbox' name='other_tables[]' value='{$table}' /> {$table}</label>";
-			}
-		}
-		echo '</tr></table></fieldset>';
-		echo '<fieldset class="options"><legend>' . __('Backup Options') . '</legend>';
-		echo __('What to do with the backup file:') . "<br />";
-		echo '<label style="display:block;"><input type="radio" name="deliver" value="none" /> ' . __('Save to server') . " ({$this->backup_dir})</label>";
-		echo '<label style="display:block;"><input type="radio" checked="checked" name="deliver" value="http" /> ' . __('Download to your computer') . '</label>';
-		echo '<div><input type="radio" name="deliver" id="do_email" value="smtp" /> ';
-		echo '<label for="do_email">'.__('Email backup to:').'</label><input type="text" name="backup_recipient" size="20" value="' . get_settings('admin_email') . '" />';
-		
-		// Check DB dize.
-		$table_status = $wpdb->get_results("SHOW TABLE STATUS FROM " . $this->backquote(DB_NAME));
-		$core_size = $db_size = 0;
-		foreach($table_status as $table) {
-			$table_size = $table->Data_length - $table->Data_free;
-			if(in_array($table->Name, $wp_backup_default_tables)) {
-				$core_size += $table_size;	
-			}
-			$db_size += $table_size;
-		}
-		$mem_limit = ini_get('memory_limit');
-		$mem_limit = $this->return_bytes($mem_limit);
-		$mem_limit = ($mem_limit == 0) ? 8*1024*1024 :  $mem_limit - 2000000;
-		
-		if (! $WHOOPS) {
-			echo '<input type="hidden" name="do_backup" id="do_backup" value="backup" /></div>';
-			echo '<p class="submit"><input type="submit" name="submit" onclick="document.getElementById(\'do_backup\').value=\'fragments\';" value="' . __('Backup') . '!" / ></p>';
-		} else {
-			echo '<p class="alternate">' . __('WARNING: Your backup directory is <strong>NOT</strong> writable!') . '</p>';
-		}
-		echo '</fieldset>';
-		echo '</form>';
-		
-		// this stuff only displays if wp_cron is installed
-		if (function_exists('wp_cron_init')) {
-			echo '<fieldset class="options"><legend>' . __('Scheduled Backup') . '</legend>';
-			$datetime = get_settings('date_format') . ' @ ' . get_settings('time_format');
-			echo '<p>' . __('Last WP-Cron Daily Execution') . ': ' . date($datetime, get_option('wp_cron_daily_lastrun')) . '<br />';
-			echo __('Next WP-Cron Daily Execution') . ': ' . date($datetime, (get_option('wp_cron_daily_lastrun') + 86400)) . '</p>';
-			echo '<form method="post">';
-			echo '<table width="100%" callpadding="5" cellspacing="5">';
-			echo '<tr><td align="center">';
-			echo __('Schedule: ');
-			$wp_cron_backup_schedule = get_option('wp_cron_backup_schedule');
-			$schedule = array(0 => __('None'), 1 => __('Daily'));
-			foreach ($schedule as $value => $name) {
-				echo ' <input type="radio" name="cron_schedule"';
-				if ($wp_cron_backup_schedule == $value) {
-					echo ' checked="checked" ';
-				}
-				echo 'value="' . $value . '" /> ' . __($name);
-			}
-			echo '</td><td align="center">';
-			$cron_recipient = get_option('wp_cron_backup_recipient');
-			if (! is_email($cron_recipient)) {
-				$cron_recipient = get_settings('admin_email');
-			}
-			echo __('Email backup to:') . ' <input type="text" name="cron_backup_recipient" size="20" value="' . $cron_recipient . '" />';
-			echo '</td></tr>';
-			$cron_tables = get_option('wp_cron_backup_tables');
-			if (! is_array($cron_tables)) {
-				$cron_tables = array();
-			}
-			if (count($other_tables) > 0) {
-				echo '<tr><td colspan="2" align="left">' . __('Tables to include:') . '<br />';
-				foreach ($other_tables as $table) {
-					echo '<input type="checkbox" ';
-					if (in_array($table, $cron_tables)) {
-						echo 'checked=checked ';
-					}
-					echo "name='wp_cron_backup_tables[]' value='{$table}' /> {$table}<br />";
-				}
-				echo '</td></tr>';
-			}
-			echo '<tr><td colspan="2" align="center"><input type="hidden" name="wp_cron_backup_options" value="SET" /><input type="submit" name="submit" value="' . __('Submit') . '" /></td></tr></table></form>';
-			echo '</fieldset>';
-		}
-		// end of wp_cron section
-		
-		echo '</div>';
-		
-	}// end wp_backup_menu()
-	
-	/////////////////////////////
-	function wp_cron_daily() {
-		
-		$schedule = intval(get_option('wp_cron_backup_schedule'));
-		if (0 == $schedule) {
-		        // Scheduled backup is disabled
-		        return;
-		}
-		
-		global $table_prefix, $wpdb;
-
-		$wp_table_names = explode(',','categories,comments,linkcategories,links,options,post2cat,postmeta,posts,users,usermeta');
-		$wp_table_names = array_map(create_function('$a', 'global $table_prefix;return "{$table_prefix}{$a}";'), $wp_table_names);
-		$all_tables = $wpdb->get_results("SHOW TABLES", ARRAY_N);
-		$all_tables = array_map(create_function('$a', 'return $a[0];'), $all_tables);
-		$core_tables = array_intersect($all_tables, $wp_table_names);
-		$other_tables = get_option('wp_cron_backup_tables');
-		
-		$recipient = get_option('wp_cron_backup_recipient');
-		
-		$backup_file = $this->db_backup($core_tables, $other_tables);
-		if (FALSE !== $backup_file) {
-			$this->deliver_backup ($backup_file, 'smtp', $recipient);
-		}
-		
-		return;
-	} // wp_cron_db_backup
-
-	function validate_file($file) {
-		if (false !== strpos($file, '..'))
-			die(__("Cheatin' uh ?"));
-
-		if (false !== strpos($file, './'))
-			die(__("Cheatin' uh ?"));
-
-		if (':' == substr($file, 1, 1))
-			die(__("Cheatin' uh ?"));
-	}
-
-}
-
-function wpdbBackup_init() {
-	global $mywpdbbackup;
-
-	if ( !current_user_can('import') ) return;
-
-	$mywpdbbackup = new wpdbBackup(); 	
-}
-
-add_action('plugins_loaded', 'wpdbBackup_init');
-
-?>
diff -Nru wordpress/wp-content/themes/default/functions.php wordpress-etch/wp-content/themes/default/functions.php
--- wordpress-etch/wp-content/themes/default/functions.php	2006-07-06 04:44:40.000000000 +0200
+++ wordpress-etch/wp-content/themes/default/functions.php	2008-04-22 11:42:10.000000000 +0200
@@ -21,11 +21,11 @@
 add_action('wp_head', 'kubrick_head');
 
 function kubrick_header_image() {
-	return apply_filters('kubrick_header_image', get_settings('kubrick_header_image'));
+	return apply_filters('kubrick_header_image', get_option('kubrick_header_image'));
 }
 
 function kubrick_upper_color() {
-	if ( strstr( $url = kubrick_header_image_url(), 'header-img.php?' ) ) {
+	if (strpos($url = kubrick_header_image_url(), 'header-img.php?') !== false) {
 		parse_str(substr($url, strpos($url, '?') + 1), $q);
 		return $q['upper'];
 	} else
@@ -33,7 +33,7 @@
 }
 
 function kubrick_lower_color() {
-	if ( strstr( $url = kubrick_header_image_url(), 'header-img.php?' ) ) {
+	if (strpos($url = kubrick_header_image_url(), 'header-img.php?') !== false) {
 		parse_str(substr($url, strpos($url, '?') + 1), $q);
 		return $q['lower'];
 	} else
@@ -50,7 +50,7 @@
 }
 
 function kubrick_header_color() {
-	return apply_filters('kubrick_header_color', get_settings('kubrick_header_color'));
+	return apply_filters('kubrick_header_color', get_option('kubrick_header_color'));
 }
 
 function kubrick_header_color_string() {
@@ -62,7 +62,7 @@
 }
 
 function kubrick_header_display() {
-	return apply_filters('kubrick_header_display', get_settings('kubrick_header_display'));
+	return apply_filters('kubrick_header_display', get_option('kubrick_header_display'));
 }
 
 function kubrick_header_display_string() {
@@ -75,6 +75,7 @@
 function kubrick_add_theme_page() {
 	if ( $_GET['page'] == basename(__FILE__) ) {
 		if ( 'save' == $_REQUEST['action'] ) {
+			check_admin_referer('kubrick-header');
 			if ( isset($_REQUEST['njform']) ) {
 				if ( isset($_REQUEST['defaults']) ) {
 					delete_option('kubrick_header_image');
@@ -83,9 +84,10 @@
 				} else {
 					if ( '' == $_REQUEST['njfontcolor'] )
 						delete_option('kubrick_header_color');
-					else
-						update_option('kubrick_header_color', $_REQUEST['njfontcolor']);
-
+					else {
+						$fontcolor = preg_replace('/^.*(#[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['njfontcolor']);
+						update_option('kubrick_header_color', $fontcolor);
+					}
 					if ( preg_match('/[0-9A-F]{6}|[0-9A-F]{3}/i', $_REQUEST['njuppercolor'], $uc) && preg_match('/[0-9A-F]{6}|[0-9A-F]{3}/i', $_REQUEST['njlowercolor'], $lc) ) {
 						$uc = ( strlen($uc[0]) == 3 ) ? $uc[0]{0}.$uc[0]{0}.$uc[0]{1}.$uc[0]{1}.$uc[0]{2}.$uc[0]{2} : $uc[0];
 						$lc = ( strlen($lc[0]) == 3 ) ? $lc[0]{0}.$lc[0]{0}.$lc[0]{1}.$lc[0]{1}.$lc[0]{2}.$lc[0]{2} : $lc[0];
@@ -93,7 +95,7 @@
 					}
 
 					if ( isset($_REQUEST['toggledisplay']) ) {
-						if ( false === get_settings('kubrick_header_display') )
+						if ( false === get_option('kubrick_header_display') )
 							update_option('kubrick_header_display', 'none');
 						else
 							delete_option('kubrick_header_display');
@@ -102,20 +104,27 @@
 			} else {
 
 				if ( isset($_REQUEST['headerimage']) ) {
+					check_admin_referer('kubrick-header');
 					if ( '' == $_REQUEST['headerimage'] )
 						delete_option('kubrick_header_image');
-					else
-						update_option('kubrick_header_image', $_REQUEST['headerimage']);
+					else {
+						$headerimage = preg_replace('/^.*?(header-img.php\?upper=[0-9a-fA-F]{6}&lower=[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['headerimage']);
+						update_option('kubrick_header_image', $headerimage);
+					}
 				}
 
 				if ( isset($_REQUEST['fontcolor']) ) {
+					check_admin_referer('kubrick-header');
 					if ( '' == $_REQUEST['fontcolor'] )
 						delete_option('kubrick_header_color');
-					else
-						update_option('kubrick_header_color', $_REQUEST['fontcolor']);
+					else {
+						$fontcolor = preg_replace('/^.*?(#[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['fontcolor']);
+						update_option('kubrick_header_color', $fontcolor);
+					}
 				}
 
 				if ( isset($_REQUEST['fontdisplay']) ) {
+					check_admin_referer('kubrick-header');
 					if ( '' == $_REQUEST['fontdisplay'] || 'inline' == $_REQUEST['fontdisplay'] )
 						delete_option('kubrick_header_display');
 					else
@@ -226,13 +235,13 @@
 		document.getElementById('headerimg').style.display = document.getElementById('fontdisplay').value;
 	}
 	function kRevert() {
-		document.getElementById('headerimage').value = '<?php echo kubrick_header_image(); ?>';
-		document.getElementById('advuppercolor').value = document.getElementById('uppercolor').value = '#<?php echo kubrick_upper_color(); ?>';
-		document.getElementById('advlowercolor').value = document.getElementById('lowercolor').value = '#<?php echo kubrick_lower_color(); ?>';
-		document.getElementById('header').style.background = 'url("<?php echo kubrick_header_image_url(); ?>") center no-repeat';
+		document.getElementById('headerimage').value = '<?php echo js_escape(kubrick_header_image()); ?>';
+		document.getElementById('advuppercolor').value = document.getElementById('uppercolor').value = '#<?php echo js_escape(kubrick_upper_color()); ?>';
+		document.getElementById('advlowercolor').value = document.getElementById('lowercolor').value = '#<?php echo js_escape(kubrick_lower_color()); ?>';
+		document.getElementById('header').style.background = 'url("<?php echo js_escape(kubrick_header_image_url()); ?>") center no-repeat';
 		document.getElementById('header').style.color = '';
-		document.getElementById('advfontcolor').value = document.getElementById('fontcolor').value = '<?php echo kubrick_header_color_string(); ?>';
-		document.getElementById('fontdisplay').value = '<?php echo kubrick_header_display_string(); ?>';
+		document.getElementById('advfontcolor').value = document.getElementById('fontcolor').value = '<?php echo js_escape(kubrick_header_color_string()); ?>';
+		document.getElementById('fontdisplay').value = '<?php echo js_escape(kubrick_header_display_string()); ?>';
 		document.getElementById('headerimg').style.display = document.getElementById('fontdisplay').value;
 	}
 	function kInit() {
@@ -354,11 +363,12 @@
 		<br />
 		<div id="nonJsForm">
 			<form method="post" action="">
+				<?php wp_nonce_field('kubrick-header'); ?>
 				<div class="zerosize"><input type="submit" name="defaultsubmit" value="Save" /></div>
-				<label for="njfontcolor">Font Color:</label><input type="text" name="njfontcolor" id="njfontcolor" value="<?php echo kubrick_header_color(); ?>" /> Any CSS color (<code>red</code> or <code>#FF0000</code> or <code>rgb(255, 0, 0)</code>)<br />
-				<label for="njuppercolor">Upper Color:</label><input type="text" name="njuppercolor" id="njuppercolor" value="#<?php echo kubrick_upper_color(); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
-				<label for="njlowercolor">Lower Color:</label><input type="text" name="njlowercolor" id="njlowercolor" value="#<?php echo kubrick_lower_color(); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
-				<input type="hidden" name="hi" id="hi" value="<?php echo kubrick_header_image(); ?>" />
+				<label for="njfontcolor">Font Color:</label><input type="text" name="njfontcolor" id="njfontcolor" value="<?php echo attribute_escape(kubrick_header_color()); ?>" /> Any CSS color (<code>red</code> or <code>#FF0000</code> or <code>rgb(255, 0, 0)</code>)<br />
+				<label for="njuppercolor">Upper Color:</label><input type="text" name="njuppercolor" id="njuppercolor" value="#<?php echo attribute_escape(kubrick_upper_color()); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
+				<label for="njlowercolor">Lower Color:</label><input type="text" name="njlowercolor" id="njlowercolor" value="#<?php echo attribute_escape(kubrick_lower_color()); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
+				<input type="hidden" name="hi" id="hi" value="<?php echo attribute_escape(kubrick_header_image()); ?>" />
 				<input type="submit" name="toggledisplay" id="toggledisplay" value="Toggle Text" />
 				<input type="submit" name="defaults" value="Use Defaults" />
 				<input type="submit" class="defbutton" name="submitform" value="&nbsp;&nbsp;Save&nbsp;&nbsp;" />
@@ -367,26 +377,28 @@
 			</form>
 		</div>
 		<div id="jsForm">
-			<form style="display:inline;" method="post" name="hicolor" id="hicolor" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
+			<form style="display:inline;" method="post" name="hicolor" id="hicolor" action="<?php echo attribute_escape($_SERVER['REQUEST_URI']); ?>">
+				<?php wp_nonce_field('kubrick-header'); ?>
 				<input type="button" onclick="tgt=document.getElementById('fontcolor');colorSelect(tgt,'pick1');return false;" name="pick1" id="pick1" value="Font Color"></input>
 				<input type="button" onclick="tgt=document.getElementById('uppercolor');colorSelect(tgt,'pick2');return false;" name="pick2" id="pick2" value="Upper Color"></input>
 				<input type="button" onclick="tgt=document.getElementById('lowercolor');colorSelect(tgt,'pick3');return false;" name="pick3" id="pick3" value="Lower Color"></input>
 				<input type="button" name="revert" value="Revert" onclick="kRevert()" />
 				<input type="button" value="Advanced" onclick="toggleAdvanced()" />
-				<input type="submit" name="submitform" class="defbutton" value="Save" onclick="cp.hidePopup('prettyplease')" />
 				<input type="hidden" name="action" value="save" />
-				<input type="hidden" name="fontdisplay" id="fontdisplay" value="<?php echo kubrick_header_display(); ?>" />
-				<input type="hidden" name="fontcolor" id="fontcolor" value="<?php echo kubrick_header_color(); ?>" />
-				<input type="hidden" name="uppercolor" id="uppercolor" value="<?php echo kubrick_upper_color(); ?>" />
-				<input type="hidden" name="lowercolor" id="lowercolor" value="<?php echo kubrick_lower_color(); ?>" />
-				<input type="hidden" name="headerimage" id="headerimage" value="<?php echo kubrick_header_image(); ?>" />
+				<input type="hidden" name="fontdisplay" id="fontdisplay" value="<?php echo attribute_escape(kubrick_header_display()); ?>" />
+				<input type="hidden" name="fontcolor" id="fontcolor" value="<?php echo attribute_escape(kubrick_header_color()); ?>" />
+				<input type="hidden" name="uppercolor" id="uppercolor" value="<?php echo attribute_escape(kubrick_upper_color()); ?>" />
+				<input type="hidden" name="lowercolor" id="lowercolor" value="<?php echo attribute_escape(kubrick_lower_color()); ?>" />
+				<input type="hidden" name="headerimage" id="headerimage" value="<?php echo attribute_escape(kubrick_header_image()); ?>" />
+				<p class="submit"><input type="submit" name="submitform" class="defbutton" value="<?php _e('Update Header &raquo;'); ?>" onclick="cp.hidePopup('prettyplease')" /></p>
 			</form>
 			<div id="colorPickerDiv" style="z-index: 100;background:#eee;border:1px solid #ccc;position:absolute;visibility:hidden;"> </div>
 			<div id="advanced">
 				<form id="jsAdvanced" style="display:none;" action="">
-					<label for="advfontcolor">Font Color (CSS): </label><input type="text" id="advfontcolor" onchange="advUpdate(this.value, 'fontcolor')" value="<?php echo kubrick_header_color(); ?>" /><br />
-					<label for="advuppercolor">Upper Color (HEX): </label><input type="text" id="advuppercolor" onchange="advUpdate(this.value, 'uppercolor')" value="#<?php echo kubrick_upper_color(); ?>" /><br />
-					<label for="advlowercolor">Lower Color (HEX): </label><input type="text" id="advlowercolor" onchange="advUpdate(this.value, 'lowercolor')" value="#<?php echo kubrick_lower_color(); ?>" /><br />
+					<?php wp_nonce_field('kubrick-header'); ?>
+					<label for="advfontcolor">Font Color (CSS): </label><input type="text" id="advfontcolor" onchange="advUpdate(this.value, 'fontcolor')" value="<?php echo attribute_escape(kubrick_header_color()); ?>" /><br />
+					<label for="advuppercolor">Upper Color (HEX): </label><input type="text" id="advuppercolor" onchange="advUpdate(this.value, 'uppercolor')" value="#<?php echo attribute_escape(kubrick_upper_color()); ?>" /><br />
+					<label for="advlowercolor">Lower Color (HEX): </label><input type="text" id="advlowercolor" onchange="advUpdate(this.value, 'lowercolor')" value="#<?php echo attribute_escape(kubrick_lower_color()); ?>" /><br />
 					<input type="button" name="default" value="Select Default Colors" onclick="kDefaults()" /><br />
 					<input type="button" onclick="toggleDisplay();return false;" name="pick" id="pick" value="Toggle Text Display"></input><br />
 				</form>
diff -Nru wordpress/wp-includes/version.php wordpress-etch/wp-includes/version.php
--- wordpress-etch/wp-includes/version.php	2007-04-03 02:33:57.000000000 +0200
+++ wordpress-etch/wp-includes/version.php	2008-04-22 11:42:11.000000000 +0200
@@ -2,7 +2,7 @@
 
 // This just holds the version number, in a separate file so we can bump it without cluttering the SVN
 
-$wp_version = '2.0.10';
+$wp_version = '2.0.12-alpha';
 $wp_db_version = 3441;
 
 ?>
diff -Nru wordpress/wp-links-opml.php wordpress-etch/wp-links-opml.php
--- wordpress-etch/wp-links-opml.php	2006-12-21 11:10:04.000000000 +0100
+++ wordpress-etch/wp-links-opml.php	2008-04-22 11:42:11.000000000 +0200
@@ -28,7 +28,7 @@
     <body>
 <?php $sql = "SELECT $wpdb->links.link_url, link_rss, $wpdb->links.link_name, $wpdb->links.link_category, $wpdb->linkcategories.cat_name, link_updated 
 FROM $wpdb->links 
- JOIN $wpdb->linkcategories on $wpdb->links.link_category = $wpdb->linkcategories.cat_id
+ INNER JOIN $wpdb->linkcategories on $wpdb->links.link_category = $wpdb->linkcategories.cat_id
  AND $wpdb->links.link_visible = 'Y'
  $sql_cat
  ORDER BY $wpdb->linkcategories.cat_name, $wpdb->links.link_name \n";
diff -Nru wordpress/wp-login.php wordpress-etch/wp-login.php
--- wordpress-etch/wp-login.php	2007-03-10 21:35:57.000000000 +0100
+++ wordpress-etch/wp-login.php	2008-04-22 13:14:13.000000000 +0200
@@ -29,7 +29,7 @@
 	if ( isset($_REQUEST['redirect_to']) )
 		$redirect_to = $_REQUEST['redirect_to'];
 			
-	wp_redirect($redirect_to);
+	wp_safe_redirect($redirect_to);
 	exit();
 
 break;
@@ -198,7 +198,7 @@
 			if ( !$using_cookie )
 				wp_setcookie($user_login, $user_pass, false, '', '', $rememberme);
 			do_action('wp_login', $user_login);
-			wp_redirect($redirect_to);
+			wp_safe_redirect($redirect_to);
 			exit;
 		} else {
 			if ( $using_cookie )			
diff -Nru wordpress/wp-mail.php wordpress-etch/wp-mail.php
--- wordpress-etch/wp-mail.php	2006-01-24 00:49:22.000000000 +0100
+++ wordpress-etch/wp-mail.php	2008-04-22 11:42:11.000000000 +0200
@@ -58,7 +58,7 @@
 
 			// Set the author using the email address (To or Reply-To, the last used)
 			// otherwise use the site admin
-			if (preg_match('/From: /', $line) | preg_match('Reply-To: /', $line))  {
+			if (preg_match('/From: /', $line) | preg_match('/Reply-To: /', $line))  {
 				$author=trim($line);
 			if ( ereg("([a-zA-Z0-9\_\-\.]+@[\a-zA-z0-9\_\-\.]+)", $author , $regs) ) {
 				$author = $regs[1];
diff -Nru wordpress/wp-pass.php wordpress-etch/wp-pass.php
--- wordpress-etch/wp-pass.php	2006-06-24 23:37:24.000000000 +0200
+++ wordpress-etch/wp-pass.php	2008-04-22 13:14:13.000000000 +0200
@@ -7,5 +7,5 @@
 // 10 days
 setcookie('wp-postpass_' . COOKIEHASH, $_POST['post_password'], time() + 864000, COOKIEPATH);
 
-wp_redirect(wp_get_referer());
-?>
\ No newline at end of file
+wp_safe_redirect(wp_get_referer());
+?>
diff -Nru wordpress/xmlrpc.php wordpress-etch/xmlrpc.php
--- wordpress-etch/xmlrpc.php	2007-03-26 01:06:28.000000000 +0200
+++ wordpress-etch/xmlrpc.php	2008-04-22 11:42:11.000000000 +0200
@@ -431,7 +431,7 @@
 	  if ( !current_user_can('edit_post', $post_ID) )
 	    return new IXR_Error(401, 'Sorry, you do not have the right to edit this post.');
 
-	  extract($actual_post);
+	  extract($actual_post, EXTR_SKIP);
 
 	  if ( ('publish' == $post_status) && !current_user_can('publish_posts') )
 	  	return new IXR_Error(401, 'Sorry, you do not have the right to publish this post.');
@@ -597,8 +597,8 @@
 	    return new IXR_Error(401, 'Sorry, you can not edit this post.');
 
 	  $postdata = wp_get_single_post($post_ID, ARRAY_A);
-	  extract($postdata);
 		$this->escape($postdata);
+		extract($postdata, EXTR_SKIP);
 
 	  $post_title = $content_struct['title'];
 	  $post_content = apply_filters( 'content_save_pre', $content_struct['description'] );
--- wordpress-etch/wp-includes/pluggable-functions.php
+++ wordpress-etch/wp-includes/pluggable-functions.php
@@ -120,8 +120,6 @@
 	if ( $userdata )
 		return $userdata;
 
-	$user_login = $wpdb->escape($user_login);
-
 	if ( !$user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE user_login = '$user_login'") )
 		return false;
 
@@ -259,28 +257,63 @@
 function wp_redirect($location, $status = 302) {
 	global $is_IIS;
 
+		$location = apply_filters('wp_redirect', $location, $status);
+
+	if ( !$location ) // allows the wp_redirect filter to cancel a redirect
+		return false;
+
+	$location = wp_sanitize_redirect($location);
+
+	if ( $is_IIS ) {
+		header("Refresh: 0;url=$location");
+	} else {
+		if ( php_sapi_name() != 'cgi-fcgi' )
+			status_header($status); // This causes problems on IIS and some FastCGI setups
+		header("Location: $location");
+	}
+}
+endif;
+
+if ( !function_exists('wp_sanitize_redirect') ) :
+/**
+* sanitizes a URL for use in a redirect
+* @return string redirect-sanitized URL
+**/
+function wp_sanitize_redirect($location) {
 	$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location);
+	$location = wp_kses_no_null($location);
 
-	// remove %0d and %0a from location
 	$strip = array('%0d', '%0a');
-	$found = true;
-	while($found) {
-		$found = false;
-		foreach($strip as $val) {
-			while(strpos($location, $val) !== false) {
-				$found = true;
-				$location = str_replace($val, '', $location);
-			}
-		}
-	}
+	$location = str_replace($strip, '', $location);
+
+	return $location;
+}
+endif;
+
+if ( !function_exists('wp_safe_redirect') ) :
+/**
+* performs a safe (local) redirect, using wp_redirect()
+* @return void
+**/
+function wp_safe_redirect($location, $status = 302) {
+
+	// Need to look at the URL the way it will end up in wp_redirect()
+	$location = wp_sanitize_redirect($location);
+
+	// browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
+	if ( substr($location, 0, 2) == '//' )
+		$location = 'http:' . $location;
+
+	$lp  = parse_url($location);
+	$wpp = parse_url(get_option('home'));
+
+	$allowed_hosts = (array) apply_filters('allowed_redirect_hosts', array($wpp['host']));
+
+	if ( isset($lp['host']) && ( !in_array($lp['host'], $allowed_hosts) && $lp['host'] != strtolower($wpp['host'])) )
+		$location = get_option('siteurl') . '/wp-admin/';
+	
+	wp_redirect($location, $status);
 
-	if ( $is_IIS ) {
-		header("Refresh: 0;url=$location");
-	} else {
-		if ( php_sapi_name() != 'cgi-fcgi' )
-			status_header($status); // This causes problems on IIS and some FastCGI setups
-		header("Location: $location");
-	}
 }
 endif;
 
@@ -522,4 +555,4 @@
 }
 endif;
 
-?>
\ No newline at end of file
+?>