diff -r 346c88efed21 -r 5e2f62d02dcd wp/wp-includes/class-IXR.php
--- a/wp/wp-includes/class-IXR.php Mon Jun 08 16:11:51 2015 +0000
+++ b/wp/wp-includes/class-IXR.php Tue Jun 09 03:35:32 2015 +0200
@@ -30,7 +30,7 @@
 * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * @package IXR
- * @since 1.5
+ * @since 1.5.0
 *
 * @copyright Incutio Ltd 2010 (http://www.incutio.com)
 * @version 1.7.4 7th September 2010
@@ -43,7 +43,7 @@
 * IXR_Value
 *
 * @package IXR
- * @since 1.5
+ * @since 1.5.0
 */
 class IXR_Value {
 var $data;
@@ -151,7 +151,7 @@
 /**
 * Checks whether or not the supplied array is a struct or not
 *
- * @param unknown_type $array
+ * @param array $array
 * @return boolean
 */
 function isStruct($array)
@@ -171,7 +171,7 @@
 * IXR_MESSAGE
 *
 * @package IXR
- * @since 1.5
+ * @since 1.5.0
 *
 */
 class IXR_Message
@@ -203,11 +203,44 @@
 {
 // first remove the XML declaration
 // merged from WP #10698 - this method avoids the RAM usage of preg_replace on very large messages
- $header = preg_replace( '/<\?xml.*?\?'.'>/', '', substr($this->message, 0, 100), 1);
- $this->message = substr_replace($this->message, $header, 0, 100);
- if (trim($this->message) == '') {
+ $header = preg_replace( '/<\?xml.*?\?'.'>/s', '', substr( $this->message, 0, 100 ), 1 );
+ $this->message = trim( substr_replace( $this->message, $header, 0, 100 ) );
+ if ( '' == $this->message ) {
+ return false;
+ }
+
+ // Then remove the DOCTYPE
+ $header = preg_replace( '/^]*+>/i', '', substr( $this->message, 0, 200 ), 1 );
+ $this->message = trim( substr_replace( $this->message, $header, 0, 200 ) );
+ if ( '' == $this->message ) {
+ return false;
+ }
+
+ // Check that the root tag is valid
+ $root_tag = substr( $this->message, 0, strcspn( substr( $this->message, 0, 20 ), "> \t\r\n" ) );
+ if ( 'message, '<' ) ) {
+ return false;
+ }
+
 $this->_parser = xml_parser_create();
 // Set XML parser to take the case of tags in to account
 xml_parser_set_option($this->_parser, XML_OPTION_CASE_FOLDING, false);
@@ -332,7 +365,7 @@
 $this->_arraystructs[count($this->_arraystructs)-1][] = $value;
 }
 } else {
- // Just add as a paramater
+ // Just add as a parameter
 $this->params[] = $value;
 }
 }
@@ -344,7 +377,7 @@
 * IXR_Server
 *
 * @package IXR
- * @since 1.5
+ * @since 1.5.0
 */
 class IXR_Server
 {
@@ -369,7 +402,11 @@
 {
 if (!$data) {
 if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] !== 'POST') {
- header('Content-Type: text/plain'); // merged from WP #9093
+ if ( function_exists( 'status_header' ) ) {
+ status_header( 405 ); // WP #20986
+ header( 'Allow: POST' );
+ }
+ header('Content-Type: text/plain'); // merged from WP #9093
 die('XML-RPC server accepts POST requests only.');
 }
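Review bot: In the hunk at -203, the new DOCTYPE strip only searches `substr( $this->message, 0, 200 )`, so a declaration that closes past byte 200 is left in the message and rejecting it depends entirely on the root-tag check that follows. The condition of that check is truncated on this page (the `if` after `$root_tag = ...`), as is the DOCTYPE pattern, so neither can be confirmed from here; a regression test that passes a message with a DOCTYPE longer than 200 bytes and expects `false` would pin the behaviour. The windows 100, 200 and 20 are unexplained, and a comment such as `// Only the first 200 bytes are searched; a longer DOCTYPE must fail the root-tag check below` would record the intent. The enclosing function starts above the hunk and continues below it.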
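Review bot: In the hunk at -369, the 405 status and the `Allow: POST` header are sent only when `status_header()` exists, so when this library runs without that function a non-POST request still gets the default status together with the plain-text body. `header()` accepts a response code as its third argument, so an `else` branch with `header( 'Allow: POST', true, 405 );` would give the same answer in both cases. The enclosing block starts above the hunk and continues below it.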
@@ -425,7 +462,7 @@
 // Perform the callback and send the response
 if (count($args) == 1) {
- // If only one paramater just send that instead of the whole array
+ // If only one parameter just send that instead of the whole array
 $args = $args[0];
 }
@@ -555,7 +592,7 @@
 * IXR_Request
 *
 * @package IXR
- * @since 1.5
+ * @since 1.5.0
 */
 class IXR_Request
 {
@@ -598,7 +635,7 @@
 * IXR_Client
 *
 * @package IXR
- * @since 1.5
+ * @since 1.5.0
 *
 */
 class IXR_Client
@@ -629,6 +666,10 @@
 if (!$this->path) {
 $this->path = '/';
 }
+
+ if ( ! empty( $bits['query'] ) ) {
+ $this->path .= '?' . $bits['query'];
+ }
 } else {
 $this->server = $server;
 $this->path = $path;
@@ -750,7 +791,7 @@
 * IXR_Error
 *
 * @package IXR
- * @since 1.5
+ * @since 1.5.0
 */
 class IXR_Error
 {
@@ -792,7 +833,7 @@
 * IXR_Date
 *
 * @package IXR
- * @since 1.5
+ * @since 1.5.0
 */
 class IXR_Date {
 var $year;
@@ -855,7 +896,7 @@
 * IXR_Base64
 *
 * @package IXR
- * @since 1.5
+ * @since 1.5.0
 */
 class IXR_Base64
 {
@@ -876,7 +917,7 @@
 * IXR_IntrospectionServer
 *
 * @package IXR
- * @since 1.5
+ * @since 1.5.0
 */
 class IXR_IntrospectionServer extends IXR_Server
 {
@@ -1039,7 +1080,7 @@
 * IXR_ClientMulticall
 *
 * @package IXR
- * @since 1.5
+ * @since 1.5.0
 */
 class IXR_ClientMulticall extends IXR_Client
 {
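Review bot: In the hunk at -629, `! empty( $bits['query'] )` treats the query string `0` as absent, so a URL ending in `?0` loses its query; `if ( isset( $bits['query'] ) && '' !== $bits['query'] ) {` keeps it. The value is also appended to `$this->path` without validation or encoding. Where the path is consumed is outside this hunk, but if it is written into the HTTP request line, a comment stating that the server URL must come from a trusted source, or a check that rejects whitespace in the query, would be worth adding. The enclosing block starts above the hunk and continues below it.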