Commit Graph

91 Commits

Author SHA1 Message Date
whyisjake
51d665a4a5 Backporting several bug fixes.
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory traversals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@46496


git-svn-id: http://core.svn.wordpress.org/branches/4.6@46293 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 19:02:25 +00:00
Peter Wilson
41a7a8e581 Multisite: Validate activation links.
Merges [44048] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@44057


git-svn-id: http://core.svn.wordpress.org/branches/4.6@43887 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 01:42:20 +00:00
Drew Jaynes
da78aeffe9 Docs: Apply inline @see tags to hooks referenced in DocBlocks in a variety of wp-includes/* files.
Applying these specially-crafted `@see` tags allows the Code Reference parser to recognize and link these elements as actions and filters.

See #36921.

Built from https://develop.svn.wordpress.org/trunk@37542


git-svn-id: http://core.svn.wordpress.org/trunk@37510 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-23 18:59:27 +00:00
Drew Jaynes
9cb5247392 Docs: Standardize filter docs in remaining wp-includes/* files to use third-person singular verbs per the inline documentation standards for PHP.
See #36913.

Built from https://develop.svn.wordpress.org/trunk@37518


git-svn-id: http://core.svn.wordpress.org/trunk@37486 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-22 18:50:28 +00:00
Drew Jaynes
f52a8cb1fa Docs: Remove/replace invalid inline @link tags in DocBlocks in wp-includes/*.
Fixes #36910.

Built from https://develop.svn.wordpress.org/trunk@37487


git-svn-id: http://core.svn.wordpress.org/trunk@37455 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-22 17:39:28 +00:00
Drew Jaynes
2459e4e880 Docs: Remove backticks from the DocBlock summary for WP::$request, added in [37356].
Markdown formatting is not supported in DocBlock summaries, per the inline documentation standards for PHP :-)

See #32246. See #36674.

Built from https://develop.svn.wordpress.org/trunk@37366


git-svn-id: http://core.svn.wordpress.org/trunk@37332 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-05 20:03:27 +00:00
Eric Lewis
98d5d4919c Rewrite Rules: Add self-describing variables to rewrite matcher.
The rewrite rule matching code in WP::parse_request() used an unclear variable `$request` to represent the requested path (e.g. "2016/05/03") as well as a deceptively named variable `$request_uri`, which actually represents the requested file when an install used PATHINFO links. 

Those variables are replaced with `$requested_path` and `$requested_file` respectively for clarity.

Fixes #36674.

Built from https://develop.svn.wordpress.org/trunk@37356


git-svn-id: http://core.svn.wordpress.org/trunk@37322 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-03 19:36:28 +00:00
Drew Jaynes
745ae9915f Docs: Improve the DocBlock summary for WP::remove_query_var(), introduced in [36177].
See #35234. See #35986.

Built from https://develop.svn.wordpress.org/trunk@36900


git-svn-id: http://core.svn.wordpress.org/trunk@36868 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-09 17:05:29 +00:00
Dominik Schilling
e5ea82d81a Spelling: Standardize on "front end"/"back end" (noun) and "front-end"/"back-end" (adjective).
Props obrienlabs, thewanderingbrit.
Fixes #34887.
Built from https://develop.svn.wordpress.org/trunk@36709


git-svn-id: http://core.svn.wordpress.org/trunk@36676 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-25 12:53:27 +00:00
Dominik Schilling
724ccb492f In WP::handle_404() introduce a filter pre_handle_404 to short-circuit default header status handling.
This comes in handy if you use WordPress without posts, meaning `$wp_query` contains no results.

Props prettyboymp, hakre, prettyboymp, Denis-de-Bernardy, ethitter, ocean90.
Fixes #10722.
Built from https://develop.svn.wordpress.org/trunk@36629


git-svn-id: http://core.svn.wordpress.org/trunk@36596 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-23 16:08:25 +00:00
Boone Gorges
48b8ea78da Introduce publicly_queryable taxonomy argument.
Taxonomies registered as `publicly_queryable` can be queried as taxonomy
archives.

If not provided explicitly, the value of `publicly_queryable` is inherited
from `public`.

Props Chouby.
Fixes #34491.
Built from https://develop.svn.wordpress.org/trunk@36525


git-svn-id: http://core.svn.wordpress.org/trunk@36492 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-13 03:51:26 +00:00
Drew Jaynes
1e1d1375b0 Docs: Add missing @access tags to DocBlocks for WP class methods and properties.
See #32246.

Built from https://develop.svn.wordpress.org/trunk@36365


git-svn-id: http://core.svn.wordpress.org/trunk@36332 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-20 18:19:27 +00:00
Pascal Birchler
85bb9aa5fb Query: Add a WP::remove_query_var() helper function.
This makes cleaning up public query vars easier.

Fixes #35234.
Built from https://develop.svn.wordpress.org/trunk@36177


git-svn-id: http://core.svn.wordpress.org/trunk@36144 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-05 20:57:28 +00:00
Gary Pendergast
dbf5d782ad Query: Remove title from the public query vars list.
[33706] added `title` as a public query var, but there's not really a practical need for this, and it interferes with any plugin that uses `title` as a query var for itself.

Props tyxla.

Fixes #35115 for trunk.


Built from https://develop.svn.wordpress.org/trunk@36034


git-svn-id: http://core.svn.wordpress.org/trunk@35999 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-21 00:43:27 +00:00
Pascal Birchler
7b6c596e92 In WP::handle_404(), make sure $wp_query->post is a WP_Post object before cloning it.
Props igmoweb for initial patch.
See #35013.
Built from https://develop.svn.wordpress.org/trunk@35994


git-svn-id: http://core.svn.wordpress.org/trunk@35959 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-17 18:13:29 +00:00
John Blackbourn
a027edc277 Comments: The year is 2003. Permalinks are a new thing and everyone's using Blogger. It's a time when opening a modal window in JavaScript to view a section of a website is not a completely weird thing, although many users get annoyed by it. b2 has recently become WordPress, and with it comes a bunch of functionality that will become stale over the next decade, remnants of simpler times.
Twelve years later, after no fewer than three themes have intentionally implemented popup comments in their functionality, before being abandoned for at least the last six years, we've reached a time where we can put this era behind us. A time when we can remove comment popup functionality from WordPress.

If this breaks the internet, I'll eat my hat.

Fixes #28617

Built from https://develop.svn.wordpress.org/trunk@35848


git-svn-id: http://core.svn.wordpress.org/trunk@35812 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-10 03:06:30 +00:00
Gary Pendergast
8be4a22f82 Embeds: Who put this REST API infrastructure in my WordPress?
Well, while it's here, we probably should make use of it. The oEmbed endpoint now uses the REST API infrastructure, instead of providing its own.

Props swissspidy.

Fixes #34207.


Built from https://develop.svn.wordpress.org/trunk@35436


git-svn-id: http://core.svn.wordpress.org/trunk@35400 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-29 22:51:24 +00:00
Boone Gorges
9088df3fee Prevent non-public taxonomies from registering a query var.
[34247] made the 'public' parameter of `register_taxonomy()` work by blocking
requests for non-public taxonomy archives during `parse_request()`. Blocking
taxonomy archive requests this late means that it's impossible to register an
independent query var that matches the slug of a non-public taxonomy. By
moving the block to `register_taxonomy()` - not allowing these taxonomies to
register their query vars in the first place - we free up the slug for other
use. In addition, we free up a bit of processing (no need to look for the query
var in `parse_request()`) and better parallel the way non-public post types
work. See `register_post_type()`.

Non-public taxonomy archives that are requested using `?taxonomy=tax_name` are
still blocked during `parse_request`. It's only custom query vars -
`?tax_name=term` - that are affected by this change.

Props mboynes.
Fixes #21949.
Built from https://develop.svn.wordpress.org/trunk@35333


git-svn-id: http://core.svn.wordpress.org/trunk@35299 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-21 16:54:24 +00:00
Sergey Biryukov
2d540d0280 In WP::parse_request() and url_to_postid(), don't skip objects that have a post status with 'exclude_from_search' => false, e.g. inherit.
This fixes pretty permalinks for attachments, broken in [35195].

Fixes #21970.
Built from https://develop.svn.wordpress.org/trunk@35205


git-svn-id: http://core.svn.wordpress.org/trunk@35171 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-15 17:53:24 +00:00
Sergey Biryukov
8a6d07f596 In WP::parse_request() and url_to_postid(), if a post slug clashes with a trashed page, return the post instead of the page.
Props kovshenin, SergeyBiryukov, igmoweb.
Fixes #21970.
Built from https://develop.svn.wordpress.org/trunk@35195


git-svn-id: http://core.svn.wordpress.org/trunk@35161 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-15 06:49:25 +00:00
Gary Pendergast
83c3e3e00e Embeds: Add oEmbed provider support.
For the past 6 years, WordPress has operated as an oEmbed consumer, allowing users to easily embed content from other sites. By adding oEmbed provider support, this allows any oEmbed consumer to embed posts from WordPress sites.

In addition to creating an oEmbed provider, WordPress' oEmbed consumer code has been enhanced to work with any site that provides oEmbed data (as long as it matches some strict security rules), and provides a preview from within the post editor.

For security, embeds appear within a sandboxed iframe - the iframe content is a template that can be styled or replaced entirely by the theme on the provider site.

Props swissspidy, pento, melchoyce, netweb, pfefferle, johnbillion, extendwings, davidbinda, danielbachhuber, SergeyBiryukov, afercia

Fixes #32522.


Built from https://develop.svn.wordpress.org/trunk@34903


git-svn-id: http://core.svn.wordpress.org/trunk@34868 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-07 10:36:25 +00:00
Drew Jaynes
9c46736476 Docs: Fix some syntactical issues in the DocBlock for WP::send_headers() following [34632].
See #20226. See #32246.

Built from https://develop.svn.wordpress.org/trunk@34635


git-svn-id: http://core.svn.wordpress.org/trunk@34599 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-27 18:49:29 +00:00
Scott Taylor
8272a839cd Update the docs in WP to explain the need to do [34476].
Fixes #20226.

Built from https://develop.svn.wordpress.org/trunk@34632


git-svn-id: http://core.svn.wordpress.org/trunk@34596 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-27 18:28:24 +00:00
Scott Taylor
b45178379b After [34492], no need to import the global instance when we are, in fact, currently, that instance.
See #11694.

Built from https://develop.svn.wordpress.org/trunk@34494


git-svn-id: http://core.svn.wordpress.org/trunk@34458 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-24 14:20:24 +00:00
Scott Taylor
175d476b0e Canonical/Rewrite: sanity check posts that are paged with <!--nextpage-->. Page numbers past the max number of pages are returning the last page of content and causing infinite duplicate content.
Awesome rewrite bug: the `page` query var was being set to `'/4'` in `$wp`. When cast to `int`, it returns `0` (Bless you, PHP). `WP_Query` calls `trim( $page, '/' )` when setting its own query var. The few places that were checking `page` before posts were queried now have sanity checks, so that these changes work without flushing rewrites.

Adds/updates unit tests.

Props wonderboymusic, dd32.
See #11694.

Built from https://develop.svn.wordpress.org/trunk@34492


git-svn-id: http://core.svn.wordpress.org/trunk@34456 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-24 14:04:24 +00:00
Scott Taylor
7a154ca666 WP: after [34443], calling get_queried_object() messes up unit tests. We can just clone the $post prop and call it a day.
Fixes #20226.

Built from https://develop.svn.wordpress.org/trunk@34476


git-svn-id: http://core.svn.wordpress.org/trunk@34440 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-24 03:54:24 +00:00
Scott Taylor
4cdd0b1688 PINGBACKS: After [34442], switch to is_singular() to check attachments and pages as well.
See #20226.

Built from https://develop.svn.wordpress.org/trunk@34443


git-svn-id: http://core.svn.wordpress.org/trunk@34407 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-22 19:10:29 +00:00
Scott Taylor
3bbd53c717 PINGBACKS: rather than sending the X-Pingback HTTP header on every single request for fun, perhaps only send it on single posts with pings open.
See #20226.

Built from https://develop.svn.wordpress.org/trunk@34442


git-svn-id: http://core.svn.wordpress.org/trunk@34406 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-22 18:47:25 +00:00
Boone Gorges
471fc6d9a5 Allow taxonomies to be non-public.
[13216] introduced the 'public' argument for `register_taxonomy()`. This param
was used to set defaults for 'show_ui' and a number of other params, but it
never did anything itself.

With this changeset, taxonomies registered with `public=false` will no longer
be queryable on the front end, i.e. via taxonomy archive queries.

Props wpsmith, ocean90, nacin, ericlewis, boonebgorges.
Fixes #21949.
Built from https://develop.svn.wordpress.org/trunk@34247


git-svn-id: http://core.svn.wordpress.org/trunk@34211 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-16 19:05:23 +00:00
Scott Taylor
8573a86def In WP::parse_request(), don't add query vars of non-viewable post types to WP::public_query_vars. In register_post_type(), don't add query vars of non-viewable post types to WP::public_query_vars.
In `_unregister_post_type()` (unit tests), don't add query vars of non-viewable post types to `WP::public_query_vars`.

Adds unit test.

Fixes #30018.

Built from https://develop.svn.wordpress.org/trunk@34215


git-svn-id: http://core.svn.wordpress.org/trunk@34179 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-15 18:54:30 +00:00
Scott Taylor
ef87172270 foreach is a statement, not a function.
See #33491.

Built from https://develop.svn.wordpress.org/trunk@33734


git-svn-id: http://core.svn.wordpress.org/trunk@33702 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-25 20:28:22 +00:00
Scott Taylor
523b51a359 Query:
Add a query var, `title`, that allows you to query posts by `post_title`. To accomplish this now, you have to do something like:

{{{
$tacos = get_posts( [
  'post_type' => 'taco',
  's' => $name,
  'exact' => true,
  'sentence' => true,
  'post_status' => 'publish',
  'fields' => 'ids',
  'posts_per_page' => 1
] );
}}}

Adds unit tests.

Fixes #33074.

Built from https://develop.svn.wordpress.org/trunk@33706


git-svn-id: http://core.svn.wordpress.org/trunk@33673 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-22 16:59:26 +00:00
Scott Taylor
1fd0dcbc9e Ensure that feeds are served with the proper Content-Type HTTP header.
Props stevenkword.
Fixes #32024.

Built from https://develop.svn.wordpress.org/trunk@33658


git-svn-id: http://core.svn.wordpress.org/trunk@33625 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-20 06:10:24 +00:00
Dominik Schilling
0549150843 Parse request: Quote regular expression characters in home path.
Adds unit tests.

props akirk.
fixes #30438.
Built from https://develop.svn.wordpress.org/trunk@32708


git-svn-id: http://core.svn.wordpress.org/trunk@32678 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-08 13:29:26 +00:00
Boone Gorges
ebac76facc When parsing what appears to be a date archive request, check for a post with a clashing permalink before resolving to the archive.
A URL like `example.com/2015/05/15/` generally resolves to the May 15, 2015 date
archive. But in certain cases, it could also be the permalink of a post with
the slug `'2015'`. When a conflict of this sort is detected, resolve to the post
instead of the archive.

URL conflicts of this sort should no longer occur for new posts; see [32647].

Props valendesigns, boonebgorges, Denis-de-Bernardy.
Fixes #5305.
Built from https://develop.svn.wordpress.org/trunk@32648


git-svn-id: http://core.svn.wordpress.org/trunk@32618 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-29 13:10:24 +00:00
Scott Taylor
f217f8c5d2 Add missing doc blocks in class-wp.php.
See #32444.

Built from https://develop.svn.wordpress.org/trunk@32551


git-svn-id: http://core.svn.wordpress.org/trunk@32521 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-22 20:05:25 +00:00
Scott Taylor
cde4c83091 [31210] broke Supportflow on dotorg, which declares these methods as protected. Switch to protected for the noop methods. The subclasses can make them more visible using public.
See #30799.

Built from https://develop.svn.wordpress.org/trunk@31211


git-svn-id: http://core.svn.wordpress.org/trunk@31192 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-16 18:37:24 +00:00
Scott Taylor
eab3aa7802 In WP_MatchesMapRegex:
* Exactly one method was made private in [28516], and is only used internally.
* 2 properties were made private, but they just store variables passed to the constructor.
* Instances of this class are never created in core. `WP_MatchesMapRegex::apply()` is called statically in `WP->parse_request()` and `url_to_postid()`. 

The chances that: 
1) this class is used as an instance somewhere and 
2) the properties that have always been marked `@access private` and begin with `_` were used publicly

...is extremely low.

Remove the magic methods, I should not have added them.

While we're at it, use the PHP5-style `__construct()` instead of the class name.

See #30891.

Built from https://develop.svn.wordpress.org/trunk@31136


git-svn-id: http://core.svn.wordpress.org/trunk@31117 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-10 23:27:21 +00:00
Scott Taylor
60b0cd7943 The keyword elseif should be used instead of else if so that all control keywords look like single words.
This was a mess, is now standardized across the codebase, except for a few 3rd-party libs. 

See #30799.

Built from https://develop.svn.wordpress.org/trunk@31090


git-svn-id: http://core.svn.wordpress.org/trunk@31071 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-08 07:05:25 +00:00
Drew Jaynes
c4b9da857a Using let's properly in inline comments lets us move on to more pressing matters of inline documentation.
Props trepmal.
Fixes #30570.

Built from https://develop.svn.wordpress.org/trunk@30703


git-svn-id: http://core.svn.wordpress.org/trunk@30693 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-02 04:43:22 +00:00
Drew Jaynes
f8657d5890 Remove redundant and erroneous @uses tag from most core inline documentation.
Per our inline documentation standards, no further use of the `@uses` tag is recommended as used and used-by relationships can be derived through other means. This removes most uses of the tag in core documentation, with remaining tags to be converted to `@global` or `@see` as they apply.

Fixes #30191.

Built from https://develop.svn.wordpress.org/trunk@30105


git-svn-id: http://core.svn.wordpress.org/trunk@30105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-30 01:05:24 +00:00
Drew Jaynes
a8583d5f19 Fix some words that aren't words.
See #28885.

Built from https://develop.svn.wordpress.org/trunk@29454


git-svn-id: http://core.svn.wordpress.org/trunk@29232 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-08-09 19:30:17 +00:00
Sergey Biryukov
47119960de Don't 404 for empty feeds.
fixes #18505.
Built from https://develop.svn.wordpress.org/trunk@29216


git-svn-id: http://core.svn.wordpress.org/trunk@29000 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-17 22:22:15 +00:00
Drew Jaynes
71eb75a159 Fill out inline documentation for magic methods added to the WP_MatchesMapRegex class in [28516].
See #27881, #22234 and #28885.

Built from https://develop.svn.wordpress.org/trunk@29142


git-svn-id: http://core.svn.wordpress.org/trunk@28926 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-13 23:39:14 +00:00
Scott Taylor
85f73cf458 Classes that have __set() also need __isset() and __unset().
See #27881, #22234.

Built from https://develop.svn.wordpress.org/trunk@28524


git-svn-id: http://core.svn.wordpress.org/trunk@28350 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-19 06:52:14 +00:00
Scott Taylor
821246b4ae Some classes with __get() method also need __set().
See #27881, #22234.

Built from https://develop.svn.wordpress.org/trunk@28521


git-svn-id: http://core.svn.wordpress.org/trunk@28347 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-19 06:31:15 +00:00
Scott Taylor
dc24cef605 Add missing access modifiers to methods in WP and WP_MatchesMapRegex. Add magic __call() and __get() methods to WP_MatchesMapRegex for BC.
See #27881, #22234.

Built from https://develop.svn.wordpress.org/trunk@28516


git-svn-id: http://core.svn.wordpress.org/trunk@28342 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-19 06:12:14 +00:00
Andrew Nacin
3eb91d047c Add post_parent to the private query vars list. Fixes detached media queries.
props SergeyBiryukov.
fixes #27532.

Built from https://develop.svn.wordpress.org/trunk@27782


git-svn-id: http://core.svn.wordpress.org/trunk@27618 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-27 16:37:16 +00:00
Andrew Nacin
86843194b8 Revert [27738] as the patient exhibited side effects. see #23862.
Built from https://develop.svn.wordpress.org/trunk@27768


git-svn-id: http://core.svn.wordpress.org/trunk@27605 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-27 01:31:15 +00:00
Andrew Nacin
f5999e5d50 WP class: Remove duplication of the post_type query var, also specified as a public QV.
props prettyboymp.
fixes #23862.

Built from https://develop.svn.wordpress.org/trunk@27738


git-svn-id: http://core.svn.wordpress.org/trunk@27575 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-26 14:45:16 +00:00