- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 5.1 branch.
Built from https://develop.svn.wordpress.org/branches/5.1@46490
git-svn-id: http://core.svn.wordpress.org/branches/5.1@46288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The Site Health tool serves two purposes:
- Provide site owners with information to improve the performance, reliability, and security of their site.
- Collect comprehensive debug information about the site.
By encouraging site owners to maintain their site and adhere to modern best practices, we ultimately improve the software hygeine of both the WordPress ecosystem, and the open internet as a whole.
Props Clorith, hedgefield, melchoyce, xkon, karmatosed, jordesign, earnjam, ianbelanger, wpscholar, desrosj, pedromendonca, peterbooker, jcastaneda, garyj, soean, pento, timothyblynjacobs, zodiac1978, dgroddick, garrett-eclipse, netweb, tobifjellner, pixolin, afercia, joedolson, birgire.
See #46573.
Built from https://develop.svn.wordpress.org/branches/5.1@44984
git-svn-id: http://core.svn.wordpress.org/branches/5.1@44815 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Prior to this change, querying sites early in the bootstrap process could potentially cause a fatal error, since at that stage the filter to bail on updating site meta cache if the respective database table has not been installed yet is not hooked in yet. This changeset forces the filter to be added if that is not already the case.
Merges [44925] to the 5.1 branch.
Props spacedmonkey.
Fixes#46167.
Built from https://develop.svn.wordpress.org/branches/5.1@44927
git-svn-id: http://core.svn.wordpress.org/branches/5.1@44758 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `change` event was previously required to ensure that the Customizer picked detected changes to the widget's content and synced them to the preview. In the current state, though, the `trigger( 'change' )` is no longer required and is causing issues with the widget's “Done” and “Save” buttons.
Merges [44816] to the 5.1 branch.
Fixes#46335.
Props audrasjb, afercia, westonruter.
Built from https://develop.svn.wordpress.org/branches/5.1@44817
git-svn-id: http://core.svn.wordpress.org/branches/5.1@44649 1a063a9b-81f0-0310-95a4-ce76da25c4cd
A direct URL to where a user can update PHP for their website can now be specified in one of two ways:
- Defining the `WP_DIRECT_UPDATE_PHP_URL` environment variable.
- Returning a URL to the `wp_direct_php_update_url` filter.
When a URL is specified, an additional “Update PHP” button will be displayed at the bottom of the Core dashboard widget informing administrators that their site is running an outdated version of PHP (see [42832]).
Merges [44814] to the 5.1 branch.
Fixes#46074.
Props afragen, desrosj, lukecarbis.
Built from https://develop.svn.wordpress.org/branches/5.1@44815
git-svn-id: http://core.svn.wordpress.org/branches/5.1@44647 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Restores `public`, `archived`, `mature`, `spam`, `deleted`, `lang_id`, and `WPLANG` to the `$meta` data passed to `wpmu_new_blog`. This hook was deprecated in 5.1.0, but code using it still relies on this data.
Props davidbinda, pbiron.
Merges [44805] and [44806] to the 5.1 branch.
Fixes#46351.
Built from https://develop.svn.wordpress.org/branches/5.1@44807
git-svn-id: http://core.svn.wordpress.org/branches/5.1@44639 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Allows for themes or plugins setting the comment-reply JavaScript as a dependency of an HTML header script. This in turn causes `comment-reply.js` to be loaded early, requiring execution to be delayed.
Props pento, peterwilsoncc, jorbin for feedback.
Merges [44794] to the 5.1 branch.
Fixes#46280.
Built from https://develop.svn.wordpress.org/branches/5.1@44795
git-svn-id: http://core.svn.wordpress.org/branches/5.1@44627 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The filter is only run if the wordpress.org API considers the PHP version acceptable. This ensures that other plugins or hosting providers can only make this check stricter, but not loosen it.
Merges [44788] to the 5.1 branch.
Props j-falk, mikeschroder.
Fixes#46065.
Built from https://develop.svn.wordpress.org/branches/5.1@44789
git-svn-id: http://core.svn.wordpress.org/branches/5.1@44621 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit also moves the images to s.w.org, removes the old "Gutenberg has been deactivated" warning, as well as removing some old JS from About pages of years gone past.
Merges [44749] to the 5.1 branch.
Props melchoyce, ryelle, paaljoachim, karmatosed, pento.
Fixes#46161.
Built from https://develop.svn.wordpress.org/branches/5.1@44752
git-svn-id: http://core.svn.wordpress.org/branches/5.1@44584 1a063a9b-81f0-0310-95a4-ce76da25c4cd