Commit Graph

1343 Commits

Author SHA1 Message Date
whyisjake
1fcbdb46e6 Backporting several bug fixes.
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory traversals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
- Customizer: Properly sanitize background images.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@46500


git-svn-id: http://core.svn.wordpress.org/branches/4.2@46297 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 19:15:22 +00:00
Jeremy Felt
f91b78ec58 Media: Improve verification of MIME file types.
Merges [43988] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@43998


git-svn-id: http://core.svn.wordpress.org/branches/4.2@43830 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:18:20 +00:00
John Blackbourn
ef0bb8bab1 Media: Limit thumbnail file deletions to the same directory as the original file.
Merges [43393] into the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@43400


git-svn-id: http://core.svn.wordpress.org/branches/4.2@43228 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 15:06:23 +00:00
John Blackbourn
64c1ec2877 Hardening: Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.
Merges [42261] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@42295


git-svn-id: http://core.svn.wordpress.org/branches/4.2@42124 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:35:01 +00:00
Joe McGill
073c7e6092 Media: Fix exif_imagetype check in wp_get_image_mime
This is a follow up to [39831].

Merges [39850] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@39856


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39793 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 16:43:32 +00:00
Joe McGill
99f9d45c10 Media: Improve image filetype checking.
This adds a new function `wp_get_image_mime()` which is used by
`wp_check_filetype_and_ext()` to validate image files using
`exif_imagetype()` if available instead of `getimagesize()`.

`getimagesize()` is less performant than `exif_imagetype()` and is
dependent on GD. If `exif_imagetype()` is not available, it falls back to
`getimagesize()` as before.

If `wp_check_filetype_and_ext()` can't validate the filetype, we now return
`false` for ext/MIME values.

Merges [39831] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@39837


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39775 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 13:18:29 +00:00
Gary Pendergast
024e7bbd46 Revert [30640], as it was incorrectly checking some filenames.
Built from https://develop.svn.wordpress.org/trunk@32171


git-svn-id: http://core.svn.wordpress.org/trunk@32146 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-20 06:39:25 +00:00
Dominik Schilling
64fc7294b6 Use HTTPS URLs for codex.wordpress.org.
see #27115.
Built from https://develop.svn.wordpress.org/trunk@32116


git-svn-id: http://core.svn.wordpress.org/trunk@32095 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-12 21:29:32 +00:00
Gary Pendergast
acef02f060 Smilies: One more tweak to matching smilies with emoji.
Props iseulde.

See #31709.


Built from https://develop.svn.wordpress.org/trunk@32107


git-svn-id: http://core.svn.wordpress.org/trunk@32086 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-11 02:17:29 +00:00
Gary Pendergast
56f59c2ad7 Smilies: Tweak which smiley matches which emoji.
Props iseulde.

See #31709.


Built from https://develop.svn.wordpress.org/trunk@32105


git-svn-id: http://core.svn.wordpress.org/trunk@32084 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-10 06:30:26 +00:00
Gary Pendergast
b7c7882d1c Smilies: Update our few remaining smilies to better align with Twemoji, and add frownie.png until Twemoji provide a build containing it.
Props joen.

See #31709.


Built from https://develop.svn.wordpress.org/trunk@32104


git-svn-id: http://core.svn.wordpress.org/trunk@32083 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-10 06:20:26 +00:00
Boone Gorges
481352bd2e Avoid the use of array_replace() in add_query_arg().
`array_replace()` was introduced in PHP 5.3+. Instead, we walk the array manually.

See [31966].

Fixes #31306.
Built from https://develop.svn.wordpress.org/trunk@31967


git-svn-id: http://core.svn.wordpress.org/trunk@31946 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-01 19:40:26 +00:00
Scott Taylor
c113cb5130 Respect numerical keys in add_query_arg(), use array_replace() instead of array_merge().
Adds unit test.

Props tyxla.
Fixes #31306.

Built from https://develop.svn.wordpress.org/trunk@31966


git-svn-id: http://core.svn.wordpress.org/trunk@31945 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-01 19:15:31 +00:00
Drew Jaynes
79f58d9d40 Clarify the DocBlock summary for wp_scheduled_delete() to mention that it includes posts of any type where the 'trash' status is used.
Props dkotter for the initial patch.
Fixes #31757.

Built from https://develop.svn.wordpress.org/trunk@31891


git-svn-id: http://core.svn.wordpress.org/trunk@31870 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-03-25 22:45:27 +00:00
Andrew Ozz
64f1a8a992 TinyMCE: fix error and PHP warning when adding more than one instance in RTL mode.
Part props maimairel. Fixes #31578.
Built from https://develop.svn.wordpress.org/trunk@31874


git-svn-id: http://core.svn.wordpress.org/trunk@31853 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-03-24 20:33:27 +00:00
Gary Pendergast
46e2a65cf1 Add emoji support, with Twemoji fallback.
Replace existing smilies with equivalent emoji, or with shiny new smiley images where no emoji existed.

Props batmoo, joen and mkaz for the original plugin upon which this is based.

Props pento, iseulde, kraftbj and peterwilsoncc for making the internet's dreams come true.

See #31242


Built from https://develop.svn.wordpress.org/trunk@31733


git-svn-id: http://core.svn.wordpress.org/trunk@31714 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-03-11 22:49:28 +00:00
Drew Jaynes
a49cd7851b Add an entry to the changelog for wp_get_mime_types() mentioning that GIMP (xcf) file support was added in 4.2.
See [31578].
Fixes #31146.

Built from https://develop.svn.wordpress.org/trunk@31590


git-svn-id: http://core.svn.wordpress.org/trunk@31571 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-03-01 07:10:26 +00:00
Scott Taylor
7994009296 Support GIMP files in the Media Library. We already support Photoshop files.
Props MikeHansenMe.
Fixes #31146.

Built from https://develop.svn.wordpress.org/trunk@31578


git-svn-id: http://core.svn.wordpress.org/trunk@31559 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-02-27 19:47:25 +00:00
Scott Taylor
f6b1b01ecd Make a new function, wp_delete_file(). Use it.
Props scribu, wonderboymusic.
Fixes #17864.

Built from https://develop.svn.wordpress.org/trunk@31575


git-svn-id: http://core.svn.wordpress.org/trunk@31556 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-02-27 16:51:25 +00:00
Scott Taylor
7cb45f2402 Don't call the size function count() as part of a test condition in loops. Compute the size beforehand, and not on each iteration.
Scrutinizer added a Performance label: these are the only violations.

See #30799.

Built from https://develop.svn.wordpress.org/trunk@31554


git-svn-id: http://core.svn.wordpress.org/trunk@31535 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-02-26 05:48:24 +00:00
Boone Gorges
6505278ea7 Improve documentation for return value of wp_list_pluck().
`wp_list_pluck()` will preserve the original array keys if no `$index_key`
parameter is provided. This changeset updates the documentation accordingly.

Props adamsilverstein.
Fixes #31316.
Built from https://develop.svn.wordpress.org/trunk@31451


git-svn-id: http://core.svn.wordpress.org/trunk@31432 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-02-13 16:52:27 +00:00
Scott Taylor
bc55996a0b @param cleanup:
* `get_metadata()` will return literally anything, needs to be `mixed`
* `wp()` and `WP_Query::__construct()` no longer just take a query string
* Clarify a few others

See #30799.

Built from https://develop.svn.wordpress.org/trunk@31212


git-svn-id: http://core.svn.wordpress.org/trunk@31193 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-16 19:03:23 +00:00
Drew Jaynes
f2bc30c03f Ensure we're using the correct @ignore phpDocumentor tag to mark elements that should be skipped when parsing.
Up to this point, various core elements' DocBlocks incorrectly included an `@internal` tag as a means for skipping the parsing process. When paired with a description (inline or otherwise), `@internal` is a valid tag meant to provide internal-only context, but not necessarily to skip parsing the entire element.

See #30987.

Built from https://develop.svn.wordpress.org/trunk@31170


git-svn-id: http://core.svn.wordpress.org/trunk@31151 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-13 00:51:21 +00:00
Scott Taylor
ac654632fe Use PHP_SAPI constant instead of php_sapi_name() in iis7_supports_permalinks(), wp_fix_server_vars(), and wp_redirect().
See #30799.

Built from https://develop.svn.wordpress.org/trunk@31120


git-svn-id: http://core.svn.wordpress.org/trunk@31101 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-10 04:59:22 +00:00
Scott Taylor
60b0cd7943 The keyword elseif should be used instead of else if so that all control keywords look like single words.
This was a mess, is now standardized across the codebase, except for a few 3rd-party libs. 

See #30799.

Built from https://develop.svn.wordpress.org/trunk@31090


git-svn-id: http://core.svn.wordpress.org/trunk@31071 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-08 07:05:25 +00:00
Scott Taylor
29cd3fa5bf PHP keywords and constants "true", "false", "null" should be in lower case - there was one lingering capitalized false in _http_build_query().
See #30799.

Built from https://develop.svn.wordpress.org/trunk@31086


git-svn-id: http://core.svn.wordpress.org/trunk@31067 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-08 06:14:23 +00:00
Gary Pendergast
e6a74136f9 size_format() incorrectly included a trailing space for B values: less than 1024 bytes.
Also add a unit test to check for this, so we don't do it again.

Fixes #30908.

Props tillkruess.
 

Built from https://develop.svn.wordpress.org/trunk@31052


git-svn-id: http://core.svn.wordpress.org/trunk@31033 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-05 13:13:23 +00:00
Scott Taylor
be59efcfbf ImageMagick expects TIFF files to have .tiff as an extension, so the key in wp_get_mime_types() should be 'tiff|tif' not 'tif|tiff' so the proper extension is returned in WP_Image_Editor->get_extension() subclass invocations.
Fixes #30211.

Built from https://develop.svn.wordpress.org/trunk@31044


git-svn-id: http://core.svn.wordpress.org/trunk@31025 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-04 03:09:22 +00:00
Scott Taylor
a0df295f5c Improve various @param docs.
See #30224.

Built from https://develop.svn.wordpress.org/trunk@30674


git-svn-id: http://core.svn.wordpress.org/trunk@30664 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-30 23:24:25 +00:00
Drew Jaynes
bffe95d34c Docs Formatting: Backtick-escape inline code for all remaining dynamic hook docs in wp-includes/*.
Affects DocBlocks for the following hooks:
* `auth_post_meta_{$meta_key}`
* `term_links-$taxonomy`
* `customize_render_control_ . $this->id`
* `customize_render_panel_{$this->id}`
* `customize_render_section_{$this->id}`
* `customize_preview_{$this->id}`
* `customize_save_ . $this->id_data[ 'base' ]`
* `customize_update_ . $this->type`
* `customize_value_ . $this->id_data[ 'base' ]`
* `customize_sanitize_js_{$this->id}`
* `comment_form_field_{$name}`
* `comment_{$old_status}_to_{$new_status}`
* `comment_{$new_status}_{$comment->comment_type}`
* `extra_{$context}_headers`
* `get_template_part_{$slug}`
* `get_the_generator_{$type}`
* `get_{$adjacent}_post_join`
* `get_{$adjacent}_post_where`
* `get_{$adjacent}_post_sort`
* `{$adjacent}_post_rel_link`
* `{$adjacent}_post_link`
* `{$adjacent}_image_link`
* `blog_option_{$option}`
* `$permastructname . _rewrite_rules`
* `{$type}_template`
* `theme_mod_{$name}`
* `pre_set_theme_mod_$name`
* `current_theme_supports-{$feature}`
* `get_user_option_{$option}`
* `edit_user_{$field}`
* `pre_user_{$field}`
* `user_{$field}`

See #30552.

Built from https://develop.svn.wordpress.org/trunk@30656


git-svn-id: http://core.svn.wordpress.org/trunk@30646 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-30 12:10:23 +00:00
Scott Taylor
4718bf4f76 Adjust the RegEx in wp_check_filetype() to be aware that query strings are a thing that exists sometimes in URLs.
Adds unit tests.

Props voldemortensen.
Fixes #30377.

Built from https://develop.svn.wordpress.org/trunk@30640


git-svn-id: http://core.svn.wordpress.org/trunk@30630 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-30 06:33:23 +00:00
Drew Jaynes
a1f244d454 Improve line-wrapping and formatting in the DocBlock for wp_send_json_error().
See #30469.

Built from https://develop.svn.wordpress.org/trunk@30614


git-svn-id: http://core.svn.wordpress.org/trunk@30604 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-28 11:39:22 +00:00
Drew Jaynes
68432b0cd1 4.1 Docs Audit: Ensure optional arguments in wp_json_encode() are properly documented as such.
See #30469.

Built from https://develop.svn.wordpress.org/trunk@30613


git-svn-id: http://core.svn.wordpress.org/trunk@30603 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-28 11:36:23 +00:00
Gary Pendergast
a62fc4e4e5 When json_encode() returns a JSON string containing 'null' in PHP 5.4 or earlier, wp_json_encode() will now sanity check the data, as older versions of PHP failed to encode non UTF-8 characters correctly, instead returning 'null'.
Fixes #30471.

Built from https://develop.svn.wordpress.org/trunk@30561


git-svn-id: http://core.svn.wordpress.org/trunk@30550 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-25 05:01:23 +00:00
Drew Jaynes
07c58f5cca Ensure inline code is markdown-escaped as such, HTML tags are removed from summaries, and that code snippets in descriptions are properly indented.
Affects DocBlocks for the following core elements:
* Markdown-indent a code snippet in the description for `_deprecated_argument()`
* Markdown-indent a code snippet in the description for `wp_localize_script()`
* Backtick-escape HTML tags in two parameter descriptions for `wp_register()`
* Various DocBlock formatting in the description for `get_bloginfo()`
* Remove HTML tag from the summary for `_wp_render_title_tag()`
* Backtick-escape a HTML tag in the description for `get_archives_link()`
* Markdown-indent a code snippet in the description for `wp_admin_css_color()`
* Markdown-indent a code snippet in the description for the `welcome_panel` hook

Props rarst.
See #30473.

Built from https://develop.svn.wordpress.org/trunk@30541


git-svn-id: http://core.svn.wordpress.org/trunk@30530 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-24 05:39:22 +00:00
Drew Jaynes
0fb8811fb6 Improve return description for get_file_data() documentation.
Also convert an incorrect use of `@see` to `@link`.

Props 5um17 for the initial patch.
Fixes #30466.

Built from https://develop.svn.wordpress.org/trunk@30532


git-svn-id: http://core.svn.wordpress.org/trunk@30521 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-23 17:57:22 +00:00
John Blackbourn
b66c58f76a Update the inline docs for wp_die() to reflect parameter changes made in r30355
See #10551

Built from https://develop.svn.wordpress.org/trunk@30507


git-svn-id: http://core.svn.wordpress.org/trunk@30496 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-21 17:08:23 +00:00
John Blackbourn
53a9e3b420 Add support for WP_Error objects passed to wp_send_json_error(). The error object gets output as an array of error codes and messages, rather than as an empty object.
Fixes #28978
Props paulschreiber

Built from https://develop.svn.wordpress.org/trunk@30506


git-svn-id: http://core.svn.wordpress.org/trunk@30495 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-21 16:56:23 +00:00
Drew Jaynes
5943966b69 Ensure the mixed type of string|int is reflected on the $title parameter in wp_die().
The ability to pass an error code as short-hand to the `$title` and `$args` parameters was added in r30355. Changes also include cleaned-up formatting and line-wraps for other documentation in the DocBlock.

See [30355]. Fixes #10551.

Built from https://develop.svn.wordpress.org/trunk@30379


git-svn-id: http://core.svn.wordpress.org/trunk@30376 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-18 16:47:23 +00:00
John Blackbourn
d88ed475b0 Switch to a 403 response code in places where it is more appropriate than a 500 due to permissions errors.
Fixes #10551
Props nacin

Built from https://develop.svn.wordpress.org/trunk@30356


git-svn-id: http://core.svn.wordpress.org/trunk@30355 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-16 06:16:22 +00:00
John Blackbourn
5f30f13780 Allow the response code to be passed as a shorthand to the $title or $args parameter of wp_die(), for brevity.
See #10551 and #11286
Props nacin

Built from https://develop.svn.wordpress.org/trunk@30355


git-svn-id: http://core.svn.wordpress.org/trunk@30354 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-16 06:11:22 +00:00
Boone Gorges
89526ca7f1 Ignore case when checking string 'false' in wp_validate_boolean().
Props TobiasBg, kitchin.
Fixes #30238.
Built from https://develop.svn.wordpress.org/trunk@30207


git-svn-id: http://core.svn.wordpress.org/trunk@30207 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-03 15:55:23 +00:00
Scott Taylor
3e4ca28eb9 Correct the @param type for the $query arg for remove_query_arg().
See #30224.

Built from https://develop.svn.wordpress.org/trunk@30191


git-svn-id: http://core.svn.wordpress.org/trunk@30191 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-03 05:29:22 +00:00
Scott Taylor
fbd6efdfb8 In _wp_json_convert_string(), when $use_mb is false, perhaps pass a variable that actually exists to wp_check_invalid_utf8().
Introduced in [30055].
See #30224.

Built from https://develop.svn.wordpress.org/trunk@30162


git-svn-id: http://core.svn.wordpress.org/trunk@30162 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-01 22:00:24 +00:00
Drew Jaynes
66c47f29bb Correct references of @uses $wpdb in core documentation to use @global.
See #30191, [30105].
Fixes #30217.

Built from https://develop.svn.wordpress.org/trunk@30122


git-svn-id: http://core.svn.wordpress.org/trunk@30122 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-31 17:56:22 +00:00
Drew Jaynes
f8657d5890 Remove redundant and erroneous @uses tag from most core inline documentation.
Per our inline documentation standards, no further use of the `@uses` tag is recommended as used and used-by relationships can be derived through other means. This removes most uses of the tag in core documentation, with remaining tags to be converted to `@global` or `@see` as they apply.

Fixes #30191.

Built from https://develop.svn.wordpress.org/trunk@30105


git-svn-id: http://core.svn.wordpress.org/trunk@30105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-30 01:05:24 +00:00
Mark Jaquith
a81a321f9a Docs and code standards cleanup for [30055] (wp_json_encode() & friends)
fixes #28786
props TobiasBg
Built from https://develop.svn.wordpress.org/trunk@30078


git-svn-id: http://core.svn.wordpress.org/trunk@30078 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-28 21:29:23 +00:00
Scott Taylor
315612a96b Adjust caching for get_term_by() calls:
* Remove md5 hashes for term name cache keys
* Remove the namespace for the keys for `names` and `slugs` and add them to the group names
* Remove `wp_get_last_changed()`, which @nacin hated
 
Props tollmanz.
Fixes #21760.

Built from https://develop.svn.wordpress.org/trunk@30073


git-svn-id: http://core.svn.wordpress.org/trunk@30073 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-28 21:05:23 +00:00
Gary Pendergast
3495fa40df Fix a PHPDoc typo for wp_json_encode().
Props JustinSainton.

See #28786.

Built from https://develop.svn.wordpress.org/trunk@30058


git-svn-id: http://core.svn.wordpress.org/trunk@30058 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-28 18:54:18 +00:00
Gary Pendergast
007ec52958 Add wp_json_encode(), a wrapper for json_encode() that ensures everything is converted to UTF-8.
Change all core calls from `json_encode()` to `wp_json_encode()`.

Fixes #28786.


Built from https://develop.svn.wordpress.org/trunk@30055


git-svn-id: http://core.svn.wordpress.org/trunk@30055 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-28 18:35:19 +00:00