Commit Graph

469 Commits

Author SHA1 Message Date
John Blackbourn
a1d61a95e1 Security: Return a 403 instead of a 200 HTTP status when check_ajax_referer() fails.
This is, unfortunately, untestable in the current test suite, even in the AJAX tests.

Fixes #36362

Built from https://develop.svn.wordpress.org/trunk@38421


git-svn-id: http://core.svn.wordpress.org/trunk@38362 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-08-28 17:31:30 +00:00
John Blackbourn
b85e322e35 Security: Trigger a _doing_it_wrong() when check_ajax_referer() is called without its first parameter. This brings it inline with check_admin_referer().
Fixes #36361

Built from https://develop.svn.wordpress.org/trunk@38420


git-svn-id: http://core.svn.wordpress.org/trunk@38361 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-08-28 17:15:28 +00:00
Scott Taylor
390ceba6c7 Bootstrap: after r38409 and r38410, revert r38402 which reverted r38399.
This fixes the paths in `wp-vendor/` that were including `src`. I want to drop this in so we can find out what else will break.

See #36335.

Built from https://develop.svn.wordpress.org/trunk@38411


git-svn-id: http://core.svn.wordpress.org/trunk@38352 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-08-27 22:32:37 +00:00
Dion Hulse
0e31a46161 Bootstrap: Revert [38399] as it's broken /build/ and subsequently core.svn.wordpress.org.
The generated classmaps reference `/src/` files and operates in the assumption that the base directory is one level above `wp-settings.php`, which it isn't after our build processes are run.

See #36335

Built from https://develop.svn.wordpress.org/trunk@38402


git-svn-id: http://core.svn.wordpress.org/trunk@38343 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-08-27 14:37:32 +00:00
Scott Taylor
6a529648cf Bootstrap: Autoload classes using a Composer-generated PHP 5.2-compatible Autoloader.
* `wp-admin` and `wp-includes` are scanned for classes to autoload
* Several 3rd-party and Ryan McCue-shaped libraries are excluded when the classmap is generated, see `composer.json`: `autoload.exclude-from-classmap`
* `wp-vendor/autoload_52.php` is included at the top of `wp-settings.php` - no changes need to be made to unit tests to include the autoloader
* An avalanche of `require()` and `require_once()` calls that loaded class files have been removed from the codebase.

The following files have been added to `svn:ignore` - they are not 5.2-compatible and fail during pre-commit:
* src/wp-vendor/autoload.php
* src/wp-vendor/composer/autoload_real.php
* src/wp-vendor/composer/autoload_static.php
* src/wp-vendor/composer/ClassLoader.php

We favor these files instead:
* src/wp-vendor/autoload_52.php
* src/wp-vendor/composer/autoload_real_52.php
* src/wp-vendor/composer/ClassLoader52.php

When new PHP classes are added to the codebase, simply run `composer install` or `composer update` from the project root to update the autoloader.

The future is now.

See #36335.

Built from https://develop.svn.wordpress.org/trunk@38399


git-svn-id: http://core.svn.wordpress.org/trunk@38340 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-08-27 09:15:29 +00:00
Scott Taylor
481123661c Load: load class-phpass.php (PasswordHash class) early in wp-settings.php, instead of require_once()'ing it in several places.
See #36335.

Built from https://develop.svn.wordpress.org/trunk@38371


git-svn-id: http://core.svn.wordpress.org/trunk@38312 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-08-26 17:40:35 +00:00
Drew Jaynes
f07f1b126e Docs: Add a missing parenthesis in an example in the DocBlock for wp_redirect().
Props shayanys.
See #37770.

Built from https://develop.svn.wordpress.org/trunk@38350


git-svn-id: http://core.svn.wordpress.org/trunk@38291 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-08-25 07:36:31 +00:00
Scott Taylor
b7812bd416 AJAX: add a new function, wp_doing_ajax(), which can replace... (wait for it...) DOING_AJAX checks via the constant.
Props Mte90, sebastian.pisula, swissspidy.
Fixes #25669.

Built from https://develop.svn.wordpress.org/trunk@38334


git-svn-id: http://core.svn.wordpress.org/trunk@38275 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-08-23 14:33:30 +00:00
Boone Gorges
54fe38c7cc Mail: Don't set Sender field when setting From.
[38058] changed `wp_mail()` so that it used PHPMailer's `setFrom()`
method rather than setting the From and FromName headers directly. See
behavior of setting the `Sender` field. This causes `mail` to be
called with the `-f` flag, which causes outgoing email to fail on some
server environments.

Props Clorith, iandunn, DrewAPicture.
Fixes #37736.
Built from https://develop.svn.wordpress.org/trunk@38286


git-svn-id: http://core.svn.wordpress.org/trunk@38227 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-08-20 02:17:38 +00:00
Boone Gorges
905f4ec0f8 Mail: Improve handling of UTF-8 address headers.
Previously, `wp_mail()` implemented Reply-To as a generic header, using
PHPMailer's `addCustomHeader()`. As such, the email address portion of
the header was being incorrectly encoded when the name portion
contained UTF-8 characters. Switching to PHPMailer's more specific
`addReplyTo()` method fixes the issue.

For greater readability, the handling of all address-related headers
(To, CC, BCC, Reply-To) has been standardized.

Props szepe.viktor, iandunn, bpetty, stephenharris.
Fixes #21659.
Built from https://develop.svn.wordpress.org/trunk@38058


git-svn-id: http://core.svn.wordpress.org/trunk@37999 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-13 18:04:28 +00:00
Drew Jaynes
6c7148943b Docs: Standardize capitalization of Ajax throughout core documentation per the core spelling guide.
Ajax, while considered an acronym for Asynchronous JavaScript and XML, is most commonly capitalized only in the first character.

Part props ocean90.
See #32246.

Built from https://develop.svn.wordpress.org/trunk@38028


git-svn-id: http://core.svn.wordpress.org/trunk@37969 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-10 00:51:30 +00:00
Sergey Biryukov
139387b7e5 Docs: Use 3-digit, x.x.x-style semantic versioning for _doing_it_wrong(), _deprecated_function(), _deprecated_argument(), and _deprecated_file() throughout core.
Props metodiew.
Fixes #36495.
Built from https://develop.svn.wordpress.org/trunk@37985


git-svn-id: http://core.svn.wordpress.org/trunk@37926 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-06 12:40:29 +00:00
Jeremy Felt
6f3f00ea97 Multisite: Change WP_Network id property to an integer.
For consistency and developer sanity.

Props flixos90.
Fixes #37050.

Built from https://develop.svn.wordpress.org/trunk@37870


git-svn-id: http://core.svn.wordpress.org/trunk@37811 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-26 14:26:29 +00:00
Sergey Biryukov
bbd663415c Text Changes: Simplify two strings in wp_password_change_notification().
Add translator comments.

Props ramiy.
See #35736.
Built from https://develop.svn.wordpress.org/trunk@37704


git-svn-id: http://core.svn.wordpress.org/trunk@37670 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-14 22:09:28 +00:00
Jeremy Felt
d75f77a410 Admin: Allow for the consistent filtering of auth_redirect_scheme
Fixes #37047.

Built from https://develop.svn.wordpress.org/trunk@37651


git-svn-id: http://core.svn.wordpress.org/trunk@37617 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-07 20:49:30 +00:00
Drew Jaynes
9193013158 Docs: Apply inline @see tags to hooks referenced in DocBlocks in a variety of wp-includes/* files.
Applying these specially-crafted `@see` tags allows the Code Reference parser to recognize and link these elements as actions and filters.

Fixes #36921.

Built from https://develop.svn.wordpress.org/trunk@37544


git-svn-id: http://core.svn.wordpress.org/trunk@37512 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-23 19:02:28 +00:00
Drew Jaynes
6c534918d4 Docs: Standardize filter docs in wp-includes/pluggable.php to use third-person singular verbs per the inline documentation standards for PHP.
See #36913.

Built from https://develop.svn.wordpress.org/trunk@37508


git-svn-id: http://core.svn.wordpress.org/trunk@37476 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-22 18:35:27 +00:00
Eric Lewis
02a4e761f2 Users: Correct inline docs for cookie expiration.
Props kjbenk.
Fixes #35568.

Built from https://develop.svn.wordpress.org/trunk@37315


git-svn-id: http://core.svn.wordpress.org/trunk@37281 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-04-27 02:52:28 +00:00
Sergey Biryukov
c371296223 Users: In wp_new_user_notification(), sdd 'user' option for the $notify parameter, which allows for sending notification only to the user created.
Props akibjorklund.
Fixes #36009.
Built from https://develop.svn.wordpress.org/trunk@37276


git-svn-id: http://core.svn.wordpress.org/trunk@37242 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-04-21 10:20:27 +00:00
Drew Jaynes
11ab384086 Docs: Improve 4.5 changelog entries introduced in [36992] for wp_authenticate(), and the authenticate and wp_login_failed hooks.
See #9568. See #35986.

Built from https://develop.svn.wordpress.org/trunk@37030


git-svn-id: http://core.svn.wordpress.org/trunk@36997 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-17 08:06:27 +00:00
John Blackbourn
621085a360 Users: Add @since entries to wp_authenticate() and its filters now that the $username parameter can also be an email address.
See #9568, #35986

Built from https://develop.svn.wordpress.org/trunk@36992


git-svn-id: http://core.svn.wordpress.org/trunk@36959 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-14 22:31:27 +00:00
Sergey Biryukov
ef7a559e2e Docs: Correct filter reference in pre_get_avatar filter description.
Props henry.wright.
Fixes #36031.
Built from https://develop.svn.wordpress.org/trunk@36800


git-svn-id: http://core.svn.wordpress.org/trunk@36767 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-02 03:41:28 +00:00
Dominik Schilling
e5ea82d81a Spelling: Standardize on "front end"/"back end" (noun) and "front-end"/"back-end" (adjective).
Props obrienlabs, thewanderingbrit.
Fixes #34887.
Built from https://develop.svn.wordpress.org/trunk@36709


git-svn-id: http://core.svn.wordpress.org/trunk@36676 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-25 12:53:27 +00:00
Drew Jaynes
f5ea3e5dac Docs: Make a few syntactical improvements to the DocBlock for _wp_get_current_user(), introduced in [36651].
Includes a cross reference from the DocBlock for `wp_get_current_user()`, which itself is pluggable, but the new internal function is not.

See #19615. See #32246.

Built from https://develop.svn.wordpress.org/trunk@36705


git-svn-id: http://core.svn.wordpress.org/trunk@36672 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-25 05:07:26 +00:00
Sergey Biryukov
f170058209 Mail: Correct compact() usage in wp_mail().
Props Ankit K Gupta, maweder.
Fixes #35781 for trunk.
Built from https://develop.svn.wordpress.org/trunk@36688


git-svn-id: http://core.svn.wordpress.org/trunk@36655 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-24 17:38:27 +00:00
Pascal Birchler
9612c26db3 Users: Introduce _wp_get_current_user() for improved backward compatibility.
This new helper function is used by the pluggable functions `wp_get_current_user()` and `get_currentuserinfo()`, which was previously being called by the former before [36311]. Without it, infinite loops could be caused when plugins implement these functions, as they are now called the other way around.

Fixes #19615.
Built from https://develop.svn.wordpress.org/trunk@36651


git-svn-id: http://core.svn.wordpress.org/trunk@36618 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-23 22:26:28 +00:00
Dominik Schilling
7ebe2c1e7a Authentication: Allow users to log in using their email address.
Introduces `wp_authenticate_email_password()` which is hooked into `authenticate` after `wp_authenticate_username_password()`.

Props Denis-de-Bernardy, ericlewis, vhomenko, MikeHansenMe, swissspidy, ocean90.
Fixes #9568.
Built from https://develop.svn.wordpress.org/trunk@36617


git-svn-id: http://core.svn.wordpress.org/trunk@36584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-22 23:15:27 +00:00
Rachel Baker
06225cc394 Comments: Refresh the Moderate Comment screen for a friendlier experience with email moderation actions.
Brings some love to this neglected screen:
* format `comment_content`, instead of escaping in one massive block of text
* only wrap the comment date in a link if the comment permalink exists
* include link to the Edit Comment screen at the bottom of the comment_content
* update the message styles to match other screens
* append `#wpbody-content` to the comment email message links for accessibility

Props johnbillion, rachelbaker, afercia, melchoyce, karmatosed.

Fixes #34133
Built from https://develop.svn.wordpress.org/trunk@36588


git-svn-id: http://core.svn.wordpress.org/trunk@36555 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-19 19:14:26 +00:00
Dominik Schilling
72c6f7f86f Suppress possible warnings in PHP < 5.3.3 by parse_url() in wp_validate_redirect().
PHP 5.3.3 removed the E_WARNING that was emitted when URL parsing failed.
Built from https://develop.svn.wordpress.org/trunk@36446


git-svn-id: http://core.svn.wordpress.org/trunk@36413 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 16:34:27 +00:00
Aaron Jorbin
5c4031dd84 Revert [35792]
This causes a regression and causes redirects to potentially fail.

See #5114 #34028
props ocean90

Built from https://develop.svn.wordpress.org/trunk@36445


git-svn-id: http://core.svn.wordpress.org/trunk@36412 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 16:24:26 +00:00
Dominik Schilling
361ed7a3d6 Better validation of the URL used in HTTP redirects.
Built from https://develop.svn.wordpress.org/trunk@36444


git-svn-id: http://core.svn.wordpress.org/trunk@36411 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 15:11:28 +00:00
Dominik Schilling
c5e3716c11 Docs: Fix @return type for wp_get_current_user() after [36313].
See #19615.
Built from https://develop.svn.wordpress.org/trunk@36314


git-svn-id: http://core.svn.wordpress.org/trunk@36281 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-15 11:16:26 +00:00
Pascal Birchler
9cd880d356 Users: Always return $current_user in wp_get_current_user(), never a boolean.
Fixes unit tests affected by [36311].

See #19615.
Built from https://develop.svn.wordpress.org/trunk@36313


git-svn-id: http://core.svn.wordpress.org/trunk@36280 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-15 10:47:25 +00:00
Pascal Birchler
283684b616 Users: Deprecate the get_currentuserinfo() pluggable function.
It encourages an ugly pattern like `global $userdata; get_currentuserinfo();` in plugins/themes. `wp_get_current_user()` should be used instead, e.g. `$current_user = wp_get_current_user();`.

Props scribu for initial patch.
Fixes #19615.
Built from https://develop.svn.wordpress.org/trunk@36311


git-svn-id: http://core.svn.wordpress.org/trunk@36278 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-15 10:16:27 +00:00
Eric Lewis
c52af7470b Login is not a verb, change "login" to "log in".
See #35387

Built from https://develop.svn.wordpress.org/trunk@36246


git-svn-id: http://core.svn.wordpress.org/trunk@36213 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-09 21:08:26 +00:00
Eric Lewis
2f41867519 Users: Fix incorrect docs for user authentication and login functions.
Fixes #35387

Built from https://develop.svn.wordpress.org/trunk@36245


git-svn-id: http://core.svn.wordpress.org/trunk@36212 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-09 20:52:27 +00:00
Sergey Biryukov
b0b561517d Docs: Fix typo in a comment in wp_rand().
Props boluda.
Fixes #35228.
Built from https://develop.svn.wordpress.org/trunk@36102


git-svn-id: http://core.svn.wordpress.org/trunk@36067 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-26 11:07:28 +00:00
Drew Jaynes
7b19006ce1 Docs: Add missing parameter and return notations to the DocBlock for _wp_sanitize_utf8_in_redirect().
See #32246.

Built from https://develop.svn.wordpress.org/trunk@35980


git-svn-id: http://core.svn.wordpress.org/trunk@35945 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-16 23:15:27 +00:00
John Blackbourn
593cc9abbd Add missing @param docs to wp_safe_redirect() and wp_sanitize_redirect().
See #32246

Built from https://develop.svn.wordpress.org/trunk@35914


git-svn-id: http://core.svn.wordpress.org/trunk@35878 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-14 02:43:25 +00:00
John Blackbourn
9f7165d522 Add missing @param doc to wp_hash().
See #32246

Built from https://develop.svn.wordpress.org/trunk@35913


git-svn-id: http://core.svn.wordpress.org/trunk@35877 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-14 02:39:26 +00:00
John Blackbourn
48380c58a5 Add missing @param doc to wp_check_password() and update the check_password filter docs.
See #32246

Built from https://develop.svn.wordpress.org/trunk@35909


git-svn-id: http://core.svn.wordpress.org/trunk@35873 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-14 02:30:26 +00:00
Aaron Campbell
894526c78d Consider both home and site domains to be valid in wp_validate_redirect().
Props layotte.
Fixes #34028.

Built from https://develop.svn.wordpress.org/trunk@35792


git-svn-id: http://core.svn.wordpress.org/trunk@35756 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-06 21:17:24 +00:00
Dominik Schilling
0632e4ab84 Passwords: Support the pre-4.3 behavior of wp_new_user_notification().
Hello, it's me again. A pluggable function named `wp_new_user_notification()`. A few months ago, after [33023], I have lost my second parameter `$plaintext_pass`. But thanks to [33620] I got a new one.
Bad idea - It hasn't had the same behavior as my previous parameter.
To solve that the second parameter got deprecated and reintroduced as the third parameter in [34116]. I was happy again, for a short time.
You remember my lost friend `$plaintext_pass`? No? Well, if its value was empty no notification was sent to the user. This behavior was still lost. And that's what this change is about: Don't notify a user if a plugin uses `wp_new_user_notification( $user_id )`.

You're asking if I'm happy now? Dunno, but maybe you have learned something about pluggable functions, have you?

Props danielbachhuber.
Fixes #34377.
Built from https://develop.svn.wordpress.org/trunk@35735


git-svn-id: http://core.svn.wordpress.org/trunk@35699 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-24 23:07:26 +00:00
Scott Taylor
34a9b6e428 Mail: in wp_notify_postauthor() and wp_notify_moderator(), ensure that special chars aren't HTML-encoded in the email message body.
Props solarissmoke, leemon.
Fixes #12584.

Built from https://develop.svn.wordpress.org/trunk@35415


git-svn-id: http://core.svn.wordpress.org/trunk@35379 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-28 18:03:24 +00:00
Dion Hulse
53afc72ab7 Update to Random_Compat 1.0.9.
This update includes fixes for Windows support & libSodium support, and removes the `Throwable` Polyfill due to PHP7 incompatibilities. 

Fixes #28633

Built from https://develop.svn.wordpress.org/trunk@35365


git-svn-id: http://core.svn.wordpress.org/trunk@35330 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-23 04:22:26 +00:00
Drew Jaynes
f954194a1c Comments: Introduce two new filters, notify_moderator and notify_post_author, both of which make it possible to selectively override site notification email settings for new comments.
The `notify_moderator` filter makes it possible to override the value for the `moderation_notify` option, which controls whether to send new comment emails to "site moderators", that is to say, the owner of the admin email for the site and the post author if they have the ability to modify the comment.

The `notify_post_author` filter likewise makes it possible to override the value for the `comments_notify` option, which controls whether to send new comment emails to the post author. If the post author is the comment author, default behavior is not to send the notification. Note: enabling or disabling notifications via this hook could also affect other recipients added via the 'comment_notification_recipients' filter in `wp_notify_postauthor()`, if hooked.

Passing a falsey value to either of the new filters will prevent notifications from being sent, regardless of their corresponding option values.

Adds tests.

Props coffee2code, adamsilverstein, DrewAPicture.
Fixes #761.

Built from https://develop.svn.wordpress.org/trunk@35339


git-svn-id: http://core.svn.wordpress.org/trunk@35305 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-21 18:35:31 +00:00
Drew Jaynes
217b661703 Docs: Add missing descriptions for the $wpdb global in DocBlocks all the places.
See #32246.

Built from https://develop.svn.wordpress.org/trunk@35170


git-svn-id: http://core.svn.wordpress.org/trunk@35136 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-14 23:44:25 +00:00
Sergey Biryukov
b40e362711 Fix typo in get_avatar() and get_avatar_data() docs.
Props johnjamesjacoby.
Fixes #34232.
Built from https://develop.svn.wordpress.org/trunk@34988


git-svn-id: http://core.svn.wordpress.org/trunk@34953 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-09 15:52:24 +00:00
Sergey Biryukov
072cdf116a Fix typo in wp_rand() docs.
See #28633.
Built from https://develop.svn.wordpress.org/trunk@34986


git-svn-id: http://core.svn.wordpress.org/trunk@34951 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-09 05:20:23 +00:00
Dion Hulse
4852cbf14b Use PHP7's random_int() CSPRNG functionality in wp_rand() with a fallback to the random_compat library for PHP 5.x.
`random_compat` offers a set of compatible functions for older versions of PHP, filling in the gap by using other PHP extensions when available.
We still include our existing `wp_rand()` functionality as a fallback for when no proper CSPRNG exists on the system.

Take Two, this was previously committed in [34922] but had an issue on PHP 5.2 which sarciszewski has now resolved.

Props sarciszewski
See #28633

Built from https://develop.svn.wordpress.org/trunk@34981


git-svn-id: http://core.svn.wordpress.org/trunk@34946 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-09 04:28:24 +00:00