Commit Graph

1399 Commits

Author SHA1 Message Date
whyisjake
9a0b89f7a8 Backporting several bug fixes.
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory traversals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
- Customizer: Properly sanitize background images.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@46498


git-svn-id: http://core.svn.wordpress.org/branches/4.4@46295 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 19:09:23 +00:00
Jeremy Felt
60dacc5deb Media: Improve verification of MIME file types.
Merges [43988] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@43995


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43827 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:14:21 +00:00
John Blackbourn
82dc7df085 Media: Limit thumbnail file deletions to the same directory as the original file.
Merges [43393] into the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@43398


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43226 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 14:57:24 +00:00
John Blackbourn
4fac456d88 Hardening: Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.
Merges [42261] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@42287


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42116 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:30:31 +00:00
Joe McGill
af0a3c59d1 Media: Fix exif_imagetype check in wp_get_image_mime
This is a follow up to [39831].

Merges [39850] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@39854


git-svn-id: http://core.svn.wordpress.org/branches/4.4@39791 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 16:42:31 +00:00
Joe McGill
47bc8e98bd Media: Improve image filetype checking.
This adds a new function `wp_get_image_mime()` which is used by
`wp_check_filetype_and_ext()` to validate image files using
`exif_imagetype()` if available instead of `getimagesize()`.

`getimagesize()` is less performant than `exif_imagetype()` and is
dependent on GD. If `exif_imagetype()` is not available, it falls back to
`getimagesize()` as before.

If `wp_check_filetype_and_ext()` can't validate the filetype, we now return
`false` for ext/MIME values.

Merges [39831] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@39835


git-svn-id: http://core.svn.wordpress.org/branches/4.4@39773 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 13:16:32 +00:00
Dion Hulse
70d9869e38 I18N: In wp_maybe_decline_date(), bail early if translation functions are not available, e.g. in SHORTINIT mode.
Merges [35880] to the 4.4 branch.
Props SergeyBiryukov.
Fixes #34967.

Built from https://develop.svn.wordpress.org/branches/4.4@36063


git-svn-id: http://core.svn.wordpress.org/branches/4.4@36028 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-23 01:39:28 +00:00
Sergey Biryukov
d9faafbd44 I18N: Move translatable Codex URLs to separate strings in wp-includes/functions.php.
Props ramiy.
See #34687.
Built from https://develop.svn.wordpress.org/trunk@35667


git-svn-id: http://core.svn.wordpress.org/trunk@35631 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-18 17:41:27 +00:00
Sergey Biryukov
2583c1e4ec Replace 7 * DAY_IN_SECONDS with WEEK_IN_SECONDS in get_weekstartend().
Props MikeHansenMe.
Fixes #34603.
Built from https://develop.svn.wordpress.org/trunk@35556


git-svn-id: http://core.svn.wordpress.org/trunk@35520 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-06 16:37:27 +00:00
Sergey Biryukov
5d87e7d2b8 Introduce wp_maybe_decline_date() for languages where certain date formats need to be declined, and hook it to the date_i18n filter.
If the locale specifies that month names require a genitive case in certain formats like `'j F Y'` or `'j. F'`, the month name will be replaced with a correct form. 

Fixes #11226.
Built from https://develop.svn.wordpress.org/trunk@35517


git-svn-id: http://core.svn.wordpress.org/trunk@35481 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-04 21:28:26 +00:00
Andrea Fercia
04c2cd1913 Accessibility: Improve buttons focus and links style in the install screens.
Fixes #34530.
Built from https://develop.svn.wordpress.org/trunk@35494


git-svn-id: http://core.svn.wordpress.org/trunk@35458 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-03 17:59:24 +00:00
John Blackbourn
263b2890d4 Add wp-post-new-reload to the list of removable query vars so it doesn't persist in the URL.
Fixes #34510

Built from https://develop.svn.wordpress.org/trunk@35460


git-svn-id: http://core.svn.wordpress.org/trunk@35424 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-30 18:06:34 +00:00
Helen Hou-Sandí
8803c05db5 wp_die(): Update colors and button styling.
see #34388, #31459.

Built from https://develop.svn.wordpress.org/trunk@35327


git-svn-id: http://core.svn.wordpress.org/trunk@35293 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-21 15:23:26 +00:00
Drew Jaynes
81524f3bfc Filesystem: Following the introduction of the KB|MB|GB|TB_IN_BYTES constants in [35286], use them in various places in core.
Props sudar.
Fixes #22405.

Built from https://develop.svn.wordpress.org/trunk@35325


git-svn-id: http://core.svn.wordpress.org/trunk@35291 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-21 14:03:25 +00:00
Drew Jaynes
875c82f17f Media: Introduce the enclosure_links filter, which makes it possible to adjust the list of audio and video enclosure links derived from post content before querying the database.
Props niallkennedy, stevenkword.
Fixes #19890.

Built from https://develop.svn.wordpress.org/trunk@35288


git-svn-id: http://core.svn.wordpress.org/trunk@35254 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-20 07:09:25 +00:00
Scott Taylor
89d1eb1e00 Formatting: when making unique filenames in wp_unique_filename() by adding an incrementing number, prefix it with a dash to disambiguate from files that end in numbers.
Updates unit tests.

Props mikejolley, tyxla.
Fixes #21453.

Built from https://develop.svn.wordpress.org/trunk@35276


git-svn-id: http://core.svn.wordpress.org/trunk@35242 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-20 04:05:25 +00:00
Drew Jaynes
217b661703 Docs: Add missing descriptions for the $wpdb global in DocBlocks all the places.
See #32246.

Built from https://develop.svn.wordpress.org/trunk@35170


git-svn-id: http://core.svn.wordpress.org/trunk@35136 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-14 23:44:25 +00:00
Sergey Biryukov
c332da3e12 Feeds: Pass the feed name to do_feed_{$feed} action.
Props johnbillion.
See #34259.
Built from https://develop.svn.wordpress.org/trunk@35115


git-svn-id: http://core.svn.wordpress.org/trunk@35080 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-13 02:44:23 +00:00
Drew Jaynes
48811702cd Feeds: Simplify logic for checking if the do_feed_{$feed} action is hooked to any callbacks.
See [35097] for where the aforementioned hook was renamed to actually be dynamic, thus rendering creation of the extra `$hook` variable moot.

See #34264.

Built from https://develop.svn.wordpress.org/trunk@35098


git-svn-id: http://core.svn.wordpress.org/trunk@35063 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-13 01:07:25 +00:00
Drew Jaynes
b234b5d896 Feeds: Adjust the do_feed_{$feed} hook name to actually be dynamic, rather than pre-storing the tag name in a variable and referencing that.
Props johnbillion.
Fixes #34264.

Built from https://develop.svn.wordpress.org/trunk@35097


git-svn-id: http://core.svn.wordpress.org/trunk@35062 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-13 01:03:25 +00:00
Sergey Biryukov
7ef095171a In number_format_i18n(), check if $wp_locale is set before using it.
Props pauldewouters.
Fixes #31553.
Built from https://develop.svn.wordpress.org/trunk@35092


git-svn-id: http://core.svn.wordpress.org/trunk@35057 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-13 00:30:24 +00:00
Sergey Biryukov
0d7c5569f5 In do_robots(), allow crawling for admin-ajax.php, since it's often used on front-end.
Props dmchale, joostdevalk.
Fixes #33156.
Built from https://develop.svn.wordpress.org/trunk@34985


git-svn-id: http://core.svn.wordpress.org/trunk@34950 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-09 05:16:23 +00:00
Ryan McCue
b3051048be REST API: Add wp_is_numeric_array helper function
The API uses this to do special operations on list responses (used
for collections), so we need to detect whether an array is
associative or numeric-indexed.

After much discussion, the bikeshed is to be painted green and gold.

See #33982.

Built from https://develop.svn.wordpress.org/trunk@34927


git-svn-id: http://core.svn.wordpress.org/trunk@34892 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-08 02:14:25 +00:00
Ryan McCue
4bac3c3f14 REST API: Add JsonSerializable compatibility to wp_json_encode
Following on from r34845, the JsonSerializable shim needs support
on the encoding side too. _wp_json_prepare_data handles this when
we've loaded the shim.

Props chriscct7.

See #33982. 

Built from https://develop.svn.wordpress.org/trunk@34926


git-svn-id: http://core.svn.wordpress.org/trunk@34891 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-08 01:30:25 +00:00
John Blackbourn
c83a66cbf3 Add an optional $description parameter to status_header() so custom HTTP status descriptions can be provided.
Fixes #21472
Props nbachiyski, iamfriendly

Built from https://develop.svn.wordpress.org/trunk@34914


git-svn-id: http://core.svn.wordpress.org/trunk@34879 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-07 21:26:25 +00:00
Jeremy Felt
9926983b66 Revert [34778], continue using _site_option() for the current network.
The `_network_option()` parameter order will be changing to accept `$network_id` first. The `_site_option()` functions will remain in use throughout core as our way of retrieving a network option for the current network.

See #28290.

Built from https://develop.svn.wordpress.org/trunk@34912


git-svn-id: http://core.svn.wordpress.org/trunk@34877 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-07 17:11:25 +00:00
Boone Gorges
226bb29ff0 Move wp_installing() to load.php.
Various functions in load.php need to check whether WP is in installation mode.
Let's let them.

Props adamsilverstein.
See #31130.
Built from https://develop.svn.wordpress.org/trunk@34896


git-svn-id: http://core.svn.wordpress.org/trunk@34861 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-07 03:02:23 +00:00
Scott Taylor
4d3223b28e Introduce wp_get_server_protocol() to DRY protocol parsing logic and make adding more protocols, like HTTP/2, easier.
Props johnbillion, wonderboymusic.
Fixes #34131.

Built from https://develop.svn.wordpress.org/trunk@34894


git-svn-id: http://core.svn.wordpress.org/trunk@34859 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-07 02:35:26 +00:00
Scott Taylor
0c6ee34d00 REST API: add a utility function, mysql_to_rfc3339() to functions.php
Background:
6d0ad766ca

Props rmmcue.
See #33982.

Built from https://develop.svn.wordpress.org/trunk@34846


git-svn-id: http://core.svn.wordpress.org/trunk@34811 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-06 03:19:25 +00:00
Boone Gorges
0e7c1d3b14 Use wp_installing() instead of WP_INSTALLING constant.
The `WP_INSTALLING` constant is a flag that WordPress sets in a number of
places, telling the system that options should be fetched directly from the
database instead of from the cache, that WP should not ping wordpress.org for
updates, that the normal "not installed" checks should be bypassed, and so on.

A constant is generally necessary for this purpose, because the flag is
typically set before the WP bootstrap, meaning that WP functions are not yet
available.  However, it is possible - notably, during `wpmu_create_blog()` -
for the "installing" flag to be set after WP has already loaded. In these
cases, `WP_INSTALLING` would be set for the remainder of the process, since
there's no way to change a constant once it's defined. This, in turn, polluted
later function calls that ought to have been outside the scope of site
creation, particularly the non-caching of option data. The problem was
particularly evident in the case of the automated tests, where `WP_INSTALLING`
was set the first time a site was created, and remained set for the rest of the
suite.

The new `wp_installing()` function allows developers to fetch the current
installation status (when called without any arguments) or to set the
installation status (when called with a boolean `true` or `false`). Use of
the `WP_INSTALLING` constant is still supported; `wp_installing()` will default
to `true` if the constant is defined during the bootstrap.

Props boonebgorges, jeremyfelt.
See #31130.
Built from https://develop.svn.wordpress.org/trunk@34828


git-svn-id: http://core.svn.wordpress.org/trunk@34793 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-05 15:06:28 +00:00
John Blackbourn
5e98b20e84 Adjust _default_wp_die_handler() formatting so it doesn't confuse Sublime Text's parsing and syntax highlighting.
Fixes #34135

Built from https://develop.svn.wordpress.org/trunk@34793


git-svn-id: http://core.svn.wordpress.org/trunk@34758 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-03 01:32:24 +00:00
Jeremy Felt
54512d64cb MS: Use *_network_option() functions throughout core.
Replaces all uses of `*_site_option()` with the corresponding "network" function.

This excludes one usage in `wp-admin/admin-footer.php` that needs more investigation.

Props spacedmonkey.
See #28290.

Built from https://develop.svn.wordpress.org/trunk@34778


git-svn-id: http://core.svn.wordpress.org/trunk@34743 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-02 19:08:26 +00:00
John Blackbourn
a8728b987f Deprecate force_ssl_login(), which is simply a wrapper for force_ssl_admin() and is not used in core.
Fixes #34011

Built from https://develop.svn.wordpress.org/trunk@34700


git-svn-id: http://core.svn.wordpress.org/trunk@34664 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-29 21:28:50 +00:00
John Blackbourn
aa35e473f7 callback is not a valid type in PHP, PSR-5, or phpDocumentor. callable should be used instead.
Fixes #34032

Built from https://develop.svn.wordpress.org/trunk@34566


git-svn-id: http://core.svn.wordpress.org/trunk@34530 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-25 23:58:25 +00:00
Drew Jaynes
f84c653fad Docs: Clarify the summary and optional $query parameter description for remove_query_arg().
Props johnbillion.
Fixes #33912.

Built from https://develop.svn.wordpress.org/trunk@34512


git-svn-id: http://core.svn.wordpress.org/trunk@34476 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-24 19:34:24 +00:00
Drew Jaynes
92574015aa Docs: Overhaul the DocBlock for add_query_arg() to attempt to better explain the various call signatures it accepts.
Also adds a couple of in-DocBlock examples illustrating single key and value, and associative array usage. Retains the note about the unescaped return value.

Props johnbillion.
See #33912.

Built from https://develop.svn.wordpress.org/trunk@34511


git-svn-id: http://core.svn.wordpress.org/trunk@34475 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-24 19:32:24 +00:00
Scott Taylor
84da11d918 Pass false as the 2nd argument to class_exists() to disable autoloading and to not cause problems for those who define __autoload().
Fixes #20523.

Built from https://develop.svn.wordpress.org/trunk@34348


git-svn-id: http://core.svn.wordpress.org/trunk@34312 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-20 03:52:25 +00:00
Helen Hou-Sandí
48befcf361 Superglobals: Revert [34059] until further notice.
see #33837.

Built from https://develop.svn.wordpress.org/trunk@34265


git-svn-id: http://core.svn.wordpress.org/trunk@34229 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-17 12:33:26 +00:00
Drew Jaynes
e13d18969f Docs: Add a reminder to the DocBlock description for add_query_arg() mentioning that the output is not escaped by default.
Props brentvr for the initial patch. (first props!)
See #33912. See #32246.

Built from https://develop.svn.wordpress.org/trunk@34264


git-svn-id: http://core.svn.wordpress.org/trunk@34228 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-17 09:39:24 +00:00
Scott Taylor
c871986819 Uploader: Fire 'wp_handle_upload' in wp_upload_bits(). Thusly, the filter in wp_xmlrpc_server::mw_newMediaObject() is redundant.
Props dllh.
Fixes #33539.

Built from https://develop.svn.wordpress.org/trunk@34257


git-svn-id: http://core.svn.wordpress.org/trunk@34221 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-17 04:46:25 +00:00
Scott Taylor
b1bc8a6522 More comment functions can accept a full object instead of comment_ID to reduce cache/db lookups.
See #33638.


Built from https://develop.svn.wordpress.org/trunk@34129


git-svn-id: http://core.svn.wordpress.org/trunk@34097 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 21:40:24 +00:00
Dion Hulse
476b5c2046 When running on windows systems, normalise the capitalisation of the drive letter for more reliable string comparisons.
Props tyxla
Fixes #33265

Built from https://develop.svn.wordpress.org/trunk@34104


git-svn-id: http://core.svn.wordpress.org/trunk@34072 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 01:59:25 +00:00
Scott Taylor
cd7c0f0b0d Introduce wp_validate_action( $action = '' ), a helper function that checks $_REQUEST for action and returns it, or empty string if not present. If $action is passed, it checks to make sure they match before returning it, or an empty string. Strings are always returned to avoid returning multiple types.
Implementing this removes 27 uses of direct superglobal access in the admin.

For more reading:
https://codeclimate.com/github/WordPress/WordPress/wp-admin/edit-comments.php

See #33837.

Built from https://develop.svn.wordpress.org/trunk@34059


git-svn-id: http://core.svn.wordpress.org/trunk@34027 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-11 21:08:26 +00:00
Scott Taylor
62ec4a3bfd Deprecate wp_get_http() - function isn't used anywhere (apart from itself).
Props swissspidy.
Fixes #33709.

Built from https://develop.svn.wordpress.org/trunk@33969


git-svn-id: http://core.svn.wordpress.org/trunk@33938 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-09 04:26:25 +00:00
John Blackbourn
606b6d15f1 Introduce wp_removable_query_args(), which returns an array of single-use query variables which can be removed from a URL.
Also applies the function to the return URL when the Customizer is closed.

Fixes #32692
Props swissspidy, Mte90

Built from https://develop.svn.wordpress.org/trunk@33849


git-svn-id: http://core.svn.wordpress.org/trunk@33817 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-02 11:29:23 +00:00
Gary Pendergast
48e83418ed When wp_json_encode() calls json_encode(), the latter will generate warnings if the string contains non-UTF-8 characters. No-one likes warnings, so we need to do something about that.
The good news is, the point of `wp_json_encode()` is to handle those non-UTF-8 characters. It'll totally just fix them up, no problem.

Anyway, we can just ignore those warnings.

Fixes #33524.


Built from https://develop.svn.wordpress.org/trunk@33747


git-svn-id: http://core.svn.wordpress.org/trunk@33715 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-26 03:26:21 +00:00
Scott Taylor
ef87172270 foreach is a statement, not a function.
See #33491.

Built from https://develop.svn.wordpress.org/trunk@33734


git-svn-id: http://core.svn.wordpress.org/trunk@33702 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-25 20:28:22 +00:00
Drew Jaynes
ceec5ac00b Fix inline documentation syntax for a few general-purpose functions and hooks added in 4.3.
* `_deprecated_constructor()` See [32989]
* `deprecated_constructor_trigger_error` See [32989]
* `get_main_network_id()` See [32775]
* `wp_post_preview_js()` See [32809]

See #32891.

Built from https://develop.svn.wordpress.org/trunk@33226


git-svn-id: http://core.svn.wordpress.org/trunk@33198 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-13 21:35:24 +00:00
Aaron Jorbin
a6ebaefb92 Add Deprecated Constructor Function
This function is one that can be called in core to indicate that a PHP4 style constructor is used. PHP4 style constructors are deprecated in PHP7.

Props jorbin, DrewAPicture for docs
See #31982


Built from https://develop.svn.wordpress.org/trunk@32989


git-svn-id: http://core.svn.wordpress.org/trunk@32960 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-28 14:56:24 +00:00
Scott Taylor
642af1f3f4 Some doc blocks should use bool instead of true|false
See #32444.

Built from https://develop.svn.wordpress.org/trunk@32963


git-svn-id: http://core.svn.wordpress.org/trunk@32934 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-27 00:45:24 +00:00