Commit Graph

5303 Commits

Author SHA1 Message Date
desrosj
be121a35d7 Grouped backports to the 4.2 branch.
- Query: Improve sanitization within `WP_Tax_Query`.
- Query: Improve sanitization within `WP_Meta_Query`.
- Upgrade/Install: Avoid using `unserialize()` unnecessarily.
- Formatting: Correctly encode ASCII characters in post slugs.

Merges [52454-52457] to the 4.2 branch.
Props vortfu, dd32, ehtis, zieladam, whyisjake, xknown, peterwilsoncc, desrosj, iandunn.
Built from https://develop.svn.wordpress.org/branches/4.2@52481


git-svn-id: http://core.svn.wordpress.org/branches/4.2@52073 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-01-06 18:20:40 +00:00
whyisjake
b2b0e0d427 General: WordPress updates
* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 4.2 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Built from https://develop.svn.wordpress.org/branches/4.2@49404


git-svn-id: http://core.svn.wordpress.org/branches/4.2@49163 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-29 19:08:22 +00:00
Sergey Biryukov
0998a57991 Administration: Pass the result of set-screen-option filter to the new set_screen_option_{$option} filter to ensure backward compatibility.
Rename the `$keep` parameter of both filters to `$screen_option` for clarity, update the documentation to better reflect its purpose.

Follow-up to [47951].

Props Chouby, sswells, SergeyBiryukov.
Merges [48241] to the 4.2 branch.
Fixes #50392.
Built from https://develop.svn.wordpress.org/branches/4.2@48256


git-svn-id: http://core.svn.wordpress.org/branches/4.2@48025 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-01 09:53:39 +00:00
whyisjake
426696ba21 General: Backport several commits for release.
- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option.
Merges [47947-47951] to the 4.2 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.

Built from https://develop.svn.wordpress.org/branches/4.2@47970


git-svn-id: http://core.svn.wordpress.org/branches/4.2@47741 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 18:53:51 +00:00
Sergey Biryukov
9807e138d3 Escape the output in wp_ajax_upload_attachment().
Merges [45936] to the 4.2 branch.
Props whyisjake, sstoqnov.
Built from https://develop.svn.wordpress.org/branches/4.2@45953


git-svn-id: http://core.svn.wordpress.org/branches/4.2@45764 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 16:39:00 +00:00
Sergey Biryukov
bc4ed1a93e Comments: Improve comment content filtering.
Merges [44842] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@44852


git-svn-id: http://core.svn.wordpress.org/branches/4.2@44684 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-12 22:42:20 +00:00
Gary Pendergast
aab268600a Editor: Remove unwanted fields before saving posts.
The `meta_input`, `file`, and `guid` fields are not intended to be updated through user input.

Merges [44047] to the 4.2 branch.


Built from https://develop.svn.wordpress.org/branches/4.2@44066


git-svn-id: http://core.svn.wordpress.org/branches/4.2@43896 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 01:52:19 +00:00
Peter Wilson
303bd241f3 Multisite: Validate activation links.
Merges [44048] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@44065


git-svn-id: http://core.svn.wordpress.org/branches/4.2@43895 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 01:51:37 +00:00
Dion Hulse
507c958ab6 External Libraries: Remove unnecessary / obsoleted MediaElement.js files.
Merges [42478] to the 4.2 branch.
Fixes #42720 for 4.2.

Built from https://develop.svn.wordpress.org/branches/4.2@42484


git-svn-id: http://core.svn.wordpress.org/branches/4.2@42313 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 08:12:32 +00:00
Dion Hulse
4b860b51ae Upgrade: When deleting old files, if deletion fails attempt to empty the file instead.
Props joemcgill, dd32.
Merges [42434] to the 4.2 branch.
Fixes #42963 for 4.2.

Built from https://develop.svn.wordpress.org/branches/4.2@42472


git-svn-id: http://core.svn.wordpress.org/branches/4.2@42301 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 06:57:57 +00:00
John Blackbourn
a59dfc257f Filesystem API: Ensure filenames are valid before attempting to unzip them to ensure malformed file paths don't cause issues.
Merges [41457] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@41464


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41297 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 14:43:56 +00:00
John Blackbourn
6ddef3f8ab General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.
Merges [41434] with changes to the 4.2 branch.

See #13377

Built from https://develop.svn.wordpress.org/branches/4.2@41445


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41278 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 13:32:30 +00:00
Aaron Campbell
566df4de1a Add nonce for updating file system credentials.
Merges [40723] to 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@40729


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40587 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 14:56:24 +00:00
Pascal Birchler
82c9b36ce7 Fix broken audio/video functions when sanitizing ID3 data
This fixes a bug where running `wp_kses_post_deep()` on all the ID3
tag data corrupted blob data.

See #40075, #40085.

Merges [40400] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@40465


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40341 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-17 13:22:30 +00:00
John Blackbourn
8299a48476 Press This: Verify intent before fetching in-page resources using Press This.
Props vortfu

Merges [40195] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@40201


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40140 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 14:04:31 +00:00
Jeremy Felt
933f556e84 Validate video and audio metadata.
Merge of [40148] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@40154


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40093 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 08:09:31 +00:00
John Blackbourn
22688ca8c6 Posts, Post Types: When using Excerpt mode on the Posts list table, ensure the excerpt output matches what was manually entered into the Excerpt field.
Merges [39956] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@39984


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39921 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 14:17:17 +00:00
Dominik Schilling
afc91088f4 Press This: Do not show Categories & Tags UI for users who cannot assign terms to posts anyways.
Merge of [39968] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@39975


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39912 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 14:13:31 +00:00
Aaron Campbell
9f4a883e2f Add nonce for widget accessibility mode.
Props vortfu.

See #23328.

Merges [39765] to 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@39766


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39704 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 01:49:32 +00:00
Joe McGill
8afdd2be32 Media: Improved media titles when created from filename.
Preserves spaces and generally creates more accurate, cleaner titles from filenames of uploaded media.

Merge of [38615] to the 4.2 branch.

Fixes #37989.

Built from https://develop.svn.wordpress.org/branches/4.2@39714


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39654 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-06 22:01:02 +00:00
Jeremy Felt
f7adf3c9d2 Media: Sanitize upload filename.
Merge of [38538] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@38543


git-svn-id: http://core.svn.wordpress.org/branches/4.2@38486 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-07 13:59:32 +00:00
Pascal Birchler
0e5485fe33 Upgrade/Install: Sanitize file name in File_Upload_Upgrader.
Merge of [38524] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@38529


git-svn-id: http://core.svn.wordpress.org/branches/4.2@38470 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-06 17:55:29 +00:00
Gary Pendergast
2c40eb4cf2 Database: dbDelta() will no longer try to downgrade the size of TEXT and BLOB columns.
When upgrading to `utf8mb4`, `TEXT` fields will be upgraded to `MEDIUMTEXT` (and likewise for all other `*TEXT` and `*BLOB` fields). This is to allow for the additional space requirements of `utf8mb4`.

On the subsequent upgrade, `dbDelta()` would try and downgrade the fields to their original size again. At best, this is a waste of time, at worst, this could truncate any data larger than the original size. There's no harm in leaving them at their new size, so let's do that.

The `FULLTEXT` indexes are removed from the tests, as `dbDelta()`'s `FULLTEXT` support was added in WordPress 4.4.

This also includes the `setUp()` and `tearDown()` parts of [32270], to allow the tests to run, and fixes a typo in them.

Merge of [37525] to the 4.2 branch.
Partial merge of [36552] to the 4.2 branch.
Partial merge of [32270] to the 4.2 branch.

See #36748.


Built from https://develop.svn.wordpress.org/branches/4.2@37939


git-svn-id: http://core.svn.wordpress.org/branches/4.2@37880 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-01 11:51:28 +00:00
Nikolay Bachiyski
3c1876e6c5 Admin: escape URL-encoded permalinks
Merge of [37801] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@37812


git-svn-id: http://core.svn.wordpress.org/branches/4.2@37777 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:54:28 +00:00
Rachel Baker
d5a6676eb2 Revisions: Change the capability needed to view revision diffs to edit_post.
Merge of [37779] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@37799


git-svn-id: http://core.svn.wordpress.org/branches/4.2@37764 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:44:29 +00:00
Nikolay Bachiyski
437f727e8f Admin: Escape attachment name in case it contains special characters
Merge of [37774] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@37789


git-svn-id: http://core.svn.wordpress.org/branches/4.2@37754 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:26:11 +00:00
Boone Gorges
b4bf158d3a Taxonomy: More specific cap check when processing category data on post save.
Ports [37691] to the 4.2 branch.

Props dlh.
Fixes #36379.
Built from https://develop.svn.wordpress.org/branches/4.2@37776


git-svn-id: http://core.svn.wordpress.org/branches/4.2@37741 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:21:38 +00:00
Dominik Schilling
ec4db723d2 XMLRPC: Don't allow private posts to be sticky.
Merge of [33325], [33612], and [34135] to the 4.2 branch.

See #20662.
Built from https://develop.svn.wordpress.org/branches/4.2@34152


git-svn-id: http://core.svn.wordpress.org/branches/4.2@34120 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 22:51:28 +00:00
Nikolay Bachiyski
c8d3901f8f List tables: escape user e-mails
Merges [34133] for 4.2 branch

Built from https://develop.svn.wordpress.org/branches/4.2@34138


git-svn-id: http://core.svn.wordpress.org/branches/4.2@34106 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 22:41:28 +00:00
Dominik Schilling
b0b028eacd Heartbeat: Ensure post locks are released.
Merge of [33542] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@33543


git-svn-id: http://core.svn.wordpress.org/branches/4.2@33510 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-04 04:54:59 +00:00
Gary Pendergast
c58e9ddf35 Don't blindly trust the output of glob() to be an array.
Props kitchin.

Merge of [33447] to the 4.2 branch.

Fixes #33093.


Built from https://develop.svn.wordpress.org/branches/4.2@33481


git-svn-id: http://core.svn.wordpress.org/branches/4.2@33448 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-29 06:53:28 +00:00
Gary Pendergast
fe2d10ea5c Capabilities: When creating an auto-draft, ensure that the current user still has permission to do so.
Merge of [33357] to the 4.2 branch.


Built from https://develop.svn.wordpress.org/branches/4.2@33358


git-svn-id: http://core.svn.wordpress.org/branches/4.2@33330 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-22 04:06:28 +00:00
Dion Hulse
b6058e2231 Updates: Correctly identify more failed update cases.
This checks for a WP_Error being raised during an individual update, in addition to just the bootstrap error cases.
When an error occurs during the connection phase, pass the error message back as the ajax failure message.

Merges [32571] & [32778] to the 4.2 branch

See #32473, #32435

Built from https://develop.svn.wordpress.org/branches/4.2@33302


git-svn-id: http://core.svn.wordpress.org/branches/4.2@33274 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-17 03:59:28 +00:00
Dion Hulse
8e96288144 Shiny Updates: Handle the case where the plugin is installed into a different directory than it previously existed in.
A good example of this is when the plugin being updated is currently installed as 'Plugin-Name' but the canonical directory is 'plugin-name', but it can also occur when the plugin is installed in 'super-cool-plugin' and its canonical name is 'average-plugin'.

Merges [32570] to the 4.2 branch.
Fixes #32465

Built from https://develop.svn.wordpress.org/branches/4.2@33301


git-svn-id: http://core.svn.wordpress.org/branches/4.2@33273 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-17 03:55:28 +00:00
Dion Hulse
7090cf8980 Updates: When performing an ajax plugin update, rely upon wp_update_plugins() to check the contents of the transient and return early if no request needs to be made.
This works around a bug where custom update handlers are injecting an update into an empty transient, malforming the transient and causing update failures.
Merges [33257] to the 4.2 branch.
Fixes #32198 for 4.2

Built from https://develop.svn.wordpress.org/branches/4.2@33258


git-svn-id: http://core.svn.wordpress.org/branches/4.2@33230 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-14 08:04:27 +00:00
Dion Hulse
63f64d5909 Enable utf8mb4 for MySQL extension users. Previously utf8mb4 was limited to MySQLi users only unintentionally.
Ports [33055] to the 4.2 branch
Fixes #32127 for 4.2.3

Built from https://develop.svn.wordpress.org/branches/4.2@33063


git-svn-id: http://core.svn.wordpress.org/branches/4.2@33034 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-03 12:44:28 +00:00
Dion Hulse
61122743e2 Don't upgrade global tables to utf8mb4 when DO_NOT_UPGRADE_GLOBAL_TABLES is defined.
This change also standardises on only checking `DO_NOT_UPGRADE_GLOBAL_TABLES` is defined, not its value.

Fixes #32154 for 4.2

Built from https://develop.svn.wordpress.org/branches/4.2@33059


git-svn-id: http://core.svn.wordpress.org/branches/4.2@33030 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-03 05:59:27 +00:00
Dion Hulse
371db8aea1 Remove a redundant index drop, it'll be dropped and re-created a few lines further down.
Fixes a warning during updating from 4.0 or earlier.
Merges [32852] to the 4.2 branch. Fixes #31388 for 4.2

Built from https://develop.svn.wordpress.org/branches/4.2@32853


git-svn-id: http://core.svn.wordpress.org/branches/4.2@32824 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-19 03:20:30 +00:00
Gary Pendergast
ca13bd76d5 Upgrades: If a table has already been converted to utf8mb4, there's no need to try and convert it again.
Props gabrielperezs for the initial patch.

Merge of [32456] to the 4.2 branch.

Fixes #32310.


Built from https://develop.svn.wordpress.org/branches/4.2@32457


git-svn-id: http://core.svn.wordpress.org/branches/4.2@32427 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-08 12:28:28 +00:00
Michael Adams
ba2de1e736 Upgrade: Since MySQL may auto-expand column widths when changing a column's character set, we must do our length-based comment checks prior to the character set changes.
Props jorbin, et alii.

Merges [32440] for the 4.2 branch.

See #32165.

Built from https://develop.svn.wordpress.org/branches/4.2@32441


git-svn-id: http://core.svn.wordpress.org/branches/4.2@32411 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-07 01:12:29 +00:00
Michael Adams
ff4c5d2767 Upgrade: $wpdb->get_col_length() sanity check: bail on unexpected return value.
See #32165.

Built from https://develop.svn.wordpress.org/branches/4.2@32430


git-svn-id: http://core.svn.wordpress.org/branches/4.2@32400 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-06 23:12:27 +00:00
Michael Adams
f3d41b7b38 Upgrade: Ensure unintelligible DB schemas don't result in content loss.
Merge of [32417] to the 4.2 branch.

See #32165.

Props ocean90.

Built from https://develop.svn.wordpress.org/branches/4.2@32418


git-svn-id: http://core.svn.wordpress.org/branches/4.2@32388 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-06 21:50:29 +00:00
Aaron Jorbin
ca97837cf3 When upgrading WordPress remove genericons example.html files
[32385] for 4.2 branch

Props @dd32, @boone, @johnjamesjacoby, @drewapicture, @jorbin


Built from https://develop.svn.wordpress.org/branches/4.2@32386


git-svn-id: http://core.svn.wordpress.org/branches/4.2@32356 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-06 18:39:28 +00:00
Gary Pendergast
5c01870b62 Upgrades: When converting to utf8mb4, we were trying to change the wrong index on wp_signups, causing the conversion to later fail.
Merge [32378] to the 4.2 branch.

Props kovshenin, pento.

Fixes #32099.


Built from https://develop.svn.wordpress.org/branches/4.2@32380


git-svn-id: http://core.svn.wordpress.org/branches/4.2@32350 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-06 07:42:28 +00:00
Gary Pendergast
db8f915ee6 WPDB: When checking that a string can be sent to MySQL, we shouldn't use mb_convert_encoding(), as it behaves differently to MySQL's character encoding conversion.
Merge of [32364] to the 4.2 branch.

Props mdawaffe, pento, nbachiyski, jorbin, johnjamesjacoby, jeremyfelt.

See #32165.


Built from https://develop.svn.wordpress.org/branches/4.2@32367


git-svn-id: http://core.svn.wordpress.org/branches/4.2@32337 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-06 03:30:30 +00:00
Dion Hulse
4202e36193 When creating a temporary file treat the / directory properly, to prevent it ending up in an endless self-calling loop.
Props hnle, taka2. Fixes #32135. See #31811
Merges [32322] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@32324


git-svn-id: http://core.svn.wordpress.org/branches/4.2@32295 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-29 03:20:29 +00:00
Gary Pendergast
a3a76fe665 4.2: When upgrading, remove any suspicious comments.
Built from https://develop.svn.wordpress.org/branches/4.2@32311


git-svn-id: http://core.svn.wordpress.org/branches/4.2@32282 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-27 17:10:29 +00:00
Dominik Schilling
89e45feb4c Don't focus input fields outside of the request filesystem credentials form.
props valendesigns.
fixes #32055.
Built from https://develop.svn.wordpress.org/trunk@32266


git-svn-id: http://core.svn.wordpress.org/trunk@32237 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-22 16:24:26 +00:00
Dominik Schilling
e0657e6904 Don't return empty themes in wp_prepare_themes_for_js().
see #32002.
Built from https://develop.svn.wordpress.org/trunk@32264


git-svn-id: http://core.svn.wordpress.org/trunk@32235 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-22 16:11:25 +00:00
Andrew Ozz
60706015e1 Revert editing of video embed parameters in the media modal, [31620] and [31626] for now. Plan on revisiting in 4.3.
Props iseulde. Fixes #31139, fixes #32006.
Built from https://develop.svn.wordpress.org/trunk@32258


git-svn-id: http://core.svn.wordpress.org/trunk@32229 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-21 22:41:26 +00:00