Commit Graph

20209 Commits

Author SHA1 Message Date
desrosj
fb3fb535c7 Build/Test Tools: Backport GitHub Action and build improvements to the 4.4 branch.
This backports several build and test tool improvements to the 4.4 branch. Most notably, this includes:

- The changes required to allow each workflow to be triggered by the `workflow_dispatch` event so that tests can be run on a schedule [50590].
- Splitting single site and multisite tests into parallel jobs [50379].
- Split slow tests into separate, parallel jobs for PHP <= 5.6 [50444].
- Better branch and path scoping for GitHub Action workflows when running on `pull_request` [50432,50479].
- Several `devDependency` updates.

Merges [50379,50387,50416,50432,50435,50436,50444,50446,50473,50474,50476,50479,50485,50486,50487,50545,50579,50590] to the 4.4 branch.
See #50401, #51801, #51802, #52548, #52612, #52624, #52625, #52645, #52653, #52658, #52660, #52667.
Built from https://develop.svn.wordpress.org/branches/4.4@50639


git-svn-id: http://core.svn.wordpress.org/branches/4.4@50251 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-04-02 15:43:22 +00:00
desrosj
a64be2cd83 Build/Test Tools: Support NodeJS 14.x in the 4.4 branch.
This updates the 4.4 branch to support the latest LTS version of NodeJS (currently 14.x), allowing the same version to be used across all WordPress branches that receive security updates as a courtesy.

Because older branches use (really) old versions of NodeJS, the local Docker environment cannot be backported since the needed dependencies will not run on these older versions (see #48301). This also blocks the ability to move automated testing over to GitHub Actions (see #50401).

This also replaces the `npm-shrinkwrap.json` with a `package-lock.json` file. Lock files were not supported in earlier versions of NPM, but can now be used.

In addition to backporting the package updates that happened after branching 4.4, dependencies that were removed in future releases have also been updated to their latest versions.

Props desrosj, dd32, netweb, jorbin.
Merges [35859,35862,36860-36865,36935,36978-36979,37017,37019-37020,37212,37612,38111,38688,39110,39113-39119,39478,42460-42461,42463,42887,43320,43323,43977,44219,44233,44728,45321,45765,46404,46408-46409,47404,47867-47869,47872-47873,48705,49636,49933,49937,49939,50017,50126,50176,50185,50192] to the 4.4 branch.
See #52341.
Built from https://develop.svn.wordpress.org/branches/4.4@50210


git-svn-id: http://core.svn.wordpress.org/branches/4.4@49881 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-02-05 04:23:43 +00:00
desrosj
779a2144fc Build/Test Tools: Correct JavaScript files in the 4.4 branch.
In [46498], some JavaScript files were unintentionally changed. This restores those files to their correct state.

Partially reverts [46498].
See #52367.
Built from https://develop.svn.wordpress.org/branches/4.4@50018


git-svn-id: http://core.svn.wordpress.org/branches/4.4@49719 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-25 20:15:21 +00:00
desrosj
13400ce28c WordPress 4.4.24.
Built from https://develop.svn.wordpress.org/branches/4.4@49420


git-svn-id: http://core.svn.wordpress.org/branches/4.4@49179 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-29 19:41:43 +00:00
whyisjake
e6644734de General: WordPress updates
* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 4.4 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Built from https://develop.svn.wordpress.org/branches/4.4@49402


git-svn-id: http://core.svn.wordpress.org/branches/4.4@49161 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-29 19:04:23 +00:00
desrosj
9c8eee595c WordPress 4.4.23.
Built from https://develop.svn.wordpress.org/branches/4.4@47999


git-svn-id: http://core.svn.wordpress.org/branches/4.4@47767 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 21:38:55 +00:00
whyisjake
9894097207 General: Backport several commits for release.
- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option.
Merges [47947-47951] to the 4.4 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.

Built from https://develop.svn.wordpress.org/branches/4.4@47972


git-svn-id: http://core.svn.wordpress.org/branches/4.4@47742 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 18:54:30 +00:00
desrosj
87bf09100d WordPress 4.4.22
Built from https://develop.svn.wordpress.org/branches/4.4@47676


git-svn-id: http://core.svn.wordpress.org/branches/4.4@47453 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 18:02:47 +00:00
whyisjake
bb6d812c70 User: Invalidate user_activation_key on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.

Brings the changes in [47634], [47635], [47637], and [47638] to the 4.4 branch.

Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, whyisjake, whyisjake, xknown.

Built from https://develop.svn.wordpress.org/branches/4.4@47653


git-svn-id: http://core.svn.wordpress.org/branches/4.4@47430 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 16:39:23 +00:00
Sergey Biryukov
0983cf671d WordPress 4.4.21
Built from https://develop.svn.wordpress.org/branches/4.4@46929


git-svn-id: http://core.svn.wordpress.org/branches/4.4@46729 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 20:31:20 +00:00
Sergey Biryukov
23ac697ad8 Update wp_kses_bad_protocol() to recognize &colon; on uri attributes,
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 4.4 branch.

Props: xknown, nickdaugherty, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.4@46912


git-svn-id: http://core.svn.wordpress.org/branches/4.4@46712 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:44:21 +00:00
desrosj
25a94707d9 WordPress 4.4.20.
Built from https://develop.svn.wordpress.org/branches/4.4@46516


git-svn-id: http://core.svn.wordpress.org/branches/4.4@46313 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 20:12:20 +00:00
whyisjake
9a0b89f7a8 Backporting several bug fixes.
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
- Customizer: Properly sanitize background images.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@46498


git-svn-id: http://core.svn.wordpress.org/branches/4.4@46295 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 19:09:23 +00:00
desrosj
d1cc3f64da WordPress 4.4.19.
Built from https://develop.svn.wordpress.org/branches/4.4@46038


git-svn-id: http://core.svn.wordpress.org/branches/4.4@45850 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 22:04:00 +00:00
desrosj
feda17a63c Fix for URL sanitization in wp_kses_bad_protocol_once().
Merges [45997] to the 4.4 branch.

Props irsdl, sstoqnov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/4.4@46010


git-svn-id: http://core.svn.wordpress.org/branches/4.4@45821 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 21:40:56 +00:00
Sergey Biryukov
7f160a4160 Improve handling the existing rel attribute in wp_rel_nofollow_callback().
Merges [45990] to the 4.4 branch.
Props xknown, sstoqnov.
Built from https://develop.svn.wordpress.org/branches/4.4@46001


git-svn-id: http://core.svn.wordpress.org/branches/4.4@45812 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:58:13 +00:00
Sergey Biryukov
16195095b8 Improve URL validation in wp_validate_redirect().
Merges [45971] to the 4.4 branch.
Props vortfu, whyisjake, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.4@45981


git-svn-id: http://core.svn.wordpress.org/branches/4.4@45792 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:14:19 +00:00
whyisjake
7bb2a5a110 Remove _convert_urlencoded_to_entities() from the get_the_content() callback.
Merges [45937] to the 4.4 branch.

Props vortfu, whyisjake, peterwilsoncc

Built from https://develop.svn.wordpress.org/branches/4.4@45958


git-svn-id: http://core.svn.wordpress.org/branches/4.4@45769 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 16:41:42 +00:00
Gary Pendergast
b82d7057c6 WordPress 4.4.18
Built from https://develop.svn.wordpress.org/branches/4.4@44878


git-svn-id: http://core.svn.wordpress.org/branches/4.4@44709 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-13 01:31:20 +00:00
Sergey Biryukov
f797452514 Comments: Improve comment content filtering.
Merges [44842] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@44850


git-svn-id: http://core.svn.wordpress.org/branches/4.4@44682 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-12 22:40:20 +00:00
Sergey Biryukov
ab80be3ffa Formatting: Improve rel="nofollow" handling in comments.
Merges [44833] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@44841


git-svn-id: http://core.svn.wordpress.org/branches/4.4@44673 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-12 22:27:20 +00:00
Jeremy Felt
d79c34ca3a Bump 4.4 branch to version 4.4.17.
Built from https://develop.svn.wordpress.org/branches/4.4@44083


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43913 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 02:14:45 +00:00
Peter Wilson
7da4f3910f Multisite: Validate activation links.
Merges [44048] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@44061


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43891 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 01:47:21 +00:00
iandunn
0fc5160483 KSES: Make the URI attributes DRY.
This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.

Merges [44014] and [44017] to the `4.4` branch.

Built from https://develop.svn.wordpress.org/branches/4.4@44035


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43865 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 00:59:19 +00:00
Peter Wilson
18e6420dff Multisite: Improve messaging for previously activated users.
Ensure activation of a site is not attempted multiple times and users are shown the correct message if they follow the link a second time.

Merges [44021] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@44030


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43860 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 00:50:20 +00:00
Gary Pendergast
9d99fdce47 KSES: Conditionally remove the <form> element from $allowedposttags.
To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.

Merges [43994] to the 4.4 branch.


Built from https://develop.svn.wordpress.org/branches/4.4@44003


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43835 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:36:20 +00:00
Jeremy Felt
60dacc5deb Media: Improve verification of MIME file types.
Merges [43988] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@43995


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43827 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:14:21 +00:00
Aaron Campbell
40f9e10d03 Bump 4.4 branch to version 4.4.16
Built from https://develop.svn.wordpress.org/branches/4.4@43412


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43240 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 16:12:48 +00:00
John Blackbourn
82dc7df085 Media: Limit thumbnail file deletions to the same directory as the original file.
Merges [43393] into the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@43398


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43226 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 14:57:24 +00:00
Aaron Campbell
77061065b4 Bump 4.4 branch to version 4.4.15
Built from https://develop.svn.wordpress.org/branches/4.4@42938


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42768 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 20:30:01 +00:00
Dominik Schilling
1816f1c364 Template: Make sure the version string is correctly escaped for use in attributes.
Merge of [42893] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@42922


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42752 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 16:08:38 +00:00
Dion Hulse
fbefbce5ea Bump the 4.4 branch to 4.4.14.
Built from https://develop.svn.wordpress.org/branches/4.4@42499


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42328 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 21:42:38 +00:00
Dion Hulse
e462191652 External Libraries: Remove unnecessary / obsoleted MediaElement.js files.
Merges [42478] to the 4.4 branch.
Fixes #42720 for 4.4.

Built from https://develop.svn.wordpress.org/branches/4.4@42482


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42311 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 08:09:32 +00:00
John Blackbourn
448ccd4397 Bump 4.4 branch to version 4.4.13.
Built from https://develop.svn.wordpress.org/branches/4.4@42321


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42150 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 19:01:31 +00:00
John Blackbourn
4fac456d88 Hardening: Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.
Merges [42261] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@42287


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42116 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:30:31 +00:00
John Blackbourn
94ed06c3c0 Hardening: Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
Merges [42260] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@42286


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42115 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:29:31 +00:00
John Blackbourn
5f6f29f00a Hardening: Add escaping to the language attributes used on html elements.
Merges [42259] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@42285


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42114 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:29:00 +00:00
Dion Hulse
5da6b7c200 WPDB: Check that AUTH_SALT is not empty, Fix a PHP notice when AUTH_SALT is undefined.
Props jsonfry, mkomar, pento.
Merges [42119] and [42120] to the 4.4 branch.
Fixes #42431 and #42401 for 4.4.

Built from https://develop.svn.wordpress.org/branches/4.4@42234


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42063 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-27 01:11:03 +00:00
Gary Pendergast
2f96a03e6c Bump 4.4 branch to version 4.4.12.
Built from https://develop.svn.wordpress.org/branches/4.4@42073


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41902 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 13:26:30 +00:00
Gary Pendergast
aec6946594 Database: Restore numbered placeholders in wpdb::prepare().
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.

Merges [41662], [42056] to the 4.4 branch.
See #41925.


Built from https://develop.svn.wordpress.org/branches/4.4@42061


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 12:46:31 +00:00
Dominik Schilling
a80bb4a686 Bump 4.4 branch to version 4.4.11.
Built from https://develop.svn.wordpress.org/branches/4.4@41514


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41347 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 20:02:00 +00:00
Aaron Campbell
a89b23a75a Database: Hardening to bring wpdb::prepare() inline with documentation.
`wpdb::prepare()` supports %s, %d, and %F as placeholders in the query string. Any other non-escaped % will be escaped.

Merges [41496] to 4.4 branch.


Built from https://develop.svn.wordpress.org/branches/4.4@41501


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41334 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 18:15:37 +00:00
Aaron Campbell
5a0f95b6cf Database: Don’t trigger _doing_it_wrong() for null values in wpdb::prepare().
While `wpdb::prepare()` does not support null values (see #12819) they still appear in the wild like in the WordPress Importer and other plugins.

Merges [41483] to 4.4 branch.


Built from https://develop.svn.wordpress.org/branches/4.4@41488


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41321 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 16:24:03 +00:00
Aaron Campbell
45280bda66 Database: Hardening for wpdb::prepare()
Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.

Merges [41470] to 4.4 branch.


Built from https://develop.svn.wordpress.org/branches/4.4@41475


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 15:02:30 +00:00
Aaron Campbell
78462a6178 oEmbed: Add extra hardening around allowed HTML for improved sandboxing.
Merges [41448] to 4.4 branch.


Built from https://develop.svn.wordpress.org/branches/4.4@41455


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 13:51:01 +00:00
Dominik Schilling
2603a8b4d6 TinyMCE: Improve the previews for shortcodes.
Merge of [41395] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@41439


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41272 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 12:43:37 +00:00
Dominik Schilling
c448e53286 Customize: Ensure valid themes in the preview.
Merge of [41397] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@41433


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41266 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 11:52:37 +00:00
Dominik Schilling
6b08998219 Editor: Prevent adding javascript: and data: URLs through the inline link dialog.
Merge of [41393] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@41404


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41237 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 10:18:31 +00:00
John Blackbourn
866662a9fd General: Backport PHP 7.1 fixes to the 4.4 branch to avoid fatal errors and warnings.
See #41135

Built from https://develop.svn.wordpress.org/branches/4.4@41129


git-svn-id: http://core.svn.wordpress.org/branches/4.4@40969 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-07-24 22:27:31 +00:00
Aaron Campbell
13db27bb7b Bump 4.7 branch to version 4.4.10.
Built from https://develop.svn.wordpress.org/branches/4.4@40751


git-svn-id: http://core.svn.wordpress.org/branches/4.4@40609 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 21:51:30 +00:00