- Comments: Prevent users who can not see a post from seeing comments on it.
- Shortcodes: Restrict media shortcode ajax to certain type.
- REST API: Ensure no-cache headers are sent when methods are overridden.
- REST API: Limit `search_columns` for users without `list_users`.
- Prevent unintended behavior when certain objects are unserialized.
Merges [56834], [56835], [56836], [56838], and [56840] to the 4.9 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.
Built from https://develop.svn.wordpress.org/branches/4.9@56865
git-svn-id: http://core.svn.wordpress.org/branches/4.9@56376 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.
Brings the changes from [49380,49382-49388] to the 4.9 branch.
Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.
Built from https://develop.svn.wordpress.org/branches/4.9@49397
git-svn-id: http://core.svn.wordpress.org/branches/4.9@49156 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fixes#38070, #37733 by reverting part of [38429] and using the fix in Requests.
Fixes#37992 allowing for connecting to SSL resources on ports other than 443.
Fixes#37991 by not sending default ports in the `Host:` header.
Fixes#37839 to match and decode Chunked responses correctly.
Fixes#38232 allowing a SSL connection to ignore the hostname of the certificate when verification is disabled.
Built from https://develop.svn.wordpress.org/trunk@38727
git-svn-id: http://core.svn.wordpress.org/trunk@38670 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This introduces a minimum value of 1 second for timeouts passed to cURL.
Internally, cURL uses alarm() for interrupts, which accepts a second-resolution timeout. Any values lower than 1 second are instantly failed rather than being rounded upwards. While this makes the experience worse for those using asynchronous DNS lookups, there's no way to detect which DNS resolver is being used from PHP.
See #33055, #8923.
Built from https://develop.svn.wordpress.org/trunk@37694
git-svn-id: http://core.svn.wordpress.org/trunk@37660 1a063a9b-81f0-0310-95a4-ce76da25c4cd