Commit Graph

16968 Commits

Author SHA1 Message Date
John Blackbourn 63cc2673a1 Hardening: Add escaping to the language attributes used on `html` elements.
Merges [42259] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@42293


git-svn-id: http://core.svn.wordpress.org/branches/4.2@42122 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:33:54 +00:00
Dion Hulse 9dadfcb012 WPDB: Check that `AUTH_SALT` is not empty, Fix a PHP notice when `AUTH_SALT` is undefined.
Props jsonfry, mkomar, pento.
Merges [42119] and [42120] to the 4.2 branch.
Fixes #42431 and #42401 for 4.2.

Built from https://develop.svn.wordpress.org/branches/4.2@42236


git-svn-id: http://core.svn.wordpress.org/branches/4.2@42065 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-27 01:12:56 +00:00
Gary Pendergast eb5a635d04 Bump 4.2 branch to version 4.3.17.
Built from https://develop.svn.wordpress.org/branches/4.2@42075


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41904 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 13:42:30 +00:00
Gary Pendergast 86acf8b033 Database: Restore numbered placeholders in `wpdb::prepare()`.
[41496] removed support for numbered placeholders in queries sent through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.

Merges [41662], [42056] to the 4.2 branch.
See #41925.


Built from https://develop.svn.wordpress.org/branches/4.2@42063


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41892 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 12:51:31 +00:00
Dominik Schilling c4fb8dfbf1 Bump 4.2 branch to version 4.2.16.
Built from https://develop.svn.wordpress.org/branches/4.2@41516


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41349 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 20:03:31 +00:00
Aaron Campbell a964c2ba2e Database: Hardening to bring `wpdb::prepare()` in line with documentation.
`wpdb::prepare()` supports %s, %d, and %F as placeholders in the query string. Any other non-escaped % will be escaped.

Merges [41496] to 4.2 branch.


Built from https://develop.svn.wordpress.org/branches/4.2@41503


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41336 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 18:31:29 +00:00
Aaron Campbell 79e0bb13d4 Database: Don’t trigger `_doing_it_wrong()` for null values in `wpdb::prepare()`.
While `wpdb::prepare()` does not support null values (see #12819) they still appear in the wild like in the WordPress Importer and other plugins.

Merges [41483] to 4.2 branch.


Built from https://develop.svn.wordpress.org/branches/4.2@41490


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41323 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 16:25:54 +00:00
Aaron Campbell be9edc6bc3 Database: Hardening for `wpdb::prepare()`
Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.

Merges [41470] to 4.2 branch.


Built from https://develop.svn.wordpress.org/branches/4.2@41477


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41310 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 15:03:30 +00:00
Dominik Schilling 74df39530d TinyMCE: Improve the previews for shortcodes.
Merge of [41395] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@41441


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41274 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 12:44:31 +00:00
Dominik Schilling ecf502b597 Editor: Prevent adding `javascript:` and `data:` URLs through the inline link dialog.
Merge of [41393] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@41406


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41239 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 10:19:28 +00:00
Aaron Campbell a01117bf0d Bump 4.2 branch to version 4.2.15.
Built from https://develop.svn.wordpress.org/branches/4.2@40753


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40611 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 21:52:23 +00:00
Pascal Birchler 7f8136dfd7 Media: Simplify upload error message construction.
Merges [40736] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@40742


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40600 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 18:03:56 +00:00
Dominik Schilling 8f47014af6 Customize: Ignore invalid customization sessions.
Merge of [40704] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@40710


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40573 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 12:19:29 +00:00
Pascal Birchler 92f3fdb956 Adjust post meta checks
Merges [40692] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@40698


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40561 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:52:55 +00:00
Pascal Birchler 7fc612abfb Whitelist post arguments in XML-RPC
Merges [40677] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@40683


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40546 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:24:31 +00:00
Pascal Birchler 5565b98dde Bump 4.2 branch to version 4.2.14.
Built from https://develop.svn.wordpress.org/branches/4.2@40492


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40368 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-20 16:26:30 +00:00
James Nylen b9a98e7562 Bump 4.2 branch to version 4.2.13.
Built from https://develop.svn.wordpress.org/branches/4.2@40207


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40146 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 16:32:30 +00:00
Aaron Campbell db266e95e1 Strip control characters before validating redirect.
Merges [40183] to 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@40189


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40128 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 13:44:24 +00:00
Dominik Schilling 462631b8cc Embeds: URL encode YouTube video IDs for broader compatibility.
Merge of [40160] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@40166


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 12:07:35 +00:00
Aaron Campbell f449b0a0ce Bump 4.2 branch to version 4.2.12.
Built from https://develop.svn.wordpress.org/branches/4.2@40001


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39938 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 18:25:29 +00:00
Dominik Schilling b7509648b8 Query: Ensure that queries work correctly with post type names with special characters.
Merge of [39952] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@39961


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39898 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 13:52:00 +00:00
Aaron Campbell ab64033700 Bump 4.2 branch to version 4.2.11.
Built from https://develop.svn.wordpress.org/branches/4.2@39865


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39802 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 16:58:29 +00:00
Joe McGill 073c7e6092 Media: Fix exif_imagetype check in wp_get_image_mime
This is a follow up to [39831].

Merges [39850] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@39856


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39793 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 16:43:32 +00:00
Joe McGill 99f9d45c10 Media: Improve image filetype checking.
This adds a new function `wp_get_image_mime()` which is used by
`wp_check_filetype_and_ext()` to validate image files using
`exif_imagetype()` if available instead of `getimagesize()`.

`getimagesize()` is less performant than `exif_imagetype()` and is
dependent on GD. If `exif_imagetype()` is not available, it falls back to
`getimagesize()` as before.

If `wp_check_filetype_and_ext()` can't validate the filetype, we now return
`false` for ext/MIME values.

Merges [39831] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@39837


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39775 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 13:18:29 +00:00
Dominik Schilling 76d93255d6 Themes: Fix markup for theme name fallbacks.
Merge of [39807] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@39814


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39752 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 11:11:56 +00:00
Jeremy Felt ed1586d7ff Multisite: Use `wp_rand()` in signup key creation.
Merges [39795] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@39801


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39739 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 05:34:56 +00:00
Dion Hulse 4873f1b139 Update PHPMailer to 5.2.22.
The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.2 branch.
Fixes #37210 for 4.2.

Built from https://develop.svn.wordpress.org/branches/4.2@39789


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39727 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 05:25:28 +00:00
Dion Hulse 755a765d49 Mail: Upgrade PHPMailer to 5.2.21.
Merges [39645], [36083], [33142], [33124] to the 4.2 branch.
See #37210.

Built from https://develop.svn.wordpress.org/branches/4.2@39726


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39666 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-06 22:06:00 +00:00
Jeremy Felt e57416e1d7 Bump 4.2 branch to 4.2.10.
Built from https://develop.svn.wordpress.org/branches/4.2@38553


git-svn-id: http://core.svn.wordpress.org/branches/4.2@38496 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-07 15:00:32 +00:00
Boone Gorges 3042245749 Bump 4.2 branch to 4.2.9.
Built from https://develop.svn.wordpress.org/branches/4.2@37831


git-svn-id: http://core.svn.wordpress.org/branches/4.2@37796 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 16:36:27 +00:00
Joe McGill 754a809bfb Media: Improve handling of extensionless filenames.
Merge of [37756] to the 4.2 branch.

See #37111.
Built from https://develop.svn.wordpress.org/branches/4.2@37816


git-svn-id: http://core.svn.wordpress.org/branches/4.2@37781 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:56:48 +00:00
Nikolay Bachiyski 437f727e8f Admin: Escape attachment name in case it contains special characters
Merge of [37774] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@37789


git-svn-id: http://core.svn.wordpress.org/branches/4.2@37754 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:26:11 +00:00
Jeremy Felt 0ba49c4a4c Admin: Allow for the consistent filtering of `auth_redirect_scheme`
Merge of [37651] to the 4.2 branch.

See #37047.

Built from https://develop.svn.wordpress.org/branches/4.2@37761


git-svn-id: http://core.svn.wordpress.org/branches/4.2@37726 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:12:47 +00:00
Dominik Schilling 94306911e2 Bump 4.2 branch to 4.2.8.
Built from https://develop.svn.wordpress.org/branches/4.2@37387


git-svn-id: http://core.svn.wordpress.org/branches/4.2@37353 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-06 18:13:27 +00:00
Nikolay Bachiyski 96731bcfb4 External Libraries: Update plupload from upstream
Built from https://develop.svn.wordpress.org/branches/4.2@37379


git-svn-id: http://core.svn.wordpress.org/branches/4.2@37345 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-06 17:59:26 +00:00
Dominik Schilling e35259b0bc External Libraries: Update MediaElement.js from upstream.
Merge of [37370] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@37375


git-svn-id: http://core.svn.wordpress.org/branches/4.2@37341 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-06 17:55:00 +00:00
Nikolay Bachiyski 0986b209ea Taxonomies: make sure taxonomy functions work correctly with taxonomy names with special characters
The codex says that taxonomy names "should only contain lowercase letters and the underscore character", but that's not enforced. It's too late to enforce it, since some plugins haven't been following it and the official phpdoc doesn't mention this restriction.

Merge of [37133] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@37137


git-svn-id: http://core.svn.wordpress.org/branches/4.2@37104 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-30 17:29:28 +00:00
Dominik Schilling a60f6eea61 HTTP: Improve detection of valid IP addresses.
Merge of [37115] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@37118


git-svn-id: http://core.svn.wordpress.org/branches/4.2@37085 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-30 15:52:12 +00:00
Nikolay Bachiyski 080ef55551 Snoopy: use escapeshellarg instead of escapeshellcmd
We are escaping arguments, not commands, so we'd better use the semantically correct function, even though they are similar.

Merges [37094] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@37097


git-svn-id: http://core.svn.wordpress.org/branches/4.2@37064 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-30 14:08:28 +00:00
Dominik Schilling 666b9f8558 Bump 4.2 branch to 4.2.7.
Built from https://develop.svn.wordpress.org/branches/4.2@36457


git-svn-id: http://core.svn.wordpress.org/branches/4.2@36424 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 17:28:49 +00:00
Dominik Schilling c1769766f6 Better validation of the URL used in HTTP redirects.
Merges [36444] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@36449


git-svn-id: http://core.svn.wordpress.org/branches/4.2@36416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 17:00:28 +00:00
Dominik Schilling c30865a6b5 HTTP: `0.1.2.3` is not a valid IP.
Merges [36435] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@36438


git-svn-id: http://core.svn.wordpress.org/branches/4.2@36405 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 13:04:20 +00:00
Dominik Schilling c897bed043 Bump 4.2 branch to 4.2.6.
Built from https://develop.svn.wordpress.org/branches/4.2@36198


git-svn-id: http://core.svn.wordpress.org/branches/4.2@36165 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-06 18:49:27 +00:00
Aaron Jorbin f26900d209 Theme: Escape error messages
[36185] for 4.2 branch

Built from https://develop.svn.wordpress.org/branches/4.2@36188


git-svn-id: http://core.svn.wordpress.org/branches/4.2@36155 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-06 17:26:28 +00:00
Dion Hulse 5686506414 Background Updates: Remove the 7am/7pm background update check.
This changeset is a more basic version of [36180], clearing the extra now redundant schedule.
As the functionality for this was introduced in 3.9, [28129] has been backported to 3.7/3.8, allowing the API TTL to be respected by those versions.

See #27772.
Fixes #35323.

Built from https://develop.svn.wordpress.org/trunk@36184


git-svn-id: http://core.svn.wordpress.org/branches/4.2@36151 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-06 13:24:33 +00:00
Helen Hou-Sandí ca39e38e59 Finish bumping the 4.2 branch to 4.2.5.
Built from https://develop.svn.wordpress.org/branches/4.2@34190


git-svn-id: http://core.svn.wordpress.org/branches/4.2@34158 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-15 14:50:07 +00:00
Dominik Schilling ec4db723d2 XMLRPC: Don't allow private posts to be sticky.
Merge of [33325], [33612], and [34135] to the 4.2 branch.

See #20662.
Built from https://develop.svn.wordpress.org/branches/4.2@34152


git-svn-id: http://core.svn.wordpress.org/branches/4.2@34120 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 22:51:28 +00:00
Nikolay Bachiyski a4dba03383 Shortcodes: don't allow unclosed HTML elements in attributes
Merges [34134] for 4.2 branch

Built from https://develop.svn.wordpress.org/branches/4.2@34145


git-svn-id: http://core.svn.wordpress.org/branches/4.2@34113 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 22:48:27 +00:00
Gary Pendergast 56b1ceaf04 WPDB: `get_table_from_query()` didn't find table names with hyphens in them.
Merge of [33718] to the 4.2 branch.

Props dustinbolton, pento.

See #33470.


Built from https://develop.svn.wordpress.org/branches/4.2@33992


git-svn-id: http://core.svn.wordpress.org/branches/4.2@33961 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-10 06:57:28 +00:00
Gary Pendergast 6b2df3479c Capabilities: Fall back to the `edit_posts` capability for orphaned comments.
Merge of the `capabilities.php` part of [33614] to the 4.2 branch.

Props pento, dd32.

See #33154.


Built from https://develop.svn.wordpress.org/branches/4.2@33972


git-svn-id: http://core.svn.wordpress.org/branches/4.2@33941 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-09 06:01:28 +00:00