Commit Graph

158 Commits

Author SHA1 Message Date
Andrew Nacin 96ee267343 Better validation of the URL used in core HTTP requests.
git-svn-id: http://core.svn.wordpress.org/trunk@24480 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-06-21 06:07:47 +00:00
Peter Westwood 34001cb325 XMLRPC: Expose the admin and login urls as read-only options over xml-rpc to make it easier to write rich clients. Fixes #23446 props daniloercoli.
git-svn-id: http://core.svn.wordpress.org/trunk@24382 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-29 11:01:32 +00:00
Sergey Biryukov 5679830030 Fix typos in comments. fixes #24337.
git-svn-id: http://core.svn.wordpress.org/trunk@24255 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-14 18:22:54 +00:00
Sergey Biryukov 57c10eadbb Use ellipsis instead of three dots. props tjsingleton, jordie23, wojtek.szkutnik, DrewAPicture, SergeyBiryukov. see #8714.
git-svn-id: http://core.svn.wordpress.org/trunk@24207 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-08 21:27:31 +00:00
Sergey Biryukov c955859738 Remove \s from regex in pingback_ping() to avoid UTF-8 issues. props tenpura. fixes #24001.
git-svn-id: http://core.svn.wordpress.org/trunk@23952 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-04-10 16:29:00 +00:00
Mark Jaquith acfeb6f20f Take revision control out of the realm of a pure constant. Make it filterable.
* New filter: wp_revisions_to_keep

props ethitter, SergeyBiryukov. fixes #22289.

git-svn-id: http://core.svn.wordpress.org/trunk@23818 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-27 18:11:56 +00:00
Andrew Nacin 799ac18951 XML-RPC: Return an error for getRecentPosts (mw and blogger) if the user does not have edit_posts.
props redsweater.
fixes #22320.



git-svn-id: http://core.svn.wordpress.org/trunk@23636 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-07 06:52:37 +00:00
Ryan Boren 15a06a35ab Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().
see #WP21767


git-svn-id: http://core.svn.wordpress.org/trunk@23591 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-03 16:30:38 +00:00
Ryan Boren 43a7e695e9 Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23554 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-01 16:28:40 +00:00
Andrew Nacin 5cd77fdb99 Revert [23359]. The post_author and comment_count post object fields will remain numeric strings for back compat. see #22324.
git-svn-id: http://core.svn.wordpress.org/trunk@23531 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-28 19:40:26 +00:00
Ryan Boren cc5ed3a485 Change all core API to expect unslashed rather than slashed arguments.
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.

Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.

Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.

Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.

Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.

Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.

Plugins should use wp_unslash() on data being passed to core API.

Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.

Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.

Remove many no longer necessary calls to $wpdb->escape() and esc_sql().

In wp_get_referer() and wp_get_original_referer(), return unslashed data.

Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.

Switch several queries over to prepare().

Expect something to break.

Props alexkingorg
see #21767


git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-14 22:51:06 +00:00
Sergey Biryukov 1d396b8a1f Merge two different descriptions of siteurl and home options. fixes #22771.
git-svn-id: http://core.svn.wordpress.org/trunk@23363 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-01 01:35:37 +00:00
Sergey Biryukov 142f8bbe58 Cast post_author to string in XML-RPC methods. props markoheijnen. fixes #22324.
git-svn-id: http://core.svn.wordpress.org/trunk@23359 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-01-31 01:25:26 +00:00
Andrew Nacin 82e9c40482 Validate pingback source URIs. Less verbose errors.
git-svn-id: http://core.svn.wordpress.org/trunk@23329 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-01-22 22:30:08 +00:00
Andrew Nacin fbf4acf638 Remove XML-RPC's blogger::getTemplate and setTemplate. They are not supported and do nothing.
git-svn-id: http://core.svn.wordpress.org/trunk@22914 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-29 02:35:39 +00:00
Andrew Nacin 61caecfa93 Use the create_posts post type cap in more places. Remove the janky create_posts meta cap. see #16714.
git-svn-id: http://core.svn.wordpress.org/trunk@22908 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-28 22:28:20 +00:00
Ryan Boren 55dc9d1616 Define array to avoid notice.
Props ericmann
fixes #22479


git-svn-id: http://core.svn.wordpress.org/trunk@22622 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-16 22:14:57 +00:00
Peter Westwood fe99b07017 XMLRPC: When Editing an existing post make sure to use wp_update_post instead of wp_insert_post so as to not perform destructive actions on the content.
The wp.EditPost() API will accept very limited data to only edit specific attributes of a post, if you didn't supply a category change then we would previously
overwrite the original categories with the default cat.

Fixes #22220 props nacin.


git-svn-id: http://core.svn.wordpress.org/trunk@22584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-14 22:58:24 +00:00
Mark Jaquith ca7b159cc7 Squash a PHP notice in the XML-RPC server.
git-svn-id: http://core.svn.wordpress.org/trunk@22560 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-13 22:35:41 +00:00
Ryan Boren cf596d4979 In wp_xmlrpc_server::_insert_post(), preservea valid post status instead of overwriting it with 'draft'. This preserves the 'inherit' status of attachments. Props markoheijnen. fixes #22335
git-svn-id: http://core.svn.wordpress.org/trunk@22368 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-05 14:44:25 +00:00
Ryan Boren 3d4470939d In wp_xmlrpc_server::_insert_post(), don't return an error if set_post_thumbnail() returns false when the attachment ID doesn't change.
Props picklepete
fixes #22204


git-svn-id: http://core.svn.wordpress.org/trunk@22277 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-10-23 14:08:20 +00:00
Andrew Nacin 64a9609aeb Reference xmlrpc.php with the 'rpc' site_url() argument to ensure a proper scheme is applied. see #18731.
git-svn-id: http://core.svn.wordpress.org/trunk@22171 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-10-10 21:55:36 +00:00
Andrew Nacin dfbe93b7a5 Improve pingback text extraction by stopping at a closing block-level tag. props Otto42. see #21914.
git-svn-id: http://core.svn.wordpress.org/trunk@22152 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-10-09 23:56:32 +00:00
Andrew Nacin c38412a62f Request WP_User objects when caling get_users() in XML-RPC's wp.getUsers method. see #18428.
git-svn-id: http://core.svn.wordpress.org/trunk@22134 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-10-07 23:33:35 +00:00
Ryan Boren 7a86de87fb Reduce use of global. Use get_blog_details() instead. fixes #22090
git-svn-id: http://core.svn.wordpress.org/trunk@22108 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-10-04 12:40:09 +00:00
Andrew Nacin 8f62dfaf00 XML-RPC: Introduce wp.getRevisions and wp.restoreRevision.
props brandondove, koke, markoheijnen, JustinSainton, maxcutler.

fixes #21397.



git-svn-id: http://core.svn.wordpress.org/trunk@22037 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-27 04:17:15 +00:00
Andrew Nacin 646a4fd1e9 XML-RPC: Add an if_not_modified_since argument to wp.editPost.
Accepts a GMT date, which is used to compare to the current post_modified_gmt
value for the post being edited. If the post has since been edited (as in, too
old of a date was passed), the edit is rejected as overwriting a newer version.

It is rejected with a HTTP 409 Conflict status code. (Fancy.)

props koke, markoheinjen.
Tests: [UT1049]

see #21397.



git-svn-id: http://core.svn.wordpress.org/trunk@22034 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-27 03:39:40 +00:00
Andrew Nacin 7078e18d82 XML-RPC: Accept 'url', not 'website' in wp.editProfile. props maxcutler. see #18428.
git-svn-id: http://core.svn.wordpress.org/trunk@21959 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-23 19:36:17 +00:00
Peter Westwood 2fcdb3395d XMLRPC: Support searching via wp.getPosts() fixes #21623 props ericmann.
git-svn-id: http://core.svn.wordpress.org/trunk@21936 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-21 10:18:32 +00:00
Andrew Nacin bf3c8017a8 Introduce the xmlrpc_login_error filter, applied to the IXR_Error being returned by the server when login() fails. props JustinSainton, fixes #21907.
git-svn-id: http://core.svn.wordpress.org/trunk@21912 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-19 01:36:47 +00:00
Andrew Nacin c178b59da3 XML-RPC: Have the deprecated login_pass_ok() method wrap login(). Move it below login() so the proper method is found first. see #21907.
git-svn-id: http://core.svn.wordpress.org/trunk@21910 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-19 01:27:21 +00:00
Andrew Nacin 3c4460fc86 Allow wp.uploadFile to upload the attachment to a post. props djzone, josephscott, maxcutler. fixes #13917.
git-svn-id: http://core.svn.wordpress.org/trunk@21896 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-18 19:06:27 +00:00
Andrew Nacin f431b408da Combine some strings. props pavelevap. fixes #21087.
git-svn-id: http://core.svn.wordpress.org/trunk@21857 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-15 19:57:05 +00:00
Andrew Nacin 6a71516a85 XML-RPC: Introduce wp.getUsers, wp.getUser, wp.getProfile, wp.editProfile.
props maxcutler.
props nprasath002 for earlier patches.

see #18428.



git-svn-id: http://core.svn.wordpress.org/trunk@21824 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-12 00:04:21 +00:00
Andrew Nacin f84f149445 XML-RPC: Add the 'home' option to wp.getOptons. props mrroundhill. fixes #21822.
git-svn-id: http://core.svn.wordpress.org/trunk@21805 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-11 01:26:38 +00:00
Andrew Nacin 26dc1e74e5 Turn XML-RPC on and remove the option on the Writing Settings page.
props markoheijnen for the initial patch.

Introduces a new filter, xmlrpc_enabled.

Respects any current callbacks registered to the pre_option_enable_xmlrpc
and option_enable_xmlrpc filters, for anyone forcing it off via code.

fixes #21509.



git-svn-id: http://core.svn.wordpress.org/trunk@21804 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-11 00:37:31 +00:00
Ryan Boren bf9cff8bfc Fix typo in phpdoc for wp_newPost(). Props alyssonweb. fixes #21798
git-svn-id: http://core.svn.wordpress.org/trunk@21765 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-05 15:36:59 +00:00
Ryan Boren c55cf716da Use set_url_scheme(). Props johnbillion, MarcusPope. see #19037 #20759
git-svn-id: http://core.svn.wordpress.org/trunk@21664 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-08-30 13:33:00 +00:00
Ryan Boren 52b3f498e6 Add tags_input, page_template, and post_category get magic to WP_Post.
Deprecate get_post_to_edit() and wp_get_single_post().
Props scribu
see #21309


git-svn-id: http://core.svn.wordpress.org/trunk@21651 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-08-28 19:08:28 +00:00
Ryan Boren f56d8278bb Remove return ref from all calls to get_post()
Return WP_Post from get_default_post_to_edit()
Replace all calls to get_page() with get_post()
see #21309


git-svn-id: http://core.svn.wordpress.org/trunk@21597 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-08-23 20:01:10 +00:00
Ryan Boren 489924938f Return post_parent, menu_order, guid, and post_mime_type from wp.getPost(). Props maxcutler. fixes #21308
git-svn-id: http://core.svn.wordpress.org/trunk@21526 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-08-15 16:06:05 +00:00
ryan d286875515 switch_to_blog() and restore_current_blog() housekeeping.
wp-includes/admin-bar.php:

* Replace get_admin_url() and get_home_url() with admin_url() and home_url() and place them inside a switch/restore. Likewise replace current_user_can_for_blog() with current_user_can(). This avoids doing multiple switch restores.

wp-includes/ms-blogs.php:

* Deprecate the $validate argument to switch_to_blog(). This avoids a not very necessary call to get_blog_details(), possibly saving a few queries.
* Use $_wp_switched and $_wp_switched_stack instead of $switched and $switched_stack to make it less likely these globals will be stomped.
* Use GLOBALS to access blog_id and other globals. I've preferred this style lately since it makes it obvious a global is being used and avoids global blog_id being stomped by a local variable.
* Lose some is_object() checks. wp_get_current_user() always returns an object, for example.
* Call the new WP_Roles::reinit() method.

wp-includes/class-wp-xmlrpc-server.php:

* Replace current_user_can_for_blog() with current_user_can() and move it inside the switch/restore pair. This eliminates a switch/restore.

wp-includes/capabilities.php:

* Use array_keys() instead of $role => $data since $data is unused. I *think* this is a bit faster.
* Introduce WP_Roles::reinit(). This reinitializes WP_Roles and is used after switch_to_blog() has already update the blog ID in the wpdb object. If a global roles array is being used instead of the db, reinit is skipped.
* current_user_can_for_blog() now does a switch/restore. It didn't before meaning it could be reinitializing the user with the wrong role information for the current blog.

wp-includes/ms-settings.php:

* Define $_wp_switched_stack and $_wp_switched. This way switch_to_blog() and restore_current_blog() can rely on it being set.

wp-settings.php:

* Instantiate the WP_Roles global. This was it is always defined during init. To remove the WP_Roles checks from WP_Role and WP_User this would probably have to move before plugins are loaded, which might not be a good thing.

wp-includes/functions.php:

* Update wp_upload_dir() to reference _wp_switched.



git-svn-id: http://core.svn.wordpress.org/trunk@21485 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-08-09 16:28:15 +00:00
ryan 5ca54e7d2f Deprecate get_blog_option(), add_blog_option(), update_blog_option(), and delete_blog_option().
Use the regular option functions wrapped in switch_to_blog() and restore_current_blog() instead.

Group multiple operations within a single switch where possible.

fixes #21432


git-svn-id: http://core.svn.wordpress.org/trunk@21414 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-08-03 17:51:42 +00:00
nacin 81c22c98f8 Don't use switch_to_blog() in wp.getUsersBlogs to improve performance and memory footprint. props mohanjith for initial patch. fixes #20665.
git-svn-id: http://core.svn.wordpress.org/trunk@21194 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-06-30 11:49:02 +00:00
nacin e0012c7e67 Initialize a variable. props maxcutler. fixes #21058.
git-svn-id: http://core.svn.wordpress.org/trunk@21158 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-06-28 19:04:42 +00:00
nacin 9b7e633336 Use set_post_format(), not wp_set_post_terms(), in XML-RPC mw_newPost and mw_editPost. props koke. see #20697.
git-svn-id: http://core.svn.wordpress.org/trunk@21145 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-06-26 21:07:12 +00:00
nacin 1270e4cef6 Check XML-RPC cap before running the query. props maxcutler. see #20991 for trunk.
git-svn-id: http://core.svn.wordpress.org/trunk@21137 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-06-26 19:04:10 +00:00
nacin 92efcbaf6d Combine 'Invalid term ID.' into the 'Invalid term ID' string. props pavelevap. fixes #20809.
git-svn-id: http://core.svn.wordpress.org/trunk@20996 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-06-05 16:25:05 +00:00
ryan eaa419dba3 Consolodate some strings. Props pavelevap. fixes #20809
git-svn-id: http://core.svn.wordpress.org/trunk@20972 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-06-01 19:05:30 +00:00
ryan f35fdc678f Introduce _prepare_comment(). Avoid repeated auth attempts. Props maxcutler. fixes #20703
git-svn-id: http://core.svn.wordpress.org/trunk@20856 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-05-23 20:40:40 +00:00