Andrew Nacin
432912f7e9
Use hash_equals() for old md5 hashes.
...
Merges [30412] to the 4.0 branch.
Built from https://develop.svn.wordpress.org/branches/4.0@30413
git-svn-id: http://core.svn.wordpress.org/branches/4.0@30408 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-20 12:02:35 +00:00
Andrew Nacin
4edbc74e65
Add safeguards for when ext/hash is not compiled with PHP.
...
Merges [29751] to the 4.0 branch.
fixes #29518 .
Built from https://develop.svn.wordpress.org/branches/4.0@29761
git-svn-id: http://core.svn.wordpress.org/branches/4.0@29533 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-09-23 18:14:39 +00:00
Andrew Nacin
768136c6da
Rename the public methods in the session tokens API.
...
Introduces a new get( $token ) method. get_token() would not have made sense and spurred the overall renaming. Public methods are now get, get_all, verify, create, update, destroy, destroy_others, and destroy_all.
The protected abstract methods designed for alternative implementations remain the same.
props mdawaffe.
see #20276 .
Built from https://develop.svn.wordpress.org/trunk@29635
git-svn-id: http://core.svn.wordpress.org/trunk@29409 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-08-27 02:07:16 +00:00
Andrew Nacin
3951d9689c
Require a non-empty $nonce value in wp_verify_nonce().
...
props ocean90.
fixes #29217 .
Built from https://develop.svn.wordpress.org/trunk@29620
git-svn-id: http://core.svn.wordpress.org/trunk@29394 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-08-26 07:39:19 +00:00
Drew Jaynes
a227d4ff08
s/does/does not in `wp_set_password()` docblock.
...
See [29461]. See #28316 .
Built from https://develop.svn.wordpress.org/trunk@29462
git-svn-id: http://core.svn.wordpress.org/trunk@29240 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-08-10 02:44:16 +00:00
Drew Jaynes
0f7d35597c
Improve the `wp_set_password()` PHPDoc with a note to guard against executing the function on every page load, such as through a theme's functions.php file.
...
See #28316 .
Built from https://develop.svn.wordpress.org/trunk@29461
git-svn-id: http://core.svn.wordpress.org/trunk@29239 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-08-10 02:39:16 +00:00
Andrew Nacin
ee4ce8688d
Escape late in get_avatar().
...
Built from https://develop.svn.wordpress.org/trunk@29397
git-svn-id: http://core.svn.wordpress.org/trunk@29175 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-08-06 07:50:18 +00:00
Andrew Nacin
7d672c38a4
Constant time for wp_verify_nonce().
...
Built from https://develop.svn.wordpress.org/trunk@29382
git-svn-id: http://core.svn.wordpress.org/trunk@29160 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-08-06 05:26:16 +00:00
Andrew Nacin
654e46f03d
Tie cookies and nonces to user sessions so they may be invalidated upon logout.
...
Sessions are stored in usermeta via WP_User_Meta_Session_Tokens, which extends the abstract WP_Session_Tokens class. Extending WP_Session_Tokens can allow for alternative storage, such as a separate table or Redis.
Introduces some simple APIs for session listing and destruction, such as wp_get_active_sessions() and wp_destroy_all_sessions().
This invalidates all existing authentication cookies, as a new segment (the session token) has been added to them.
props duck_, nacin, mdawaffe.
see #20276 .
Built from https://develop.svn.wordpress.org/trunk@29221
git-svn-id: http://core.svn.wordpress.org/trunk@29005 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-18 09:13:15 +00:00
Sergey Biryukov
177fe21194
Asterisk is an allowed character in a URI and should not be stripped out by wp_sanitize_redirect().
...
fixes #28362 .
Built from https://develop.svn.wordpress.org/trunk@28939
git-svn-id: http://core.svn.wordpress.org/trunk@28737 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-01 15:56:15 +00:00
Scott Taylor
c8852cc909
Use the `WPINC` constant when loading `class-phpass.php`
...
Props wojtek.szkutnik
See #14157 .
Built from https://develop.svn.wordpress.org/trunk@28903
git-svn-id: http://core.svn.wordpress.org/trunk@28702 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-06-29 22:12:16 +00:00
Andrew Nacin
dc0aca09f5
Fix documentation for wp_create_nonce() which wrongly suggests these tokens are actually numbers used once.
...
Built from https://develop.svn.wordpress.org/trunk@28793
git-svn-id: http://core.svn.wordpress.org/trunk@28606 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-06-20 20:47:14 +00:00
Scott Taylor
43bf7f271f
Don't use variable variables in `wp_salt()`.
...
See #27881 .
Built from https://develop.svn.wordpress.org/trunk@28741
git-svn-id: http://core.svn.wordpress.org/trunk@28555 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-06-11 18:36:15 +00:00
Drew Jaynes
cb0fc9c64b
Update the `$secure_logged_in_cookie` variable in the 'secure_logged_in_cookie' hook docs following [28627].
...
See #15330 .
Built from https://develop.svn.wordpress.org/trunk@28628
git-svn-id: http://core.svn.wordpress.org/trunk@28448 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-30 15:20:16 +00:00
Andrew Nacin
733057e7d6
Use a secure logged_in_cookie when the home URL is forced HTTPS (see #27954 ).
...
see #15330 .
Built from https://develop.svn.wordpress.org/trunk@28627
git-svn-id: http://core.svn.wordpress.org/trunk@28447 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-30 15:08:15 +00:00
Scott Taylor
8e98541d5f
Eliminate the use of `extract()` in `wp_mail()`. Check the filtered array for each value before re-setting variables.
...
See #22400 .
Built from https://develop.svn.wordpress.org/trunk@28425
git-svn-id: http://core.svn.wordpress.org/trunk@28252 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-15 06:17:15 +00:00
Scott Taylor
f5bd0de275
Eliminate the use of `extract()` in `wp_validate_auth_cookie()`.
...
Don't do anything fancy here, just set the 4 returned properties to variables. This function is semi-important.
See #22400 .
Built from https://develop.svn.wordpress.org/trunk@28424
git-svn-id: http://core.svn.wordpress.org/trunk@28251 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-15 06:11:13 +00:00
Andrew Nacin
7f001bfe24
Harden HMAC verification. props duck_.
...
Built from https://develop.svn.wordpress.org/trunk@28053
git-svn-id: http://core.svn.wordpress.org/trunk@27883 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-04-08 18:06:16 +00:00
Drew Jaynes
684145ca81
Inline documentation fixes related to the `determine_current_user` filter
...
See #26706 , #27700 .
Built from https://develop.svn.wordpress.org/trunk@28007
git-svn-id: http://core.svn.wordpress.org/trunk@27837 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-04-07 21:18:15 +00:00
Drew Jaynes
100e737eb0
Inline documentation for hooks in wp-includes/pluggable.php.
...
Props kpdesign for some cleanup.
Fixes #26888 .
Built from https://develop.svn.wordpress.org/trunk@27825
git-svn-id: http://core.svn.wordpress.org/trunk@27659 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-28 21:21:15 +00:00
Andrew Nacin
c3ca81ba94
Always decode special characters for email subjects.
...
props tlovett1, jeremyfelt.
fixes #25346 .
Built from https://develop.svn.wordpress.org/trunk@27801
git-svn-id: http://core.svn.wordpress.org/trunk@27636 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-28 02:44:15 +00:00
Andrew Nacin
182de5881d
Avoid notices in wp_notify_postauthor() when a post has no author.
...
props drozdz.
fixes #26659 .
Built from https://develop.svn.wordpress.org/trunk@27568
git-svn-id: http://core.svn.wordpress.org/trunk@27411 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-17 20:31:14 +00:00
Andrew Nacin
e7be7a0a8d
Use get_comment_link() in wp_notify_postauthor().
...
Fixes pagination for the link directly to the moderated comment.
props eatingrules.
fixes #26133 .
Built from https://develop.svn.wordpress.org/trunk@27567
git-svn-id: http://core.svn.wordpress.org/trunk@27410 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-17 20:20:15 +00:00
Andrew Nacin
acba3131d7
Allow for custom authentication handlers for all requests.
...
Turn the logic used by wp_get_current_user() into a determine_current_user filter.
props rmccue.
fixes #26706 .
Built from https://develop.svn.wordpress.org/trunk@27484
git-svn-id: http://core.svn.wordpress.org/trunk@27328 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-09 15:23:15 +00:00
Drew Jaynes
db605f4767
Improve inline documentation for `wp_new_user_notification()`.
...
Props antorome for the initial patch.
Fixes #26703 .
Built from https://develop.svn.wordpress.org/trunk@27149
git-svn-id: http://core.svn.wordpress.org/trunk@27016 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-02-09 21:07:12 +00:00
Sergey Biryukov
1f86e0c1e1
Fix typo in wp_set_auth_cookie() description.
...
props drozdz.
fixes #27046 .
Built from https://develop.svn.wordpress.org/trunk@27116
git-svn-id: http://core.svn.wordpress.org/trunk@26983 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-02-07 09:47:12 +00:00
Drew Jaynes
cd8cedc40d
First there were two, and now there are three -- in the @since versions that came before and that shall be. And so it will be, says nacin.
...
Props JustinSainton, SergeyBiryukov, DrewAPicture.
Fixes #26713 .
Built from https://develop.svn.wordpress.org/trunk@26868
git-svn-id: http://core.svn.wordpress.org/trunk@26754 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-12-24 18:57:12 +00:00
Drew Jaynes
223a2c7138
Inline documentation for the following filter hooks in wp-includes/pluggable.php:
...
* `comment_notification_recipients`
* `comment_notification_notify_author`
Also removes some generic `@uses` tags from various related doc blocks.
Props markjaquith.
Fixes #25699 .
Built from https://develop.svn.wordpress.org/trunk@26388
git-svn-id: http://core.svn.wordpress.org/trunk@26288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-11-26 04:10:09 +00:00
Mark Jaquith
c2cdbf9648
Fix `comment_notification_recipients` filter behavior so that it is still respected even on comments left by the post author
...
The code was bailing on this-is-a-comment-on-your-own-post detection, ignoring additional recipients. Now:
* Logic check is done within `wp_notify_postauthor()`
* Logic check is overridable via `comment_notification_notify_author` filter (default still false)
* The code doesn't bail on comment-on-own-post detection, but just removes the author from the array
* The code instead now bails if the recipients list is empty, so `comment_notification_recipients` works properly
props ethitter.
fixes #25699
Built from https://develop.svn.wordpress.org/trunk@26367
git-svn-id: http://core.svn.wordpress.org/trunk@26268 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-11-25 01:47:10 +00:00
Peter Westwood
bca9252522
Deprecate the second argument for wp_notify_postauthor because it is unecessary. Fixes #17862 props scribu and wonderboymusic.
...
Built from https://develop.svn.wordpress.org/trunk@26358
git-svn-id: http://core.svn.wordpress.org/trunk@26259 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-11-24 16:26:10 +00:00
Sergey Biryukov
12d10da7e6
Remove redundant cleanup of PHPMailer addresses in wp_mail().
...
props bananastalktome.
fixes #25789 .
Built from https://develop.svn.wordpress.org/trunk@26121
git-svn-id: http://core.svn.wordpress.org/trunk@26033 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-11-13 03:45:11 +00:00
Sergey Biryukov
eae4e5936f
Use case-insensitive comparison for email addresses. fixes #25779 .
...
Built from https://develop.svn.wordpress.org/trunk@26115
git-svn-id: http://core.svn.wordpress.org/trunk@26027 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-11-13 02:41:09 +00:00
Sergey Biryukov
9c3b98e6d3
Avoid PHP notices in wp_notify_postauthor() when using a custom comment type.
...
Use a switch statement for consistency with wp_notify_moderator().
fixes #25880 .
Built from https://develop.svn.wordpress.org/trunk@26114
git-svn-id: http://core.svn.wordpress.org/trunk@26026 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-11-13 02:32:10 +00:00
Sergey Biryukov
40391f4e37
Fall back to comment author email in get_avatar() if the user who left the comment no longer exists.
...
props mauryaratan, lite3.
fixes #25803 .
Built from https://develop.svn.wordpress.org/trunk@26000
git-svn-id: http://core.svn.wordpress.org/trunk@25933 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-11-02 12:20:11 +00:00
Andrew Nacin
70fd806759
Revert r25824:25875 from the core.svn.wordpress.org repository.
...
These commits were accidentally re-synced commits from develop.svn.wordpress.org due to a race condition. Thankfully, the history of this repository matters fairly little. It also happened only for trunk.
git-svn-id: http://core.svn.wordpress.org/trunk@25876 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-25 02:29:52 +00:00
Andrew Nacin
8ae8e01b67
Remove the old wp_auto_updates_maybe_update cron event. Schedule the new wp_maybe_auto_update event at 7 a.m. and 7 p.m. in the site's timezone.
...
see #27704 .
Built from https://develop.svn.wordpress.org/trunk@25825
git-svn-id: http://core.svn.wordpress.org/trunk@25825 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-24 22:53:14 +00:00
Andrew Nacin
9c6a15ef8f
Maintain the same output for get_avatar() as 3.6. see [25895].
...
Built from https://develop.svn.wordpress.org/trunk@25899
git-svn-id: http://core.svn.wordpress.org/trunk@25811 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-24 19:32:09 +00:00
Andrew Nacin
af4535596b
Always escape URLs at the last possible moment.
...
Built from https://develop.svn.wordpress.org/trunk@25895
git-svn-id: http://core.svn.wordpress.org/trunk@25807 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-24 18:52:11 +00:00
Andrew Nacin
e2413462de
Move the trim() from wp_set_password() to inside wp_hash_password().
...
props rpattillo, joehoyle.
fixes #24973 . see #23494 .
Built from https://develop.svn.wordpress.org/trunk@25709
git-svn-id: http://core.svn.wordpress.org/trunk@25623 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-07 13:54:10 +00:00
Scott Taylor
c2312dfe4c
Use `elseif` when slurping the `nonce` in `check_ajax_referer()` to avoid accidentally overwriting it.
...
Fail wonderboymusic in [25433].
Props ocean90.
Fixes #25369 .
See [25433].
Built from https://develop.svn.wordpress.org/trunk@25550
git-svn-id: http://core.svn.wordpress.org/trunk@25470 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-21 16:26:12 +00:00
Scott Taylor
5df8338e0a
Fix some undefined index notices related to Comment unit tests:
...
* There are several places where a `$_POST` index was unchecked before setting a variable
* In `wp_notify_postauthor()`, `$comment` was being returned null, but its properties were being accessed.
* In `check_ajax_referer()`, 3 different values can be checked for nonce on `$_REQUEST`, but only 1 had an `isset()`
See #25282 .
Built from https://develop.svn.wordpress.org/trunk@25433
git-svn-id: http://core.svn.wordpress.org/trunk@25355 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-13 22:18:08 +00:00
Andrew Nacin
cf3fddde96
Validate referrers to prevent off-domain redirects.
...
Built from https://develop.svn.wordpress.org/trunk@25318
git-svn-id: http://core.svn.wordpress.org/trunk@25280 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-10 18:07:10 +00:00
Andrew Nacin
9fdfa7ef5c
Short descriptions for inline docs should end with a period, per the vast majority of core. see #25229 .
...
Built from https://develop.svn.wordpress.org/trunk@25273
git-svn-id: http://core.svn.wordpress.org/trunk@25239 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-06 01:38:09 +00:00
Sergey Biryukov
9769012244
Add phpdoc for 'wp_redirect' and 'wp_redirect_status' filters. props DrewAPicture. fixes #25215 .
...
Built from https://develop.svn.wordpress.org/trunk@25230
git-svn-id: http://core.svn.wordpress.org/trunk@25200 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-04 08:31:09 +00:00
Sergey Biryukov
6760d294bb
Update phpdoc for get_user_to_edit(), get_userdata(), and get_user_by(). props tivnet. fixes #24992 .
...
Built from https://develop.svn.wordpress.org/trunk@25204
git-svn-id: http://core.svn.wordpress.org/trunk@25176 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-02 03:25:09 +00:00
Andrew Ozz
3c3ec6dd8c
Logging in: when the Remember Me checkbox is checked, make sure the browser continues to send the expired cookies so the "login grace period" for POST and AJAX requests works. Fixes #24735 .
...
Built from https://develop.svn.wordpress.org/trunk@25107
git-svn-id: http://core.svn.wordpress.org/trunk@25089 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-23 21:27:08 +00:00
Sergey Biryukov
688ecb9fcc
Use correct variable. see #22922 .
...
Built from https://develop.svn.wordpress.org/trunk@25105
git-svn-id: http://core.svn.wordpress.org/trunk@25087 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-23 20:57:11 +00:00
Andrew Nacin
0adcab1f7f
Add filters to the recipients of emails sent by wp_notify_postauthor() and wp_notify_moderator().
...
The new filters are called comment_notification_recipients and comment_moderation_recipients.
Add the context of $comment_id to the comment_moderation_headers filter, to match the comment_notification_headers filter.
props chipbennett.
fixes #22922 , #20353 .
Built from https://develop.svn.wordpress.org/trunk@25104
git-svn-id: http://core.svn.wordpress.org/trunk@25086 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-23 19:36:10 +00:00
Ryan Boren
26eb1dc6ee
Return true from wp_redirect() when redirect successful. Update phpdoc.
...
Props tivnet
fixes #24969
git-svn-id: http://core.svn.wordpress.org/trunk@24996 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-06 17:44:32 +00:00
Andrew Nacin
0f84b87380
Do not notify the post author about comments if they are no longer a member of the blog.
...
This updates [23294] to use capability checks to determine if the user can still edit a post, which works for super admins. Additionally, it hides Trash/Spam action links when the user is still a member of the blog but cannot (or can no longer) moderate the comment.
fixes #23136 .
git-svn-id: http://core.svn.wordpress.org/trunk@24649 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-10 22:01:12 +00:00