Commit Graph

25888 Commits

Author SHA1 Message Date
John Blackbourn 8c9519f1e7 Hardening: Add escaping to the language attributes used on `html` elements.
Merges [42259] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@42305


git-svn-id: http://core.svn.wordpress.org/branches/3.9@42134 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:41:04 +00:00
John Blackbourn d8e9c02011 Hardening: Use a properly generated hash for the `newbloguser` key instead of a determinate substring.
Merges [42258] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@42304


git-svn-id: http://core.svn.wordpress.org/branches/3.9@42133 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:40:50 +00:00
Dion Hulse 80a325fda9 WPDB: Check that `AUTH_SALT` is not empty, Fix a PHP notice when `AUTH_SALT` is undefined.
Props jsonfry, mkomar, pento.
Merges [42119] and [42120] to the 3.9 branch.
Fixes #42431 and #42401 for 3.9.

Built from https://develop.svn.wordpress.org/branches/3.9@42239


git-svn-id: http://core.svn.wordpress.org/branches/3.9@42068 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-27 01:14:32 +00:00
John Blackbourn a17059be19 General: Remove the version number from the readme file in the 4.
See #42386

Built from https://develop.svn.wordpress.org/branches/3.9@42097


git-svn-id: http://core.svn.wordpress.org/branches/3.9@41926 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 18:02:33 +00:00
Gary Pendergast 76ec03176d Bump 3.9 branch to version 3.9.21.
Built from https://develop.svn.wordpress.org/branches/3.9@42078


git-svn-id: http://core.svn.wordpress.org/branches/3.9@41907 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 13:45:15 +00:00
Gary Pendergast 9b92304fd1 Database: Restore numbered placeholders in `wpdb::prepare()`.
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.

Merges [41662], [42056] to the 3.9 branch.
See #41925.


Built from https://develop.svn.wordpress.org/branches/3.9@42066


git-svn-id: http://core.svn.wordpress.org/branches/3.9@41895 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 12:57:16 +00:00
Dominik Schilling ee47cb6d42 Users: Use correct escaping function for URLs.
Merge of [41522] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@41532


git-svn-id: http://core.svn.wordpress.org/branches/3.9@41365 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 21:40:14 +00:00
Aaron Campbell 79224df81a Bump 3.9 branch to version 3.9.20.
Built from https://develop.svn.wordpress.org/branches/3.9@41519


git-svn-id: http://core.svn.wordpress.org/branches/3.9@41352 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 20:13:15 +00:00
Aaron Campbell f6afa94bef Database: Hardening to bring `wpdb::prepare()` inline with documentation.
`wpdb::prepare()` supports %s, %d, and %F as placeholders in the query string. Any other non-escaped % will be escaped.

Merges [41496] to 3.9 branch.


Built from https://develop.svn.wordpress.org/branches/3.9@41506


git-svn-id: http://core.svn.wordpress.org/branches/3.9@41339 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 18:43:15 +00:00
Aaron Campbell 30570f494f Database: Don’t trigger `_doing_it_wrong()` for null values in `wpdb::prepare()`.
While `wpdb::prepare()` does not support null values (see #12819) they still appear in the wild like in the WordPress Importer and other plugins.

Merges [41483] to 3.9 branch.


Built from https://develop.svn.wordpress.org/branches/3.9@41493


git-svn-id: http://core.svn.wordpress.org/branches/3.9@41326 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 16:27:16 +00:00
Aaron Campbell a5756e9c27 Database: Hardening for `wpdb::prepare()`
Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.

Merges [41470] to 3.9 branch.


Built from https://develop.svn.wordpress.org/branches/3.9@41480


git-svn-id: http://core.svn.wordpress.org/branches/3.9@41313 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 15:04:33 +00:00
John Blackbourn f5db1e4375 Filesystem API: Ensure filenames are valid before attempting to unzip them to ensure malformed file paths don't cause issues.
Merges [41457] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@41467


git-svn-id: http://core.svn.wordpress.org/branches/3.9@41300 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 14:45:15 +00:00
John Blackbourn d46699267b General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.
Merges [41434] with changes to the 3.9 branch.

See #13377

Built from https://develop.svn.wordpress.org/branches/3.9@41449


git-svn-id: http://core.svn.wordpress.org/branches/3.9@41282 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 13:44:15 +00:00
Dominik Schilling 0237d2915a Users: Provide a fallback for incorrect HTTP referrers.
Merge of [41398] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@41426


git-svn-id: http://core.svn.wordpress.org/branches/3.9@41259 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 11:15:31 +00:00
Dominik Schilling 435ca07747 Editor: Prevent adding `javascript:` and `data:` URLs through the inline link dialog.
Merge of [41393] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@41409


git-svn-id: http://core.svn.wordpress.org/branches/3.9@41242 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 10:20:24 +00:00
Aaron Campbell 66aaaa6aa8 Bump 3.9 branch to version 3.9.19.
Built from https://develop.svn.wordpress.org/branches/3.9@40756


git-svn-id: http://core.svn.wordpress.org/branches/3.9@40614 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 21:53:55 +00:00
Pascal Birchler 73b0352cba Media: Simplify upload error message construction.
Merges [40736] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@40745


git-svn-id: http://core.svn.wordpress.org/branches/3.9@40603 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 18:05:32 +00:00
Aaron Campbell 700dd168fd Add nonce for updating file system credentials.
Merges [40723] to 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@40732


git-svn-id: http://core.svn.wordpress.org/branches/3.9@40590 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 14:57:32 +00:00
Dominik Schilling 9febffc6f7 Customize: Ignore invalid customization sessions.
Merge of [40704] to the 3.9 branch.
Built from https://develop.svn.wordpress.org/branches/3.9@40713


git-svn-id: http://core.svn.wordpress.org/branches/3.9@40576 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 12:21:15 +00:00
Pascal Birchler c2f264d25f Adjust post meta checks
Merges [40692] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@40701


git-svn-id: http://core.svn.wordpress.org/branches/3.9@40564 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:54:15 +00:00
Pascal Birchler a81079c403 Whitelist post arguments in XML-RPC
Merges [40677] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@40686


git-svn-id: http://core.svn.wordpress.org/branches/3.9@40549 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:29:15 +00:00
Pascal Birchler 063e974bd7 Bump 3.9 branch to version 3.9.18.
Built from https://develop.svn.wordpress.org/branches/3.9@40495


git-svn-id: http://core.svn.wordpress.org/branches/3.9@40371 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-20 16:28:15 +00:00
Pascal Birchler a05429ecd1 Fix broken audio/video functions when sanitizing ID3 data
This fixes a bug where running `wp_kses_post_deep()` on all the ID3
tag data corrupted blob data.

See #40075, #40085.

Merges [40400] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@40468


git-svn-id: http://core.svn.wordpress.org/branches/3.9@40344 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-17 13:34:16 +00:00
James Nylen f2ef35f4a9 Bump 3.9 branch to version 3.9.17.
Built from https://develop.svn.wordpress.org/branches/3.9@40210


git-svn-id: http://core.svn.wordpress.org/branches/3.9@40149 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 16:42:15 +00:00
Aaron Campbell 244804028c Strip control characters before validating redirect.
Merges [40183] to 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@40192


git-svn-id: http://core.svn.wordpress.org/branches/3.9@40131 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 13:45:58 +00:00
Aaron Campbell fcec9ed6ff Plugins: Add file check to plugin deletions.
Merges [40169] to 3.9 branch.


Built from https://develop.svn.wordpress.org/branches/3.9@40178


git-svn-id: http://core.svn.wordpress.org/branches/3.9@40117 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 13:05:15 +00:00
Jeremy Felt ca488f141f Validate video and audio metadata.
Merge of [40148] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@40157


git-svn-id: http://core.svn.wordpress.org/branches/3.9@40096 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 08:12:16 +00:00
Aaron Campbell 946d349b71 Bump 3.9 branch to version 3.9.16.
Built from https://develop.svn.wordpress.org/branches/3.9@40004


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39941 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 18:29:15 +00:00
John Blackbourn 6e66a60c3c Posts, Post Types: When using Excerpt mode on the Posts list table, ensure the excerpt output matches what was manually entered into the Excerpt field.
Merges [39956] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@39987


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39924 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 14:20:15 +00:00
Dominik Schilling a81be45d5d Press This: Do not show Categories & Tags UI for users who cannot assign terms to posts anyways.
Merge of [39968] to the 3.9 branch.
Built from https://develop.svn.wordpress.org/branches/3.9@39979


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39916 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 14:14:58 +00:00
Dominik Schilling 13a15e6e07 Query: Ensure that queries work correctly with post type names with special characters.
Merge of [39952] to the 3.9 branch.
Built from https://develop.svn.wordpress.org/branches/3.9@39964


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39901 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 13:53:00 +00:00
Aaron Campbell ec5bf14855 Bump 3.9 branch to version 3.9.15.
Built from https://develop.svn.wordpress.org/branches/3.9@39868


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39805 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 16:59:32 +00:00
Joe McGill e2ef6cefbe Media: Fix exif_imagetype check in wp_get_image_mime
This is a follow up to [39831].

Merges [39850] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@39859


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39796 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 16:45:15 +00:00
Joe McGill c47e0b66a2 Media: Improve image filetype checking.
This adds a new function `wp_get_image_mime()` which is used by
`wp_check_filetype_and_ext()` to validate image files using
`exif_imagetype()` if available instead of `getimagesize()`.

`getimagesize()` is less performant than `exif_imagetype()` and is
dependent on GD. If `exif_imagetype()` is not available, it falls back to
`getimagesize()` as before.

If `wp_check_filetype_and_ext()` can't validate the filetype, we now return
`false` for ext/MIME values.

Merges [39831] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@39840


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39778 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 13:20:15 +00:00
Dominik Schilling 95c2ed6e0d Updates: Translate plugin data on the Updates screen.
Merge of [39808] to the 3.9 branch.
Built from https://develop.svn.wordpress.org/branches/3.9@39828


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39766 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 11:43:22 +00:00
Dominik Schilling d9f0c45795 Themes: Fix markup for theme name fallbacks.
Merge of [39807] to the 3.9 branch.
Built from https://develop.svn.wordpress.org/branches/3.9@39817


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39755 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 11:12:53 +00:00
Jeremy Felt 8d2a900277 Multisite: Use `wp_rand()` in signup key creation.
Merges [39795] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@39804


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39742 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 05:36:32 +00:00
Dion Hulse 924f935cb3 Update PHPMailer to 5.2.22.
The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 3.9 branch.
Fixes #37210 for 3.9.

Built from https://develop.svn.wordpress.org/branches/3.9@39792


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39730 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 05:26:32 +00:00
Jeremy Felt 498ad8eb14 Mail: Disable wp-mail.php when `mailserver_url` is mail.example.com.
Merges [39772] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@39781


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39719 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 05:21:15 +00:00
Aaron Campbell 1db0b6e251 Add nonce for widget accessibility mode.
Props vortfu.

See #23328.

Merges [39765] to 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@39769


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39707 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 01:52:15 +00:00
Dion Hulse 40ce4b29b1 Mail: Upgrade PHPMailer to 5.2.21.
Merges [39645], [36083], [33142], [33124], [29783] to the 3.9 branch.
See #37210.

Built from https://develop.svn.wordpress.org/branches/3.9@39729


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39669 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-06 22:06:55 +00:00
Joe McGill 57383c5143 Media: Improved media titles when created from filename.
Preserves spaces and generally creates more accurate, cleaner titles from filenames of uploaded media.

Merge of [38615] to the 3.9 branch.

Fixes #37989.

Built from https://develop.svn.wordpress.org/branches/3.9@39717


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39657 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-06 22:01:57 +00:00
Dion Hulse 04cab520ed General: Update copyright year to 2017 in license.txt.
Props Nikschavan.
Merges [39659] to the 3.9 branch.
Fixes #39433.

Built from https://develop.svn.wordpress.org/branches/3.9@39705


git-svn-id: http://core.svn.wordpress.org/branches/3.9@39645 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-06 21:55:27 +00:00
Jeremy Felt ca27550a35 Bump 3.9 branch to 3.9.14.
Built from https://develop.svn.wordpress.org/branches/3.9@38556


git-svn-id: http://core.svn.wordpress.org/branches/3.9@38499 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-07 15:02:18 +00:00
Jeremy Felt cc80d2c131 Media: Sanitize upload filename.
Merge of [38538] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@38546


git-svn-id: http://core.svn.wordpress.org/branches/3.9@38489 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-07 14:00:34 +00:00
Pascal Birchler 391fa0940c Upgrade/Install: Sanitize file name in `File_Upload_Upgrader`.
Merge of [38524] to the 3.9 branch.
Built from https://develop.svn.wordpress.org/branches/3.9@38532


git-svn-id: http://core.svn.wordpress.org/branches/3.9@38473 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-06 18:03:16 +00:00
Boone Gorges 41276a8b92 Bump 3.9 branch to 3.9.13.
Built from https://develop.svn.wordpress.org/branches/3.9@37834


git-svn-id: http://core.svn.wordpress.org/branches/3.9@37799 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 16:44:14 +00:00
Joe McGill b7be0d01c0 Media: Improve handling of extensionless filenames.
Merge of [37756] to the 3.9 branch.

See #37111.
Built from https://develop.svn.wordpress.org/branches/3.9@37822


git-svn-id: http://core.svn.wordpress.org/branches/3.9@37787 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:59:24 +00:00
Nikolay Bachiyski 9858249ed9 Admin: escape URL-encoded permalinks
Merge of [37801] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@37820


git-svn-id: http://core.svn.wordpress.org/branches/3.9@37785 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:58:32 +00:00
Rachel Baker 5d8157a774 Revisions: Change the capability needed to view revision diffs to `edit_post`.
Merge of [37779] to the 3.9 branch.
Built from https://develop.svn.wordpress.org/branches/3.9@37803


git-svn-id: http://core.svn.wordpress.org/branches/3.9@37768 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:48:15 +00:00