Commit Graph

219 Commits

Author SHA1 Message Date
John Blackbourn f5db1e4375 Filesystem API: Ensure filenames are valid before attempting to unzip them to ensure malformed file paths don't cause issues.
Merges [41457] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@41467


git-svn-id: http://core.svn.wordpress.org/branches/3.9@41300 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 14:45:15 +00:00
Aaron Campbell 700dd168fd Add nonce for updating file system credentials.
Merges [40723] to 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@40732


git-svn-id: http://core.svn.wordpress.org/branches/3.9@40590 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 14:57:32 +00:00
Sergey Biryukov 2cb849fc52 Fix typo in verify_file_md5() description. see [25541].
props siobhan.
see #27651.
Built from https://develop.svn.wordpress.org/trunk@27938


git-svn-id: http://core.svn.wordpress.org/trunk@27768 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-04-04 00:03:14 +00:00
Drew Jaynes 8efd225e4d Inline documentation for hooks in wp-admin/includes/file.php.
Fixes #27429.

Built from https://develop.svn.wordpress.org/trunk@27672


git-svn-id: http://core.svn.wordpress.org/trunk@27515 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-24 02:45:15 +00:00
Dion Hulse 87c6791a41 WP_Filesystem: Update request_filesystem_credentials() to handle the correct ssh value of FS_METHOD. Props jnielsendotnet. Fixes #27265
Built from https://develop.svn.wordpress.org/trunk@27546


git-svn-id: http://core.svn.wordpress.org/trunk@27389 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-15 03:09:16 +00:00
Sergey Biryukov bc036d0843 Avoid an undefined index notice in wp_handle_upload().
props tivnet.
fixes #27225.
Built from https://develop.svn.wordpress.org/trunk@27319


git-svn-id: http://core.svn.wordpress.org/trunk@27171 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-02-27 21:16:15 +00:00
Andrew Nacin 912379a022 Simplify error in validate_file_to_edit().
props MattyRob for initial patch.
fixes #25924.

Built from https://develop.svn.wordpress.org/trunk@27219


git-svn-id: http://core.svn.wordpress.org/trunk@27076 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-02-21 14:46:14 +00:00
Andrew Ozz eb1d21d782 Remove all "valign" attributes from tables in wp-admin, props MikeHansenMe, Marventus. Fixes #22712.
Built from https://develop.svn.wordpress.org/trunk@27029


git-svn-id: http://core.svn.wordpress.org/trunk@26905 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-01-24 19:06:15 +00:00
Drew Jaynes cd8cedc40d First there were two, and now there are three -- in the @since versions that came before and that shall be. And so it will be, says nacin.
Props JustinSainton, SergeyBiryukov, DrewAPicture.
Fixes #26713.

Built from https://develop.svn.wordpress.org/trunk@26868


git-svn-id: http://core.svn.wordpress.org/trunk@26754 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-12-24 18:57:12 +00:00
Andrew Nacin d61e188f23 Only enforce disk free space checks when doing background updates.
see #25652.

Built from https://develop.svn.wordpress.org/trunk@25869


git-svn-id: http://core.svn.wordpress.org/trunk@25869 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-24 22:59:29 +00:00
Dion Hulse 8abd2f86d5 Silence PHP warnings from disk_free_space(). disk_free_space() will produce a warning in error conditions in addition to returning false, this includes a case where the bytes free is greater than PHP_INT_MAX (which is a error condition we don't need to check).
See #25576, #22704

Built from https://develop.svn.wordpress.org/trunk@25831


git-svn-id: http://core.svn.wordpress.org/trunk@25831 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-24 22:54:05 +00:00
Andrew Nacin 8ae8e01b67 Remove the old wp_auto_updates_maybe_update cron event. Schedule the new wp_maybe_auto_update event at 7 a.m. and 7 p.m. in the site's timezone.
see #27704.

Built from https://develop.svn.wordpress.org/trunk@25825


git-svn-id: http://core.svn.wordpress.org/trunk@25825 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-24 22:53:14 +00:00
Andrew Nacin d5fdd66f9d Only enforce disk free space checks when doing background updates.
see #25652.

Built from https://develop.svn.wordpress.org/trunk@25869


git-svn-id: http://core.svn.wordpress.org/trunk@25781 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-22 18:18:09 +00:00
Dion Hulse 924e35d66a Silence PHP warnings from disk_free_space(). disk_free_space() will produce a warning in error conditions in addition to returning false, this includes a case where the bytes free is greater than PHP_INT_MAX (which is a error condition we don't need to check).
See #25576, #22704

Built from https://develop.svn.wordpress.org/trunk@25831


git-svn-id: http://core.svn.wordpress.org/trunk@25743 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-17 18:40:10 +00:00
Dion Hulse 1c8e79353a Language Packs: Many many fixes such as:
- Add a "Update Translations" stand-alone button to the updates page
- Shift Language feedback to before update process completion action links & limit the verbosity of output (name + success/errors)
- Simplify/combine the language update descriptive string to only include a plugin/theme name
- Properly handle cache clearing after language updates to prevent langs being repeditively updated
- Display a "All items up to date" string when there's nothing to do
- Reduce the 'Connection Information' from a <h2> to a <h3> to remove duplicate h2's and screen icons from update screens
- Fix the Direct filesystem method not being used for Language updates because WP_LANG_DIR doesn't exist (check it's parent for writable instead)
See #18200, #22704


Built from https://develop.svn.wordpress.org/trunk@25806


git-svn-id: http://core.svn.wordpress.org/trunk@25718 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-16 04:15:09 +00:00
Andrew Nacin 95831a8a67 Remove accidental debug cruft in [25780]. see #22704.
Built from https://develop.svn.wordpress.org/trunk@25799


git-svn-id: http://core.svn.wordpress.org/trunk@25711 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-15 21:24:09 +00:00
Andrew Nacin eeaad19a26 Use FS_CHMOD_FILE rather than an explicit 0644 in copy_dir() and _copy_dir().
This occurs when we can't copy a file. We chmod it and try again.

see #22704.

Built from https://develop.svn.wordpress.org/trunk@25793


git-svn-id: http://core.svn.wordpress.org/trunk@25705 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-15 19:14:10 +00:00
Andrew Nacin 9b56d4d11f Parse absolute paths out of error data. see #22704.
Built from https://develop.svn.wordpress.org/trunk@25780


git-svn-id: http://core.svn.wordpress.org/trunk@25693 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-14 22:25:08 +00:00
Dion Hulse 4dcca90887 Remove PHP4 compat code from the ZipArchive unzip handler, and pass the failure reason into the WP_Error return.
See #22704

Built from https://develop.svn.wordpress.org/trunk@25779


git-svn-id: http://core.svn.wordpress.org/trunk@25692 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-14 21:55:09 +00:00
Andrew Nacin 145dbde82f Account for possible failures by disk_free_space(), as well as the potential need to copy the unzipped files.
see #25576.

Built from https://develop.svn.wordpress.org/trunk@25776


git-svn-id: http://core.svn.wordpress.org/trunk@25689 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-14 20:58:09 +00:00
Andrew Nacin d68a80217f In unzip_file(), confirm we have enough available disk space before extracting.
"enough" is calculated by adding up the uncompressed size of the files in the archive, then adding a 20% buffer.

props dd32.
fixes #25576.

Built from https://develop.svn.wordpress.org/trunk@25774


git-svn-id: http://core.svn.wordpress.org/trunk@25687 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-14 20:15:09 +00:00
Andrew Nacin 29f5f5b5fd Refine error codes throughout the upgrader so we can better detect at what stage updates fail.
see #22704.

Built from https://develop.svn.wordpress.org/trunk@25763


git-svn-id: http://core.svn.wordpress.org/trunk@25676 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-11 16:06:11 +00:00
Dion Hulse 543d84a379 Upgrader: Create Directories with a minimum of 0755 and files with a minimum of 0644 when upgrading, which matches pre-3.7 behaviour. Fixes #20069
Built from https://develop.svn.wordpress.org/trunk@25739


git-svn-id: http://core.svn.wordpress.org/trunk@25652 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-09 16:47:09 +00:00
Dion Hulse a82b463610 When using download_url(), if the resource supplies a Content-MD5 header, verify the downloaded file against it. Fixes #20074
Built from https://develop.svn.wordpress.org/trunk@25541


git-svn-id: http://core.svn.wordpress.org/trunk@25461 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-21 06:54:09 +00:00
Dion Hulse 6737d0a202 Upgrader: Perform a MD5 file verification check on the files during upgrade. This ensures that both a Partial upgrade build can be used, and that all the files were copied into place correctly.
Props pento for initial patch. Fixes #18201

Built from https://develop.svn.wordpress.org/trunk@25540


git-svn-id: http://core.svn.wordpress.org/trunk@25460 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-21 06:49:11 +00:00
Dion Hulse f98f5d0a36 WordPress Upgrades: When defining the default filesystem permissions for files/directories, base the value on the existing ABSPATH & index.php file permissions - so as to respect the executable bit (if set) and not set global read if not required.
This sets a minimum permission set to 750 and 640 for directories and files, so any systems requring less permission than that will still need to define the constants themselves. Fixes #20069 

Built from https://develop.svn.wordpress.org/trunk@25469


git-svn-id: http://core.svn.wordpress.org/trunk@25390 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-17 08:06:09 +00:00
Dion Hulse 83ebc727e8 Switch unzip_file() over to using the mbstring.func_override helper functions. See #25259
Built from https://develop.svn.wordpress.org/trunk@25347


git-svn-id: http://core.svn.wordpress.org/trunk@25309 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-11 08:09:08 +00:00
Sergey Biryukov 00c9232a19 Move get_real_file_to_edit() to wp-admin/includes/deprecated.php. props iamfriendly. fixes #23680.
Built from https://develop.svn.wordpress.org/trunk@25201


git-svn-id: http://core.svn.wordpress.org/trunk@25173 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-01 12:37:12 +00:00
Dion Hulse ff290a88bf Add a note that the FTP Password will not be stored on the server to the FTP credentials page. Fixes #16492
Built from https://develop.svn.wordpress.org/trunk@25071


git-svn-id: http://core.svn.wordpress.org/trunk@25056 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-21 07:07:09 +00:00
Dion Hulse ad980384f2 Check to see if mbstring.func_overload is configured to affect string functions before switching charsets. Props SergeyBiryukov. Fixes #25063
Built from https://develop.svn.wordpress.org/trunk@25056


git-svn-id: http://core.svn.wordpress.org/trunk@25042 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-20 06:24:09 +00:00
Andrew Nacin 21a1fe8d4b Use wp_safe_remote_request() and friends instead of reject_unsafe_urls = true.
fixes #24646.



git-svn-id: http://core.svn.wordpress.org/trunk@24917 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-31 06:52:13 +00:00
Andrew Nacin 96ee267343 Better validation of the URL used in core HTTP requests.
git-svn-id: http://core.svn.wordpress.org/trunk@24480 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-06-21 06:07:47 +00:00
Andrew Nacin be01fce99f Show a relative path in an upload error message.
git-svn-id: http://core.svn.wordpress.org/trunk@24463 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-06-21 02:29:26 +00:00
Ryan Boren 469d1a3099 Escape form action urls with esc_url() rather than esc_attr().
Props SergeyBiryukov
fixes #23266


git-svn-id: http://core.svn.wordpress.org/trunk@23739 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-18 14:01:25 +00:00
Sergey Biryukov 28248c1b08 Make get_home_path() return consistent slashes. fixes #23175.
git-svn-id: http://core.svn.wordpress.org/trunk@23669 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-12 11:04:14 +00:00
Ryan Boren 5f809d1d22 Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().
see #21767


git-svn-id: http://core.svn.wordpress.org/trunk@23563 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-01 17:00:25 +00:00
Ryan Boren 43a7e695e9 Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23554 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-01 16:28:40 +00:00
Ryan Boren cc5ed3a485 Change all core API to expect unslashed rather than slashed arguments.
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.

Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.

Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.

Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.

Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.

Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.

Plugins should use wp_unslash() on data being passed to core API.

Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.

Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.

Remove many no longer necessary calls to $wpdb->escape() and esc_sql().

In wp_get_referer() and wp_get_original_referer(), return unslashed data.

Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.

Switch several queries over to prepare().

Expect something to break.

Props alexkingorg
see #21767


git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-14 22:51:06 +00:00
Helen Hou-Sandí b1f1579604 its <=> it's in documentation, along with a rogue the, The, and looses. props trepmal. fixes #22665.
git-svn-id: http://core.svn.wordpress.org/trunk@23191 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-12-20 15:55:32 +00:00
Dion Hulse bcbfb232f7 Correct get_home_path() for cases where WordPress is installed in a subdirectory called /wp/, previously it would match on /wp-admin instead of /wp causing an incorrect return path. Props SergeyBiryukov. Fixes #20449
git-svn-id: http://core.svn.wordpress.org/trunk@22800 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-21 22:39:59 +00:00
Andrew Nacin 4cbc20ada1 Pass the post date to wp_upload_dir() during sideloads, just as we do uploads. Ensures that sideloaded images make it into the right uploads directory.
props solarisssmoke, fixes #16777.



git-svn-id: http://core.svn.wordpress.org/trunk@22105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-10-03 18:49:37 +00:00
ryan 2417e42fe5 Improved phpdoc for file.php. Props tommcfarlin. fixes #21328
git-svn-id: http://core.svn.wordpress.org/trunk@21350 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-07-26 15:08:30 +00:00
dd32 509b845abc Make get_home_path() work in more cases by being case insensitive and sanitzing Windows paths. In some cases (such as differing case of hostnames or paths in the site/home options, or when SCRIPT_FILENAME contains forward slashes) the function was failing to return the correct path, and would instead return /. Props to SergeyBiryukov for the initial patch. Fixes #20449 Fixes #10447
git-svn-id: http://core.svn.wordpress.org/trunk@21224 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-07-06 13:54:15 +00:00
nacin 23abe58a59 Rewrite theme-editor.php to use the new WP_Theme API. see #20103.
git-svn-id: http://svn.automattic.com/wordpress/trunk@20313 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-03-29 03:00:38 +00:00
dd32 86577f34ea Fix a small typo.
git-svn-id: http://svn.automattic.com/wordpress/trunk@20070 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-03-02 11:00:51 +00:00
duck_ bb94e702f8 Drop image resizing code from wp_handle_upload(). Fixes #19800.
This code stops wp_handle_upload() from reporting errors when the upload couldn't be moved to its final local and it was a non-JS fallback that is unused.


git-svn-id: http://svn.automattic.com/wordpress/trunk@20019 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-02-28 20:02:43 +00:00
ryan e3b46b25d3 Lose EOF ?>. Clean up EOF newlines. fixes #12307
git-svn-id: http://svn.automattic.com/wordpress/trunk@19712 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-01-08 17:01:11 +00:00
dd32 e15f5275a8 Fix edge case in get_home_path() where the incorrect path may be returned. Props ptahdunbar. Fixes #18768
git-svn-id: http://svn.automattic.com/wordpress/trunk@19697 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-01-06 13:46:22 +00:00
ryan 340e93324c Remove extraneous spaces. Props kenan3008, dimadin. fixes #19501 #19433
git-svn-id: http://svn.automattic.com/wordpress/trunk@19596 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-12-14 17:36:38 +00:00
ryan 07ff8b216b Use one space, not two, after trailing punctuation. fixes #19537
git-svn-id: http://svn.automattic.com/wordpress/trunk@19593 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-12-13 23:45:31 +00:00