Commit Graph

162 Commits

Author SHA1 Message Date
John Blackbourn fbd44ee554 Security: Add a referrer policy header to the admin and login screens.
This sets a referrer policy of `same-origin` which adds hardening by preventing a referrer being sent from the admin area or login screens to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within URLs.

This change introduces a new filter, `admin_referrer_policy`, for filtering the referrer policy header value. The header can be disabled if necessary by removing the `wp_admin_headers` action from the `admin_init` and `login_init` hooks.

Props joostdevalk
Fixes #42036

Built from https://develop.svn.wordpress.org/trunk@41741


git-svn-id: http://core.svn.wordpress.org/trunk@41575 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-04 18:25:46 +00:00
John Blackbourn b52e37f9bf Options, Meta APIs: Require a confirmation link in an email to be clicked when an admin attempts to change the site admin email address.
This adds this previously Multisite-only functionality to single site installations too. This change prevents accidental or erroneous email address changes from potentially locking users out of their site.

Props MatheusGimenez, johnbillion

Fixes #39118

Built from https://develop.svn.wordpress.org/trunk@41254


git-svn-id: http://core.svn.wordpress.org/trunk@41094 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-08-14 20:13:43 +00:00
Dion Hulse e8211f783a Docs: Correct a number of typos/spelling mistakes in inline comments.
Props ottok.
Fixes #38464.

Built from https://develop.svn.wordpress.org/trunk@38893


git-svn-id: http://core.svn.wordpress.org/trunk@38836 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-25 00:38:35 +00:00
Drew Jaynes 7eb6471461 Docs: Fix minor formatting and syntax for wp-admin/* elements introduced in 4.6.
See #37318.

Built from https://develop.svn.wordpress.org/trunk@38024


git-svn-id: http://core.svn.wordpress.org/trunk@37965 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-09 14:00:31 +00:00
Peter Wilson 47d26cd9fb DOCS: Replace HTTP links with HTTPS.
Replaces unsecure links in documentation and translator comments with their secure versions.

Props johnpgreen, netweb

Fixes #36993

Built from https://develop.svn.wordpress.org/trunk@37674


git-svn-id: http://core.svn.wordpress.org/trunk@37640 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-10 04:50:33 +00:00
Andrew Ozz 82ee5ca020 Editor: ensure the page is refreshed when the users navigate to it with the Back or Forward buttons. In these cases the browsers usually load the page from (memory) cache and it contains the old editor content.
Fixes #35852.
Built from https://develop.svn.wordpress.org/trunk@37619


git-svn-id: http://core.svn.wordpress.org/trunk@37587 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-02 01:30:27 +00:00
Drew Jaynes 1947f4d17c Docs: Apply inline `@see` tags to hooks referenced in DocBlocks for wp-admin/* files.
Applying these specially-crafted `@see` tags allows the Code Reference parser to recognize and link these elements as actions and filters.

See #36921.

Built from https://develop.svn.wordpress.org/trunk@37537


git-svn-id: http://core.svn.wordpress.org/trunk@37505 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-23 17:28:27 +00:00
Drew Jaynes c3055cc190 Docs: Standardize hook docs in wp-admin/* to use third-person singular verbs per the inline documentation standards for PHP.
See #36913.

Built from https://develop.svn.wordpress.org/trunk@37488


git-svn-id: http://core.svn.wordpress.org/trunk@37456 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-22 18:01:30 +00:00
Pascal Birchler a47fa4f197 Rewrite Rules: After [36953], correctly replace existing rules on IIS when updating them.
Props WiZZarD_.
Fixes #36506 for trunk.
Built from https://develop.svn.wordpress.org/trunk@37273


git-svn-id: http://core.svn.wordpress.org/trunk@37239 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-04-21 09:33:27 +00:00
Andrea Fercia 30866ceb5d Accessibility: Improve color contrast updating any `#999` gray used for text or icons to a darker gray.
Fixes #35660.
Built from https://develop.svn.wordpress.org/trunk@36587


git-svn-id: http://core.svn.wordpress.org/trunk@36554 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-19 18:44:27 +00:00
John Blackbourn a5d44337b2 Docs: `@param` fixes for a variety of docblocks.
See #32246

Built from https://develop.svn.wordpress.org/trunk@36232


git-svn-id: http://core.svn.wordpress.org/trunk@36199 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-09 01:45:26 +00:00
John Blackbourn 7718e07129 Docs: Correct the parameter docs for various Heartbeat filters and functions.
See #32246

Built from https://develop.svn.wordpress.org/trunk@36231


git-svn-id: http://core.svn.wordpress.org/trunk@36198 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-09 01:37:26 +00:00
Drew Jaynes e6578e7b4f Docs: Use 3-digit, x.x.x-style semantic versioning in the DocBlocks for `post_form_autocomplete_off()` and `WP_Filesystem_SSH2::sftp_path()`.
Props aaronrutley.
Fixes #34518.

Built from https://develop.svn.wordpress.org/trunk@35468


git-svn-id: http://core.svn.wordpress.org/trunk@35432 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-31 13:16:24 +00:00
Helen Hou-Sandí 6ca92efe23 List tables: Move the view mode switcher into screen options for posts.
Having a view mode switcher nestled within table navigation makes no sense, especially now that it's a sticky user option. While less convenient for frequent switching, there is no evidence as of yet that there is a large userbase of frequent view mode switchers.

Introduces a filter for `view_mode_post_types`, which by default is all hierarchical post types with edit UI on.

props Oxymoron.
fixes #22222.

Built from https://develop.svn.wordpress.org/trunk@35357


git-svn-id: http://core.svn.wordpress.org/trunk@35323 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-22 19:25:25 +00:00
Scott Taylor 8eb3de46c9 Formatting: move `url_shorten()` from `wp-admin/includes/misc.php` to `wp-includes/formatting.php` for more global access.
Adds unit tests.

Props mulvane, chriscct7.
Fixes #20166.

Built from https://develop.svn.wordpress.org/trunk@35314


git-svn-id: http://core.svn.wordpress.org/trunk@35280 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-21 03:48:24 +00:00
Dion Hulse 85258bb914 In `insert_with_markers()` restore the 4.3 behaviour of creating the file if it doesn't exist.
This change also makes it bail early (without writing) if the markers content is the same as the existing, and uses `ftell()` rather than `$bytes` for the location to truncate the file to - based on the file pointer being at the end of the written stream.

Props willmot tigertech kevinatelement
See #31767

Built from https://develop.svn.wordpress.org/trunk@35267


git-svn-id: http://core.svn.wordpress.org/trunk@35233 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-19 00:53:24 +00:00
Boone Gorges 0e7c1d3b14 Use `wp_installing()` instead of `WP_INSTALLING` constant.
The `WP_INSTALLING` constant is a flag that WordPress sets in a number of
places, telling the system that options should be fetched directly from the
database instead of from the cache, that WP should not ping wordpress.org for
updates, that the normal "not installed" checks should be bypassed, and so on.

A constant is generally necessary for this purpose, because the flag is
typically set before the WP bootstrap, meaning that WP functions are not yet
available.  However, it is possible - notably, during `wpmu_create_blog()` -
for the "installing" flag to be set after WP has already loaded. In these
cases, `WP_INSTALLING` would be set for the remainder of the process, since
there's no way to change a constant once it's defined. This, in turn, polluted
later function calls that ought to have been outside the scope of site
creation, particularly the non-caching of option data. The problem was
particularly evident in the case of the automated tests, where `WP_INSTALLING`
was set the first time a site was created, and remained set for the rest of the
suite.

The new `wp_installing()` function allows developers to fetch the current
installation status (when called without any arguments) or to set the
installation status (when called with a boolean `true` or `false`). Use of
the `WP_INSTALLING` constant is still supported; `wp_installing()` will default
to `true` if the constant is defined during the bootstrap.

Props boonebgorges, jeremyfelt.
See #31130.
Built from https://develop.svn.wordpress.org/trunk@34828


git-svn-id: http://core.svn.wordpress.org/trunk@34793 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-05 15:06:28 +00:00
Drew Jaynes 4c2203b370 Docs: Add missing summaries for functions in wp-admin/includes/misc.php.
Also restructures the summary for `update_home_siteurl()`.

See #32246.

Built from https://develop.svn.wordpress.org/trunk@34824


git-svn-id: http://core.svn.wordpress.org/trunk@34789 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-05 02:52:24 +00:00
Dion Hulse dc9203d753 Rewrite `insert_with_markers()` to use `flock()` when available, significant cleanup of the function too.
The call to `flock()` is an exclusive advisory lock, which in my testing only PHP respects (apache continues to read it).
Not all filesystems support locking (remote NFS mounts for example) so this offers minimal benefit to those platforms, but offers much better protection against file corruption on systems which do support it.
The call is blocking, so a second process will wait for the first to complete before writing if supported.

See #31767

Built from https://develop.svn.wordpress.org/trunk@34740


git-svn-id: http://core.svn.wordpress.org/trunk@34704 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-01 07:46:27 +00:00
Jeremy Felt 5397416276 MS: Delete `rewrite_rules` when updating a switched site's URL.
Previously, rewrite rules could be flushed and regenerated in the context of another site. Deleting the rules when in a switched state allows for them to be generated properly on the next page view.

Fixes #33816.

Built from https://develop.svn.wordpress.org/trunk@34672


git-svn-id: http://core.svn.wordpress.org/trunk@34636 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-28 23:24:27 +00:00
Scott Taylor 84da11d918 Pass `false` as the 2nd argument to `class_exists()` to disable autoloading and to not cause problems for those who define `__autoload()`.
Fixes #20523.

Built from https://develop.svn.wordpress.org/trunk@34348


git-svn-id: http://core.svn.wordpress.org/trunk@34312 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-20 03:52:25 +00:00
John Blackbourn 606b6d15f1 Introduce `wp_removable_query_args()`, which returns an array of single-use query variables which can be removed from a URL.
Also applies the function to the return URL when the Customizer is closed.

Fixes #32692
Props swissspidy, Mte90

Built from https://develop.svn.wordpress.org/trunk@33849


git-svn-id: http://core.svn.wordpress.org/trunk@33817 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-02 11:29:23 +00:00
John Blackbourn b9ec4136d9 Remove `error` from the query variables when cleaning up a URL in `wp_admin_canonical_url()`.
Fixes #32847

Built from https://develop.svn.wordpress.org/trunk@33770


git-svn-id: http://core.svn.wordpress.org/trunk@33738 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-27 17:26:21 +00:00
Andrew Ozz fa25fe82ef Fix updating of nonces on the Edit Post screen after the log in expires and the user logs in again.
Props iseulde, azaozz. Fixes #33098.
Built from https://develop.svn.wordpress.org/trunk@33468


git-svn-id: http://core.svn.wordpress.org/trunk@33435 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-28 22:07:25 +00:00
Scott Taylor 42d51a4f89 Add doc blocks to functions that are missing them.
If the function has no need for `@param` or `@return`, do an archeaological dig to find `@since`.

See #32444.

Built from https://develop.svn.wordpress.org/trunk@32672


git-svn-id: http://core.svn.wordpress.org/trunk@32642 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-31 03:18:25 +00:00
Scott Taylor a51dfa3971 In the style of #30947 and `default-filters.php`, add 2 new files to `wp-admin/includes`:
`admin-filters.php`
`ms-admin-filters.php`

There are random actions and filters littered among files like `misc.php`. These files contain functions that won't work outside of admin context and are typically only loaded in files that have already loaded the admin bootstrap.

See #32529.

Built from https://develop.svn.wordpress.org/trunk@32653


git-svn-id: http://core.svn.wordpress.org/trunk@32623 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-29 17:04:26 +00:00
Scott Taylor b56b9b3e5c Add `@global` annotations for `wp-admin/*`.
See #32444.

Built from https://develop.svn.wordpress.org/trunk@32642


git-svn-id: http://core.svn.wordpress.org/trunk@32612 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-28 21:41:30 +00:00
Helen Hou-Sandí bfda508c18 Update more instances of default admin blues and grays.
props hugobaeta.
fixes #31234.

Built from https://develop.svn.wordpress.org/trunk@32051


git-svn-id: http://core.svn.wordpress.org/trunk@32030 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-05 21:20:27 +00:00
Helen Hou-Sandí d85f8fe326 Admin notices: Make (most) core notices dismissible.
These no longer return upon refreshing the page when JS is on and working, so users should be able to dismiss them. This is particularly important on the post edit screen when DFW is triggered, but pretty much all notices can be dismissed if needed. A post on Make/Core will follow with information on how this can be leveraged in plugins.

props valendesigns, afercia, paulwilde, adamsilverstein, helen.
fixes #31233. see #23367.

Built from https://develop.svn.wordpress.org/trunk@31973


git-svn-id: http://core.svn.wordpress.org/trunk@31952 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-01 22:06:28 +00:00
Dion Hulse 7b5ae90225 When altering the admin URL to reflect the canonical location, keep the existing hash (if present) in the URL.
Fixes #31758. See #23367

Built from https://develop.svn.wordpress.org/trunk@31882


git-svn-id: http://core.svn.wordpress.org/trunk@31861 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-03-25 04:32:26 +00:00
Dominik Schilling 4cc85f4da2 Administration: Remove single-use URL parameters and create canonical link based on new URL.
The default removable query args are 'message', 'settings-updated', 'saved', 'update', 'updated','activated', 'activate', 'deactivate', 'locked', 'deleted', 'trashed', 'untrashed', 'enabled', 'disabled', and 'skipped'. 

props morganestes.
fixes #23367.
Built from https://develop.svn.wordpress.org/trunk@31736


git-svn-id: http://core.svn.wordpress.org/trunk@31717 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-03-11 23:09:26 +00:00
Scott Taylor 196d85a9f6 Fill in the `@param` types for the args for functions missing them in `wp-admin/includes/misc.php`.
See #30224.

Built from https://develop.svn.wordpress.org/trunk@30200


git-svn-id: http://core.svn.wordpress.org/trunk@30200 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-03 06:01:24 +00:00
Gary Pendergast 007ec52958 Add `wp_json_encode()`, a wrapper for `json_encode()` that ensures everything is converted to UTF-8.
Change all core calls from `json_encode()` to `wp_json_encode()`.

Fixes #28786.


Built from https://develop.svn.wordpress.org/trunk@30055


git-svn-id: http://core.svn.wordpress.org/trunk@30055 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-28 18:35:19 +00:00
Andrew Nacin f7392ef917 Pinking shears.
Built from https://develop.svn.wordpress.org/trunk@29707


git-svn-id: http://core.svn.wordpress.org/trunk@29481 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-09-04 15:23:16 +00:00
Andrew Ozz 4deee321e3 Editor: use the `post_edit_form_tag` action to add autocomplete="off" to the whole form on the Add/Edit Post screen in WebKit. Prevents editor problems when the browser's Back button is used. Fixes #28037.
Built from https://develop.svn.wordpress.org/trunk@29448


git-svn-id: http://core.svn.wordpress.org/trunk@29226 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-08-08 20:54:15 +00:00
Drew Jaynes 097dc8ee15 Fix syntax for single- and multi-line comments in wp-admin-directory files.
See #28931.

Built from https://develop.svn.wordpress.org/trunk@29206


git-svn-id: http://core.svn.wordpress.org/trunk@28990 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-17 09:14:16 +00:00
Andrew Ozz 5168f9c7c6 Secure embeds in the editor (first run):
- When the user pastes an embeddable http URL, try to get the https embed.
- If an embed provider doesn't support ssl embeds, show a placeholder/error message.
- Revise the way we return error messages.
See #28195, #28507.
Built from https://develop.svn.wordpress.org/trunk@28919


git-svn-id: http://core.svn.wordpress.org/trunk@28718 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-06-30 05:49:16 +00:00
Andrew Ozz 84f3e30f7b wpView: improve handling of embed errors/error messages, see #28195
Built from https://develop.svn.wordpress.org/trunk@28754


git-svn-id: http://core.svn.wordpress.org/trunk@28568 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-06-15 22:53:16 +00:00
Scott Taylor 69fbe27f48 Don't use variable variables in `wp_reset_vars()`. Test by searching in list tables, etc.
See #27881.

Built from https://develop.svn.wordpress.org/trunk@28746


git-svn-id: http://core.svn.wordpress.org/trunk@28560 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-06-11 20:00:15 +00:00
Drew Jaynes a6e536fba6 Make sure to use 3-digit x.x.x style for two 3.9.0 `@since` versions.
Props netweb.
Fixes #28446.

Built from https://develop.svn.wordpress.org/trunk@28658


git-svn-id: http://core.svn.wordpress.org/trunk@28476 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-06-04 05:35:16 +00:00
Drew Jaynes f609524261 Minor phpDoc fixes for the `got_rewrite`, `got_url_rewrite`, and `documentation_ignore_functions` hooks.
Props GaryJ.
See #26869.

Built from https://develop.svn.wordpress.org/trunk@28352


git-svn-id: http://core.svn.wordpress.org/trunk@28180 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-08 11:13:14 +00:00
Drew Jaynes 690481f8e8 Generalize the hook documentation for the `set-screen-option` filter.
The filter covers more than [items]_per_page screen options.

Fixes #26186.

Built from https://develop.svn.wordpress.org/trunk@27379


git-svn-id: http://core.svn.wordpress.org/trunk@27228 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-03 17:51:14 +00:00
Drew Jaynes 849ce35cb9 Inline documentation for hooks in wp-admin/includes/misc.php.
Props JoshuaAbenazer.
Fixes #26186

Built from https://develop.svn.wordpress.org/trunk@27375


git-svn-id: http://core.svn.wordpress.org/trunk@27224 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-03 17:20:16 +00:00
Sergey Biryukov f291730aec Avoid an undefined index notice in wp_doc_link_parse().
props pross for initial patch.
fixes #27214.
Built from https://develop.svn.wordpress.org/trunk@27323


git-svn-id: http://core.svn.wordpress.org/trunk@27175 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-02-27 23:16:13 +00:00
Andrew Ozz 335add2573 Autosave: refactor autosave.js, use heartbeat for transport and move all "Add/Edit Post" related functionality to post.js. See #25272.
Built from https://develop.svn.wordpress.org/trunk@26995


git-svn-id: http://core.svn.wordpress.org/trunk@26872 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-01-22 04:56:16 +00:00
Helen Hou-Sandí 60f3e98d51 Pass the $user_id to the `admin_color_scheme_picker` hook for context. props nacin. see #26607 for trunk.
Built from https://develop.svn.wordpress.org/trunk@26924


git-svn-id: http://core.svn.wordpress.org/trunk@26805 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-01-08 21:49:10 +00:00
Drew Jaynes cd8cedc40d First there were two, and now there are three -- in the @since versions that came before and that shall be. And so it will be, says nacin.
Props JustinSainton, SergeyBiryukov, DrewAPicture.
Fixes #26713.

Built from https://develop.svn.wordpress.org/trunk@26868


git-svn-id: http://core.svn.wordpress.org/trunk@26754 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-12-24 18:57:12 +00:00
Andrew Nacin 1fb828504e Avoid notices when default and light are not registered color schemes. see #26468.
Built from https://develop.svn.wordpress.org/trunk@26814


git-svn-id: http://core.svn.wordpress.org/trunk@26701 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-12-09 00:49:09 +00:00
Andrew Nacin 7dbfca1778 Nonces are already per-user. see #22862.
Built from https://develop.svn.wordpress.org/trunk@26793


git-svn-id: http://core.svn.wordpress.org/trunk@26680 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-12-08 07:05:10 +00:00
Andrew Nacin c09252b950 Core updates for the new color schemes.
* Update about page, there's now 8.
 * Display them four wide, not three, and ensure adequate spacing.
 * Use a dedicated nonce.
 * Push Light to the front in addition to Default.
 * Use user-profile.js on about.php. A few extra things are initialized but they are harmless.

see #26468, #26387.

Built from https://develop.svn.wordpress.org/trunk@26776


git-svn-id: http://core.svn.wordpress.org/trunk@26663 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-12-07 07:46:21 +00:00