Commit Graph

1808 Commits

Author SHA1 Message Date
Peter Wilson f888c5cbbb Login and Registration: Improve messaging for invalid log-out nonces.
Clarify messaging of when `wp_nonce_ays('log-out')` is called due to an invalid log out nonce. The HTML title now describes the action being taken rather than using the generic text "something went wrong".

Props davidkryzaniak, hellofromTonya, peterwilsoncc.
Fixes #52600.


Built from https://develop.svn.wordpress.org/trunk@52088


git-svn-id: http://core.svn.wordpress.org/trunk@51680 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-09 23:09:00 +00:00
hellofromTonya 8853582220 General: Convert `wp_list_filter()` into a wrapper for `wp_filter_object_list()`.
The code in `wp_list_filter()` was a duplicate of `wp_filter_object_list()`, minus the `WP_List_Util::pluck()` (used when `$field` is configured).

In testing the wrapper, discovered an edge case (and potential bug) in `WP_List_Util::filter()` where if the operator matches an empty array was returned without resetting the output property. Without that property being set correctly, `WP_List_Util::get_output()` was not correct. This commit also fixes this by resetting the property to an empty array.  

Follow-up to [15686], [17427], [38928], [51044].

Props pbearne, sergeybiryukov, hellofromTonya.
Fixes #53988.
Built from https://develop.svn.wordpress.org/trunk@52066


git-svn-id: http://core.svn.wordpress.org/trunk@51658 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-09 01:10:59 +00:00
John Blackbourn 4c3a23ba40 Docs: Fix some docblock syntax errors and add a missing canonical reference.
See #53399, #52867, #38942, #53668

Built from https://develop.svn.wordpress.org/trunk@52034


git-svn-id: http://core.svn.wordpress.org/trunk@51626 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-08 10:44:59 +00:00
antpb c1f6817cad Media: Remove security messaging in media upload failures.
Previously, when uploading a media item type that is not supported, the default error message claims that the reason it cannot upload is due to security reasons. This is not always true. Now the warning says that the type is not allowed, which is always true.

Props antpb, Presskopp, peterwilsoncc, desrosj, iluy, circlecube, mikeschroder.
Fixes #53626.


Built from https://develop.svn.wordpress.org/trunk@52032


git-svn-id: http://core.svn.wordpress.org/trunk@51624 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-07 23:29:56 +00:00
John Blackbourn c274d3c520 Docs: Miscellaneous docblock improvements.
See #53399

Built from https://develop.svn.wordpress.org/trunk@51957


git-svn-id: http://core.svn.wordpress.org/trunk@51546 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-10-30 20:17:01 +00:00
John Blackbourn 0775153e27 Date/Time: Improve the docblocks for various date and time related functions.
See #53399, #28992, #40653

Built from https://develop.svn.wordpress.org/trunk@51950


git-svn-id: http://core.svn.wordpress.org/trunk@51539 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-10-29 16:51:56 +00:00
hellofromTonya 4471c3787c FileSystem API: Fix autovivification deprecation notice in `recurse_dirsize()`.
>PHP natively allows for autovivification (auto-creation of arrays from falsey values). This feature is very useful and used in a lot of PHP projects, especially if the variable is undefined. However, there is a little oddity that allows creating an array from a `false` and `null` value.

The above quote is from the PHP 8.1 RFC and the (accepted) RFC changes the behaviour described above to deprecated auto creation of arrays from `false`. As it is deprecated, it _will_ still work for the time being, but as of PHP 9.0, this will become a Fatal Error, so we may as well fix it now.

The `recurse_dirsize()` function retrieves a transient and places it in the `$directory_cache` variable, but the `get_transient()` function in WP returns `false` when the transient doesn't exist, which subsequently can lead to the above mentioned deprecation notice.

By verifying that the `$directory_cache` variable is an array before assigning to it and initializing it to an empty array, if it's not, we prevent the deprecation notice, as well as harden the function against potentially corrupted transients where this transient would not return the expected array format, but some other variable type.

Includes adding dedicated unit tests for both the PHP 8.1 issue, as well as the hardening against corrupted transients.

Includes some girl-scouting: touching up a parameter description and some code layout.

Refs:
* https://wiki.php.net/rfc/autovivification_false
* https://developer.wordpress.org/reference/functions/get_transient/

Follow-up to [49212], [49744].

Props jrf, hellofromTonya.
See #53635.
Built from https://develop.svn.wordpress.org/trunk@51911


git-svn-id: http://core.svn.wordpress.org/trunk@51504 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-10-15 22:53:58 +00:00
hellofromTonya 82141be0d8 FileSystem API: Fix infinite loop on Windows for `clean_dirsize_cache()`.
When the PHP native `dirname()` function is used on a Windows disk name - i.e. `C:\`-, it will return the same, i.e, it will return `C:\` again.

The `clean_dirsize_cache()` function didn't have guard clause against this, which meant that on Windows based systems and IIS servers, this function would result in WordPress getting stuck into an infinite loop.

The adjustment to the `while` part of the function fix this by checking if the return value of the `dirname()` function call is the same as the original path passed to `dirname()`, which effectively fixes the infinite loop.

A number of other improvements made:

1. Add input validation for the `$path` parameter to guard against invalid variable types being passed into the function.

2. Guard against an empty `$path` parameter, which would result in an infinite loop on both Windows as well as *nix based systems.

In both these cases, a PHP notice will now be thrown.

3. When a non-empty string, which isn't a path would previously be passed, the `dirname()` function would transform that to a `.` and the `.` key in the transient cache would be cleared out.
This was a bug as there is no relation between a non-path string and the root directory of file system.

This bug has been fixed by checking that something could actually be a path and handling received non-empty, non-path input parameters in a special way, i.e only removing the cache key for the passed string and bowing out from further processing.

Unfortunately, no tests can be added to guard against the infinite loop.

For the other fixes, we have added appropriate unit tests. 

Follow-up up [49212], [49616], [49744].

Props jrf, hellofromTonya, raubvogel, sergeybiryukov, codezen8, sjlevy, drosmog, teachlynx, ekojr, bartoszgrzesik, joegasper, janthiel, josephdickson, ocean90, audrasjb.
Fixes #52241.
Built from https://develop.svn.wordpress.org/trunk@51910


git-svn-id: http://core.svn.wordpress.org/trunk@51503 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-10-15 22:25:01 +00:00
John Blackbourn 41995176f6 Docs: Miscellaneous inline documentation improvements, including:
* Document the post statuses global as an array of `stdClass` objects
* Document the taxonomies global as an array of `WP_Taxonomy` objects
* Document the return value of the post count functions as `stdClass` objects
* Fix some typos

See #53399

Built from https://develop.svn.wordpress.org/trunk@51885


git-svn-id: http://core.svn.wordpress.org/trunk@51478 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-10-04 20:44:02 +00:00
hellofromTonya b8322a053e Code Modernization: Fix null to non-nullable deprecation in `wp_privacy_anonymize_ip()`.
The `wp_privacy_anonymize_ip()` function expects a string for the `$ip_addr` parameter, but did not do any input validation.

One of the pre-existing test cases, passed `null` to the function, leading to a `substr_count(): Passing null to parameter #1 ($haystack) of type string is deprecated` notice on PHP 8.1.

Fixed now by doing a cursory check on the variable at the start of the function and bowing out early for a number of cases (`null`, `false`, `0`, `''`) which would all result in the same `0.0.0.0` output anyway.

Follow-up [42971].

Props jrf, hellofromTonya.
See #53635.
Built from https://develop.svn.wordpress.org/trunk@51793


git-svn-id: http://core.svn.wordpress.org/trunk@51400 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-09-09 22:56:56 +00:00
Sergey Biryukov e1e1d021ea General: Only use `_jsonp_wp_die_handler()` for JSONP REST API requests.
Props mdawaffe, peterwilsoncc.
Built from https://develop.svn.wordpress.org/trunk@51740


git-svn-id: http://core.svn.wordpress.org/trunk@51348 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-09-08 17:16:57 +00:00
desrosj 5090761b4f Coding Standards: Apply some minor alignment fixes.
These are updates caused by running `composer format`.

Follow up to [51501], [51599], [51618], [51653].
See #53359, #50542, #53238, #53668, #53690.
Built from https://develop.svn.wordpress.org/trunk@51693


git-svn-id: http://core.svn.wordpress.org/trunk@51299 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-08-30 14:09:58 +00:00
Andrew Ozz 94a990de99 Media: Fix `wp_unique_filename()` to check for name collisions with all alternate file names when an image may be converted after uploading. This includes possible collinions with pre-existing images whose sub-sizes/thumbnails are regenerated.
Props ianmjones, azaozz.
Fixes #53668.
Built from https://develop.svn.wordpress.org/trunk@51653


git-svn-id: http://core.svn.wordpress.org/trunk@51259 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-08-24 20:52:03 +00:00
Sergey Biryukov 532bd808c9 Code Modernization: Check the input type in `validate_file()`.
This fixes a `preg_match_all(): Passing null to parameter #2 ($subject) of type string is deprecated` notice on PHP 8.1.

The behavior for `null` and `string` input is covered by the existing `Tests_Functions::test_validate_file()` test.

Effect: Errors down by 238, assertions up by 1920, failures down by 1.

Props jrf, hellofromTonya, SergeyBiryukov.
See #53635.
Built from https://develop.svn.wordpress.org/trunk@51625


git-svn-id: http://core.svn.wordpress.org/trunk@51231 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-08-16 22:53:02 +00:00
gziolo 2f6eb9d25e Blocks: Add support for `variations in `block.json` file
We integrated variations with block types and the corresponding REST API endpoint in #52688. It's a follow-up patch to add missing support to the `block.json` metadata file when using `register_block_type`.

Some fields for variations are translatable.Therefore, i18n schema was copied over from Gutenberg: https://github.com/WordPress/gutenberg/blob/trunk/packages/blocks/src/api/i18n-block.json. The accompanying implementation was adapted as `translate_settings_using_i18n_schema`.

Props: gwwar, swissspidy, schlessera, jorgefilipecosta.
Fixes #53238.


Built from https://develop.svn.wordpress.org/trunk@51599


git-svn-id: http://core.svn.wordpress.org/trunk@51210 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-08-11 09:08:01 +00:00
Sergey Biryukov 04f4e911dc Coding Standards: Silence a WPCS warning in `date_i18n()`.
This fixes a "Calling `current_time()` with a `$type` of `timestamp` or `U` is strongly discouraged as it will not return a Unix (UTC) timestamp" warning.

Props jrf.
See #53359.
Built from https://develop.svn.wordpress.org/trunk@51557


git-svn-id: http://core.svn.wordpress.org/trunk@51168 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-08-05 14:49:57 +00:00
John Blackbourn ea60cd8191 Docs: Descriptive improvements and corrections for various docblocks.
See #53399

Built from https://develop.svn.wordpress.org/trunk@51300


git-svn-id: http://core.svn.wordpress.org/trunk@50909 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-07-01 21:12:58 +00:00
iandunn 3801e9818a Media: Revert r51211 to restore `ms-files.php` assets.
r51211 accidentally introduced a fatal error for Multisite instances with `ms_files_rewriting` enabled. Reverting removes the error, and the original purpose of the commit can be solved in another way.

Props otto42, barry, ryelle, azaozz.
Fixes #53492. See #53475.

Built from https://develop.svn.wordpress.org/trunk@51223


git-svn-id: http://core.svn.wordpress.org/trunk@50832 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-06-23 22:20:59 +00:00
Andrew Ozz e93093f7ed Media: Prevent uploading and show an error message when the server doesn't support editing of WebP files and image sub-sizes cannot be created.
Props adamsilverstein, desrosj, azaozz
Fixes #53475
Built from https://develop.svn.wordpress.org/trunk@51211


git-svn-id: http://core.svn.wordpress.org/trunk@50820 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-06-22 23:12:57 +00:00
jorgefilipecosta 6db7930147 Ports theme.json changes for beta 3.
- Add _wp_to_kebab_case function
- Add CSS Custom Properties within preset classes.

Props nosolosw.
See #53397.
Built from https://develop.svn.wordpress.org/trunk@51198


git-svn-id: http://core.svn.wordpress.org/trunk@50807 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-06-22 09:51:00 +00:00
Sergey Biryukov e127bcde70 Themes: Make sure `get_file_data()` recognizes headers prefixed by `<?php` tag.
This allows for using headers in the format of `<?php // Template Name: Something ?>`, which previously could not be recognized correctly.

Props dd32, m_uysl, thomas-vitale, boblinthorst.
Fixes #33387.
Built from https://develop.svn.wordpress.org/trunk@51182


git-svn-id: http://core.svn.wordpress.org/trunk@50791 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-06-18 14:03:58 +00:00
Sergey Biryukov b964d532e2 Docs: Add a `@since` note to `wp_parse_id_list()` and `wp_parse_slug_list()` about using `wp_parse_list()`.
Follow-up to [44546], [49941].

Props joyously, dlh, pbiron.
See #52628.
Built from https://develop.svn.wordpress.org/trunk@51055


git-svn-id: http://core.svn.wordpress.org/trunk@50664 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-06-01 21:21:57 +00:00
Sergey Biryukov 972d2bc117 Docs: Improve documentation for `wp_list_filter()` and `wp_filter_object_list()`.
This should make the purpose and behavior of these functions more obvious without reading the code.

Props ribaricplusplus.
Fixes #52808.
Built from https://develop.svn.wordpress.org/trunk@51044


git-svn-id: http://core.svn.wordpress.org/trunk@50653 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-28 18:04:57 +00:00
desrosj 4a7c797d92 General: Correct the inline code examples for `_wp_array_get()` and `_wp_array_set().
Props thomasplevy, SergeyBiryukov.
Fixes #53264.
Built from https://develop.svn.wordpress.org/trunk@51041


git-svn-id: http://core.svn.wordpress.org/trunk@50650 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-27 19:36:59 +00:00
Sergey Biryukov a30afc155e General: Avoid a PHP warning when checking the `mbstring.func_overload` PHP value.
This avoids "A non-numeric value encountered" warning when `mbstring.func_overload` is set to something other than a numeric string, e.g. an empty string instead of the default `'0'` value.

Props djbu.
Fixes #53282.
Built from https://develop.svn.wordpress.org/trunk@51032


git-svn-id: http://core.svn.wordpress.org/trunk@50641 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-26 16:05:59 +00:00
Sergey Biryukov 8f47c944d8 General: Some documentation and test improvements for the `_wp_array_set()`:
* Update the function DocBlock per the documentation standards.
* Move the unit tests to a more appropriate place.
* Rename and reorder the tests for consistency with `_wp_array_get()` tests.

Follow-up to [50958], [50962], [50964].

See #53175, #52625.
Built from https://develop.svn.wordpress.org/trunk@50965


git-svn-id: http://core.svn.wordpress.org/trunk@50574 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-24 12:25:55 +00:00
youknowriad 6c0578055c General: Add _wp_array_set function.
This adds the _wp_array_set function, which is the counterpart of the existing _wp_array_get.
This utility is to be used by the Global Settings work.

Props nosolosw, jorgefilipecosta.
See #53175.

Built from https://develop.svn.wordpress.org/trunk@50958


git-svn-id: http://core.svn.wordpress.org/trunk@50567 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-24 08:30:56 +00:00
Sergey Biryukov 5354201954 Media: Avoid an infinite loop between `wp_getimagesize()` and `wp_get_image_mime()`.
As a result of the recent changes, both functions were calling each other if the `exif` PHP extension is not available.

The issue is now resolved by calling the `getimagesize()` PHP function directly, instead of the `wp_getimagesize()` wrapper.

Follow-up to [50146], [50810], [50814], [50815], [50818-50821].

See #35725.
Built from https://develop.svn.wordpress.org/trunk@50822


git-svn-id: http://core.svn.wordpress.org/trunk@50431 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-07 09:33:01 +00:00
Sergey Biryukov 0778849c12 Media: Some documentation and test improvements for WebP support:
* Document that WebP constants are only defined in PHP 7.1+.
* Correct the `$filename` parameter type in `wp_get_webp_info()`.
* Use a consistent message when skipping tests due to the lack of WebP support.
* Remove unnecessary `else` branches after `markTestSkipped()`.
* Replace `assertEquals()` with more appropriate assertions.

Follow-up to [50810].

See #35725.
Built from https://develop.svn.wordpress.org/trunk@50814


git-svn-id: http://core.svn.wordpress.org/trunk@50423 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-05 17:08:01 +00:00
Adam Silverstein 524030edfa Images: enable WebP support.
Add support for uploading, editing and saving WebP images when supported by the server.

Add 'image/webp' to supported mime types. Correctly identify WebP images and sizes even when PHP doesn't support WebP. Resize uploaded WebP files (when supported) and use for front end markup.

Props markoheijne, blobfolio, Clorith, joemcgill, atjn, desrosj, spacedmonkey, marylauc, mikeschroder, hellofromtonya, flixos90.
Fixes #35725.


Built from https://develop.svn.wordpress.org/trunk@50810


git-svn-id: http://core.svn.wordpress.org/trunk@50419 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-04 14:44:58 +00:00
John Blackbourn 52679edbff Docs: Add examples of possible names for various hooks whose name contains a dynamic portion.
This provides greater discoverability of such hooks in search results on the Code Reference site as well as increased clarity when reading the source.

See #50734, #52628

Built from https://develop.svn.wordpress.org/trunk@50505


git-svn-id: http://core.svn.wordpress.org/trunk@50118 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-03-07 12:32:09 +00:00
Peter Wilson c463e94a33 Security: move Content-Security-Policy script loaders.
Move `wp_get_script_tag()`, `wp_print_script_tag()`, `wp_print_inline_script_tag()` and `wp_get_inline_script_tag()` functions from `functions.php` to `script-loader.php`.

Relocate related tests to `dependencies` sub-directory.

Follow up to [50167].
Props adamsilverstein, hellofromTonya, SergeyBiryukov.
Fixes #39941.

Built from https://develop.svn.wordpress.org/trunk@50409


git-svn-id: http://core.svn.wordpress.org/trunk@50020 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-02-23 02:00:06 +00:00
Adam Silverstein a506e02edd Security: add Content-Security-Policy script loaders.
Add new functions `wp_get_script_tag`, `wp_print_script_tag`, `wp_print_inline_script_tag` and `wp_get_inline_script_tag` that support script attributes. Enables passing attributes such as `async` or `nonce`, creating a path forward for enabling a Content-Security-Policy in core, plugins and themes.

Props tomdxw, johnbillion, jadeddragoon, jrchamp, mallorydxw, epicfaace, alinod, enricocarraro, ocean90.
Fixes #39941.



Built from https://develop.svn.wordpress.org/trunk@50167


git-svn-id: http://core.svn.wordpress.org/trunk@49846 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-02-02 20:55:05 +00:00
Sergey Biryukov aab7206ff8 Media: Move `wp_getimagesize()` to `wp-includes/media.php`, for consistency with other media functions.
Follow-up to [50146].

See #49889.
Built from https://develop.svn.wordpress.org/trunk@50148


git-svn-id: http://core.svn.wordpress.org/trunk@49827 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-02-02 17:10:04 +00:00
antpb f80e5d0919 Media: Avoid suppressing errors when using `getimagesize()`.
Previously, all logic utilizing `getimagesize()` was supressing errors making it difficult to debug usage of the function. 

A new `wp_getimagesize()` function has been added to allow the errors to no longer be suppressed when `WP_DEBUG` is enabled.

Props Howdy_McGee, SergeyBiryukov, mukesh27, davidbaumwald, noisysocks, hellofromTonya.
Fixes #49889.

Built from https://develop.svn.wordpress.org/trunk@50146


git-svn-id: http://core.svn.wordpress.org/trunk@49825 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-02-02 16:53:04 +00:00
Sergey Biryukov 22188b3e85 Users: Move `retrieve_password()` to `wp-includes/user.php`, for consistency with other user functions.
Follow-up to [25231], [50129].

Props jfarthing84, dimadin.
See #34281, #31039.
Built from https://develop.svn.wordpress.org/trunk@50140


git-svn-id: http://core.svn.wordpress.org/trunk@49819 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-02-02 12:37:03 +00:00
Felix Arntz dbfbf5501a Security, Site Health: Make migrating a site to HTTPS a one-click interaction.
Switching a WordPress site from HTTP to HTTPS has historically been a tedious task. While on the surface the Site Address and WordPress Address have to be updated, existing content still remains using HTTP URLs where hard-coded in the database. Furthermore, updating _two_ URLs to migrate to HTTPS is still a fairly unintuitive step which is not clearly explained.

This changeset simplifies migration from HTTP to HTTPS and, where possible, makes it a one-click interaction.

* Automatically replace insecure versions of the Site Address (`home_url()`) with its HTTPS counterpart on the fly if the site has been migrated from HTTP to HTTPS. This is accomplished by introducing a `https_migration_required` option and enabling it when the `home_url()` is accordingly changed.
    * A new `wp_replace_insecure_home_url()` function is hooked into various pieces of content to replace URLs accordingly.
    * The migration only kicks in when the Site Address (`home_url()`) and WordPress Address (`site_url()`) match, which is the widely common case. Configurations where these differ are often maintained by more advanced users, where this migration routine would be less essential - something to potentially iterate on in the future though.
    * The migration does not actually update content in the database. More savvy users that prefer to do that can prevent the migration logic from running by either deleting the `https_migration_required` option or using the new `wp_should_replace_insecure_home_url` filter.
    * For fresh sites that do not have any content yet at the point of changing the URLs to HTTPS, the migration will also be skipped since it would not be relevant.
* Expose a primary action in the Site Health recommendation, if HTTPS is already supported by the environment, built on top of the HTTPS detection mechanism from [49904]. When clicked, the default behavior is to update `home_url()` and `site_url()` in one go to their HTTPS counterpart.
    * A new `wp_update_urls_to_https()` function takes care of the update routine.
    * A new `update_https` meta capability is introduced to control access.
    * If the site's URLs are controlled by constants, this update is not automatically possible, so in these scenarios the user is informed about that in the HTTPS status check in Site Health.
* Allow hosting providers to modify the URLs linked to in the HTTPS status check in Site Health, similar to how that is possible for the URLs around updating the PHP version.
    * A `WP_UPDATE_HTTPS_URL` environment variable or `wp_update_https_url` filter can be used to provide a custom URL with guidance about updating the site to use HTTPS.
    * A `WP_DIRECT_UPDATE_HTTPS_URL` environment variable or `wp_direct_update_https_url` filter can be used to provide a custom URL for the primary CTA to update the site to use HTTPS.

Props flixos90, timothyblynjacobs.
Fixes #51437.

Built from https://develop.svn.wordpress.org/trunk@50131


git-svn-id: http://core.svn.wordpress.org/trunk@49810 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-02-02 00:10:01 +00:00
Adam Silverstein 315b1c185d Users: enable admins to send users a reset password link.
Add a feature so Admins can send users a 'password reset' email. This doesn't change the password or force a password change. It only emails the user the password reset link.

The feature appears in several places:
* A "Send Reset Link" button on user profile screen.
* A "Send password reset" option in the user list bulk action dropdown.
* A "Send password reset" quick action when hovering over a username in the user list.

Props Ipstenu, DrewAPicture, eventualo, wonderboymusic, knutsp, ericlewis, afercia, JoshuaWold, johnbillion, paaljoachim, hedgefield.
Fixes #34281.


Built from https://develop.svn.wordpress.org/trunk@50129


git-svn-id: http://core.svn.wordpress.org/trunk@49808 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-02-01 22:13:03 +00:00
whyisjake 5f532382aa Privacy: Ensure that exported user data reports can't be found with directory listings.
By moving from `.html` to `.php` files, we can prevent directory listings, and ensure that WordPress can load.

Fixes #52299.

Props lucasbustamante, xkon, freewebmentor, SergeyBiryukov, whyisjake. 

Built from https://develop.svn.wordpress.org/trunk@50037


git-svn-id: http://core.svn.wordpress.org/trunk@49738 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-27 23:46:58 +00:00
Felix Arntz 3716c8c20f Robots: Introduce Robots API.
This changeset introduces a filter-based Robots API, providing central control over the `robots` meta tag.

* Introduces `wp_robots()` function which should be called anywhere a `robots` meta tag should be included.
* Introduces `wp_robots` filter which allows adding or modifying directives for the `robots` meta tag. The `wp_robots()` function is entirely filter-based, i.e. if no filter is added to `wp_robots`, no directives will be present, and therefore the entire `robots` meta tag will be omitted.
* Introduces the following `wp_robots` filter functions which replace similar existing functions that were manually rendering a `robots` meta tag:
    * `wp_robots_noindex()` replaces `noindex()`, which has been deprecated.
    * `wp_robots_no_robots()` replaces `wp_no_robots()`, which has been deprecated.
    * `wp_robots_sensitive_page()` replaces `wp_sensitive_page_meta()`, which has been deprecated. Its rendering of the `referrer` meta tag has been moved to another new function `wp_strict_cross_origin_referrer()`.

Migration to the new functions is straightforward. For example, a call to `add_action( 'wp_head', 'wp_no_robots' )` should be replaced with `add_filter( 'wp_robots', 'wp_robots_no_robots' )`.

Plugins and themes that render their own `robots` meta tags are encouraged to switch to rely on the `wp_robots` filter in order to use the central management layer now provided by WordPress core.

Props adamsilverstein, flixos90, timothyblynjacobs, westonruter.
See #51511.

Built from https://develop.svn.wordpress.org/trunk@49992


git-svn-id: http://core.svn.wordpress.org/trunk@49693 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-21 01:37:00 +00:00
Sergey Biryukov c38bdce55b Docs: Correct description for `wp_parse_list()`.
The function simply converts a comma- or space-separated list of scalar values to an array and does not perform any sanitization on its own.

Follow-up to [44546].

Props johnjamesjacoby.
See #51800.
Built from https://develop.svn.wordpress.org/trunk@49941


git-svn-id: http://core.svn.wordpress.org/trunk@49640 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-06 17:25:07 +00:00
Sergey Biryukov 7ced0efbf4 Docs: Use more consistent descriptions for `void|false` return values.
See #51800.
Built from https://develop.svn.wordpress.org/trunk@49935


git-svn-id: http://core.svn.wordpress.org/trunk@49634 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-05 16:48:07 +00:00
Sergey Biryukov 37662df05e Docs: In various `@return` tags, list the expected type first, instead of `false` or `WP_Error`.
Follow-up to [46696], [47060], [49926], [49927].

See #51800.
Built from https://develop.svn.wordpress.org/trunk@49929


git-svn-id: http://core.svn.wordpress.org/trunk@49628 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-04 17:18:04 +00:00
John Blackbourn dfe1f9b322 Docs: Promote many `bool` types to `true` or `false` where only that value is used.
See #51800

Built from https://develop.svn.wordpress.org/trunk@49927


git-svn-id: http://core.svn.wordpress.org/trunk@49626 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-03 22:04:04 +00:00
John Blackbourn 53da9208dd Docs: Various docblock corrections particularly relating to boolean types.
See #51800

Built from https://develop.svn.wordpress.org/trunk@49926


git-svn-id: http://core.svn.wordpress.org/trunk@49625 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-03 21:57:09 +00:00
Sergey Biryukov 3f05756219 Accessibility: Upgrade/Install: Add more contrast to input borders during installation.
This brings the accessibility improvements previously made for other areas of the admin in WordPress 5.3 to the installation screens too.

Follow-up to [46241-46244], [46247], [46248], [46293], [46425].

Props Maigret, audrasjb.
Fixes #51854.
Built from https://develop.svn.wordpress.org/trunk@49907


git-svn-id: http://core.svn.wordpress.org/trunk@49606 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-12-26 19:54:07 +00:00
John Blackbourn e7cc15b321 Upload: Introduce the `{$action}_overrides` filter that allows the overrides parameter for file uploads and file sideloads to be filtered.
The dynamic portion of the hook name, `$action`, refers to the post action.

Props iandunn, jakub.tyrcha, nacin, wonderboymusic, Mte90, johnbillion

Fixes #16849

Built from https://develop.svn.wordpress.org/trunk@49845


git-svn-id: http://core.svn.wordpress.org/trunk@49564 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-12-20 16:15:03 +00:00
John Blackbourn bf83c368fd Docs: Various docblock improvements.
See #51800

Built from https://develop.svn.wordpress.org/trunk@49790


git-svn-id: http://core.svn.wordpress.org/trunk@49513 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-12-10 23:59:03 +00:00
iandunn 4de6175227 Multisite: Cache absolute `dirsize` paths to avoid PHP 8 fatal.
r49212 greatly improved the performance of `get_dirsize()`, but also changed the structure of the data stored in the `dirsize_cache` transient. It stored relative paths instead of absolute ones, and also removed the unnecessary `size` array.

That difference in data structures led to a fatal error in the following environment:

* PHP 8
* Multisite
* A custom `WP_CONTENT_DIR` which is not a child of WP's `ABSPATH` folder (e.g., [https://roots.io/bedrock/ Bedrock])
* The `upload_space_check_disabled` option set to `0`

After upgrading to WP 5.6, the `dirsize_cache` transient still had data in the old format. When `wp-admin.php/index.php` was visited, `get_space_used()` received an `array` instead of an `int`, and tried to divide it by another `int`. PHP 7 would silently cast the arguments to match data types, but [https://wiki.php.net/rfc/arithmetic_operator_type_checks PHP 8 throws a fatal error]: 

`Uncaught TypeError: Unsupported operand types: array / int`

`recurse_dirsize()` was using `ABSPATH` to convert the absolute paths to relative ones, but some upload locations are not located under `ABSPATH`. In those cases, `$directory` and `$cache_path` were identical, and that triggered the early return of the old `array`, instead of the expected `int`. 

In order to avoid that, this commit restores the absolute paths, but without the `size` array. It also adds a type check when returning cached values. Using absolute paths without `size` has the result of overwriting the old data, so that it matches the new format. The type check and upgrade routine are additional safety measures.

Props peterwilsoncc, janthiel, helen, hellofromtonya, francina, pbiron.
Fixes #51913. See #19879.


Built from https://develop.svn.wordpress.org/trunk@49744


git-svn-id: http://core.svn.wordpress.org/trunk@49467 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-12-03 20:39:02 +00:00
John Blackbourn f4cda1b62f Docs: Upgrade more parameters in docblocks to used typed array notation.
See #51800, #41756

Built from https://develop.svn.wordpress.org/trunk@49693


git-svn-id: http://core.svn.wordpress.org/trunk@49416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-11-24 21:27:05 +00:00