Commit Graph

15844 Commits

Author SHA1 Message Date
John Blackbourn f3529cb89d Bump 4.1 branch to version 4.1.21.
Built from https://develop.svn.wordpress.org/branches/4.1@42324


git-svn-id: http://core.svn.wordpress.org/branches/4.1@42153 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 19:02:55 +00:00
John Blackbourn 7f0c6cb620 Hardening: Remove the ability to upload JavaScript files for users who do not have the `unfiltered_html` capability.
Merges [42261] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@42299


git-svn-id: http://core.svn.wordpress.org/branches/4.1@42128 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:38:28 +00:00
John Blackbourn 348148eee2 Hardening: Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
Merges [42260] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@42298


git-svn-id: http://core.svn.wordpress.org/branches/4.1@42127 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:37:18 +00:00
John Blackbourn e16db41a65 Hardening: Add escaping to the language attributes used on `html` elements.
Merges [42259] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@42297


git-svn-id: http://core.svn.wordpress.org/branches/4.1@42126 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:36:53 +00:00
Dion Hulse 3c4befe52b WPDB: Check that `AUTH_SALT` is not empty, Fix a PHP notice when `AUTH_SALT` is undefined.
Props jsonfry, mkomar, pento.
Merges [42119] and [42120] to the 4.1 branch.
Fixes #42431 and #42401 for 4.1.

Built from https://develop.svn.wordpress.org/branches/4.1@42237


git-svn-id: http://core.svn.wordpress.org/branches/4.1@42066 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-27 01:13:21 +00:00
Gary Pendergast 1466683d48 Bump 4.1 branch to version 4.1.20.
Built from https://develop.svn.wordpress.org/branches/4.1@42076


git-svn-id: http://core.svn.wordpress.org/branches/4.1@41905 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 13:43:26 +00:00
Gary Pendergast 16391a9641 Database: Restore numbered placeholders in `wpdb::prepare()`.
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.

Merges [41662], [42056] to the 4.2 branch.
See #41925.


Built from https://develop.svn.wordpress.org/branches/4.1@42064


git-svn-id: http://core.svn.wordpress.org/branches/4.1@41893 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 12:53:27 +00:00
Aaron Campbell 6b3afa9678 Bump 4.1 branch to version 4.1.19.
Built from https://develop.svn.wordpress.org/branches/4.1@41517


git-svn-id: http://core.svn.wordpress.org/branches/4.1@41350 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 20:07:25 +00:00
Aaron Campbell 89333247c9 Database: Hardening to bring `wpdb::prepare()` inline with documentation.
`wpdb::prepare()` supports %s, %d, and %F as placeholders in the query string. Any other non-escaped % will be escaped.

Merges [41496] to 4.1 branch.


Built from https://develop.svn.wordpress.org/branches/4.1@41504


git-svn-id: http://core.svn.wordpress.org/branches/4.1@41337 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 18:33:25 +00:00
Aaron Campbell 68b9288c14 Database: Don’t trigger `_doing_it_wrong()` for null values in `wpdb::prepare()`.
While `wpdb::prepare()` does not support null values (see #12819) they still appear in the wild like in the WordPress Importer and other plugins.

Merges [41483] to 4.1 branch.


Built from https://develop.svn.wordpress.org/branches/4.1@41491


git-svn-id: http://core.svn.wordpress.org/branches/4.1@41324 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 16:26:18 +00:00
Aaron Campbell 688d186ddd Database: Hardening for `wpdb::prepare()`
Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.

Merges [41470] to 4.1 branch.


Built from https://develop.svn.wordpress.org/branches/4.1@41478


git-svn-id: http://core.svn.wordpress.org/branches/4.1@41311 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 15:03:53 +00:00
Dominik Schilling acc424ed10 TinyMCE: Improve the previews for shortcodes.
Merge of [41395] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@41442


git-svn-id: http://core.svn.wordpress.org/branches/4.1@41275 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 12:44:54 +00:00
Dominik Schilling 900cd482a4 Editor: Prevent adding `javascript:` and `data:` URLs through the inline link dialog.
Merge of [41393] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@41407


git-svn-id: http://core.svn.wordpress.org/branches/4.1@41240 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 10:19:51 +00:00
Aaron Campbell 9eb95c11ff Bump 4.1 branch to version 4.1.18.
Built from https://develop.svn.wordpress.org/branches/4.1@40754


git-svn-id: http://core.svn.wordpress.org/branches/4.1@40612 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 21:53:24 +00:00
Pascal Birchler f4aa87318c Media: Simplify upload error message construction.
Merges [40736] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@40743


git-svn-id: http://core.svn.wordpress.org/branches/4.1@40601 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 18:04:19 +00:00
Dominik Schilling f1dd14eb48 Customize: Ignore invalid customization sessions.
Merge of [40704] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@40711


git-svn-id: http://core.svn.wordpress.org/branches/4.1@40574 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 12:20:25 +00:00
Pascal Birchler 03ff944f46 Adjust post meta checks
Merges [40692] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@40699


git-svn-id: http://core.svn.wordpress.org/branches/4.1@40562 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:53:19 +00:00
Pascal Birchler c17688406b Whitelist post arguments in XML-RPC
Merges [40677] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@40684


git-svn-id: http://core.svn.wordpress.org/branches/4.1@40547 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:26:26 +00:00
Pascal Birchler d4a45dc58d Bump 4.1 branch to version 4.1.17.
Built from https://develop.svn.wordpress.org/branches/4.1@40493


git-svn-id: http://core.svn.wordpress.org/branches/4.1@40369 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-20 16:27:26 +00:00
James Nylen d19df5f1e4 Bump 4.1 branch to version 4.1.16.
Built from https://develop.svn.wordpress.org/branches/4.1@40208


git-svn-id: http://core.svn.wordpress.org/branches/4.1@40147 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 16:35:25 +00:00
Aaron Campbell 0d1be6d9ca Strip control characters before validating redirect.
Merges [40183] to 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@40190


git-svn-id: http://core.svn.wordpress.org/branches/4.1@40129 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 13:45:27 +00:00
Dominik Schilling c5c1dce809 Embeds: URL encode YouTube video IDs for broader compatibility.
Merge of [40160] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@40167


git-svn-id: http://core.svn.wordpress.org/branches/4.1@40106 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 12:08:26 +00:00
Aaron Campbell c0abe8d804 Bump 4.1 branch to version 4.1.15.
Built from https://develop.svn.wordpress.org/branches/4.1@40002


git-svn-id: http://core.svn.wordpress.org/branches/4.1@39939 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 18:26:25 +00:00
Dominik Schilling 0a69a201ad Query: Ensure that queries work correctly with post type names with special characters.
Merge of [39952] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@39962


git-svn-id: http://core.svn.wordpress.org/branches/4.1@39899 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 13:52:26 +00:00
Aaron Campbell edd582c69e Bump 4.1 branch to version 4.1.14.
Built from https://develop.svn.wordpress.org/branches/4.1@39866


git-svn-id: http://core.svn.wordpress.org/branches/4.1@39803 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 16:58:53 +00:00
Joe McGill 8dd8485f19 Media: Fix exif_imagetype check in wp_get_image_mime
This is a follow up to [39831].

Merges [39850] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@39857


git-svn-id: http://core.svn.wordpress.org/branches/4.1@39794 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 16:44:24 +00:00
Joe McGill 6fd71daf13 Media: Improve image filetype checking.
This adds a new function `wp_get_image_mime()` which is used by
`wp_check_filetype_and_ext()` to validate image files using
`exif_imagetype()` if available instead of `getimagesize()`.

`getimagesize()` is less performant than `exif_imagetype()` and is
dependent on GD. If `exif_imagetype()` is not available, it falls back to
`getimagesize()` as before.

If `wp_check_filetype_and_ext()` can't validate the filetype, we now return
`false` for ext/MIME values.

Merges [39831] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@39838


git-svn-id: http://core.svn.wordpress.org/branches/4.1@39776 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 13:18:53 +00:00
Dominik Schilling cf41259781 Themes: Fix markup for theme name fallbacks.
Merge of [39807] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@39815


git-svn-id: http://core.svn.wordpress.org/branches/4.1@39753 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 11:12:20 +00:00
Jeremy Felt 335301e8f6 Multisite: Use `wp_rand()` in signup key creation.
Merges [39795] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@39802


git-svn-id: http://core.svn.wordpress.org/branches/4.1@39740 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 05:35:19 +00:00
Dion Hulse e68653dd45 Update PHPMailer to 5.2.22.
The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.1 branch.
Fixes #37210 for 4.1.

Built from https://develop.svn.wordpress.org/branches/4.1@39790


git-svn-id: http://core.svn.wordpress.org/branches/4.1@39728 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 05:25:51 +00:00
Dion Hulse e754067ae9 Mail: Upgrade PHPMailer to 5.2.21.
Merges [39645], [36083], [33142], [33124] to the 4.1 branch.
See #37210.

Built from https://develop.svn.wordpress.org/branches/4.1@39727


git-svn-id: http://core.svn.wordpress.org/branches/4.1@39667 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-06 22:06:24 +00:00
Jeremy Felt 9a9ecd5c32 Bump 4.1 branch to 4.1.13.
Built from https://develop.svn.wordpress.org/branches/4.1@38554


git-svn-id: http://core.svn.wordpress.org/branches/4.1@38497 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-07 15:00:58 +00:00
Boone Gorges 3d28255a66 Bump 4.1 branch to 4.1.12.
Built from https://develop.svn.wordpress.org/branches/4.1@37832


git-svn-id: http://core.svn.wordpress.org/branches/4.1@37797 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 16:39:24 +00:00
Joe McGill 8bb91d40a2 Media: Improve handling of extensionless filenames.
Merge of [37756] to the 4.1 branch.

See #37111.
Built from https://develop.svn.wordpress.org/branches/4.1@37818


git-svn-id: http://core.svn.wordpress.org/branches/4.1@37783 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:57:40 +00:00
Nikolay Bachiyski 25df9d65a8 Admin: Escape attachment name in case it contains special characters
Merge of [37774] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@37790


git-svn-id: http://core.svn.wordpress.org/branches/4.1@37755 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:26:33 +00:00
Jeremy Felt 8d2141b7ee Admin: Allow for the consistent filtering of `auth_redirect_scheme`
Merge of [37651] to the 4.1 branch.

See #37047.

Built from https://develop.svn.wordpress.org/branches/4.1@37762


git-svn-id: http://core.svn.wordpress.org/branches/4.1@37727 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:13:23 +00:00
Dominik Schilling 2dbd645312 Bump 4.1 branch to 4.1.11.
Built from https://develop.svn.wordpress.org/branches/4.1@37388


git-svn-id: http://core.svn.wordpress.org/branches/4.1@37354 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-06 18:14:22 +00:00
Nikolay Bachiyski 58a1804e9c External Libraries: Update plupload from upstream
Built from https://develop.svn.wordpress.org/branches/4.1@37378


git-svn-id: http://core.svn.wordpress.org/branches/4.1@37344 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-06 17:57:22 +00:00
Nikolay Bachiyski 38154c01ce Taxonomies: make sure taxonomy functions work correctly with taxonomy names with special characters
The codex says that taxonomy names "should only contain lowercase letters and the underscore character", but that's not enforced. It's too late to enforce it, since some plugins haven't been following it and the official phpdoc doesn't mention this restriction.

Merge of [37133] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@37138


git-svn-id: http://core.svn.wordpress.org/branches/4.1@37105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-30 17:32:22 +00:00
Dominik Schilling e73593c805 HTTP: Improve detection of valid IP addresses.
Merge of [37115] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@37119


git-svn-id: http://core.svn.wordpress.org/branches/4.1@37086 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-30 15:52:33 +00:00
Nikolay Bachiyski 63bde8f97e Snoopy: use escapeshellarg instead of escapeshellcmd
We are escaping arguments, not commands, so we'd better use the semantically correct function, even though they are similar.

Merges [37094] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@37098


git-svn-id: http://core.svn.wordpress.org/branches/4.1@37065 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-30 14:10:23 +00:00
Dominik Schilling 7df345b1cc Bump 4.1 branch to 4.1.10.
Built from https://develop.svn.wordpress.org/branches/4.1@36458


git-svn-id: http://core.svn.wordpress.org/branches/4.1@36425 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 17:29:22 +00:00
Dominik Schilling 5b076e981c Better validation of the URL used in HTTP redirects.
Merges [36444] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@36450


git-svn-id: http://core.svn.wordpress.org/branches/4.1@36417 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 17:00:50 +00:00
Dominik Schilling ac434506e1 HTTP: `0.1.2.3` is not a valid IP.
Merges [36435] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@36439


git-svn-id: http://core.svn.wordpress.org/branches/4.1@36406 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 13:04:42 +00:00
Dominik Schilling 197d5128b2 Bump 4.1 branch to 4.1.9.
Built from https://develop.svn.wordpress.org/branches/4.1@36199


git-svn-id: http://core.svn.wordpress.org/branches/4.1@36166 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-06 18:50:23 +00:00
Aaron Jorbin e253e4e3d6 Theme: Escape error messages
[36185] for 4.1 branch

Built from https://develop.svn.wordpress.org/branches/4.1@36189


git-svn-id: http://core.svn.wordpress.org/branches/4.1@36156 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-06 17:26:50 +00:00
Dion Hulse 3ff8fa5386 Background Updates: Remove the 7am/7pm background update check.
This changeset is a more basic version of [36180], clearing the extra now redundant schedule.
As the functionality for this was introduced in 3.9, [28129] has been backported to 3.7/3.8, allowing the API TTL to be respected by those versions.

See #27772.
Fixes #35323.

Built from https://develop.svn.wordpress.org/trunk@36184


git-svn-id: http://core.svn.wordpress.org/branches/4.1@36151 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-06 13:24:33 +00:00
Helen Hou-Sandí a39030c223 Finish bumping the 4.1 branch to 4.1.8.
Built from https://develop.svn.wordpress.org/branches/4.1@34192


git-svn-id: http://core.svn.wordpress.org/branches/4.1@34160 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-15 14:51:36 +00:00
Dominik Schilling d38d60223d XMLRPC: Don't allow private posts to be sticky.
Merge of [33325], [33612], and [34135] to the 4.1 branch.

See #20662.
Built from https://develop.svn.wordpress.org/branches/4.1@34153


git-svn-id: http://core.svn.wordpress.org/branches/4.1@34121 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 23:01:22 +00:00
Nikolay Bachiyski 76e13dd238 Shortcodes: don't allow unclosed HTML elements in attributes
Merges [34134] for 4.1 branch

Built from https://develop.svn.wordpress.org/branches/4.1@34146


git-svn-id: http://core.svn.wordpress.org/branches/4.1@34114 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 22:48:48 +00:00