- XML-RPC: Switch to `wp_safe_remote()` when fetching a pingback URL.
- HTML API: Prevent `WP_HTML_Tag_Processor` instances being unserialized and add some extra logic for validating pattern and template file paths.
- KSES: Optimize PCRE pattern detecting numeric character references.
- Customize: Improve escaping approach used for nav menu attributes.
- Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager.
- Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag.
- Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.
Merges [61879-61884,61886-61887,61890,61913] to the 4.9 branch.
Props johnbillion, xknown, dmsnell, jorbin, peterwilson, desrosj, westonruter, jonsurrell, audrasjb.
Built from https://develop.svn.wordpress.org/branches/4.9@62004
git-svn-id: http://core.svn.wordpress.org/branches/4.9@61286 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- REST API: Increase the specificity of capability checks for collections when the `edit` context is in use.
- Menus: Prevent HTML in menu item titles from being rendered unexpectedly.
Merges [60814], [60815], [60816] to the 4.9 branch.
Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, phillsav, rmccue, timothyblynjacobs, vortfu, westonruter , whyisjake, zieladam.
Built from https://develop.svn.wordpress.org/branches/4.9@60837
git-svn-id: http://core.svn.wordpress.org/branches/4.9@60173 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.
This updates the `ca-bundle.crt` file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).
Partially merges [46094], [58707], [59740] and [59969] to the 4.9 branch.
See #62811, #62711, #50828, #45807.
Built from https://develop.svn.wordpress.org/branches/4.9@60021
git-svn-id: http://core.svn.wordpress.org/branches/4.9@59357 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Install: When populating options, maybe_serialize instead of always serialize.
- Uploads: Check for and verify ZIP archives.
Merges [57388] and [57389] to the 4.9 branch.
Props costdev, peterwilsoncc, azaozz, tykoted, johnbillion, desrosj, afragen, jorbin, xknown.
Built from https://develop.svn.wordpress.org/branches/4.9@57406
git-svn-id: http://core.svn.wordpress.org/branches/4.9@56912 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Comments: Prevent users who can not see a post from seeing comments on it.
- Shortcodes: Restrict media shortcode ajax to certain type.
- REST API: Ensure no-cache headers are sent when methods are overridden.
- REST API: Limit `search_columns` for users without `list_users`.
- Prevent unintended behavior when certain objects are unserialized.
Merges [56834], [56835], [56836], [56838], and [56840] to the 4.9 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.
Built from https://develop.svn.wordpress.org/branches/4.9@56865
git-svn-id: http://core.svn.wordpress.org/branches/4.9@56376 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add strings for use in future maintenance/security releases to indicate the security support status of the version of WordPress.
Two strings are introduced:
* indicating the version of WordPress is not receiving security updates, and,
* indicating the version of WordPress will shortly stop receiving security updates.
This change does not make use of the strings, the purpose is to make them available to translators prior to dropping support of selected versions of WordPress.
Props costdev, chesio, robinwpdeveloper, desrosj, rudlinkon, mukesh27, sumitbagthariya16.
Merges [54322] to the 4.9 branch.
See #56532.
Built from https://develop.svn.wordpress.org/branches/4.9@54451
git-svn-id: http://core.svn.wordpress.org/branches/4.9@54010 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This backports several build and test tool improvements to the 4.9 branch. Most notably, this includes:
- The changes required to allow each workflow to be triggered by the `workflow_dispatch` event so that tests can be run on a schedule [50590].
- Splitting single site and multisite tests into parallel jobs [50379].
- Split slow tests into separate, parallel jobs for PHP <= 5.6 [50444].
- Better branch and path scoping for GitHub Action workflows when running on `pull_request` [50432,50479].
- Several `devDependency` updates.
Merges [50379,50387,50413,50416,50432,50435,50436,50444,50446,50473,50474,50476,50479,50485,50486,50487,50545,50579,50590] to the 4.9 branch.
See #50401, #51801, #51802, #52548, #52608, #52612, #52624, #52625, #52645, #52653, #52658, #52660, #52667.
Built from https://develop.svn.wordpress.org/branches/4.9@50625
git-svn-id: http://core.svn.wordpress.org/branches/4.9@50237 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates the 4.9 branch to support the latest LTS version of NodeJS (currently 14.x), allowing the same version to be used across all WordPress branches that receive security updates as a courtesy.
This also replaces the `npm-shrinkwrap.json` with a `package-lock.json` file. Lock files were not supported in earlier versions of NPM, but can now be used.
In addition to backporting the package updates that happened after branching 4.9, dependencies that were removed in future releases have also been updated to their latest versions.
Props desrosj, dd32, netweb, jorbin.
Merges [42460-42461,42463,42887,43320,43323,43977,44219,44233,44728,45321,45765,46404,46408-46409,47404,47867-47869,47872-47873,48705,49636,49933,49937,49939,50017,50126,50176,50185,50192] to the 4.9 branch.
See #52341.
Built from https://develop.svn.wordpress.org/branches/4.9@50202
git-svn-id: http://core.svn.wordpress.org/branches/4.9@49876 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.
Brings the changes from [49380,49382-49388] to the 4.9 branch.
Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.
Built from https://develop.svn.wordpress.org/branches/4.9@49397
git-svn-id: http://core.svn.wordpress.org/branches/4.9@49156 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option.
Merges [47948-47951] to the 4.9 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/4.9@47967
git-svn-id: http://core.svn.wordpress.org/branches/4.9@47738 1a063a9b-81f0-0310-95a4-ce76da25c4cd
User: Invalidate `user_activation_key` on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.
Brings the changes in [47633], [47634], [47635], [47637], and [47638] to the 4.9 branch.
Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, westonruter, whyisjake, whyisjake, xknown.
Built from https://develop.svn.wordpress.org/branches/4.9@47648
git-svn-id: http://core.svn.wordpress.org/branches/4.9@47423 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Brings r46893 to the 4.9 branch.
Update `wp_kses_bad_protocol()` to recognize `:` on uri attributes,
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 4.9 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.9@46918
git-svn-id: http://core.svn.wordpress.org/branches/4.9@46718 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 5.0 branch.
Built from https://develop.svn.wordpress.org/branches/4.9@46493
git-svn-id: http://core.svn.wordpress.org/branches/4.9@46290 1a063a9b-81f0-0310-95a4-ce76da25c4cd
John Blackbourn