- XML-RPC: Switch to `wp_safe_remote()` when fetching a pingback URL.
- HTML API: Prevent `WP_HTML_Tag_Processor` instances being unserialized and add some extra logic for validating pattern and template file paths.
- KSES: Optimize PCRE pattern detecting numeric character references.
- Customize: Improve escaping approach used for nav menu attributes.
- Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager.
- Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag.
- Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.
Merges [61879-61885,61887,61890,61913] to the 5.8 branch.
Props johnbillion, xknown, dmsnell, jorbin, peterwilson, desrosj, westonruter, jonsurrell, aurdasjb.
Built from https://develop.svn.wordpress.org/branches/5.8@61952
git-svn-id: http://core.svn.wordpress.org/branches/5.8@61234 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- REST API: Increase the specificity of capability checks for collections when the `edit` context is in use.
- Menus: Prevent HTML in menu item titles from being rendered unexpectedly.
Merges [60814], [60815], [60816] to the 5.8 branch.
Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, phillsav, rmccue, timothyblynjacobs, vortfu, westonruter, whyisjake, zieladam.
Built from https://develop.svn.wordpress.org/branches/5.8@60828
git-svn-id: http://core.svn.wordpress.org/branches/5.8@60164 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The WordPress Importer plugin now requires PHP 7.2 or higher. The plugin’s unit tests were removed as of [59769] in favor of running only within the plugin’s repository on GitHub instead.
[59769] was made during the 6.8 release cycle, so all WP <= 6.7 branches still checkout the latest revision for the plugin before running the PHPUnit test suite.
This change modifies the `env:install` script to download version `0.9.0` of the plugin (which is the last version of the Importer plugin that supports PHP < 7.2) when a qualifying version is being tested.
Merges [60748] to the 5.8 branch.
Props @swissspidy.
See #63983.
Built from https://develop.svn.wordpress.org/branches/5.8@60756
git-svn-id: http://core.svn.wordpress.org/branches/5.8@60092 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.
This updates the `ca-bundle.crt` file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024-bit certificates which are kept for backward compatibility purposes (see [35919]).
Partially merges [59740] and [59969] to the 5.8 branch.
Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
See #62811, #62711.
Built from https://develop.svn.wordpress.org/branches/5.8@60002
git-svn-id: http://core.svn.wordpress.org/branches/5.8@59344 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Install: When populating options, maybe_serialize instead of always serialize.
- Uploads: Check for and verify ZIP archives.
Merges [57388] and [57389] to the 5.8 branch.
Props costdev, peterwilsoncc, azaozz, tykoted, johnbillion, desrosj, afragen, jorbin, xknown.
Built from https://develop.svn.wordpress.org/branches/5.8@57397
git-svn-id: http://core.svn.wordpress.org/branches/5.8@56903 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- REST API: Limit `search_columns` for users without `list_users`.
- Comments: Prevent users who cannot see a post from seeing comments on it.
- Application Passwords: Prevent the use of some pseudo protocols in application passwords.
- Restrict media shortcode ajax to certain type
- REST API: Ensure no-cache headers are sent when methods are overridden.
- Prevent unintended behavior when certain objects are unserialized.
Merges [56833], [56834], [56835], [56836], [56837], and [56838] to the 5.8 branch.
Props xknown, jorbin, Vortfu, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, martinkrcho, paulkevan, dd32, antpb, rmccue.
Built from https://develop.svn.wordpress.org/branches/5.8@56884
git-svn-id: http://core.svn.wordpress.org/branches/5.8@56395 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Editor: Bump @wordpress packages for the 5.9 branch,
- Media: Refactor search by filename within the admin,
- REST API: Lockdown post parameter of the terms endpoint,
- Customize: Escape blogname option in underscores templates,
- Query: Validate relation in `WP_Date_Query`,
- Users: Revert use of shared objects for current user,
- Posts, Post types: Apply KSES to post-by-email content,
- General: Validate host on "Are you sure?" screen,
- Posts, Post types: Remove emails from post-by-email logs,
- Pings/trackbacks: Apply KSES to all trackbacks,
- Mail: Reset PHPMailer properties between use,
- Comments: Apply kses when editing comments,
- Widgets: Escape RSS error messages for display.
Merges [54521-54530] to the 5.8 branch.
Props audrasjb, costdev, cu121, dd32, davidbaumwald, ehtis, johnbillion, johnjamesjacoby, martinkrcho, matveb, oztaser, paulkevan, peterwilsoncc, ravipatel, SergeyBiryukov, talldanwp, timothyblynjacobs, tykoted, voldemortensen, vortfu, xknown.
Built from https://develop.svn.wordpress.org/branches/5.8@54548
git-svn-id: http://core.svn.wordpress.org/branches/5.8@54103 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add strings for use in future maintenance/security releases to indicate the security support status of the version of WordPress.
Two strings are introduced:
* indicating the version of WordPress is not receiving security updates, and,
* indicating the version of WordPress will shortly stop receiving security updates.
This change does not make use of the strings, the purpose is to make them available to translators prior to dropping support of selected versions of WordPress.
Props costdev, chesio, robinwpdeveloper, desrosj, rudlinkon, mukesh27, sumitbagthariya16.
Merges [54322] to the 5.8 branch.
See #56532.
Built from https://develop.svn.wordpress.org/branches/5.8@54432
git-svn-id: http://core.svn.wordpress.org/branches/5.8@53991 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This avoids an `Uncaught ArgumentCountError: Too few arguments to function {closure}(), 1 passed` PHP fatal error when registering a block style with the `should_load_separate_core_block_assets` filter enabled.
Follow-up to [51471].
Props aristath, shimon246, jrf, gziolo, SergeyBiryukov.
Merges [54323] to the 5.8 branch.
Fixes #54323.
Built from https://develop.svn.wordpress.org/branches/5.8@51981
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51570 1a063a9b-81f0-0310-95a4-ce76da25c4cd
> The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.
>
> Most up-to-date CA cert trusted bundles, as provided by operating systems, contain this soon-to-be-expired certificate. The current CA cert bundles also contain an ISRG Root X1 self-signed certificate. This means that clients verifying certificate chains can find the alternative non-expired path to the ISRG Root X1 self-signed certificate in their trust store.
>
> Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers the untrusted chain and if that chain contains a path that leads to an expired trusted root certificate (DST Root CA X3), it will be selected for the certificate verification and the expiration will be reported.
References:
* [https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2]
* [https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ DST Root CA X3 Expiration (September 2021)]
Follow-up to [25224], [25426], [25569], [27307], [30491], [30765], [34283], [35919], [36570], [46094].
Props bradleyt, fierevere, SergeyBiryukov.
Merges [51883] to the 5.8 branch.
Fixes #54207. See #50828.
Built from https://develop.svn.wordpress.org/branches/5.8@51948
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51537 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This unpins the version of PHP 5.6.20 used when testing the 5.6 branch of PHP.
Using 5.6.20 was an intentional decision in [49162], as that patch version is the oldest version of PHP 5.6 still supported by WordPress. However, as of September 30, 2021, the `5.6.20` image contains a version of OpenSSL with an expired certificate, sometimes resulting in an expired trust chain.
Props Clorith, hellofromTonya, SergeyBiryukov, desrosj.
Fixes #54223.
Built from https://develop.svn.wordpress.org/branches/5.8@51889
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51482 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [51838], the test wrapper methods were not being called due to the names not being recognized as supported PHPUnit "hook" names for fixtures.
This commit:
- Fixes the problem by adding extra camelCase wrappers to the `WP_UnitTestCase` to call the methods in the right order.
- Adds wrappers for the `assertPreConditions()` and `assertPostConditions()` fixture methods to make the backport feature complete for the fixture wrappers.
Test wrapper methods call fix:
By adding method overloads for the PHPUnit native camelCase fixture methods and letting those call the (camelCase) parent method first and only calling the snake_case fixture methods after, the snake_case methods can be supported and the typical run order safeguarded.
As not all test classes will have declared snake_case fixture methods, the snake_case fixture methods are also declared in the `WP_UnitTestCase`. Why? This prevents having to wrap these method calls in `method_exists()` conditions checking for the existence of the snake_case methods in an unknown Test child class. And with the normal inheritance rules in combination with calling the method using `static`, the right method will be called anyway without fatal "calling undeclared method" errors.
Note: While it will be rare, there ''may'' be cases where a test class does not adhere to the normal execution order for fixtures, i.e. for the setup methods, parent first, own code second; and for the teardown methods, own code first, parent second. For example a test class which has "some code - `parent::setUp()` call - some more code" in their `setUp()` method. In those (rare) cases, the execution order of the code will now be changed, which may have side-effects. This rare case will be identified in the dev note.
Follow-up to [51838].
Props bjorsch, swisspidy, jrf, hellofromTonya.
See #53911.
Built from https://develop.svn.wordpress.org/branches/5.8@51861
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51460 1a063a9b-81f0-0310-95a4-ce76da25c4cd
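As an added illustration of the wrapper pattern described in the commit above (this is editor-written example code, not WordPress core's `WP_UnitTestCase` and not the commit's own patch), a minimal base test case that overrides PHPUnit's native camelCase fixture hooks, calls the parent first for setup and last for teardown, and declares no-op snake_case fixtures so that child classes need no `method_exists()` guards. It assumes PHPUnit 8 or later, where the fixture methods carry a `void` return type; the class names `Base_Test_Case` and `Example_Test` are invented for the example.

```php
<?php
// Added example (not WordPress core code). Assumes PHPUnit >= 8, where the
// native fixture methods are declared with a void return type.

use PHPUnit\Framework\TestCase;

abstract class Base_Test_Case extends TestCase {

    // Native camelCase hooks: parent first, then the snake_case equivalent,
    // so the usual PHPUnit run order is preserved for setup methods.
    public static function setUpBeforeClass(): void {
        parent::setUpBeforeClass();
        static::set_up_before_class();
    }

    // Teardown runs in the opposite order: own (snake_case) code first,
    // then the parent.
    public static function tearDownAfterClass(): void {
        static::tear_down_after_class();
        parent::tearDownAfterClass();
    }

    protected function setUp(): void {
        parent::setUp();
        $this->set_up();
    }

    protected function tearDown(): void {
        $this->tear_down();
        parent::tearDown();
    }

    protected function assertPreConditions(): void {
        parent::assertPreConditions();
        $this->assert_pre_conditions();
    }

    protected function assertPostConditions(): void {
        parent::assertPostConditions();
        $this->assert_post_conditions();
    }

    // Default no-op snake_case fixtures. Declaring them here means a child
    // class that does not define one still resolves cleanly via `static`
    // without a "call to undefined method" fatal error.
    public static function set_up_before_class() {}
    public static function tear_down_after_class() {}
    public function set_up() {}
    public function tear_down() {}
    public function assert_pre_conditions() {}
    public function assert_post_conditions() {}
}

// A child test that uses only the snake_case fixtures and follows the
// normal convention: parent::set_up() first, parent::tear_down() last.
class Example_Test extends Base_Test_Case {
    private $log = array();

    public function set_up() {
        parent::set_up();
        $this->log[] = 'set_up';
    }

    public function tear_down() {
        $this->log[] = 'tear_down';
        parent::tear_down();
    }

    public function test_fixture_order() {
        $this->log[] = 'test';
        // By the time the test body runs, only set_up has executed.
        $this->assertSame( array( 'set_up', 'test' ), $this->log );
    }
}
```

Run it with `phpunit Example_Test.php` (or via the project's usual PHPUnit bootstrap). The one behavioural caveat the commit calls out also applies here: a child class that calls `parent::setUp()` in the middle of its own `setUp()` body, rather than first, will now have its own code run before the base class's snake_case `set_up()` logic, which is a change in execution order relative to a base class without the wrappers.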
This backports the PHPUnit Polyfills package and related test infrastructure changes to make it easier for developers to continue testing on multiple versions of WordPress while adding tests for newer versions of PHP, which require more modern PHPUnit practices.
One of the changes included is the addition of wrappers for the new snake_case fixture methods in PHPUnit. This allows the native camelCase standard in PHPUnit to be used, but allows for developers to transition to the new naming conventions.
Props hellofromTonya, jrf, SergeyBiryukov, johnbillion, netweb, schlessera, jeherve, lucatume, desrosj.
Merges [51559,51560,51810-51813,51828] to the 5.8 branch.
See #53911.
Built from https://develop.svn.wordpress.org/branches/5.8@51838
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51445 1a063a9b-81f0-0310-95a4-ce76da25c4cd