Skip to content

Commit

Permalink
Initial merge with WP 6.3.2
Browse files Browse the repository at this point in the history
  • Loading branch information
patrickebates committed Oct 13, 2023
1 parent 9b0d9af commit ba169f6
Show file tree
Hide file tree
Showing 76 changed files with 3,545 additions and 587 deletions.
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Project Nami
===============

### Version: `3.3.1` ###
### Version: `3.3.2` ###

### Description: ###
In its current form, Project Nami is basically WordPress powered by Microsoft SQL Server. **All** WordPress core features and functions are supported.
Expand Down
27 changes: 26 additions & 1 deletion wp-admin/about.php
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,32 @@

<div class="about__section changelog has-subtle-background-color">
<div class="column">
<h2><?php _e( 'Maintenance Release' ); ?></h2>
<h2><?php _e( 'Maintenance and Security Releases' ); ?></h2>
<p>
<?php
printf(
/* translators: 1: WordPress version number, 2: Plural number of bugs. More than one security issue. */
_n(
'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.',
41
),
'6.3.2',
'41'
);
?>
<?php
printf(
/* translators: %s: HelpHub URL. */
__( 'For more information, see <a href="%s">the release notes</a>.' ),
sprintf(
/* translators: %s: WordPress version. */
esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
sanitize_title( '6.3.2' )
)
);
?>
</p>
<p>
<?php
printf(
Expand Down
18 changes: 17 additions & 1 deletion wp-admin/includes/ajax-actions.php
Original file line number Diff line number Diff line change
Expand Up @@ -3882,13 +3882,29 @@ function wp_ajax_parse_media_shortcode() {

$shortcode = wp_unslash( $_POST['shortcode'] );

// Only process previews for media related shortcodes:
$found_shortcodes = get_shortcode_tags_in_content( $shortcode );
$media_shortcodes = array(
'audio',
'embed',
'playlist',
'video',
'gallery',
);

$other_shortcodes = array_diff( $found_shortcodes, $media_shortcodes );

if ( ! empty( $other_shortcodes ) ) {
wp_send_json_error();
}

if ( ! empty( $_POST['post_ID'] ) ) {
$post = get_post( (int) $_POST['post_ID'] );
}

// The embed shortcode requires a post.
if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) {
if ( 'embed' === $shortcode ) {
if ( in_array( 'embed', $found_shortcodes, true ) ) {
wp_send_json_error();
}
} else {
Expand Down
68 changes: 52 additions & 16 deletions wp-admin/includes/class-plugin-upgrader.php
Original file line number Diff line number Diff line change
Expand Up @@ -274,6 +274,8 @@ public function upgrade( $plugin, $args = array() ) {
* @since 2.8.0
* @since 3.7.0 The `$args` parameter was added, making clearing the plugin update cache optional.
*
* @global string $wp_version The WordPress version string.
*
* @param string[] $plugins Array of paths to plugin files relative to the plugins directory.
* @param array $args {
* Optional. Other arguments for upgrading several plugins at once.
Expand All @@ -283,6 +285,8 @@ public function upgrade( $plugin, $args = array() ) {
* @return array|false An array of results indexed by plugin file, or false if unable to connect to the filesystem.
*/
public function bulk_upgrade( $plugins, $args = array() ) {
global $wp_version;

$defaults = array(
'clear_update_cache' => true,
);
Expand Down Expand Up @@ -343,23 +347,55 @@ public function bulk_upgrade( $plugins, $args = array() ) {

$this->skin->plugin_active = is_plugin_active( $plugin );

$result = $this->run(
array(
'package' => $r->package,
'destination' => WP_PLUGIN_DIR,
'clear_destination' => true,
'clear_working' => true,
'is_multi' => true,
'hook_extra' => array(
'plugin' => $plugin,
'temp_backup' => array(
'slug' => dirname( $plugin ),
'src' => WP_PLUGIN_DIR,
'dir' => 'plugins',
if ( isset( $r->requires ) && ! is_wp_version_compatible( $r->requires ) ) {
$result = new WP_Error(
'incompatible_wp_required_version',
sprintf(
/* translators: 1: Current WordPress version, 2: WordPress version required by the new plugin version. */
__( 'Your WordPress version is %1$s, however the new plugin version requires %2$s.' ),
$wp_version,
$r->requires
)
);

$this->skin->before( $result );
$this->skin->error( $result );
$this->skin->after();
} elseif ( isset( $r->requires_php ) && ! is_php_version_compatible( $r->requires_php ) ) {
$result = new WP_Error(
'incompatible_php_required_version',
sprintf(
/* translators: 1: Current PHP version, 2: PHP version required by the new plugin version. */
__( 'The PHP version on your server is %1$s, however the new plugin version requires %2$s.' ),
PHP_VERSION,
$r->requires_php
)
);

$this->skin->before( $result );
$this->skin->error( $result );
$this->skin->after();
} else {
add_filter( 'upgrader_source_selection', array( $this, 'check_package' ) );
$result = $this->run(
array(
'package' => $r->package,
'destination' => WP_PLUGIN_DIR,
'clear_destination' => true,
'clear_working' => true,
'is_multi' => true,
'hook_extra' => array(
'plugin' => $plugin,
'temp_backup' => array(
'slug' => dirname( $plugin ),
'src' => WP_PLUGIN_DIR,
'dir' => 'plugins',
),
),
),
)
);
)
);
remove_filter( 'upgrader_source_selection', array( $this, 'check_package' ) );
}

$results[ $plugin ] = $result;

Expand Down
13 changes: 13 additions & 0 deletions wp-admin/includes/class-wp-comments-list-table.php
Original file line number Diff line number Diff line change
Expand Up @@ -651,6 +651,19 @@ public function single_row( $item ) {

$this->user_can = current_user_can( 'edit_comment', $comment->comment_ID );

$edit_post_cap = $post ? 'edit_post' : 'edit_posts';
if (
current_user_can( $edit_post_cap, $comment->comment_post_ID ) ||
(
empty( $post->post_password ) &&
current_user_can( 'read_post', $comment->comment_post_ID )
)
) {
// The user has access to the post
} else {
return false;
}

echo "<tr id='comment-$comment->comment_ID' class='$the_comment_class'>";
$this->single_row_columns( $comment );
echo "</tr>\n";
Expand Down
14 changes: 14 additions & 0 deletions wp-admin/includes/class-wp-list-table.php
Original file line number Diff line number Diff line change
Expand Up @@ -824,6 +824,20 @@ protected function comments_bubble( $post_id, $pending_comments ) {
$pending_comments_number
);

$post_object = get_post( $post_id );
$edit_post_cap = $post_object ? 'edit_post' : 'edit_posts';
if (
current_user_can( $edit_post_cap, $post_id ) ||
(
empty( $post_object->post_password ) &&
current_user_can( 'read_post', $post_id )
)
) {
// The user has access to the post and thus can see comments
} else {
return false;
}

if ( ! $approved_comments && ! $pending_comments ) {
// No comments at all.
printf(
Expand Down
3 changes: 1 addition & 2 deletions wp-admin/includes/class-wp-upgrader.php
Original file line number Diff line number Diff line change
Expand Up @@ -1206,8 +1206,7 @@ public function delete_temp_backup() {
if ( ! $wp_filesystem->delete( $temp_backup_dir, true ) ) {
$errors->add(
'temp_backup_delete_failed',
sprintf( $this->strings['temp_backup_delete_failed'] ),
$args['slug']
sprintf( $this->strings['temp_backup_delete_failed'], $args['slug'] )
);
continue;
}
Expand Down
11 changes: 10 additions & 1 deletion wp-admin/includes/dashboard.php
Original file line number Diff line number Diff line change
Expand Up @@ -1103,7 +1103,16 @@ function wp_dashboard_recent_comments( $total_items = 5 ) {

echo '<ul id="the-comment-list" data-wp-lists="list:comment">';
foreach ( $comments as $comment ) {
_wp_dashboard_recent_comments_row( $comment );
$comment_post = get_post( $comment->comment_post_ID );
if (
current_user_can( 'edit_post', $comment->comment_post_ID ) ||
(
empty( $comment_post->post_password ) &&
current_user_can( 'read_post', $comment->comment_post_ID )
)
) {
_wp_dashboard_recent_comments_row( $comment );
}
}
echo '</ul>';

Expand Down
82 changes: 68 additions & 14 deletions wp-admin/includes/user.php
Original file line number Diff line number Diff line change
Expand Up @@ -636,6 +636,7 @@ function admin_created_user_email( $text ) {
*
* @since 5.6.0
* @since 6.2.0 Allow insecure HTTP connections for the local environment.
* @since 6.3.2 Validates the success and reject URLs to prevent javascript pseudo protocol being executed.
*
* @param array $request {
* The array of request data. All arguments are optional and may be empty.
Expand All @@ -649,27 +650,24 @@ function admin_created_user_email( $text ) {
* @return true|WP_Error True if the request is valid, a WP_Error object contains errors if not.
*/
function wp_is_authorize_application_password_request_valid( $request, $user ) {
$error = new WP_Error();
$is_local = 'local' === wp_get_environment_type();

if ( ! empty( $request['success_url'] ) ) {
$scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
$error = new WP_Error();

if ( 'http' === $scheme && ! $is_local ) {
if ( isset( $request['success_url'] ) ) {
$validated_success_url = wp_is_authorize_application_redirect_url_valid( $request['success_url'] );
if ( is_wp_error( $validated_success_url ) ) {
$error->add(
'invalid_redirect_scheme',
__( 'The success URL must be served over a secure connection.' )
$validated_success_url->get_error_code(),
$validated_success_url->get_error_message()
);
}
}

if ( ! empty( $request['reject_url'] ) ) {
$scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );

if ( 'http' === $scheme && ! $is_local ) {
if ( isset( $request['reject_url'] ) ) {
$validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] );
if ( is_wp_error( $validated_reject_url ) ) {
$error->add(
'invalid_redirect_scheme',
__( 'The rejection URL must be served over a secure connection.' )
$validated_reject_url->get_error_code(),
$validated_reject_url->get_error_message()
);
}
}
Expand Down Expand Up @@ -698,3 +696,59 @@ function wp_is_authorize_application_password_request_valid( $request, $user ) {

return true;
}

/**
* Validates the redirect URL protocol scheme. The protocol can be anything except http and javascript.
*
* @since 6.3.2
*
* @param string $url - The redirect URL to be validated.
*
* @return true|WP_Error True if the redirect URL is valid, a WP_Error object otherwise.
*/
function wp_is_authorize_application_redirect_url_valid( $url ) {
$bad_protocols = array( 'javascript', 'data' );
if ( empty( $url ) ) {
return true;
}

// Based on https://www.rfc-editor.org/rfc/rfc2396#section-3.1
$valid_scheme_regex = '/^[a-zA-Z][a-zA-Z0-9+.-]*:/';
if ( ! preg_match( $valid_scheme_regex, $url ) ) {
return new WP_Error(
'invalid_redirect_url_format',
__( 'Invalid URL format.' )
);
}

/**
* Filters the list of invalid protocols used in applications redirect URLs.
*
* @since 6.3.2
*
* @param string[] $bad_protocols Array of invalid protocols.
* @param string $url The redirect URL to be validated.
*/
$invalid_protocols = array_map( 'strtolower', apply_filters( 'wp_authorize_application_redirect_url_invalid_protocols', $bad_protocols, $url ) );

$scheme = wp_parse_url( $url, PHP_URL_SCHEME );
$host = wp_parse_url( $url, PHP_URL_HOST );
$is_local = 'local' === wp_get_environment_type();

// validates if the proper URI format is applied to the $url
if ( empty( $host ) || empty( $scheme ) || in_array( strtolower( $scheme ), $invalid_protocols, true ) ) {
return new WP_Error(
'invalid_redirect_url_format',
__( 'Invalid URL format.' )
);
}

if ( 'http' === $scheme && ! $is_local ) {
return new WP_Error(
'invalid_redirect_scheme',
__( 'The URL must be served over a secure connection.' )
);
}

return true;
}
4 changes: 4 additions & 0 deletions wp-includes/Requests/src/Hooks.php
Original file line number Diff line number Diff line change
Expand Up @@ -96,4 +96,8 @@ public function dispatch($hook, $parameters = []) {

return true;
}

public function __wakeup() {
throw new \LogicException( __CLASS__ . ' should never be unserialized' );
}
}
14 changes: 14 additions & 0 deletions wp-includes/Requests/src/Iri.php
Original file line number Diff line number Diff line change
Expand Up @@ -717,6 +717,20 @@ public function is_valid() {
return true;
}

public function __wakeup() {
$class_props = get_class_vars( __CLASS__ );
$string_props = array( 'scheme', 'iuserinfo', 'ihost', 'port', 'ipath', 'iquery', 'ifragment' );
$array_props = array( 'normalization' );
foreach ( $class_props as $prop => $default_value ) {
if ( in_array( $prop, $string_props, true ) && ! is_string( $this->$prop ) ) {
throw new UnexpectedValueException();
} elseif ( in_array( $prop, $array_props, true ) && ! is_array( $this->$prop ) ) {
throw new UnexpectedValueException();
}
$this->$prop = null;
}
}

/**
* Set the entire IRI. Returns true on success, false on failure (if there
* are any invalid characters).
Expand Down
4 changes: 4 additions & 0 deletions wp-includes/Requests/src/Session.php
Original file line number Diff line number Diff line change
Expand Up @@ -265,6 +265,10 @@ public function request_multiple($requests, $options = []) {
return Requests::request_multiple($requests, $options);
}

public function __wakeup() {
throw new \LogicException( __CLASS__ . ' should never be unserialized' );
}

/**
* Merge a request's data with the default data
*
Expand Down
Loading

0 comments on commit ba169f6

Please sign in to comment.