This commit updates `wp_resolve_post_date()` to use a regular expression for parsing the date string into year, month, and day matches. This approach handles missing leading zeros more reliably than `substr()` while remaining performant (see #57683).
It also adds checks and type-casting to `wp_checkdate()` variables before passing them into PHP's `checkdate()` function to avoid the potential for a `TypeError` in PHP 8 and newer (see #54186).
Lastly, it includes 2 new unit tests (with data providers) to cover an array of valid and invalid date formats (YYYY-MM-DD, YYYY-MM-DD HH:MM:SS, ISO 8601, RSS, leap years, malformed inputs, etc.).
Props alordiel, desrosj, johnbillion, johnjamesjacoby, johnregan3, modius5150, nacin, pbearne.
Fixes #26798.
Built from https://develop.svn.wordpress.org/trunk@61172
git-svn-id: http://core.svn.wordpress.org/trunk@60508 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Several PHP functions that have not been doing anything since PHP 8.0/8.1, specifically:
* `finfo_close()` since the `ext/fileinfo` migration in PHP 8.1
* `xml_parser_free()` since the `ext/xml` migration in PHP 8.0
* `curl_close()` since the `ext/curl` migration in PHP 8.0
* `curl_share_close()` since the `ext/curl` migration in PHP 8.0
* `imagedestroy()` since the `ext/gd` migration in PHP 8.0
will be deprecated in PHP 8.5 and will thus be throwing warnings.
This commit adds conditional checks to only call these functions on the relevant PHP versions.
Reference: [https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_no-op_functions_from_the_resource_to_object_conversion PHP RFC: Deprecations for PHP 8.5: Deprecate no-op functions from the resource to object conversion].
Props TobiasBg, SergeyBiryukov.
See #63061.
Built from https://develop.svn.wordpress.org/trunk@60703
git-svn-id: http://core.svn.wordpress.org/trunk@60039 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Corrects the type for the `$time` and `$previous_time` parameters in the filter to indicate the times are expressed as strings. The values are generated from a call to `microtime()` which returns the time as a string in the form `msec sec`.
Props tillkruess, westonruter.
Fixes #63194.
Built from https://develop.svn.wordpress.org/trunk@60128
git-svn-id: http://core.svn.wordpress.org/trunk@59464 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Application passwords that aren't hashed using BLAKE2b should be checked using `wp_check_password()` rather than assuming they were hashed with phpass. This provides full back compat support for application passwords that were created via an overridden `wp_hash_password()` function that uses an alternative hashing algorithm.
Props snicco, debarghyabanerjee, peterwilsoncc, jorbin, johnbillion.
Fixes #63203
Built from https://develop.svn.wordpress.org/trunk@60123
git-svn-id: http://core.svn.wordpress.org/trunk@59459 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Includes:
* Standardizing on the `bool` type for the `$gmt` parameter between `current_time()` and `date_i18n()`.
* Documenting `null` as an acceptable value for `$timestamp` and `$timezone` parameters in `wp_date()`.
* Removing a redundant note on the `$gmt` parameter for the `date_i18n` filter, as defaults are normally only documented for function parameters.
Follow-up to [1001], [9616], [28109], [45901].
Props dilipbheda.
Fixes #63207.
Built from https://develop.svn.wordpress.org/trunk@60119
git-svn-id: http://core.svn.wordpress.org/trunk@59455 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This reduces the hash length from 32 bytes to 30 so the overall length of an activation key after encoding, prefixing, and prepending a timestamp fits into 60 bytes.
A key is also introduced for domain separation. This doesn't affect the output length.
Props dd32, paragoninitiativeenterprises, peterwilsoncc, johnbillion
Fixes #21022
Built from https://develop.svn.wordpress.org/trunk@59904
git-svn-id: http://core.svn.wordpress.org/trunk@59246 1a063a9b-81f0-0310-95a4-ce76da25c4cd
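The two commit messages above describe a 30-byte keyed hash that keeps a timestamped activation key within 60 bytes, and a check that only treats BLAKE2b records as fast hashes and hands anything else to a general verifier. The PHP sketch below is an added example, not WordPress core code: the key, the `$generic$` prefix, the `demo_*` names and the use of `password_verify()` as the fallback are assumptions, and it needs the sodium extension.

```php
<?php
// Added illustration, not WordPress core code. The key, prefix and function
// names below are assumptions made for this example.
const DEMO_KEY    = 'demo-domain-separation-key'; // BLAKE2b keys must be 16-64 bytes
const DEMO_PREFIX = '$generic$';                  // assumed marker for fast hashes
const DEMO_BYTES  = 30;                           // digest length named in the commit

// Keyed BLAKE2b digest, URL-safe base64 without padding, then prefixed.
function demo_fast_hash( string $message, int $bytes = DEMO_BYTES ): string {
	$raw = sodium_crypto_generichash( $message, DEMO_KEY, $bytes );
	return DEMO_PREFIX . sodium_bin2base64( $raw, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING );
}

// Prefix-dispatched verification: fast hashes are recomputed and compared in
// constant time; every other stored format is passed to the fallback verifier
// instead of being assumed to use one particular legacy algorithm.
function demo_verify( string $secret, string $stored, callable $fallback ): bool {
	if ( 0 === strpos( $stored, DEMO_PREFIX ) ) {
		return hash_equals( $stored, demo_fast_hash( $secret ) );
	}
	return (bool) $fallback( $secret, $stored );
}

// Stored form of an activation key: "<unix timestamp>:<fast hash>".
function demo_activation_record( string $key, int $now, int $bytes = DEMO_BYTES ): string {
	return $now . ':' . demo_fast_hash( $key, $bytes );
}

$secret = 'constructed-secret-0001'; // constructed sample value
$now    = 1700000000;                // constructed 10-digit timestamp

// Compare the stored length for a 32-byte and a 30-byte digest.
foreach ( array( 32, 30 ) as $bytes ) {
	$record = demo_activation_record( $secret, $now, $bytes );
	printf( "%d-byte digest -> record length %d\n", $bytes, strlen( $record ) );
}

// Domain separation: the same input without the key gives an unrelated digest.
$unkeyed = sodium_crypto_generichash( $secret, '', DEMO_BYTES );
$keyed   = sodium_crypto_generichash( $secret, DEMO_KEY, DEMO_BYTES );
printf( "keyed equals unkeyed: %s\n", var_export( hash_equals( $keyed, $unkeyed ), true ) );

// A record in another format (bcrypt here, constructed) goes to the fallback.
$other = password_hash( $secret, PASSWORD_BCRYPT );
var_dump( demo_verify( $secret, demo_fast_hash( $secret ), 'password_verify' ) );
var_dump( demo_verify( $secret, $other, 'password_verify' ) );
var_dump( demo_verify( 'wrong-guess', $other, 'password_verify' ) );
```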
Passwords and security keys that were saved in prior versions of WordPress will continue to work. Each user's password will be opportunistically rehashed and resaved when they next subsequently log in using a valid password.
The following new functions have been introduced:
* `wp_password_needs_rehash()`
* `wp_fast_hash()`
* `wp_verify_fast_hash()`
The following new filters have been introduced:
* `password_needs_rehash`
* `wp_hash_password_algorithm`
* `wp_hash_password_options`
Props ayeshrajans, bgermann, dd32, deadduck169, desrosj, haozi, harrym, iandunn, jammycakes, joehoyle, johnbillion, mbijon, mojorob, mslavco, my1xt, nacin, otto42, paragoninitiativeenterprises, paulkevan, rmccue, ryanhellyer, scribu, swalkinshaw, synchro, th23, timothyblynjacobs, tomdxw, westi, xknown.
Additional thanks go to the Roots team, Soatok, Calvin Alkan, and Raphael Ahrens.
Fixes #21022, #44628
Built from https://develop.svn.wordpress.org/trunk@59828
git-svn-id: http://core.svn.wordpress.org/trunk@59170 1a063a9b-81f0-0310-95a4-ce76da25c4cd
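The opportunistic rehash described in the commit message above can only happen at login, because that is the one moment the plaintext is available to hash again. The following PHP sketch is an added example built on PHP's native password API, not WordPress core code: the in-memory user array, the `demo_login()` name and the bcrypt cost values are assumptions standing in for the stored policy and the current one.

```php
<?php
// Added illustration using PHP's native password API; not WordPress core code.
// The user store is an in-memory array and the cost values are constructed.
const CURRENT_ALGO    = PASSWORD_BCRYPT;
const CURRENT_OPTIONS = array( 'cost' => 10 );

// Verify first; rehash and resave only after a successful verification,
// so a failed login can never overwrite the stored hash.
function demo_login( array &$users, string $login, string $password ): array {
	$result = array( 'ok' => false, 'rehashed' => false );

	if ( ! isset( $users[ $login ] ) ) {
		return $result;
	}

	$stored = $users[ $login ];
	if ( ! password_verify( $password, $stored ) ) {
		return $result;
	}
	$result['ok'] = true;

	// The stored hash still verifies, but was created under an older policy.
	if ( password_needs_rehash( $stored, CURRENT_ALGO, CURRENT_OPTIONS ) ) {
		$users[ $login ]    = password_hash( $password, CURRENT_ALGO, CURRENT_OPTIONS );
		$result['rehashed'] = true;
	}

	return $result;
}

// Constructed account whose hash was saved under a weaker, older policy.
$users = array(
	'alice' => password_hash( 'constructed-passphrase', PASSWORD_BCRYPT, array( 'cost' => 4 ) ),
);
$before = $users['alice'];

// Wrong password: rejected, stored hash untouched.
var_dump( demo_login( $users, 'alice', 'wrong-guess' ), $users['alice'] === $before );

// Valid password: accepted, hash upgraded and resaved.
var_dump( demo_login( $users, 'alice', 'constructed-passphrase' ), $users['alice'] === $before );

// Next valid login: accepted, nothing left to upgrade.
var_dump( demo_login( $users, 'alice', 'constructed-passphrase' ) );
```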
This changeset improves a bunch of error messages, notably replacing the good old cryptic "Something went wrong" message with more helpful information.
Props peterwilsoncc, netweb, karmatosed, JoshuaWold, mrtortai, audrasjb, sukhendu2002, joedolson.
Fixes #43622.
Built from https://develop.svn.wordpress.org/trunk@59790
git-svn-id: http://core.svn.wordpress.org/trunk@59132 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The intention of these headers is to prevent any form of caching, whether that's in the browser or in an intermediate cache such as a proxy server. These directives instruct an intermediate cache to not store the response in their cache for any user – not just for logged-in users.
This does not affect the caching behaviour of assets within a page such as images, CSS, and JavaScript files.
Props kkmuffme, devansh2002, johnbillion.
Fixes #61942
Built from https://develop.svn.wordpress.org/trunk@59724
git-svn-id: http://core.svn.wordpress.org/trunk@59066 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This sets the same referrer policy of `strict-origin-when-cross-origin` that's used in the admin area to prevent a referrer being sent to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within the URL.
The header can be disabled if necessary by removing the `wp_admin_headers` action from the `login_init` hook.
Props kkmuffme, sagarlakhani, albatross10
Fixes #62273
See #42036
Built from https://develop.svn.wordpress.org/trunk@59712
git-svn-id: http://core.svn.wordpress.org/trunk@59054 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Partially reverts [59479] and [59461], which previously tried to move some functions from `wp-admin/includes/plugin.php` to `wp-includes/functions.php` so they are available early, so that `get_plugin_data()` can be used.
However, other functions from that file are often used by plugins without necessarily checking whether they are available, easily causing fatal errors. Requiring this file directly is a safer approach to avoid such errors.
Props peterwilsoncc, dd32, swissspidy, johnbillion.
Fixes #62244.
Built from https://develop.svn.wordpress.org/trunk@59488
git-svn-id: http://core.svn.wordpress.org/trunk@58874 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This is a follow-up to [59461], which moved `get_plugin_data()` from `wp-admin/includes/plugin.php` to `wp-includes/functions.php` so it's available during the plugin loading process.
Related functions like `is_plugin_active()` are often used together and should therefore be moved as well, to improve backward compatibility for plugins which load `wp-admin/includes/plugin.php` only conditionally.
Props johnbillion, dd32, swissspidy.
See #62244.
Built from https://develop.svn.wordpress.org/trunk@59479
git-svn-id: http://core.svn.wordpress.org/trunk@58865 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This addresses several instances of `gmdate( 'w' )` being used directly as an integer, when it's actually a numeric string. The issue is remediated by casting the value to `int` before use.
Affected functions:
* `get_calendar()`
* `get_weekstartend()`
Follow-up to [508], [1632].
Props justlevine.
See #52217.
Built from https://develop.svn.wordpress.org/trunk@59471
git-svn-id: http://core.svn.wordpress.org/trunk@58857 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In #34114, just-in-time (JIT) translation loading was implemented for projects hosted on WordPress.org. This is now expanded to all other plugins/themes.
Projects with a custom `Text Domain` and `Domain Path` header no longer need to call `load_plugin_textdomain()` or `load_theme_textdomain()`.
This reduces the risk of calling them too late, after some translation calls already happened, and generally makes it easier to properly internationalize a plugin or theme.
This moves the `get_plugin_data()` from `wp-admin/includes/plugin.php` to `wp-includes/functions.php` so it's available during the plugin loading process.
Props swissspidy.
Fixes #62244.
Built from https://develop.svn.wordpress.org/trunk@59461
git-svn-id: http://core.svn.wordpress.org/trunk@58847 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When uploading `wav` files in the editor, Chrome and other browsers identify the mime type of the file as `audio/wav`. Firefox, however, identifies the mime type as `audio/x-wav`.
This commit updates the `'wav'` mime type key in `wp_get_mime_types()` to support `x-wav` so that uploading wav files works in Firefox. Previously, the editor reported an unsupported mime type error.
Props imranh920, ramonopoly.
Fixes #61948.
Built from https://develop.svn.wordpress.org/trunk@59389
git-svn-id: http://core.svn.wordpress.org/trunk@58775 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Relocate the definition of `absint()` to `load.php` to allow it to be available to `get_current_blog_id()` and `get_current_network_id()`. These functions may be called by caching drop-ins, prior to the loading of `functions.php`.
Props flixos90, geekofshire, johnjamesjacoby, sergeybiryukov, wonderboymusic.
Fixes #40682.
Built from https://develop.svn.wordpress.org/trunk@59242
git-svn-id: http://core.svn.wordpress.org/trunk@58634 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Cache the unmodified `$wp_version` value as a static. This retains the current behaviour during the upgrade process of `$wp_version` referencing the version of WordPress being upgraded from.
Follow up to [58848].
Props Cybr, debarghyabanerjee, mukesh27, costdev, SergeyBiryukov, TobiasBg, desrosj, azaozz.
Fixes #61782.
Built from https://develop.svn.wordpress.org/trunk@59192
git-svn-id: http://core.svn.wordpress.org/trunk@58587 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Removes the automatic addition of `rel="noopener noreferrer"` from links targeting a new tab or window, `target='_blank'`. Since this was introduced, supported browsers have changed their security policies and no longer allow the opened link to have JavaScript access to the previous tab.
Deprecates:
* `wp_targeted_link_rel()`
* `wp_targeted_link_rel_callback()`
* `wp_init_targeted_link_rel_filters()`: converted to a noop function
* `wp_remove_targeted_link_rel_filters()`: converted to a noop function
The deprecated functions are retained in `formatting.php` as in `SHORTINIT` mode the file is included while `deprecated.php` is not.
This also removes the `noopener` from links hard coded within the WordPress dashboard linking to documentation and other resources.
Props audrasjb, azaozz, dhruval04, dorzki, neo2k23, presskopp, sabernhardt, swissspidy, tobiasbg.
Fixes #53843.
Built from https://develop.svn.wordpress.org/trunk@59120
git-svn-id: http://core.svn.wordpress.org/trunk@58516 1a063a9b-81f0-0310-95a4-ce76da25c4cd
PHP 8.4 deprecates the use of `trigger_error()` with `E_USER_ERROR` as the error level, as there are a number of gotchas to this way of creating a `Fatal Error` (`finally` blocks not executing, destructors not executing). The recommended replacements are either to use exceptions or to do a hard `exit`.
WP has its own `wp_trigger_error()` function, which under the hood calls `trigger_error()`. If passed `E_USER_ERROR` as the `$error_level`, this will hit the PHP 8.4 deprecation.
Now, there were basically three options:
* Silence the deprecation until PHP 9.0 and delay properly solving this until then. This would lead to an awkward solution, as prior to PHP 8.0, error silencing would apply to all errors, while, as of PHP 8.0, it will no longer apply to fatal errors. It also would only buy us some time and wouldn't actually solve anything.
* Use `exit($status)` when `wp_trigger_error()` is called with `E_USER_ERROR`. This would make the code untestable and would disable handling of these errors via custom error handlers, which makes this an undesirable solution.
* Throw an exception when `wp_trigger_error()` is called with `E_USER_ERROR`. This makes for the most elegant solution with the least BC-breaking impact, though it does open it up to the error potential being "caught" via a `try-catch`. That's not actually a bad thing and is likely to only happen for those errors which can be worked around, in which case, it's a bonus that that's now possible.
The third option is implemented which:
* Introduces a new `WP_Exception` class.
* Starts using `WP_Exception` in the `wp_trigger_error()` function when the `$error_level` is set to `E_USER_ERROR`.
This change is covered by pre-existing tests, which have been updated to expect the exception instead of a PHP error.
Why not use `WP_Error`?
Well, for one, this would lead to completely different behaviour (BC).
As `WP_Error` doesn't extend `Exception`, the program would not be stopped, but would continue running, which would be a much bigger breaking change and carries security risks. `WP_Error` also doesn't natively trigger displaying/logging of the error message, so in that case, it would still need an `exit` with the error message, bringing us back to point 2 above.
Introducing `WP_Exception` provides (essentially) the same behaviour in that it retains the fatal error and error message displaying/logging behaviors. It also introduces a base Exception class, from which future exception classes can extend.
References:
* https://wiki.php.net/rfc/deprecations_php_8_4#deprecate_passing_e_user_error_to_trigger_error
* https://www.php.net/manual/en/migration80.incompatible.php
Follow-up to [56530].
Props jrf, hellofromTonya.
See #62061.
Built from https://develop.svn.wordpress.org/trunk@59107
git-svn-id: http://core.svn.wordpress.org/trunk@58503 1a063a9b-81f0-0310-95a4-ce76da25c4cd
It is recommended that for every option it is explicitly set whether to autoload it or not. This changeset updates relevant `update_option()` and `add_option()` calls.
Note that the `$autoload` parameter is only needed for `update_option()` if the option is potentially not present yet, i.e. the call will pass through to `add_option()`. Since WordPress core adds the majority of its options to the database during installation, only `update_option()` calls for dynamically added options need to be modified, which is what this changeset does.
As part of revisiting the autoload values for dynamically added WordPress core options, this changeset modifies some options to no longer be autoloaded, since they are only accessed in a few specific places that are not relevant for a regular request. These options are:
* `recently_activated`
* `_wp_suggested_policy_text_has_changed`
* `{upgradeLock}.lock`
* `dashboard_widget_options`
* `ftp_credentials`
* `adminhash`
* `nav_menu_options`
* `wp_force_deactivated_plugins`
* `delete_blog_hash`
* `allowedthemes`
* `{sessionId}_paused_extensions`
* `recovery_keys`
* `https_detection_errors`
* `fresh_site`
An upgrade routine is present as well that sets those options to no longer autoload for existing sites.
Props pbearne, flixos90, mukesh27, swissspidy, SergeyBiryukov, joemcgill, adamsilverstein.
Fixes #61103.
Built from https://develop.svn.wordpress.org/trunk@58975
git-svn-id: http://core.svn.wordpress.org/trunk@58371 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Prevents a potential type error when calling `current_time( 'timestamp' )` by casting `get_option( 'gmt_offset' )` to a float prior to performing calculations with the value.
This mainly accounts for incorrect storage of values, such as an empty string or city name.
Follow up to [45856], [55054], [55598].
Props hellofromtonya, peterwilsoncc, rarst, costdev, Nick_theGeek, SergeyBiryukov, johnbillion, desrosj, reputeinfosystems, audrasjb, oglekler.
Fixes #57035.
Built from https://develop.svn.wordpress.org/trunk@58923
git-svn-id: http://core.svn.wordpress.org/trunk@58319 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Automatically create a JPEG version of uploaded HEIC images if the server has
a version of Imagick that supports HEIC. Conversion is done silently through
the existing `WP_Image_Editor` infrastructure that creates multiple sizes of
uploaded images.
This allows users to view HEIC images in WP Admin and use them in their posts
and pages regardless of whether their browser supports HEIC. Browser support
for HEIC is relatively low (only Safari) while the occurrence of HEIC images is
relatively common. The original HEIC image can be downloaded via a link on
the attachment page.
Props adamsilverstein, noisysocks, swissspidy, spacedmonkey, peterwilsoncc.
Fixes #53645.
Built from https://develop.svn.wordpress.org/trunk@58849
git-svn-id: http://core.svn.wordpress.org/trunk@58245 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Removes the static storing the version number in `wp_get_wp_version()` to ensure the version number is reported correctly after a WordPress upgrade is completed.
Reverts [58827].
Props costdev, SergeyBiryukov, Cybr.
See #61782.
Built from https://develop.svn.wordpress.org/trunk@58848
git-svn-id: http://core.svn.wordpress.org/trunk@58244 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Update `is_wp_version_compatible()` to use `wp_get_wp_version()` introduced in [58813] to ensure the value of `$wp_version` has not been modified by a theme or plugin.
Props costdev, mukesh27, Cybr, sergeybiryukov.
Fixes #61781.
Built from https://develop.svn.wordpress.org/trunk@58843
git-svn-id: http://core.svn.wordpress.org/trunk@58239 1a063a9b-81f0-0310-95a4-ce76da25c4cd