Merge branch 'trunk' into fix/59516-improve-wp-query-cache-hits

WordPress · Feb 4, 2025 · dcdf2f5 · dcdf2f5
2 parents 62db25a + 7d10dd7
commit dcdf2f5
Show file tree

Hide file tree

Showing 17 changed files with 241 additions and 45 deletions.
diff --git a/src/wp-admin/includes/class-wp-importer.php b/src/wp-admin/includes/class-wp-importer.php
@@ -195,7 +195,13 @@ public function cmpr_strlen( $a, $b ) {
 	 * @param bool   $head
 	 * @return array
 	 */
-	public function get_page( $url, $username = '', $password = '', $head = false ) {
+	public function get_page(
+		$url,
+		$username = '',
+		#[\SensitiveParameter]
+		$password = '',
+		$head = false
+	) {
 		// Increase the timeout.
 		add_filter( 'http_request_timeout', array( $this, 'bump_request_timeout' ) );
 

diff --git a/src/wp-admin/includes/class-wp-list-table.php b/src/wp-admin/includes/class-wp-list-table.php
@@ -763,11 +763,11 @@ protected function months_dropdown( $post_type ) {
 			return;
 		}
 
-		$m = isset( $_GET['m'] ) ? (int) $_GET['m'] : 0;
+		$selected_month = isset( $_GET['m'] ) ? (int) $_GET['m'] : 0;
 		?>
 		<label for="filter-by-date" class="screen-reader-text"><?php echo get_post_type_object( $post_type )->labels->filter_by_date; ?></label>
 		<select name="m" id="filter-by-date">
-			<option<?php selected( $m, 0 ); ?> value="0"><?php _e( 'All dates' ); ?></option>
+			<option<?php selected( $selected_month, 0 ); ?> value="0"><?php _e( 'All dates' ); ?></option>
 		<?php
 		foreach ( $months as $arc_row ) {
 			if ( 0 === (int) $arc_row->year ) {
@@ -779,7 +779,7 @@ protected function months_dropdown( $post_type ) {
 
 			printf(
 				"<option %s value='%s'>%s</option>\n",
-				selected( $m, $year . $month, false ),
+				selected( $selected_month, $year . $month, false ),
 				esc_attr( $arc_row->year . $month ),
 				/* translators: 1: Month name, 2: 4-digit year. */
 				sprintf( __( '%1$s %2$d' ), $wp_locale->get_month( $month ), $year )

diff --git a/src/wp-admin/includes/upgrade.php b/src/wp-admin/includes/upgrade.php
@@ -44,7 +44,16 @@
 	 *     @type string $password_message The explanatory message regarding the password.
 	 * }
 	 */
-	function wp_install( $blog_title, $user_name, $user_email, $is_public, $deprecated = '', $user_password = '', $language = '' ) {
+	function wp_install(
+		$blog_title,
+		$user_name,
+		$user_email,
+		$is_public,
+		$deprecated = '',
+		#[\SensitiveParameter]
+		$user_password = '',
+		$language = ''
+	) {
 		if ( ! empty( $deprecated ) ) {
 			_deprecated_argument( __FUNCTION__, '2.6.0' );
 		}
@@ -563,7 +572,13 @@ function wp_install_maybe_enable_pretty_permalinks() {
 	 * @param string $password   Administrator's password. Note that a placeholder message is
 	 *                           usually passed instead of the actual password.
 	 */
-	function wp_new_blog_notification( $blog_title, $blog_url, $user_id, $password ) {
+	function wp_new_blog_notification(
+		$blog_title,
+		$blog_url,
+		$user_id,
+		#[\SensitiveParameter]
+		$password
+	) {
 		$user      = new WP_User( $user_id );
 		$email     = $user->user_email;
 		$name      = $user->user_login;

diff --git a/src/wp-includes/blocks.php b/src/wp-includes/blocks.php
@@ -2638,7 +2638,7 @@ static function ( $format ) {
 			$query['s'] = $block->context['query']['search'];
 		}
 		if ( ! empty( $block->context['query']['parents'] ) && is_post_type_hierarchical( $query['post_type'] ) ) {
-			$query['post_parent__in'] = array_filter( array_map( 'intval', $block->context['query']['parents'] ) );
+			$query['post_parent__in'] = array_unique( array_map( 'intval', $block->context['query']['parents'] ) );
 		}
 	}
 

diff --git a/src/wp-includes/class-wp-application-passwords.php b/src/wp-includes/class-wp-application-passwords.php
@@ -459,7 +459,10 @@ protected static function set_user_application_passwords( $user_id, $passwords )
 	 * @param string $raw_password The raw application password.
 	 * @return string The chunked password.
 	 */
-	public static function chunk_password( $raw_password ) {
+	public static function chunk_password(
+		#[\SensitiveParameter]
+		$raw_password
+	) {
 		$raw_password = preg_replace( '/[^a-z\d]/i', '', $raw_password );
 
 		return trim( chunk_split( $raw_password, 4, ' ' ) );

diff --git a/src/wp-includes/class-wp-block-styles-registry.php b/src/wp-includes/class-wp-block-styles-registry.php
@@ -93,6 +93,11 @@ public function register( $block_name, $style_properties ) {
 		$block_style_name = $style_properties['name'];
 		$block_names      = is_string( $block_name ) ? array( $block_name ) : $block_name;
 
+		// Ensure there is a label defined.
+		if ( empty( $style_properties['label'] ) ) {
+			$style_properties['label'] = $block_style_name;
+		}
+
 		foreach ( $block_names as $name ) {
 			if ( ! isset( $this->registered_block_styles[ $name ] ) ) {
 				$this->registered_block_styles[ $name ] = array();

diff --git a/src/wp-includes/class-wp-xmlrpc-server.php b/src/wp-includes/class-wp-xmlrpc-server.php
@@ -285,7 +285,11 @@ public function addTwoNumbers( $args ) {
 	 * @param string $password User's password.
 	 * @return WP_User|false WP_User object if authentication passed, false otherwise.
 	 */
-	public function login( $username, $password ) {
+	public function login(
+		$username,
+		#[\SensitiveParameter]
+		$password
+	) {
 		if ( ! $this->is_enabled ) {
 			$this->error = new IXR_Error( 405, sprintf( __( 'XML-RPC services are disabled on this site.' ) ) );
 			return false;
@@ -330,7 +334,11 @@ public function login( $username, $password ) {
 	 * @param string $password User's password.
 	 * @return bool Whether authentication passed.
 	 */
-	public function login_pass_ok( $username, $password ) {
+	public function login_pass_ok(
+		$username,
+		#[\SensitiveParameter]
+		$password
+	) {
 		return (bool) $this->login( $username, $password );
 	}
 

diff --git a/src/wp-includes/class-wpdb.php b/src/wp-includes/class-wpdb.php
@@ -749,7 +749,13 @@ class wpdb {
 	 * @param string $dbname     Database name.
 	 * @param string $dbhost     Database host.
 	 */
-	public function __construct( $dbuser, $dbpassword, $dbname, $dbhost ) {
+	public function __construct(
+		$dbuser,
+		#[\SensitiveParameter]
+		$dbpassword,
+		$dbname,
+		$dbhost
+	) {
 		if ( WP_DEBUG && WP_DEBUG_DISPLAY ) {
 			$this->show_errors();
 		}

diff --git a/src/wp-includes/ms-functions.php b/src/wp-includes/ms-functions.php
@@ -938,7 +938,16 @@ function wpmu_signup_user( $user, $user_email, $meta = array() ) {
  * @param array  $meta       Optional. Signup meta data. By default, contains the requested privacy setting and lang_id.
  * @return bool
  */
-function wpmu_signup_blog_notification( $domain, $path, $title, $user_login, $user_email, $key, $meta = array() ) {
+function wpmu_signup_blog_notification(
+	$domain,
+	$path,
+	$title,
+	$user_login,
+	$user_email,
+	#[\SensitiveParameter]
+	$key,
+	$meta = array()
+) {
 	/**
 	 * Filters whether to bypass the new site email notification.
 	 *
@@ -1073,7 +1082,13 @@ function wpmu_signup_blog_notification( $domain, $path, $title, $user_login, $us
  * @param array  $meta       Optional. Signup meta data. Default empty array.
  * @return bool
  */
-function wpmu_signup_user_notification( $user_login, $user_email, $key, $meta = array() ) {
+function wpmu_signup_user_notification(
+	$user_login,
+	$user_email,
+	#[\SensitiveParameter]
+	$key,
+	$meta = array()
+) {
 	/**
 	 * Filters whether to bypass the email notification for new user sign-up.
 	 *
@@ -1175,7 +1190,10 @@ function wpmu_signup_user_notification( $user_login, $user_email, $key, $meta =
  * @param string $key The activation key provided to the user.
  * @return array|WP_Error An array containing information about the activated user and/or blog.
  */
-function wpmu_activate_signup( $key ) {
+function wpmu_activate_signup(
+	#[\SensitiveParameter]
+	$key
+) {
 	global $wpdb;
 
 	$signup = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->signups WHERE activation_key = %s", $key ) );
@@ -1327,7 +1345,12 @@ function wp_delete_signup_on_user_delete( $id, $reassign, $user ) {
  * @param string $email     The new user's email address.
  * @return int|false Returns false on failure, or int $user_id on success.
  */
-function wpmu_create_user( $user_name, $password, $email ) {
+function wpmu_create_user(
+	$user_name,
+	#[\SensitiveParameter]
+	$password,
+	$email
+) {
 	$user_name = preg_replace( '/\s+/', '', sanitize_user( $user_name, true ) );
 
 	$user_id = wp_create_user( $user_name, $password, $email );
@@ -1611,7 +1634,14 @@ function domain_exists( $domain, $path, $network_id = 1 ) {
  * @param array  $meta     Optional. Signup meta data. By default, contains the requested privacy setting and lang_id.
  * @return bool Whether the email notification was sent.
  */
-function wpmu_welcome_notification( $blog_id, $user_id, $password, $title, $meta = array() ) {
+function wpmu_welcome_notification(
+	$blog_id,
+	$user_id,
+	#[\SensitiveParameter]
+	$password,
+	$title,
+	$meta = array()
+) {
 	$current_network = get_network();
 
 	/**
@@ -1845,7 +1875,12 @@ function wpmu_new_site_admin_notification( $site_id, $user_id ) {
  * @param array  $meta     Optional. Signup meta data. Default empty array.
  * @return bool
  */
-function wpmu_welcome_user_notification( $user_id, $password, $meta = array() ) {
+function wpmu_welcome_user_notification(
+	$user_id,
+	#[\SensitiveParameter]
+	$password,
+	$meta = array()
+) {
 	$current_network = get_network();
 
 	/**
@@ -2271,7 +2306,12 @@ function add_existing_user_to_blog( $details = false ) {
  * @param string $password User password. Ignored.
  * @param array  $meta     Signup meta data.
  */
-function add_new_user_to_blog( $user_id, $password, $meta ) {
+function add_new_user_to_blog(
+	$user_id,
+	#[\SensitiveParameter]
+	$password,
+	$meta
+) {
 	if ( ! empty( $meta['add_to_blog'] ) ) {
 		$blog_id = $meta['add_to_blog'];
 		$role    = $meta['new_role'];

diff --git a/src/wp-includes/pluggable-deprecated.php b/src/wp-includes/pluggable-deprecated.php
@@ -101,7 +101,15 @@ function get_user_by_email($email) {
  * @param string $siteurl Optional. Will be used instead of SITECOOKIEPATH if set
  * @param bool $remember Optional. Remember that the user is logged in
  */
-function wp_setcookie($username, $password = '', $already_md5 = false, $home = '', $siteurl = '', $remember = false) {
+function wp_setcookie(
+	$username,
+	#[\SensitiveParameter]
+	$password = '',
+	$already_md5 = false,
+	$home = '',
+	$siteurl = '',
+	$remember = false
+) {
 	_deprecated_function( __FUNCTION__, '2.5.0', 'wp_set_auth_cookie()' );
 	$user = get_user_by('login', $username);
 	wp_set_auth_cookie($user->ID, $remember);
@@ -168,7 +176,12 @@ function wp_get_cookie_login() {
  * @param string $deprecated Not used
  * @return bool True on successful check, false on login failure.
  */
-function wp_login($username, $password, $deprecated = '') {
+function wp_login(
+	$username,
+	#[\SensitiveParameter]
+	$password,
+	$deprecated = ''
+) {
 	_deprecated_function( __FUNCTION__, '2.5.0', 'wp_signon()' );
 	global $error;
 

diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php
@@ -598,7 +598,11 @@ function wp_mail( $to, $subject, $message, $headers = '', $attachments = array()
 	 * @return WP_User|WP_Error WP_User object if the credentials are valid,
 	 *                          otherwise WP_Error.
 	 */
-	function wp_authenticate( $username, $password ) {
+	function wp_authenticate(
+		$username,
+		#[\SensitiveParameter]
+		$password
+	) {
 		$username = sanitize_user( $username );
 		$password = trim( $password );
 
@@ -2631,7 +2635,10 @@ function wp_hash( $data, $scheme = 'auth', $algo = 'md5' ) {
 	 * @param string $password Plain text user password to hash.
 	 * @return string The hash string of the password.
 	 */
-	function wp_hash_password( $password ) {
+	function wp_hash_password(
+		#[\SensitiveParameter]
+		$password
+	) {
 		global $wp_hasher;
 
 		if ( empty( $wp_hasher ) ) {
@@ -2667,7 +2674,12 @@ function wp_hash_password( $password ) {
 	 * @param string|int $user_id  Optional. User ID.
 	 * @return bool False, if the $password does not match the hashed password.
 	 */
-	function wp_check_password( $password, $hash, $user_id = '' ) {
+	function wp_check_password(
+		#[\SensitiveParameter]
+		$password,
+		$hash,
+		$user_id = ''
+	) {
 		global $wp_hasher;
 
 		// If the hash is still md5...
@@ -2863,7 +2875,11 @@ function wp_rand( $min = null, $max = null ) {
 	 * @param string $password The plaintext new user password.
 	 * @param int    $user_id  User ID.
 	 */
-	function wp_set_password( $password, $user_id ) {
+	function wp_set_password(
+		#[\SensitiveParameter]
+		$password,
+		$user_id
+	) {
 		global $wpdb;
 
 		$old_user_data = get_userdata( $user_id );

diff --git a/src/wp-includes/post-template.php b/src/wp-includes/post-template.php
@@ -1780,6 +1780,7 @@ function get_the_password_form( $post = 0 ) {
 	$invalid_password_html = '';
 	$aria                  = '';
 	$class                 = '';
+	$redirect_field        = '';
 
 	// If the referrer is the same as the current request, the user has entered an invalid password.
 	if ( ! empty( $post->ID ) && wp_get_raw_referer() === get_permalink( $post->ID ) && isset( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] ) ) {
@@ -1798,7 +1799,14 @@ function get_the_password_form( $post = 0 ) {
 		$class                 = ' password-form-error';
 	}
 
-	$output = '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" class="post-password-form' . $class . '" method="post">' . $invalid_password_html . '
+	if ( ! empty( $post->ID ) ) {
+		$redirect_field = sprintf(
+			'<input type="hidden" name="redirect_to" value="%s" />',
+			esc_attr( get_permalink( $post->ID ) )
+		);
+	}
+
+	$output = '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" class="post-password-form' . $class . '" method="post">' . $redirect_field . $invalid_password_html . '
 	<p>' . __( 'This content is password protected. To view it please enter your password below:' ) . '</p>
 	<p><label for="' . $field_id . '">' . __( 'Password:' ) . ' <input name="post_password" id="' . $field_id . '" type="password" spellcheck="false" required size="20"' . $aria . ' /></label> <input type="submit" name="Submit" value="' . esc_attr_x( 'Enter', 'post password form' ) . '" /></p></form>
 	';
@@ -1815,8 +1823,8 @@ function get_the_password_form( $post = 0 ) {
 	 * @since 5.8.0 Added the `$post` parameter.
 	 * @since 6.8.0 Added the `$invalid_password` parameter.
 	 *
-	 * @param string  $output The password form HTML output.
-	 * @param WP_Post $post   Post object.
+	 * @param string  $output           The password form HTML output.
+	 * @param WP_Post $post             Post object.
 	 * @param string  $invalid_password The invalid password message.
 	 */
 	return apply_filters( 'the_password_form', $output, $post, $invalid_password );

diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -1310,7 +1310,12 @@ public function check_username( $value, $request, $param ) {
 	 * @param string          $param   The parameter name.
 	 * @return string|WP_Error The sanitized password, if valid, otherwise an error.
 	 */
-	public function check_user_password( $value, $request, $param ) {
+	public function check_user_password(
+		#[\SensitiveParameter]
+		$value,
+		$request,
+		$param
+	) {
 		$password = (string) $value;
 
 		if ( empty( $password ) ) {