Changes from branches/3.9/src/wp-includes/class-wp-customize-widgets.php at r29389 to trunk/src/wp-includes/class-wp-customize-widgets.php at r28143

File:

• trunk/src/wp-includes/class-wp-customize-widgets.php (modified) (3 diffs)

trunk/src/wp-includes/class-wp-customize-widgets.php

@@ -1120 +1120 @@
 
     /**
-     * Get MAC for a serialized widget instance string.
-     *
-     * Allows values posted back from JS to be rejected if any tampering of the
-     * data has occurred.
+     * Get a widget instance's hash key.
+     *
+     * Serialize an instance and hash it with the AUTH_KEY; when a JS value is
+     * posted back to save, this instance hash key is used to ensure that the
+     * serialized_instance was not tampered with, but that it had originated
+     * from WordPress and so is sanitized.
      *
      * @since 3.9.0
      * @access protected
      *
-     * @param string $serialized_instance Widget instance.
-     * @return string MAC for serialized widget instance.
-     */
-    protected function get_instance_hash_key( $serialized_instance ) {
-        return wp_hash( $serialized_instance );
+     * @param array $instance Widget instance.
+     * @return string Widget instance's hash key.
+     */
+    protected function get_instance_hash_key( $instance ) {
+        $hash = md5( AUTH_KEY . serialize( $instance ) );
+        return $hash;
     }
 
@@ -1160 +1163 @@
 
         $decoded = base64_decode( $value['encoded_serialized_instance'], true );
+
         if ( false === $decoded ) {
             return null;
         }
-
-        if ( $this->get_instance_hash_key( $decoded ) !== $value['instance_hash_key'] ) {
-            return null;
-        }
-
         $instance = unserialize( $decoded );
+
         if ( false === $instance ) {
             return null;
         }
-
+        if ( $this->get_instance_hash_key( $instance ) !== $value['instance_hash_key'] ) {
+            return null;
+        }
         return $instance;
     }
@@ -1193 +1195 @@
                 'title'                         => empty( $value['title'] ) ? '' : $value['title'],
                 'is_widget_customizer_js_value' => true,
-                'instance_hash_key'             => $this->get_instance_hash_key( $serialized ),
+                'instance_hash_key'             => $this->get_instance_hash_key( $value ),
             );
         }