Timestamp:
08/05/2014 06:49:22 AM (5 years ago)
Author:
nacin
Message:

Verify the MAC earlier in WP_Customize_Widgets. props duck_.

File:
1 edited

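--- a/trunk/src/wp-includes/class-wp-customize-widgets.php
+++ b/trunk/src/wp-includes/class-wp-customize-widgets.php
@@ -1151,19 +1151,17 @@
 
     /**
-     * Get a widget instance's hash key.
-     *
-     * Serialize an instance and hash it with the AUTH_KEY; when a JS value is
-     * posted back to save, this instance hash key is used to ensure that the
-     * serialized_instance was not tampered with, but that it had originated
-     * from WordPress and so is sanitized.
+     * Get MAC for a serialized widget instance string.
+     *
+     * Allows values posted back from JS to be rejected if any tampering of the
+     * data has occurred.
      *
      * @since 3.9.0
      * @access protected
      *
-     * @param array $instance Widget instance.
-     * @return string Widget instance's hash key.
-     */
-    protected function get_instance_hash_key( $instance ) {
-        return wp_hash( serialize( $instance ) );
+     * @param string $serialized_instance Widget instance.
+     * @return string MAC for serialized widget instance.
+     */
+    protected function get_instance_hash_key( $serialized_instance ) {
+        return wp_hash( $serialized_instance );
     }
 
@@ -1193,16 +1191,17 @@
 
         $decoded = base64_decode( $value['encoded_serialized_instance'], true );
-
         if ( false === $decoded ) {
             return null;
         }
+
+        if ( $this->get_instance_hash_key( $decoded ) !== $value['instance_hash_key'] ) {
+            return null;
+        }
+
         $instance = unserialize( $decoded );
-
         if ( false === $instance ) {
             return null;
         }
-        if ( $this->get_instance_hash_key( $instance ) !== $value['instance_hash_key'] ) {
-            return null;
-        }
+
         return $instance;
     }
@@ -1225,5 +1224,5 @@
                 'title'                         => empty( $value['title'] ) ? '' : $value['title'],
                 'is_widget_customizer_js_value' => true,
-                'instance_hash_key'             => $this->get_instance_hash_key( $value ),
+                'instance_hash_key'             => $this->get_instance_hash_key( $serialized ),
             );
         }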
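Review bot: The MAC comparison added at new line 1197 uses `!==`, which returns as soon as a byte differs and so leaks timing about how much of the tag matched; a constant-time comparison, `if ( ! hash_equals( $this->get_instance_hash_key( $decoded ), $value['instance_hash_key'] ) ) { return null; }`, is preferable wherever `hash_equals()` (native from PHP 5.6) or a compatibility shim is available. Checking the MAC before `unserialize()` is the right ordering, since the payload is now authenticated before any object graph is built from it. `$value['instance_hash_key']` is read at that line without a visible guard; if the enclosing method, which starts outside the hunk, does not already reject a missing or non-string key, an `isset()` check should precede the comparison. The new docblock's `@param string $serialized_instance Widget instance.` would read more precisely as `Serialized widget instance.`, matching the `@return` wording.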