Changeset 29389


Timestamp:
08/06/2014 05:50:20 AM (5 years ago)
Author:
nacin
Message:

Verify the MAC earlier in WP_Customize_Widgets. props duck_.

Merges [29377] (and [29028]) to the 3.9 branch.

Location:
branches/3.9
Files:
2 edited

  • branches/3.9

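--- a/branches/3.9/src/wp-includes/class-wp-customize-widgets.php
+++ b/branches/3.9/src/wp-includes/class-wp-customize-widgets.php
@@ -1120,20 +1120,17 @@
 
     /**
-     * Get a widget instance's hash key.
-     *
-     * Serialize an instance and hash it with the AUTH_KEY; when a JS value is
-     * posted back to save, this instance hash key is used to ensure that the
-     * serialized_instance was not tampered with, but that it had originated
-     * from WordPress and so is sanitized.
+     * Get MAC for a serialized widget instance string.
+     *
+     * Allows values posted back from JS to be rejected if any tampering of the
+     * data has occurred.
      *
      * @since 3.9.0
      * @access protected
      *
-     * @param array $instance Widget instance.
-     * @return string Widget instance's hash key.
-     */
-    protected function get_instance_hash_key( $instance ) {
-        $hash = md5( AUTH_KEY . serialize( $instance ) );
-        return $hash;
+     * @param string $serialized_instance Widget instance.
+     * @return string MAC for serialized widget instance.
+     */
+    protected function get_instance_hash_key( $serialized_instance ) {
+        return wp_hash( $serialized_instance );
     }
 
@@ -1163,16 +1160,17 @@
 
         $decoded = base64_decode( $value['encoded_serialized_instance'], true );
-
         if ( false === $decoded ) {
             return null;
         }
+
+        if ( $this->get_instance_hash_key( $decoded ) !== $value['instance_hash_key'] ) {
+            return null;
+        }
+
         $instance = unserialize( $decoded );
-
         if ( false === $instance ) {
             return null;
         }
-        if ( $this->get_instance_hash_key( $instance ) !== $value['instance_hash_key'] ) {
-            return null;
-        }
+
         return $instance;
     }
@@ -1195,5 +1193,5 @@
                 'title'                         => empty( $value['title'] ) ? '' : $value['title'],
                 'is_widget_customizer_js_value' => true,
-                'instance_hash_key'             => $this->get_instance_hash_key( $value ),
+                'instance_hash_key'             => $this->get_instance_hash_key( $serialized ),
             );
         }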
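Review bot: The MAC check added ahead of `unserialize( $decoded )` in the second hunk compares with `!==`, which is not a constant-time comparison, so response timing may reveal how much of a submitted MAC matched. I would change the condition to `if ( ! is_string( $value['instance_hash_key'] ) || ! hash_equals( $this->get_instance_hash_key( $decoded ), $value['instance_hash_key'] ) ) {`, assuming `hash_equals()` (PHP 5.6+, or a compatibility shim) is available on this branch; the `is_string()` guard keeps a non-string request value from reaching `hash_equals()`. The enclosing method starts above the hunk, so any earlier validation of the `$value` keys is not visible here. Separately, the `@param string $serialized_instance` description in the first hunk would be more accurate as `Serialized widget instance.`, since the argument is no longer the array.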