- Timestamp:
- 08/06/2014 05:50:20 AM (10 years ago)
- Location:
- branches/3.9
- Files:
-
- 2 edited
branches/3.9/src/wp-includes/class-wp-customize-widgets.php
r28143 r29389 1120 1120 1121 1121 /** 1122 * Get a widget instance's hash key. 1123 * 1124 * Serialize an instance and hash it with the AUTH_KEY; when a JS value is 1125 * posted back to save, this instance hash key is used to ensure that the 1126 * serialized_instance was not tampered with, but that it had originated 1127 * from WordPress and so is sanitized. 1122 * Get MAC for a serialized widget instance string. 1123 * 1124 * Allows values posted back from JS to be rejected if any tampering of the 1125 * data has occurred. 1128 1126 * 1129 1127 * @since 3.9.0 1130 1128 * @access protected 1131 1129 * 1132 * @param array $instance Widget instance. 1133 * @return string Widget instance's hash key. 1134 */ 1135 protected function get_instance_hash_key( $instance ) { 1136 $hash = md5( AUTH_KEY . serialize( $instance ) ); 1137 return $hash; 1130 * @param string $serialized_instance Widget instance. 1131 * @return string MAC for serialized widget instance. 1132 */ 1133 protected function get_instance_hash_key( $serialized_instance ) { 1134 return wp_hash( $serialized_instance ); 1138 1135 } 1139 1136 … … 1163 1160 1164 1161 $decoded = base64_decode( $value['encoded_serialized_instance'], true ); 1165 1166 1162 if ( false === $decoded ) { 1167 1163 return null; 1168 1164 } 1165 1166 if ( $this->get_instance_hash_key( $decoded ) !== $value['instance_hash_key'] ) { 1167 return null; 1168 } 1169 1169 1170 $instance = unserialize( $decoded ); 1170 1171 1171 if ( false === $instance ) { 1172 1172 return null; 1173 1173 } 1174 if ( $this->get_instance_hash_key( $instance ) !== $value['instance_hash_key'] ) { 1175 return null; 1176 } 1174 1177 1175 return $instance; 1178 1176 } … … 1195 1193 'title' => empty( $value['title'] ) ? '' : $value['title'], 1196 1194 'is_widget_customizer_js_value' => true, 1197 'instance_hash_key' => $this->get_instance_hash_key( $ value),1195 'instance_hash_key' => $this->get_instance_hash_key( $serialized ), 1198 1196 ); 1199 1197 }
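Review bot: The MAC check in the second hunk, `if ( $this->get_instance_hash_key( $decoded ) !== $value['instance_hash_key'] )`, compares the computed MAC with a client-supplied value using `!==`, which short-circuits on the first differing byte and so leaks comparison timing; a constant-time comparison such as `if ( ! hash_equals( $this->get_instance_hash_key( $decoded ), $value['instance_hash_key'] ) )` is the usual mitigation (`hash_equals()` is native from PHP 5.6, so on older targets it needs a polyfill — I cannot see from this page whether the codebase ships one). Since `$value['instance_hash_key']` comes from the posted data, it should also be confirmed present and a string before the comparison, e.g. `if ( ! isset( $value['instance_hash_key'] ) || ! is_string( $value['instance_hash_key'] ) ) { return null; }`, rather than relying on an undefined-index notice and a `null` mismatch. Moving the MAC check ahead of `unserialize()` is the right order, because it means untrusted bytes are never unserialized; a one-line comment above the check, `// Verify the MAC before unserializing so tampered data never reaches unserialize().`, would record that intent for future edits. The enclosing function starts and ends outside this hunk. In the first hunk the new docblock's `@param string $serialized_instance Widget instance.` should read `Serialized widget instance.` to match the parameter's new meaning.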