Changeset 37145


Timestamp:
03/30/2016 06:35:37 PM (3 years ago)
Author:
jorbin
Message:

Add a nonce check when updating the wporg_favorites user meta field

Location:
trunk/src/wp-admin
Files:
5 edited

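--- a/trunk/src/wp-admin/includes/ajax-actions.php
+++ b/trunk/src/wp-admin/includes/ajax-actions.php
@@ -2760,12 +2760,12 @@
 
     if ( ! $post = get_post( (int) $_REQUEST['post_id'] ) )
-        wp_send_json_error();
+        wp_send_json_error(111);
 
     if ( ! current_user_can( 'read_post', $post->ID ) )
-        wp_send_json_error();
+        wp_send_json_error(222);
 
     // Really just pre-loading the cache here.
     if ( ! $revisions = wp_get_post_revisions( $post->ID, array( 'check_enabled' => false ) ) )
-        wp_send_json_error();
+        wp_send_json_error(333);
 
     $return = array();
@@ -3318,4 +3318,6 @@
     }
 
+    check_ajax_referer( 'save_wporg_username_' . get_current_user_id() );
+
     $username = isset( $_REQUEST['username'] ) ? wp_unslash( $_REQUEST['username'] ) : false;
 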
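Review bot: The three `wp_send_json_error(111)` / `(222)` / `(333)` replacements in the first hunk (old lines 2762–2769) look like leftover debugging values: the commit message only describes adding a nonce, and these change the error payload the revisions handler returns to the client. They should go back to `wp_send_json_error();` so callers keep receiving the original empty error data. The `check_ajax_referer( 'save_wporg_username_' . get_current_user_id() );` added in the second hunk is the right guard for a write action; both enclosing functions start outside the hunks, so I cannot see what capability check precedes it.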
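--- a/trunk/src/wp-admin/includes/class-wp-plugin-install-list-table.php
+++ b/trunk/src/wp-admin/includes/class-wp-plugin-install-list-table.php
@@ -171,6 +171,11 @@
 
             case 'favorites':
-                $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
-                update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+                $action = 'save_wporg_username_' . get_current_user_id();
+                if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), $action ) ) {
+                    $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+                    update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+                } else {
+                    $user = get_user_option( 'wporg_favorites' );
+                }
                 if ( $user )
                     $args['user'] = $user;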
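Review bot: The nonce-gated save block added at new lines 173–179 is duplicated verbatim in theme-install.php (new lines 159–165 there), and the action string `'save_wporg_username_' . get_current_user_id()` is also spelled out by hand in plugin-install.php and ajax-actions.php; a typo in any one copy would make verification fail silently, so a small shared helper that builds the action and performs the verify-and-save would keep the four sites in step. The value passed to `update_user_meta()` is still only unslashed, not validated; since it is meant to be a WordPress.org username, running it through `sanitize_user()` before saving seems reasonable, provided the downstream API lookup tolerates that (not visible here). The surrounding `switch` and method start outside the hunk.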
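--- a/trunk/src/wp-admin/includes/plugin-install.php
+++ b/trunk/src/wp-admin/includes/plugin-install.php
@@ -301,5 +301,6 @@
  */
 function install_plugins_favorites_form() {
-    $user = ! empty( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+    $user   = get_user_option( 'wporg_favorites' );
+    $action = 'save_wporg_username_' . get_current_user_id();
     ?>
     <p class="install-help"><?php _e( 'If you have marked plugins as favorites on WordPress.org, you can browse them here.' ); ?></p>
@@ -310,4 +311,5 @@
             <input type="search" id="user" name="user" value="<?php echo esc_attr( $user ); ?>" />
             <input type="submit" class="button" value="<?php esc_attr_e( 'Get Favorites' ); ?>" />
+            <input type="hidden" id="wporg-username-nonce" name="_wpnonce" value="<?php echo esc_attr( wp_create_nonce( $action ) ); ?>" />
         </p>
     </form>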
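Review bot: `$user` in `install_plugins_favorites_form()` now always comes from `get_user_option( 'wporg_favorites' )`, so the search box shows the stored value rather than the one just submitted; that only matches the submission if the list table's nonce-checked save has already run and updated the user meta before this form renders, an ordering this hunk does not show. A comment on the first new line such as `// The submitted username is saved (after nonce verification) by the list table; render the stored value here.` would make that dependency explicit. For the hidden field at new line 313, `wp_nonce_field( $action )` would emit the same `_wpnonce` input with the escaping in one place, though it adds a referer field and no `id`, which may matter if anything keys on `wporg-username-nonce`. The function body continues past the first hunk.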
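--- a/trunk/src/wp-admin/js/theme.js
+++ b/trunk/src/wp-admin/js/theme.js
@@ -1549,4 +1549,5 @@
     saveUsername: function ( event ) {
         var username = $( '#wporg-username-input' ).val(),
+            nonce = $( '#wporg-username-nonce' ).val(),
             request = { browse: 'favorites', user: username },
             that = this;
@@ -1563,4 +1564,5 @@
         return wp.ajax.send( 'save-wporg-username', {
             data: {
+                _wpnonce: nonce,
                 username: username
             },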
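Review bot: `nonce` is read from `#wporg-username-nonce` and sent only in the ajax `data`, not added to `request`, which still carries just `browse` and `user`; if `request` is later used to build the favorites page URL, the PHP side will take its no-nonce branch and depend on this ajax save having completed first, an ordering nothing here comments on. A note on the `nonce` declaration such as `// Nonce for the save-wporg-username ajax action only; the page request itself is not nonced and the server falls back to the stored username.` would spare the next reader the cross-file trace. If the hidden input is absent, `.val()` yields `undefined` and the request will fail `check_ajax_referer` on the server; whether the error callback surfaces that is outside this hunk. `saveUsername` continues past both hunks.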
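--- a/trunk/src/wp-admin/theme-install.php
+++ b/trunk/src/wp-admin/theme-install.php
@@ -157,6 +157,11 @@
         <div class="favorites-form">
             <?php
-            $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
-            update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+            $action = 'save_wporg_username_' . get_current_user_id();
+            if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), $action ) ) {
+                $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+                update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+            } else {
+                $user = get_user_option( 'wporg_favorites' );
+            }
             ?>
             <p class="install-help"><?php _e( 'If you have marked themes as favorites on WordPress.org, you can browse them here.' ); ?></p>
@@ -164,4 +169,5 @@
             <p>
                 <label for="wporg-username-input"><?php _e( 'Your WordPress.org username:' ); ?></label>
+                <input type="hidden" id="wporg-username-nonce" name="_wpnonce" value="<?php echo esc_attr( wp_create_nonce( $action ) ); ?>" />
                 <input type="search" id="wporg-username-input" value="<?php echo esc_attr( $user ); ?>" />
                 <input type="button" class="button button-secondary favorites-form-submit" value="<?php esc_attr_e( 'Get Favorites' ); ?>" />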
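Review bot: In the new `else` branch (new line 164) a `?browse=favorites&user=...` request that arrives without a valid `_wpnonce` silently drops the submitted `user` and shows the stored favorites instead, with nothing in the template signalling that; this is the safe default, but a stale or hand-built link will simply look as though the input was ignored. A comment above the `else` such as `// Without a valid nonce the submitted username is ignored; fall back to the stored wporg_favorites value.` would document the intent. The enclosing template markup starts before this hunk.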