
Changeset 37146


Timestamp:
03/30/2016 06:40:18 PM (9 years ago)
Author:
jorbin
Message:

Add Nonce to updating wporg_favorites user meta field

Merges [37145] to the 4.4 branch

Location:
branches/4.4
Files:
6 edited

  • branches/4.4

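--- a/branches/4.4/src/wp-admin/includes/ajax-actions.php
+++ b/branches/4.4/src/wp-admin/includes/ajax-actions.php
@@ -2753,12 +2753,12 @@
 
     if ( ! $post = get_post( (int) $_REQUEST['post_id'] ) )
-        wp_send_json_error();
+        wp_send_json_error(111);
 
     if ( ! current_user_can( 'read_post', $post->ID ) )
-        wp_send_json_error();
+        wp_send_json_error(222);
 
     // Really just pre-loading the cache here.
     if ( ! $revisions = wp_get_post_revisions( $post->ID, array( 'check_enabled' => false ) ) )
-        wp_send_json_error();
+        wp_send_json_error(333);
 
     $return = array();
@@ -3311,4 +3311,6 @@
     }
 
+    check_ajax_referer( 'save_wporg_username_' . get_current_user_id() );
+
     $username = isset( $_REQUEST['username'] ) ? wp_unslash( $_REQUEST['username'] ) : false;
 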
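Review bot: The first hunk (lines 2755, 2758 and 2762) turns `wp_send_json_error();` into `wp_send_json_error(111);`, `wp_send_json_error(222);` and `wp_send_json_error(333);`; those numeric payloads look like debugging leftovers unrelated to the nonce change the commit message describes, and they are returned verbatim to the client as the error data. They should go back to `wp_send_json_error();` before this lands on the branch. In the second hunk the new `check_ajax_referer( 'save_wporg_username_' . get_current_user_id() );` sits after a closing brace whose opening is outside the hunk, so it is not visible here whether any work precedes the check; a referer check is cheapest and safest as the first statement of the handler. Both enclosing functions start and end outside the hunks.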
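--- a/branches/4.4/src/wp-admin/includes/class-wp-plugin-install-list-table.php
+++ b/branches/4.4/src/wp-admin/includes/class-wp-plugin-install-list-table.php
@@ -171,6 +171,11 @@
 
             case 'favorites':
-                $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
-                update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+                $action = 'save_wporg_username_' . get_current_user_id();
+                if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), $action ) ) {
+                    $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+                    update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+                } else {
+                    $user = get_user_option( 'wporg_favorites' );
+                }
                 if ( $user )
                     $args['user'] = $user;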
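Review bot: The value taken from `$_GET['user']` on line 175 is persisted with `update_user_meta()` after only `wp_unslash()`, so whatever string a nonce-bearing request supplies becomes the stored WordPress.org username; the same pattern is in theme-install.php lines 153-154. A `sanitize_user()` pass, e.g. `$user = isset( $_GET['user'] ) ? sanitize_user( wp_unslash( $_GET['user'] ) ) : get_user_option( 'wporg_favorites' );`, would bound what gets stored and later forwarded in the API request. The action string `'save_wporg_username_' . get_current_user_id()` is now assembled by hand in this file, plugin-install.php, theme-install.php and ajax-actions.php; a shared helper or constant would keep the four copies from drifting. The silent fallback to the stored value when verification fails is reasonable for a listing page, but deserves a one-line comment such as `// Without a valid nonce, ignore the submitted username and keep the stored one.`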
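--- a/branches/4.4/src/wp-admin/includes/plugin-install.php
+++ b/branches/4.4/src/wp-admin/includes/plugin-install.php
@@ -301,5 +301,6 @@
  */
 function install_plugins_favorites_form() {
-    $user = ! empty( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+    $user   = get_user_option( 'wporg_favorites' );
+    $action = 'save_wporg_username_' . get_current_user_id();
     ?>
     <p class="install-help"><?php _e( 'If you have marked plugins as favorites on WordPress.org, you can browse them here.' ); ?></p>
@@ -310,4 +311,5 @@
             <input type="search" id="user" name="user" value="<?php echo esc_attr( $user ); ?>" />
             <input type="submit" class="button" value="<?php esc_attr_e( 'Get Favorites' ); ?>" />
+            <input type="hidden" id="wporg-username-nonce" name="_wpnonce" value="<?php echo esc_attr( wp_create_nonce( $action ) ); ?>" />
         </p>
     </form>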
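Review bot: The hidden field on line 313 hand-rolls what `wp_nonce_field( $action, '_wpnonce', false );` already emits, and the helper would keep this form in step with any future change to how core renders nonce fields. Its generated `id` is `_wpnonce` rather than `wporg-username-nonce`, so only switch if nothing on the plugins screen depends on that id (theme.js reads `#wporg-username-nonce`, but that appears to serve the themes screen rather than this form — confirm). The rest of the change reads well: `$user` is now always the stored value, so a query-string value that failed verification is no longer echoed back into the search box. `install_plugins_favorites_form()` continues outside the hunk.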
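--- a/branches/4.4/src/wp-admin/js/theme.js
+++ b/branches/4.4/src/wp-admin/js/theme.js
@@ -1521,4 +1521,5 @@
     saveUsername: function ( event ) {
         var username = $( '#wporg-username-input' ).val(),
+            nonce = $( '#wporg-username-nonce' ).val(),
             request = { browse: 'favorites', user: username },
             that = this;
@@ -1535,4 +1536,5 @@
         return wp.ajax.send( 'save-wporg-username', {
             data: {
+                _wpnonce: nonce,
                 username: username
             },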
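Review bot: `request` on line 1524 is built without the nonce while `data` on line 1538 carries it, so the favorites browse that `request` presumably drives (the rest of `saveUsername` is outside the hunk) will take the new `else` fallback in theme-install.php and read the stored value; that only works because the AJAX save persists the username first. A short comment above line 1524 such as `// The nonce only accompanies the save; the browse request reads the value persisted by it.` would stop the next reader from "fixing" it by adding `_wpnonce` to `request`. If `#wporg-username-nonce` is missing from the page, `nonce` is `undefined` and the handler's `check_ajax_referer()` rejects the save, which is the intended failure mode but worth knowing when debugging.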
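--- a/branches/4.4/src/wp-admin/theme-install.php
+++ b/branches/4.4/src/wp-admin/theme-install.php
@@ -149,6 +149,11 @@
         <div class="favorites-form">
             <?php
-            $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
-            update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+            $action = 'save_wporg_username_' . get_current_user_id();
+            if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), $action ) ) {
+                $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+                update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+            } else {
+                $user = get_user_option( 'wporg_favorites' );
+            }
             ?>
             <p class="install-help"><?php _e( 'If you have marked themes as favorites on WordPress.org, you can browse them here.' ); ?></p>
@@ -156,4 +161,5 @@
             <p>
                 <label for="user"><?php _e( 'Your WordPress.org username:' ); ?></label>
+                <input type="hidden" id="wporg-username-nonce" name="_wpnonce" value="<?php echo esc_attr( wp_create_nonce( $action ) ); ?>" />
                 <input type="search" id="wporg-username-input" value="<?php echo esc_attr( $user ); ?>" />
                 <input type="button" class="button button-secondary favorites-form-submit" value="<?php esc_attr_e( 'Get Favorites' ); ?>" />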