Changeset 40199

Timestamp:

03/06/2017 02:01:39 PM (8 years ago)

Author:

johnbillion

Message:

Press This: Verify intent before fetching in-page resources using Press This.

Props vortfu

Merges [40195] to the 4.4 branch.

Location:

branches/4.4

Files:

• . (modified) (1 prop)
• src/wp-admin/includes/class-wp-press-this.php (modified) (3 diffs)

branches/4.4/src/wp-admin/includes/class-wp-press-this.php

@@ -711 +711 @@
              */
             if ( empty( $_POST ) && ! empty( $data['u'] ) ) {
-                $data = $this->source_data_fetch_fallback( $data['u'], $data );
+                if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( $_GET['_wpnonce'], 'scan-site' ) ) {
+                    $data = $this->source_data_fetch_fallback( $data['u'], $data );
+                } else {
+                    $data['errors'] = 'missing nonce';
+                }
             } else {
                 foreach ( array( '_images', '_embeds' ) as $type ) {
@@ -1251 +1255 @@
             'v' => ! empty( $data['v'] ) ? $data['v'] : '',
             'u' => ! empty( $data['u'] ) ? $data['u'] : '',
-            'hasData' => ! empty( $data ),
+            'hasData' => ! empty( $data ) && ! isset( $data['errors'] ),
         );
 
@@ -1383 +1387 @@
         <form method="GET">
             <label for="url-scan" class="screen-reader-text"><?php _e( 'Scan site for content' ); ?></label>
-            <input type="url" name="u" id="url-scan" class="scan-url" value="" placeholder="<?php esc_attr_e( 'Enter a URL to scan' ) ?>" />
+            <input type="url" name="u" id="url-scan" class="scan-url" value="<?php echo esc_attr( $site_data['u'] ) ?>" placeholder="<?php esc_attr_e( 'Enter a URL to scan' ) ?>" />
             <input type="submit" name="url-scan-submit" id="url-scan-submit" class="scan-submit" value="<?php esc_attr_e( 'Scan' ) ?>" />
+            <?php wp_nonce_field( 'scan-site' ); ?>
         </form>
     </div>