Make WordPress Core


Ignore:
Timestamp:
05/16/2017 12:06:32 PM (8 years ago)
Author:
ocean90
Message:

Customize: Igore invalid customization sessions.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/class-wp-customize-manager.php

    r40643 r40704  
    485485        if ( ! preg_match( '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/', $this->_changeset_uuid ) ) {
    486486            $this->wp_die( -1, __( 'Invalid changeset UUID' ) );
     487        }
     488
     489        /*
     490         * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
     491         * application will inject the customize_preview_nonce query parameter into all Ajax requests.
     492         * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
     493         * a user when a valid nonce isn't present.
     494         */
     495        $has_post_data_nonce = (
     496            check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
     497            ||
     498            check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
     499            ||
     500            check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
     501        );
     502        if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) {
     503            unset( $_POST['customized'] );
     504            unset( $_REQUEST['customized'] );
    487505        }
    488506
Note: See TracChangeset for help on using the changeset viewer.