Make WordPress Core

Changeset 40705


Ignore:
Timestamp:
05/16/2017 12:13:07 PM (8 years ago)
Author:
ocean90
Message:

Customize: Ignore invalid customization sessions.

Merge of [40704] to the 4.7 branch.

Location:
branches/4.7
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • branches/4.7

  • branches/4.7/src/wp-admin/customize.php

    r40369 r40705  
    156156                <div class="accordion-section-title">
    157157                    <span class="preview-notice"><?php
    158                         echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name' ) . '</strong>' );
     158                        echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name', 'display' ) . '</strong>' );
    159159                    ?></span>
    160160                    <button type="button" class="customize-help-toggle dashicons dashicons-editor-help" aria-expanded="false"><span class="screen-reader-text"><?php _e( 'Help' ); ?></span></button>
  • branches/4.7/src/wp-admin/js/customize-controls.js

    r40420 r40705  
    45804580        });
    45814581
     4582        // Ensure preview nonce is included with every customized request, to allow post data to be read.
     4583        $.ajaxPrefilter( function injectPreviewNonce( options ) {
     4584            if ( ! /wp_customize=on/.test( options.data ) ) {
     4585                return;
     4586            }
     4587            options.data += '&' + $.param({
     4588                customize_preview_nonce: api.settings.nonce.preview
     4589            });
     4590        });
     4591
    45824592        // Refresh the nonces if the preview sends updated nonces over.
    45834593        api.previewer.bind( 'nonce', function( nonce ) {
  • branches/4.7/src/wp-includes/class-wp-customize-manager.php

    r40384 r40705  
    483483        if ( ! preg_match( '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/', $this->_changeset_uuid ) ) {
    484484            $this->wp_die( -1, __( 'Invalid changeset UUID' ) );
     485        }
     486
     487        /*
     488         * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
     489         * application will inject the customize_preview_nonce query parameter into all Ajax requests.
     490         * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
     491         * a user when a valid nonce isn't present.
     492         */
     493        $has_post_data_nonce = (
     494            check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
     495            ||
     496            check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
     497            ||
     498            check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
     499        );
     500        if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) {
     501            unset( $_POST['customized'] );
     502            unset( $_REQUEST['customized'] );
    485503        }
    486504
Note: See TracChangeset for help on using the changeset viewer.