Changeset 40707 for branches/4.5/src/wp-includes/class-wp-customize-manager.php

Timestamp:

05/16/2017 12:15:06 PM (7 years ago)

Author:

ocean90

Message:

Customize: Ignore invalid customization sessions.

Merge of [40704] to the 4.5 branch.

Location:

branches/4.5

Files:

• . (modified) (1 prop)
• src/wp-includes/class-wp-customize-manager.php (modified) (1 diff)

branches/4.5/src/wp-includes/class-wp-customize-manager.php

@@ -386 +386 @@
 
         show_admin_bar( false );
+
+        /*
+         * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
+         * application will inject the customize_preview_nonce query parameter into all Ajax requests.
+         * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
+         * a user when a valid nonce isn't present.
+         */
+        $has_post_data_nonce = (
+            check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
+            ||
+            check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
+            ||
+            check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
+        );
+        if ( ! $has_post_data_nonce ) {
+            unset( $_POST['customized'] );
+            unset( $_REQUEST['customized'] );
+        }
 
         if ( ! current_user_can( 'customize' ) ) {