Timestamp:
05/16/2017 12:16:02 PM (4 years ago)
Author:
ocean90
Message:

Customize: Ignore invalid customization sessions.

Merge of [40704] to the 4.4 branch.

Location:
branches/4.4
Files:
2 edited

  • branches/4.4

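--- a/branches/4.4/src/wp-includes/class-wp-customize-manager.php
+++ b/branches/4.4/src/wp-includes/class-wp-customize-manager.php
@@ -364,4 +364,22 @@
 
         show_admin_bar( false );
+
+        /*
+         * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
+         * application will inject the customize_preview_nonce query parameter into all Ajax requests.
+         * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
+         * a user when a valid nonce isn't present.
+         */
+        $has_post_data_nonce = (
+            check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
+            ||
+            check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
+            ||
+            check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
+        );
+        if ( ! $has_post_data_nonce ) {
+            unset( $_POST['customized'] );
+            unset( $_REQUEST['customized'] );
+        }
 
         if ( ! current_user_can( 'customize' ) ) {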
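Review bot: The guard at the end of the hunk clears `$_POST['customized']` and `$_REQUEST['customized']` but leaves `$_GET['customized']` untouched, so a value that arrived in the query string still survives in one superglobal after the request has been classified as nonce-less; unless nothing downstream reads `$_GET` (which I cannot confirm from this hunk), adding `unset( $_GET['customized'] );` inside the same `if` keeps the three superglobals consistent. The enclosing method starts and ends outside the hunk. The comment above the check could also note that check_ajax_referer() accepts a fallback nonce when the named query arg is absent, e.g. `// check_ajax_referer() also reads _ajax_nonce / _wpnonce when the named arg is missing.`, since that broadens which requests count as carrying a token.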