Changeset 40712 for branches/4.0

Timestamp:

05/16/2017 12:19:44 PM (9 years ago)

Author:

ocean90

Message:

Customize: Ignore invalid customization sessions.

Merge of [40704] to the 4.0 branch.

Location:

branches/4.0

Files:

• . (modified) (1 prop)
• src/wp-admin/customize.php (modified) (1 diff)
• src/wp-admin/js/customize-controls.js (modified) (1 diff)
• src/wp-includes/class-wp-customize-manager.php (modified) (1 diff)

branches/4.0/src/wp-admin/customize.php

@@ -142 +142 @@
                         } else {
                             /* translators: %s is the site/panel title in the Customize pane */
-                            echo sprintf( __( 'You are customizing %s' ), '<strong class="theme-name site-title">' . get_bloginfo( 'name' ) . '</strong>' );
+                            echo sprintf( __( 'You are customizing %s' ), '<strong class="theme-name site-title">' . get_bloginfo( 'name', 'display' ) . '</strong>' );
                         }
                     ?></span>

branches/4.0/src/wp-admin/js/customize-controls.js

@@ -1087 +1087 @@
         });
 
+        // Ensure preview nonce is included with every customized request, to allow post data to be read.
+        $.ajaxPrefilter( function injectPreviewNonce( options ) {
+            if ( ! /wp_customize=on/.test( options.data ) ) {
+                return;
+            }
+            options.data += '&' + $.param({
+                customize_preview_nonce: api.settings.nonce.preview
+            });
+        });
+
         // Refresh the nonces if the preview sends updated nonces over.
         api.previewer.bind( 'nonce', function( nonce ) {

branches/4.0/src/wp-includes/class-wp-customize-manager.php

@@ -166 +166 @@
 
         $this->theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : null );
+
+        /*
+         * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
+         * application will inject the customize_preview_nonce query parameter into all Ajax requests.
+         * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
+         * a user when a valid nonce isn't present.
+         */
+        $has_post_data_nonce = (
+            check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
+            ||
+            check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
+            ||
+            check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
+        );
+        if ( ! $has_post_data_nonce ) {
+            unset( $_POST['customized'] );
+            unset( $_REQUEST['customized'] );
+        }
 
         if ( $this->is_theme_active() ) {