
Changeset 42246 for trunk


Timestamp:
11/27/2017 03:43:11 AM (7 years ago)
Author:
dd32
Message:

Theme Editor: Base the nonce on a simpler combination of fields, for easier debugging & reading.

See #42609.
Fixes #42705.

Location:
trunk/src/wp-admin
Files:
2 edited

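--- a/trunk/src/wp-admin/includes/file.php
+++ b/trunk/src/wp-admin/includes/file.php
@@ -415,6 +415,5 @@
         }
 
-        $real_file = $theme->get_stylesheet_directory() . '/' . $file;
-        if ( ! wp_verify_nonce( $args['nonce'], 'edit-theme_' . $real_file . $stylesheet ) ) {
+        if ( ! wp_verify_nonce( $args['nonce'], 'edit-theme_' . $stylesheet . '_' . $file ) ) {
             return new WP_Error( 'nonce_failure' );
         }
@@ -451,5 +450,8 @@
         }
 
+        $real_file = $theme->get_stylesheet_directory() . '/' . $file;
+
         $is_active = ( get_stylesheet() === $stylesheet || get_template() === $stylesheet );
+
     } else {
         return new WP_Error( 'missing_theme_or_plugin' );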
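Review bot: The nonce action at new line 417, `'edit-theme_' . $stylesheet . '_' . $file`, is joined by a character that can also appear inside a theme directory name or a file path, so two different (stylesheet, file) pairs can in principle yield the same action string; a separator that cannot occur in either component, or a short comment stating why that ambiguity is acceptable here, would make the intent explicit. The same string is also rebuilt by hand in theme-editor.php, where the file component is `$relative_file` rather than `$file`; if the two ever diverge, every save fails with the bare `nonce_failure` error, which is the debugging pain this change set out to reduce. A comment such as `// Action string must match wp_nonce_field()/check_ajax_referer() in wp-admin/theme-editor.php.` above the check, or a small helper shared by both files, would keep them in lockstep. The enclosing function starts and ends outside the hunk.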
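--- a/trunk/src/wp-admin/theme-editor.php
+++ b/trunk/src/wp-admin/theme-editor.php
@@ -115,5 +115,5 @@
     if ( is_wp_error( $r ) ) {
         $edit_error = $r;
-        if ( check_ajax_referer( 'edit-theme_' . $file . $stylesheet, 'nonce', false ) && isset( $_POST['newcontent'] ) ) {
+        if ( check_ajax_referer( 'edit-theme_' . $stylesheet . '_' . $relative_file, 'nonce', false ) && isset( $_POST['newcontent'] ) ) {
             $posted_content = wp_unslash( $_POST['newcontent'] );
         }
@@ -256,5 +256,5 @@
 else : ?>
     <form name="template" id="template" action="theme-editor.php" method="post">
-        <?php wp_nonce_field( 'edit-theme_' . $file . $stylesheet, 'nonce' ); ?>
+        <?php wp_nonce_field( 'edit-theme_' . $stylesheet . '_' . $relative_file, 'nonce' ); ?>
         <div>
             <label for="newcontent" id="theme-plugin-editor-label"><?php _e( 'Selected file content:' ); ?></label>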
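Review bot: The action string `'edit-theme_' . $stylesheet . '_' . $relative_file` is written out twice in this file, at new lines 117 and 258, and a third time in wp-admin/includes/file.php, with nothing tying the copies together; computing it once, `$nonce_action = 'edit-theme_' . $stylesheet . '_' . $relative_file;`, next to where `$relative_file` is assigned and passing `$nonce_action` to both `check_ajax_referer()` and `wp_nonce_field()` would leave a single place to keep in sync with the verifier. The verifying code in file.php uses `$file` where this file uses `$relative_file`, and whether those hold byte-identical strings cannot be confirmed from these hunks, so a comment at line 117 noting which value the file.php side is expected to receive would help the next reader. The assignment of `$relative_file` and the call that hands it to file.php lie outside the hunks.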