Changeset 7375
- Timestamp:
- 03/18/2008 02:43:20 AM (17 years ago)
- Location:
- trunk
- Files:
-
- 3 edited
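--- a/trunk/wp-admin/admin-ajax.php
+++ b/trunk/wp-admin/admin-ajax.php
@@ -461,5 +461,5 @@
 break;
 case 'autosave' : // The name of this action is hardcoded in edit_post()
-check_ajax_referer( 'autosave', 'autosavenonce');
+$nonce_age = check_ajax_referer( 'autosave', 'autosavenonce');
 global $current_user;
 
@@ -520,4 +520,7 @@
 if ( $do_lock && $id && is_numeric($id) )
 wp_set_post_lock( $id );
+
+if ( $nonce_age == 2 )
+$supplemental['replace-autosavenonce'] = wp_create_nonce('autosave');
 
 $x = new WP_Ajax_Response( array(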
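Review bot: The new `$nonce_age == 2` branch on line 523 gives no hint why 2 is special; the meaning lives only in pluggable.php, so add `// Nonce is in its second (final) tick: hand the client a fresh one so the next autosave does not fail` above it. `$supplemental` is initialised outside the shown lines; confirm it is always an array at this point, since the `WP_Ajax_Response` call below presumably passes it through. Because check_ajax_referer is called with the default `$die`, an invalid nonce never reaches this code and `$nonce_age` can only be 1 or 2 here, so the loose comparison is safe as written.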
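--- a/trunk/wp-includes/js/autosave.js
+++ b/trunk/wp-includes/js/autosave.js
@@ -25,7 +25,14 @@
 message = res.responses[0].data; // The saved message or error.
 // someone else is editing: disable autosave, set errors
-if ( res.responses[0].supplemental && 'disable' == res.responses[0].supplemental['disable_autosave'] ) {
-autosave = function() {};
-res = { errors: true };
+if ( res.responses[0].supplemental ) {
+if ( 'disable' == res.responses[0].supplemental['disable_autosave'] ) {
+autosave = function() {};
+res = { errors: true };
+}
+jQuery.each(res.responses[0].supplemental, function(selector, value) {
+if ( selector.match(/^replace-/) ) {
+jQuery('#'+selector.replace('replace-', '')).val(value);
+}
+});
 }
 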
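Review bot: The new `jQuery.each` loop on lines 32-36 turns every `replace-*` key in the supplemental payload into a write to whichever element carries that id, not just `autosavenonce`, and nothing in the file says so; a comment such as `// Server-driven field refresh: a supplemental key "replace-<id>" sets the value of #<id> (used to rotate the autosave nonce before it expires)` would make the contract explicit. The response comes from the same-origin admin-ajax endpoint, so this is a question of scope rather than trust, but if only the nonce is meant to be refreshed, matching `'replace-autosavenonce'` directly (or a short list of allowed ids) would be tighter than the prefix regex. `'disable' == ...` on line 28 carries over the loose equality; `===` would be the usual form. The enclosing function starts before the section's first line.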
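--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -625,13 +625,14 @@
  * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
  */
-function check_admin_referer($action = -1, $query_arg = '_wpnonce'
+function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
 $adminurl = strtolower(get_option('siteurl')).'/wp-admin';
 $referer = strtolower(wp_get_referer());
-if ( !wp_verify_nonce($_REQUEST[$query_arg], $action) &&
-!(-1 == $action && strpos($referer, $adminurl) !== false)) {
+$result = wp_verify_nonce($_REQUEST[$query_arg], $action);
+if ( !$result && !(-1 == $action && strpos($referer, $adminurl) !== false) ) {
 wp_nonce_ays($action);
 die();
 }
-do_action('check_admin_referer', $action);
+do_action('check_admin_referer', $action, $result);
+return $result;
 }endif;
 
@@ -645,5 +646,5 @@
  * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
  */
-function check_ajax_referer( $action = -1, $query_arg = false ) {
+function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
 if ( $query_arg )
 $nonce = $_REQUEST[$query_arg];
@@ -651,8 +652,12 @@
 $nonce = $_REQUEST['_ajax_nonce'] ? $_REQUEST['_ajax_nonce'] : $_REQUEST['_wpnonce'];
 
-if ( !wp_verify_nonce( $nonce, $action ) )
+$result = wp_verify_nonce( $nonce, $action );
+
+if ( $die && false == $result )
 die('-1');
 
-do_action('check_ajax_referer');
+do_action('check_ajax_referer', $action, $result);
+
+return $result;
 }
 endif;
@@ -938,4 +943,21 @@
 endif;
 
+if ( !function_exists('wp_nonce_tick') ) :
+/**
+ * wp_nonce_tick() - Get the time-dependent variable for nonce creation
+ *
+ * A nonce has a lifespan of two ticks. Nonces in their second tick may be updated, e.g. by autosave.
+ *
+ * @since 2.5
+ *
+ * @return int
+ */
+function wp_nonce_tick() {
+$nonce_life = apply_filters('nonce_life', 86400) / 2;
+
+return ceil(time() / ( $nonce_life / 2 ));
+}
+endif;
+
 if ( !function_exists('wp_verify_nonce') ) :
 /**
@@ -955,9 +977,13 @@
 $uid = (int) $user->id;
 
-$i = ceil(time() / 43200);
-
-//Allow for expanding range, but only do one check if we can
-if( substr(wp_hash($i . $action . $uid), -12, 10) == $nonce || substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce )
-return true;
+$i = wp_nonce_tick();
+
+// Nonce generated 0-12 hours ago
+if ( substr(wp_hash($i . $action . $uid), -12, 10) == $nonce )
+return 1;
+// Nonce generated 12-24 hours ago
+if ( substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce )
+return 2;
+// Invalid nonce
 return false;
 }
@@ -977,5 +1003,5 @@
 $uid = (int) $user->id;
 
-$i = ceil(time() / 43200);
+$i = wp_nonce_tick();
 
 return substr(wp_hash($i . $action . $uid), -12, 10);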
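Review bot: wp_nonce_tick halves the nonce life twice — `apply_filters('nonce_life', 86400) / 2` gives 43200 and the return then divides by `$nonce_life / 2` again, so a tick is 6 hours and a nonce is accepted for 12 hours in total, which contradicts the docblock's "lifespan of two ticks" of a 24-hour life and the "0-12 hours ago" / "12-24 hours ago" comments in wp_verify_nonce; drop one halving: `$nonce_life = apply_filters('nonce_life', 86400);`. The new `$die` parameter of check_ajax_referer and the 1/2/false result now returned by both referer checks and by wp_verify_nonce are absent from the visible `@param` lines; since a caller passing `$die = false` owns the failure path, document it, e.g. `@param bool $die whether to die('-1') on an invalid nonce; when false the caller must check the return value` and `@return int|false 1 or 2 for a nonce in its first or second tick, false when invalid`. Any existing caller comparing wp_verify_nonce's result with `=== true` would presumably now treat every nonce as invalid, which is worth a search across the tree. `false == $result` on new line 656 would read more precisely as `false === $result`.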