
Changeset 49379


Timestamp:
10/29/2020 05:33:43 PM (4 years ago)
Author:
whyisjake
Message:

Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Props xknown, zieladam, peterwilsoncc, whyisjake

Location:
branches/5.5/src
Files:
3 edited

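--- a/branches/5.5/src/js/_enqueues/admin/custom-background.js
+++ b/branches/5.5/src/js/_enqueues/admin/custom-background.js
@@ -127,4 +127,5 @@
                 // Grab the selected attachment.
                 var attachment = frame.state().get('selection').first();
+                var nonceValue = $( '#_wpnonce' ).val() || '';
 
                 // Run an Ajax request to set the background image.
@@ -132,4 +133,5 @@
                     action: 'set-background-image',
                     attachment_id: attachment.id,
+                    _ajax_nonce: nonceValue,
                     size: 'full'
                 }).done( function() {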
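Review bot: The `|| ''` fallback on the new `nonceValue` line means that when `#_wpnonce` is missing from the page the request is still sent, only with an empty `_ajax_nonce`, which the server-side `check_ajax_referer` added in the same changeset will reject; nothing in the hunk tells a reader that the field is a hard dependency. A short comment above the declaration would make that explicit, e.g. `// Nonce rendered by the custom background form; an empty value makes the server reject the request.` The enclosing callback begins and ends outside the hunks, so whether the form always renders the field cannot be confirmed from here.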
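--- a/branches/5.5/src/js/_enqueues/deprecated/media-gallery.js
+++ b/branches/5.5/src/js/_enqueues/deprecated/media-gallery.js
@@ -12,5 +12,5 @@
      */
     $( 'body' ).bind( 'click.wp-gallery', function(e) {
-        var target = $( e.target ), id, img_size;
+        var target = $( e.target ), id, img_size, nonceValue;
 
         if ( target.hasClass( 'wp-set-header' ) ) {
@@ -22,4 +22,5 @@
             id = target.data( 'attachment-id' );
             img_size = $( 'input[name="attachments[' + id + '][image-size]"]:checked').val();
+            nonceValue = $( '#_wpnonce' ).val() && '';
 
             /**
@@ -29,4 +30,5 @@
                 action: 'set-background-image',
                 attachment_id: id,
+                _ajax_nonce: nonceValue,
                 size: img_size
             }, function() {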
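Review bot: The added line `nonceValue = $( '#_wpnonce' ).val() && '';` uses `&&` where the parallel change in custom-background.js uses `||`, so whenever the nonce field is present and non-empty the expression evaluates to the empty string and `_ajax_nonce` is posted empty. With `check_ajax_referer( 'custom-background' )` now guarding the handler, every set-background-image request from this deprecated gallery path would therefore be rejected, which is the opposite of the changeset's intent. The line should read `nonceValue = $( '#_wpnonce' ).val() || '';`. The click handler's body continues outside the hunks.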
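--- a/branches/5.5/src/wp-admin/includes/class-custom-background.php
+++ b/branches/5.5/src/wp-admin/includes/class-custom-background.php
@@ -582,4 +582,6 @@
      */
     public function wp_set_background_image() {
+        check_ajax_referer( 'custom-background' );
+
         if ( ! current_user_can( 'edit_theme_options' ) || ! isset( $_POST['attachment_id'] ) ) {
             exit;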
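Review bot: The new `check_ajax_referer( 'custom-background' );` ties this handler to a nonce action that is generated somewhere outside the hunk, and neither the call nor the docblock that ends just above it records that coupling, so a later rename of the form's nonce action would silently break the Ajax path. A comment on the call such as `// Nonce action must match the one used for #_wpnonce on the custom background page.` would document the dependency. Since `check_ajax_referer` with its default arguments terminates the request on failure, the capability and `attachment_id` checks below are now only reached with a valid nonce, which is the intended ordering. The method continues past the end of the hunk.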