From 586484d120a69bb88e21fbd843a51d14696d88cb Mon Sep 17 00:00:00 2001
From: Aaron Jorbin <jorbin@git.wordpress.org>
Date: Wed, 30 Mar 2016 18:40:18 +0000
Subject: [PATCH] Add Nonce to updating wporg_favorites user meta field

Merges [37145] to the 4.4 branch

git-svn-id: https://develop.svn.wordpress.org/branches/4.4@37146 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/ajax-actions.php | 8 +++++---
 .../includes/class-wp-plugin-install-list-table.php | 9 +++++++--
 src/wp-admin/includes/plugin-install.php | 4 +++-
 src/wp-admin/js/theme.js | 2 ++
 src/wp-admin/theme-install.php | 10 ++++++++--
 5 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index 4da1878051..253ba5113a 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -2752,14 +2752,14 @@ function wp_ajax_get_revision_diffs() {
 require ABSPATH . 'wp-admin/includes/revision.php';
 
 if ( ! $post = get_post( (int) $_REQUEST['post_id'] ) )
- wp_send_json_error();
+ wp_send_json_error(111);
 
 if ( ! current_user_can( 'read_post', $post->ID ) )
- wp_send_json_error();
+ wp_send_json_error(222);
 
 // Really just pre-loading the cache here.
 if ( ! $revisions = wp_get_post_revisions( $post->ID, array( 'check_enabled' => false ) ) )
- wp_send_json_error();
+ wp_send_json_error(333);
 
 $return = array();
 @set_time_limit( 0 );
@@ -3310,6 +3310,8 @@ function wp_ajax_save_wporg_username() {
 wp_send_json_error();
 }
 
+ check_ajax_referer( 'save_wporg_username_' . get_current_user_id() );
+
 $username = isset( $_REQUEST['username'] ) ? wp_unslash( $_REQUEST['username'] ) : false;
 
 if ( ! $username ) {
diff --git a/src/wp-admin/includes/class-wp-plugin-install-list-table.php b/src/wp-admin/includes/class-wp-plugin-install-list-table.php
index ba8445c1bd..1d0f6c9c20 100644
--- a/src/wp-admin/includes/class-wp-plugin-install-list-table.php
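Review bot: The three `wp_send_json_error(111)` / `(222)` / `(333)` lines in wp_ajax_get_revision_diffs() are unrelated to the nonce work named in the subject and look like leftover debugging output: the bare integers are undocumented, follow no convention visible elsewhere in the patch, and change the JSON `data` value this endpoint returns. They also make the failure response distinguish a missing post (111) from one the current user may not read (222), which lets anyone who can reach this admin-ajax action probe whether a given post ID exists, something the uniform `wp_send_json_error()` did not reveal. I would revert the three lines to `wp_send_json_error();`, or, if distinct codes are wanted, use named string codes with a comment explaining them and keep the missing and forbidden responses identical. The function's signature is only in the hunk header; its body continues past the hunk.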
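Review bot: The new `check_ajax_referer( 'save_wporg_username_' . get_current_user_id() );` keeps the default `$die = true`, so a missing or stale nonce ends the request through wp_die() with a bare `-1` body, while the `wp_send_json_error();` two lines above it and the rest of this handler answer in JSON; the caller in theme.js then has to cope with two failure shapes from one endpoint. A consistent form is `if ( ! check_ajax_referer( 'save_wporg_username_' . get_current_user_id(), false, false ) ) {` followed by `wp_send_json_error();` and `}`. Checking the nonce after the capability test is fine, since an unprivileged caller is rejected without the nonce being consulted. wp_ajax_save_wporg_username() starts and ends outside this hunk.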
+++ b/src/wp-admin/includes/class-wp-plugin-install-list-table.php
@@ -170,8 +170,13 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 break;
 
 case 'favorites':
- $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
- update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+ $action = 'save_wporg_username_' . get_current_user_id();
+ if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), $action ) ) {
+ $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+ update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+ } else {
+ $user = get_user_option( 'wporg_favorites' );
+ }
 if ( $user )
 $args['user'] = $user;
 else
diff --git a/src/wp-admin/includes/plugin-install.php b/src/wp-admin/includes/plugin-install.php
index bb450e12ef..4a1375d753 100644
--- a/src/wp-admin/includes/plugin-install.php
+++ b/src/wp-admin/includes/plugin-install.php
@@ -300,7 +300,8 @@ function install_plugins_upload() {
 *
 */
 function install_plugins_favorites_form() {
- $user = ! empty( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+ $user = get_user_option( 'wporg_favorites' );
+ $action = 'save_wporg_username_' . get_current_user_id();
 ?>
 <p class="install-help"><?php _e( 'If you have marked plugins as favorites on WordPress.org, you can browse them here.' ); ?></p>
 <form method="get">
@@ -309,6 +310,7 @@ function install_plugins_favorites_form() {
 <label for="user"><?php _e( 'Your WordPress.org username:' ); ?></label>
 <input type="search" id="user" name="user" value="<?php echo esc_attr( $user ); ?>" />
 <input type="submit" class="button" value="<?php esc_attr_e( 'Get Favorites' ); ?>" />
+ <input type="hidden" id="wporg-username-nonce" name="_wpnonce" value="<?php echo esc_attr( wp_create_nonce( $action ) ); ?>" />
 </p>
 </form>
 <?php
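Review bot: Inside the verified branch `$_GET['user']` is only unslashed before update_user_meta() persists it, so whatever string the request carries is stored and later reused as `$args['user']` for the API query; `sanitize_text_field( wp_unslash( $_GET['user'] ) )` (or `sanitize_user()`, if wordpress.org username rules apply) at that line would bound what is written. The same seven-line nonce-check-and-store block is repeated verbatim in theme-install.php (the `@@ -148,13` hunk), and the action string `'save_wporg_username_' . get_current_user_id()` is assembled in four places across this patch; one helper that builds the action and performs the verified update would keep the copies from drifting. The else branch intentionally discards the submitted value, and a comment such as `// Without a valid nonce, ignore the submitted username so a crafted link cannot overwrite the stored favorites user.` would make that explicit. The enclosing method starts and ends outside this hunk.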
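Review bot: install_plugins_favorites_form() now seeds `$user` from the stored `wporg_favorites` option only, so a submitted value presumably reappears in the field just after the list table's `favorites` case (elsewhere in this patch) has verified the nonce and saved it, but the docblock whose closing ` *` and ` */` lines open this hunk says nothing about this. I would add a line such as `* The username field is prefilled from the saved wporg_favorites user option; a submitted value is stored by WP_Plugin_Install_List_Table only when its nonce verifies.` The hidden nonce field that completes the round trip is added in the next hunk of this file.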
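Review bot: The added hidden `_wpnonce` input sits in a `<form method="get">`, so the nonce travels in the query string and lands in browser history, referrer headers and access logs; a WordPress nonce is user-bound, action-specific and expires, so the exposure is bounded, but the next reader will wonder why a CSRF token is in a GET form. A one-line comment on the input would settle it, e.g. `<?php // Verified by WP_Plugin_Install_List_Table when browse=favorites is loaded; the form is GET so the value rides along with the query. ?>`. The surrounding `<form>` opens and closes outside this hunk.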
diff --git a/src/wp-admin/js/theme.js b/src/wp-admin/js/theme.js
index 1a91279bac..f151743955 100644
--- a/src/wp-admin/js/theme.js
+++ b/src/wp-admin/js/theme.js
@@ -1520,6 +1520,7 @@ themes.view.Installer = themes.view.Appearance.extend({
 // Save the user's WordPress.org username and get his favorite themes.
 saveUsername: function ( event ) {
 var username = $( '#wporg-username-input' ).val(),
+ nonce = $( '#wporg-username-nonce' ).val(),
 request = { browse: 'favorites', user: username },
 that = this;
 
@@ -1534,6 +1535,7 @@ themes.view.Installer = themes.view.Appearance.extend({
 
 return wp.ajax.send( 'save-wporg-username', {
 data: {
+ _wpnonce: nonce,
 username: username
 },
 success: function () {
diff --git a/src/wp-admin/theme-install.php b/src/wp-admin/theme-install.php
index 289f3954c3..b99a40f693 100644
--- a/src/wp-admin/theme-install.php
+++ b/src/wp-admin/theme-install.php
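Review bot: `nonce = $( '#wporg-username-nonce' ).val()` is read once when saveUsername runs and posted as `_wpnonce` in the second hunk (`@@ -1534`), but neither hunk handles the request being rejected: with check_ajax_referer() at its default arguments the server ends a request carrying a missing or expired nonce through wp_die() rather than a JSON error, and the `wp.ajax.send` options shown define only `success`, so the user would see nothing happen. Adding an `error` callback next to `success` (or a `.fail()` on the returned promise) that reports the failure and lets the user retry would close that gap; whether such a handler already exists further down cannot be seen here, since saveUsername ends outside the hunk.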
@@ -148,13 +148,19 @@ include(ABSPATH . 'wp-admin/admin-header.php');
 
 <div class="favorites-form">
 <?php
- $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
- update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+ $action = 'save_wporg_username_' . get_current_user_id();
+ if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), $action ) ) {
+ $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+ update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+ } else {
+ $user = get_user_option( 'wporg_favorites' );
+ }
 ?>
 <p class="install-help"><?php _e( 'If you have marked themes as favorites on WordPress.org, you can browse them here.' ); ?></p>
 <p>
 <label for="user"><?php _e( 'Your WordPress.org username:' ); ?></label>
+ <input type="hidden" id="wporg-username-nonce" name="_wpnonce" value="<?php echo esc_attr( wp_create_nonce( $action ) ); ?>" />
 <input type="search" id="wporg-username-input" value="<?php echo esc_attr( $user ); ?>" />
 <input type="button" class="button button-secondary favorites-form-submit" value="<?php esc_attr_e( 'Get Favorites' ); ?>" />
 </p>