From 71a6ac9a0df2ccab14f6d42d895d12ae423e684d Mon Sep 17 00:00:00 2001
From: Nikolay Bachiyski
Date: Wed, 30 Mar 2016 18:30:40 +0000
Subject: [PATCH] Add nonce to AJAX action for script compression setting Merges [37143] to the 4.4 branch
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@37144 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/ajax-actions.php | 2 ++
 src/wp-admin/includes/template.php | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index 58734452f9..4da1878051 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -197,8 +197,10 @@ function wp_ajax_wp_compression_test() {
 echo $out;
 wp_die();
 } elseif ( 'no' == $_GET['test'] ) {
+ check_ajax_referer( 'update_can_compress_scripts' );
 update_site_option('can_compress_scripts', 0);
 } elseif ( 'yes' == $_GET['test'] ) {
+ check_ajax_referer( 'update_can_compress_scripts' );
 update_site_option('can_compress_scripts', 1);
 }
 }
diff --git a/src/wp-admin/includes/template.php b/src/wp-admin/includes/template.php
index e65c7d0f23..42a57eef16 100644
--- a/src/wp-admin/includes/template.php
+++ b/src/wp-admin/includes/template.php
@@ -1784,6 +1784,7 @@ function _media_states( $post ) {
 function compression_test() { ?>
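Review bot: The two added `check_ajax_referer( 'update_can_compress_scripts' )` calls in the `'no'` and `'yes'` branches of the ajax-actions.php hunk establish that the request was intended (CSRF protection), not that the caller is allowed to change a site-wide option, and `update_site_option()` runs as soon as the nonce passes. The start of `wp_ajax_wp_compression_test()` is outside this hunk, so confirm that a capability check runs before these branches; if it does not, add one such as `if ( ! current_user_can( 'manage_options' ) ) wp_die( -1 );`. The write is still triggered by a GET parameter, so the nonce travels in the query string and may be recorded in access logs. A short comment on the two branches, for example `// State-changing branch: nonce required.`, would make clear why the guard sits here and not on the branch above that echoes `$out`.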