From a8e8ed65500a46ff8a27b8918785153d66b5e47a Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Tue, 5 Aug 2014 06:49:22 +0000
Subject: [PATCH] Verify the MAC earlier in WP_Customize_Widgets.

props duck_.

git-svn-id: https://develop.svn.wordpress.org/trunk@29377 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../class-wp-customize-widgets.php | 29 +++++++++----------
 1 file changed, 14 insertions(+), 15 deletions(-)

diff --git a/src/wp-includes/class-wp-customize-widgets.php b/src/wp-includes/class-wp-customize-widgets.php
index 0875658b44..3634dabbf0 100644
--- a/src/wp-includes/class-wp-customize-widgets.php
+++ b/src/wp-includes/class-wp-customize-widgets.php
@@ -1150,21 +1150,19 @@ final class WP_Customize_Widgets {
 }
 /**
- * Get a widget instance's hash key.
+ * Get MAC for a serialized widget instance string.
 *
- * Serialize an instance and hash it with the AUTH_KEY; when a JS value is
- * posted back to save, this instance hash key is used to ensure that the
- * serialized_instance was not tampered with, but that it had originated
- * from WordPress and so is sanitized.
+ * Allows values posted back from JS to be rejected if any tampering of the
+ * data has occurred.
 *
 * @since 3.9.0
 * @access protected
 *
- * @param array $instance Widget instance.
- * @return string Widget instance's hash key.
+ * @param string $serialized_instance Widget instance.
+ * @return string MAC for serialized widget instance.
 */
- protected function get_instance_hash_key( $instance ) {
- return wp_hash( serialize( $instance ) );
+ protected function get_instance_hash_key( $serialized_instance ) {
+ return wp_hash( $serialized_instance );
 }
 /**
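Review bot: The new `@param` line still describes `$serialized_instance` as `Widget instance.` although the parameter is now the already-serialized string, so the docblock contradicts the signature it sits above; change it to `@param string $serialized_instance Serialized widget instance.` The method name `get_instance_hash_key` no longer does any serializing itself, which is worth one line above the `wp_hash()` call so callers know they must hand in the exact bytes that will later be base64-decoded and checked, e.g. `// Hash the caller's serialized bytes as-is; the same bytes are verified before unserialize().` The removed text stated the hash is keyed with `AUTH_KEY`; the new summary calls the result a MAC, which presumably relies on `wp_hash()` staying keyed with a secret — a short note to that effect would keep the security property visible in the docblock.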
@@ -1192,18 +1190,19 @@ final class WP_Customize_Widgets {
 }
 $decoded = base64_decode( $value['encoded_serialized_instance'], true );
-
 if ( false === $decoded ) {
 return null;
 }
- $instance = unserialize( $decoded );
+ if ( $this->get_instance_hash_key( $decoded ) !== $value['instance_hash_key'] ) {
+ return null;
+ }
+
+ $instance = unserialize( $decoded );
 if ( false === $instance ) {
 return null;
 }
- if ( $this->get_instance_hash_key( $instance ) !== $value['instance_hash_key'] ) {
- return null;
- }
+
 return $instance;
 }
@@ -1224,7 +1223,7 @@ final class WP_Customize_Widgets {
 'encoded_serialized_instance' => base64_encode( $serialized ),
 'title' => empty( $value['title'] ) ? '' : $value['title'],
 'is_widget_customizer_js_value' => true,
- 'instance_hash_key' => $this->get_instance_hash_key( $value ),
+ 'instance_hash_key' => $this->get_instance_hash_key( $serialized ),
 );
 }
 return $value;
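Review bot: The MAC check now placed ahead of `unserialize()` compares the two strings with `!==`, which returns on the first differing byte and so leaks comparison timing; a constant-time comparison such as `if ( ! hash_equals( $this->get_instance_hash_key( $decoded ), $value['instance_hash_key'] ) ) {` closes that side channel. `hash_equals()` is native from PHP 5.6, so if the project's minimum version is lower it would need the project's compatibility shim, if one exists. The line also assumes `$value['instance_hash_key']` is present and a string; the validation at the top of this function lies outside the hunk, so if it does not guarantee that, an absent key should be rejected explicitly rather than failing through a notice. Doing the MAC check before `unserialize()` is the correct order, since unserializing unverified bytes is exactly what the MAC exists to prevent.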