From b343d482215025aa7da34c71219796361b9b4f7e Mon Sep 17 00:00:00 2001
From: Andrew Ozz
Date: Wed, 13 Aug 2014 02:46:18 +0000
Subject: [PATCH] Fix the `wp-settings-*` cookies used in getUserSetting()/setUserSetting().
They should be set without `COOKIE_DOMAIN` to work properly for sub-domains.
Fixes #29095.
git-svn-id: https://develop.svn.wordpress.org/trunk@29478 602fd350-edb4-49c9-b593-d223f7449a82
---
src/wp-includes/js/utils.js | 34 +++++++------------------------
src/wp-includes/option.php | 31 +++++++++++++--------------
src/wp-includes/script-loader.php | 3 ++-
3 files changed, 23 insertions(+), 45 deletions(-)
diff --git a/src/wp-includes/js/utils.js b/src/wp-includes/js/utils.js
index 29acaead81..d7d8f0187f 100644
--- a/src/wp-includes/js/utils.js
+++ b/src/wp-includes/js/utils.js
@@ -128,8 +128,8 @@ var wpCookies = {
 *
 * This is done by setting it to an empty value and setting the expiration time in the past.
 */
- remove: function( name, path ) {
- this.set( name, '', -1000, path );
+ remove: function( name, path, domain, secure ) {
+ this.set( name, '', -1000, path, domain, secure );
 }
 };
@@ -157,9 +157,9 @@ function setUserSetting( name, value, _del ) {
 }
 var uid = userSettings.uid,
- oldUid = uid.lastIndexOf('-') > 0 ? uid.substring( 0, uid.lastIndexOf('-') ) : 0,
 settings = wpCookies.getHash( 'wp-settings-' + uid ),
- path = userSettings.url;
+ path = userSettings.url,
+ secure = !! userSettings.secure;
 name = name.toString().replace( /[^A-Za-z0-9_]/, '' );
@@ -169,17 +169,6 @@ function setUserSetting( name, value, _del ) {
 value = value.toString().replace( /[^A-Za-z0-9_]/, '' );
 }
- if ( oldUid ) {
- if ( ! settings ) {
- settings = wpCookies.getHash( 'wp-settings-' + oldUid );
- }
- // Delete old cookies
- if ( wpCookies.get( 'wp-settings-time-' + oldUid ) ) {
- wpCookies.remove( 'wp-settings-' + oldUid, path );
- wpCookies.remove( 'wp-settings-time-' + oldUid, path );
- }
- }
 settings = settings || {};
 if ( _del ) {
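Review bot: The doc block directly above `remove` (its first lines are outside this hunk) still describes only `name` and `path`, so the two parameters added here are undocumented even though they decide which cookie the browser actually expires — a removal only takes effect on a cookie whose name, path and domain match the ones it was set with. I would add `@param {string} [domain] Domain the cookie was set with; '' for a host-only cookie.` and `@param {boolean} [secure] Secure flag the cookie was set with.` to that block. Whether `this.set()` takes `domain` and `secure` as its fifth and sixth positional arguments is not visible in this hunk and should be confirmed against the `set` definition above.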
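Review bot: With the `oldUid` block removed, this patch no longer contains any caller of `wpCookies.remove()`, so `wp-settings-<uid>-<blogid>` and `wp-settings-time-<uid>-<blogid>` cookies written by earlier releases are left in browsers until their 31536000-second expiry instead of being cleared. They no longer collide with the new names, so the read path is unaffected, but the stale pair is presumably still sent with every request for up to a year. If a one-time cleanup is wanted, the `remove( name, path, domain, secure )` signature extended in the first hunk is the hook for it; note that the PHP side wrote the old cookies with `COOKIE_DOMAIN`, which this script cannot see, so a host-only `remove()` would not have matched them anyway — a short comment recording that limitation where the cleanup used to live would save the next reader the investigation. `setUserSetting` begins before this hunk.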
@@ -188,8 +177,8 @@ function setUserSetting( name, value, _del ) {
 settings[name] = value;
 }
- wpCookies.setHash( 'wp-settings-' + uid, settings, 31536000, path );
- wpCookies.set( 'wp-settings-time-' + uid, userSettings.time, 31536000, path );
+ wpCookies.setHash( 'wp-settings-' + uid, settings, 31536000, path, '', secure );
+ wpCookies.set( 'wp-settings-time-' + uid, userSettings.time, 31536000, path, '', secure );
 return name;
 }
@@ -204,14 +193,5 @@ function getAllUserSettings() {
 return {};
 }
- var uid = userSettings.uid,
- settings = wpCookies.getHash( 'wp-settings-' + uid );
-
- // Try the old format cookie
- if ( ! settings && uid.lastIndexOf('-') > 0 ) {
- uid = uid.substring( 0, uid.lastIndexOf('-') );
- settings = wpCookies.getHash( 'wp-settings-' + uid );
- }
-
- return settings || {};
+ return wpCookies.getHash( 'wp-settings-' + userSettings.uid ) || {};
 }
diff --git a/src/wp-includes/option.php b/src/wp-includes/option.php
index bbbfef83bd..c6417dbead 100644
--- a/src/wp-includes/option.php
+++ b/src/wp-includes/option.php
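Review bot: The empty-string domain argument on both the `setHash` and `set` calls is the point of the change — a host-only cookie — but it reads like a forgotten placeholder, so I would add `// Host-only cookie (no Domain attribute), matching the null domain option.php passes to setcookie().` above the first call. Because a cookie carrying a Domain attribute and a host-only cookie of the same name are distinct cookies, the two sides must keep agreeing on this or the browser will hold both and the server may read the stale one. `secure` is a real boolean here thanks to the `!!` in the declaration hunk, so `set()` receives true/false rather than the localized string. `setUserSetting` begins before this hunk.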
@@ -726,17 +726,16 @@ function wp_user_settings() {
 }
 $settings = (string) get_user_option( 'user-settings', $user_id );
- $uid = $user_id . '-' . get_current_blog_id();
- if ( isset( $_COOKIE['wp-settings-' . $uid] ) ) {
- $cookie = preg_replace( '/[^A-Za-z0-9=&_]/', '', $_COOKIE['wp-settings-' . $uid] );
+ if ( isset( $_COOKIE['wp-settings-' . $user_id] ) ) {
+ $cookie = preg_replace( '/[^A-Za-z0-9=&_]/', '', $_COOKIE['wp-settings-' . $user_id] );
 // No change or both empty
 if ( $cookie == $settings ) return;
 $last_saved = (int) get_user_option( 'user-settings-time', $user_id );
- $current = isset( $_COOKIE['wp-settings-time-' . $uid]) ? preg_replace( '/[^0-9]/', '', $_COOKIE['wp-settings-time-' . $uid] ) : 0;
+ $current = isset( $_COOKIE['wp-settings-time-' . $user_id]) ? preg_replace( '/[^0-9]/', '', $_COOKIE['wp-settings-time-' . $user_id] ) : 0;
 // The cookie is newer than the saved value. Update the user_option and leave the cookie as-is
 if ( $current > $last_saved ) {
@@ -748,9 +747,9 @@ function wp_user_settings() {
 // The cookie is not set in the current browser or the saved value is newer.
 $secure = ( 'https' === parse_url( site_url(), PHP_URL_SCHEME ) );
- setcookie( 'wp-settings-' . $uid, $settings, time() + YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
- setcookie( 'wp-settings-time-' . $uid, time(), time() + YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
- $_COOKIE['wp-settings-' . $uid] = $settings;
+ setcookie( 'wp-settings-' . $user_id, $settings, time() + YEAR_IN_SECONDS, SITECOOKIEPATH, null, $secure );
+ setcookie( 'wp-settings-time-' . $user_id, time(), time() + YEAR_IN_SECONDS, SITECOOKIEPATH, null, $secure );
+ $_COOKIE['wp-settings-' . $user_id] = $settings;
 }
 /**
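Review bot: The rewritten `$current` line still yields a digit-only string (or the int 0) that is then compared with the `(int) $last_saved` on the line above it; PHP compares a numeric string with an int numerically, and an empty string after filtering compares as not-greater in both the old and new engines, so this is not wrong, but the asymmetry makes the reader work it out each time. Casting the filtered value, `$current = isset( $_COOKIE['wp-settings-time-' . $user_id] ) ? (int) preg_replace( '/[^0-9]/', '', $_COOKIE['wp-settings-time-' . $user_id] ) : 0;`, makes both operands integers and documents that the cookie value is only ever treated as a timestamp. `wp_user_settings()` begins before this hunk.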
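Review bot: Both rewritten `setcookie()` calls leave the httponly flag at its default, which is required here because utils.js reads and writes the `wp-settings-*` cookies in the browser, but nothing in the code says so and a later hardening pass could easily add the flag and silently break the JS. I would add `// Deliberately not httponly: utils.js reads and writes these cookies client-side; domain is null so the cookie is host-only, matching the '' domain utils.js uses.` above the first call. The `null` domain must stay in step with the JS side, since a cookie set with a Domain attribute and a host-only cookie of the same name are separate cookies and the browser would send both; `delete_all_user_settings()` later in this file expires with neither domain nor `$secure`, which still matches the host-only cookie because the Secure flag is not part of a cookie's identity.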
@@ -846,20 +845,19 @@ function get_all_user_settings() {
 }
 $user_settings = array();
- $uid = $user_id . '-' . get_current_blog_id();
- if ( isset( $_COOKIE['wp-settings-' . $uid] ) ) {
- $cookie = preg_replace( '/[^A-Za-z0-9=&_]/', '', $_COOKIE['wp-settings-' . $uid] );
- } elseif ( isset( $_COOKIE['wp-settings-' . $user_id] ) ) {
+ if ( isset( $_COOKIE['wp-settings-' . $user_id] ) ) {
 $cookie = preg_replace( '/[^A-Za-z0-9=&_]/', '', $_COOKIE['wp-settings-' . $user_id] );
- }
- if ( ! empty( $cookie ) && strpos( $cookie, '=' ) ) { // '=' cannot be 1st char
- parse_str( $cookie, $user_settings );
+ if ( strpos( $cookie, '=' ) ) { // '=' cannot be 1st char
+ parse_str( $cookie, $user_settings );
+ }
 } else {
 $option = get_user_option( 'user-settings', $user_id );
- if ( $option && is_string( $option ) )
+
+ if ( $option && is_string( $option ) ) {
 parse_str( $option, $user_settings );
+ }
 }
 $_updated_user_settings = $user_settings;
@@ -914,9 +912,8 @@ function delete_all_user_settings() {
 return;
 }
- $uid = $user_id . '-' . get_current_blog_id();
 update_user_option( $user_id, 'user-settings', '', false );
- setcookie( 'wp-settings-' . $uid, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );
+ setcookie( 'wp-settings-' . $user_id, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );
 }
 /**
diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
index 393ff6f421..49308afc50 100644
--- a/src/wp-includes/script-loader.php
+++ b/src/wp-includes/script-loader.php
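Review bot: The rewritten branch no longer falls back to the stored `user-settings` option when the cookie is present but holds no `=`: before, `! empty( $cookie ) && strpos( $cookie, '=' )` failing sent that case into the `else`, whereas now `$user_settings` simply stays empty. That may well be intended — a cookie the browser sent, even an empty one, is its current state, and `wp_user_settings()` treats a newer cookie as authoritative — but it is a silent behaviour change riding on a rename, so it deserves a comment such as `// A cookie that was sent is authoritative even when it parses to nothing; the DB option is only consulted when no cookie arrived.` The `preg_replace()` character class is what keeps `parse_str()` safe here, so that line should stay immediately before the parse rather than drift apart from it in later edits. `get_all_user_settings()` begins before this hunk.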
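Review bot: `delete_all_user_settings()` expires only `wp-settings-<id>`; the companion `wp-settings-time-<id>` that `wp_user_settings()` writes alongside it is left in the browser, and this deletion also omits the `$secure` flag the setter passes. Expiring both keeps the pair consistent: `setcookie( 'wp-settings-time-' . $user_id, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );` directly after the existing call. This appears to be consistency rather than a functional gap, since the setter treats a missing settings cookie as "not set" and rewrites both, but the stale timestamp cookie is otherwise sent for up to a year. `delete_all_user_settings()` begins before this hunk.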
@@ -72,8 +72,9 @@ function wp_default_scripts( &$scripts ) {
 $scripts->add( 'utils', "/wp-includes/js/utils$suffix.js" );
 did_action( 'init' ) && $scripts->localize( 'utils', 'userSettings', array(
 'url' => (string) SITECOOKIEPATH,
- 'uid' => get_current_user_id() . '-' . get_current_blog_id(),
+ 'uid' => (string) get_current_user_id(),
 'time' => (string) time(),
+ 'secure' => (string) ( 'https' === parse_url( site_url(), PHP_URL_SCHEME ) ),
 ) );
 $scripts->add( 'common', "/wp-admin/js/common$suffix.js", array('jquery', 'hoverIntent', 'utils'), false, 1 );
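Review bot: The new `'secure'` entry relies on PHP casting `false` to `''` and `true` to `'1'`, which is exactly what makes `!! userSettings.secure` in utils.js come out right; any other encoding (`'0'`, `'false'`) would be truthy in JS and would flip the cookie's Secure flag on, so the contract deserves a comment: `// Cast yields '' or '1'; utils.js coerces with !!, so never send '0'/'false' here.` The value is also derived from the `site_url()` scheme rather than the current request, mirroring the `$secure` computation in option.php, so on a site whose site_url is http but whose admin is served over https the settings cookie is written without Secure by both sides; that is a low-sensitivity cookie, but the two computations must stay identical or the PHP- and JS-written cookies will differ. `wp_default_scripts()` begins before this hunk.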