sergiotarxz/Wordpress
sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Customize: Igore invalid customization sessions.

Browse Source 
git-svn-id: https://develop.svn.wordpress.org/trunk@40704 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Dominik Schilling (ocean90) 2017-05-16 12:06:32 +00:00
parent 1a25b3f43e
commit eedf5b2a60
3 changed files with 29 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/wp-admin/customize.php
View File

@ -155,7 +155,7 @@ do_action( 'customize_controls_print_scripts' );
<div id="customize-info" class="accordion-section customize-info"> <div id="customize-info" class="accordion-section customize-info">
<div class="accordion-section-title"> <div class="accordion-section-title">
<span class="preview-notice"><?php <span class="preview-notice"><?php
echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name' ) . '</strong>' ); echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name', 'display' ) . '</strong>' );
?></span> ?></span>
<button type="button" class="customize-help-toggle dashicons dashicons-editor-help" aria-expanded="false"><span class="screen-reader-text"><?php _e( 'Help' ); ?></span></button> <button type="button" class="customize-help-toggle dashicons dashicons-editor-help" aria-expanded="false"><span class="screen-reader-text"><?php _e( 'Help' ); ?></span></button>
</div> </div>

10
src/wp-admin/js/customize-controls.js
View File

@ -4580,6 +4580,16 @@
} }
}); });
// Ensure preview nonce is included with every customized request, to allow post data to be read.
$.ajaxPrefilter( function injectPreviewNonce( options ) {
if ( ! /wp_customize=on/.test( options.data ) ) {
return;
}
options.data += '&' + $.param({
customize_preview_nonce: api.settings.nonce.preview
});
});
// Refresh the nonces if the preview sends updated nonces over. // Refresh the nonces if the preview sends updated nonces over.
api.previewer.bind( 'nonce', function( nonce ) { api.previewer.bind( 'nonce', function( nonce ) {
$.extend( this.nonce, nonce ); $.extend( this.nonce, nonce );

18
src/wp-includes/class-wp-customize-manager.php
View File

@ -486,6 +486,24 @@ final class WP_Customize_Manager {
$this->wp_die( -1, __( 'Invalid changeset UUID' ) ); $this->wp_die( -1, __( 'Invalid changeset UUID' ) );
} }
/*
* Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
* application will inject the customize_preview_nonce query parameter into all Ajax requests.
* For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
* a user when a valid nonce isn't present.
*/
$has_post_data_nonce = (
check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
||
check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
||
check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
);
if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) {
unset( $_POST['customized'] );
unset( $_REQUEST['customized'] );
}
/* /*
* If unauthenticated then require a valid changeset UUID to load the preview. * If unauthenticated then require a valid changeset UUID to load the preview.
* In this way, the UUID serves as a secret key. If the messenger channel is present, * In this way, the UUID serves as a secret key. If the messenger channel is present,