Customize: Igore invalid customization sessions.

Built from https://develop.svn.wordpress.org/trunk@40704 git-svn-id: http://core.svn.wordpress.org/trunk@40567 1a063a9b-81f0-0310-95a4-ce76da25c4cd
WordPress · May 16, 2017 · 3d10fef · 3d10fef
1 parent 3d95e3a
commit 3d10fef
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 4 deletions.
diff --git a/wp-admin/customize.php b/wp-admin/customize.php
@@ -155,7 +155,7 @@
 			<div id="customize-info" class="accordion-section customize-info">
 				<div class="accordion-section-title">
 					<span class="preview-notice"><?php
-						echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name' ) . '</strong>' );
+						echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name', 'display' ) . '</strong>' );
 					?></span>
 					<button type="button" class="customize-help-toggle dashicons dashicons-editor-help" aria-expanded="false"><span class="screen-reader-text"><?php _e( 'Help' ); ?></span></button>
 				</div>

diff --git a/wp-admin/js/customize-controls.js b/wp-admin/js/customize-controls.js
@@ -4580,6 +4580,16 @@
 			}
 		});
 
+		// Ensure preview nonce is included with every customized request, to allow post data to be read.
+		$.ajaxPrefilter( function injectPreviewNonce( options ) {
+			if ( ! /wp_customize=on/.test( options.data ) ) {
+				return;
+			}
+			options.data += '&' + $.param({
+				customize_preview_nonce: api.settings.nonce.preview
+			});
+		});
+
 		// Refresh the nonces if the preview sends updated nonces over.
 		api.previewer.bind( 'nonce', function( nonce ) {
 			$.extend( this.nonce, nonce );

diff --git a/wp-admin/js/customize-controls.min.js b/wp-admin/js/customize-controls.min.js
diff --git a/wp-includes/class-wp-customize-manager.php b/wp-includes/class-wp-customize-manager.php
@@ -486,6 +486,24 @@ public function setup_theme() {
 			$this->wp_die( -1, __( 'Invalid changeset UUID' ) );
 		}
 
+		/*
+		 * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
+		 * application will inject the customize_preview_nonce query parameter into all Ajax requests.
+		 * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
+		 * a user when a valid nonce isn't present.
+		 */
+		$has_post_data_nonce = (
+			check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
+			||
+			check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
+			||
+			check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
+		);
+		if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) {
+			unset( $_POST['customized'] );
+			unset( $_REQUEST['customized'] );
+		}
+
 		/*
 		 * If unauthenticated then require a valid changeset UUID to load the preview.
 		 * In this way, the UUID serves as a secret key. If the messenger channel is present,

diff --git a/wp-includes/version.php b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.8-beta1-40692';
+$wp_version = '4.8-beta1-40704';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.