
Commit 3d10fef

committed
Customize: Ignore invalid customization sessions.
Built from https://develop.svn.wordpress.org/trunk@40704 git-svn-id: http://core.svn.wordpress.org/trunk@40567 1a063a9b-81f0-0310-95a4-ce76da25c4cd
1 parent 3d95e3a commit 3d10fef


5 files changed

+32
-4
lines changed


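--- a/wp-admin/customize.php
+++ b/wp-admin/customize.php
@@ -155,7 +155,7 @@
 <div id="customize-info" class="accordion-section customize-info">
 <div class="accordion-section-title">
 <span class="preview-notice"><?php
-echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name' ) . '</strong>' );
+echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name', 'display' ) . '</strong>' );
 ?></span>
 <button type="button" class="customize-help-toggle dashicons dashicons-editor-help" aria-expanded="false"><span class="screen-reader-text"><?php _e( 'Help' ); ?></span></button>
 </div>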

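--- a/wp-admin/js/customize-controls.js
+++ b/wp-admin/js/customize-controls.js
@@ -4580,6 +4580,16 @@
 }
 });
 
+// Ensure preview nonce is included with every customized request, to allow post data to be read.
+$.ajaxPrefilter( function injectPreviewNonce( options ) {
+if ( ! /wp_customize=on/.test( options.data ) ) {
+return;
+}
+options.data += '&' + $.param({
+customize_preview_nonce: api.settings.nonce.preview
+});
+});
+
 // Refresh the nonces if the preview sends updated nonces over.
 api.previewer.bind( 'nonce', function( nonce ) {
 $.extend( this.nonce, nonce );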
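Review bot: `injectPreviewNonce` treats `options.data` as a string on both the regex test and the `+=` append, but nothing in the hunk checks that; a request sent with `processData: false` (a `FormData` body, for instance) reaches the prefilter with a non-string `data`, and while the regex would then coerce it and most likely not match, the assumption should be explicit rather than incidental. A guard such as `if ( typeof options.data !== 'string' || ! /wp_customize=on/.test( options.data ) ) {` makes the skip deliberate and keeps the append from ever producing `[object ...]&customize_preview_nonce=...`. The nonce is read from `api.settings.nonce.preview` at request time while the handler below refreshes `this.nonce` on the previewer; if those are not the same object, a refreshed nonce would not reach this prefilter — worth confirming, as the hunk does not show how `previewer.nonce` is initialised. A comment noting that the regex is a substring match against the serialized body (not the URL) would also help the next reader.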

Diff for: wp-admin/js/customize-controls.min.js

+2-2

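--- a/wp-includes/class-wp-customize-manager.php
+++ b/wp-includes/class-wp-customize-manager.php
@@ -486,6 +486,24 @@ public function setup_theme() {
 $this->wp_die( -1, __( 'Invalid changeset UUID' ) );
 }
 
+/*
+* Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
+* application will inject the customize_preview_nonce query parameter into all Ajax requests.
+* For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
+* a user when a valid nonce isn't present.
+*/
+$has_post_data_nonce = (
+check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
+||
+check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
+||
+check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
+);
+if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) {
+unset( $_POST['customized'] );
+unset( $_REQUEST['customized'] );
+}
+
 /*
 * If unauthenticated then require a valid changeset UUID to load the preview.
 * In this way, the UUID serves as a secret key. If the messenger channel is present,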
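Review bot: The comment above the new guard describes only the missing-nonce case, but the condition also discards `customized` whenever the user lacks the `customize` capability, so a reader skimming the comment gets half the rule; I would open it with `* Clear incoming post data if the user lacks the customize capability or a valid CSRF token (nonce).` and keep the rest as written. The `unset` calls cover `$_POST` and `$_REQUEST` but not `$_GET`; if any consumer of `customized` elsewhere falls back to `$_GET`, that path would bypass this check — I cannot see the readers from this hunk, so this is worth confirming rather than a defect I can point to. It would also help to note in the comment that a missing nonce degrades to "no customized values" rather than an error, since that is a deliberate fail-closed choice that differs from the `wp_die` used for the invalid-UUID case just above. `setup_theme()` begins and ends outside the hunk.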

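--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.8-beta1-40692';
+$wp_version = '4.8-beta1-40704';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.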
