
Customize: Ignore invalid customization sessions.

Built from https://develop.svn.wordpress.org/trunk@40704


git-svn-id: http://core.svn.wordpress.org/trunk@40567 1a063a9b-81f0-0310-95a4-ce76da25c4cd
ocean90 committed May 16, 2017
1 parent 3d95e3a commit 3d10fef22d788f29aed745b0f5ff6f6baea69af3
@@ -155,7 +155,7 @@
<div id="customize-info" class="accordion-section customize-info">
<div class="accordion-section-title">
<span class="preview-notice"><?php
echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name' ) . '</strong>' );
echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name', 'display' ) . '</strong>' );
?></span>
<button type="button" class="customize-help-toggle dashicons dashicons-editor-help" aria-expanded="false"><span class="screen-reader-text"><?php _e( 'Help' ); ?></span></button>
</div>
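Review bot: On the new preview-notice line the escaping of the site name is implicit — it depends on whatever filters are hooked to get_bloginfo()'s 'display' path rather than on an explicit esc_html() at the point of output, so a reader of this template cannot tell from the line itself that the value is safe inside the <strong> element. A short comment above the echo would make that contract visible: `// 'display' runs the bloginfo filters, which are expected to HTML-escape the name before it is echoed.` As a point of style, `echo sprintf(` can be `printf(` with the same arguments. The surrounding markup is context and the enclosing template continues outside the hunk.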
@@ -4580,6 +4580,16 @@
}
});

// Ensure preview nonce is included with every customized request, to allow post data to be read.
$.ajaxPrefilter( function injectPreviewNonce( options ) {
if ( ! /wp_customize=on/.test( options.data ) ) {
return;
}
options.data += '&' + $.param({
customize_preview_nonce: api.settings.nonce.preview
});
});

// Refresh the nonces if the preview sends updated nonces over.
api.previewer.bind( 'nonce', function( nonce ) {
$.extend( this.nonce, nonce );
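Review bot: The prefilter in injectPreviewNonce assumes options.data is a string: the regex test coerces any other value (an object or FormData passed as data, or undefined) and silently skips, while a matching string is extended with `+=`, so a request that sends wp_customize=on as an object never receives the nonce and nothing signals that. It also runs for every jQuery request issued from the page regardless of destination, so the preview nonce is appended to any request whose body contains that substring; if jQuery has already set options.crossDomain when prefilters run, guarding on it would confine the nonce to same-origin requests. A combined guard could replace the current condition with `if ( options.crossDomain || 'string' !== typeof options.data || ! /wp_customize=on/.test( options.data ) ) {`. The api.previewer.bind( 'nonce' ) handler below is pre-existing context, and the enclosing function continues outside the hunk.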


@@ -486,6 +486,24 @@ public function setup_theme() {
$this->wp_die( -1, __( 'Invalid changeset UUID' ) );
}
/*
* Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
* application will inject the customize_preview_nonce query parameter into all Ajax requests.
* For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
* a user when a valid nonce isn't present.
*/
$has_post_data_nonce = (
check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
||
check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
||
check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
);
if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) {
unset( $_POST['customized'] );
unset( $_REQUEST['customized'] );
}
/*
* If unauthenticated then require a valid changeset UUID to load the preview.
* In this way, the UUID serves as a secret key. If the messenger channel is present,
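Review bot: The comment above $has_post_data_nonce explains only the nonce condition, but the `if` that follows also clears the data when the current user lacks the `customize` capability, and it clears only the `customized` key of $_POST/$_REQUEST; a reader has to reconstruct both facts from the code. Extending the comment with `* The data is also dropped when the user lacks the 'customize' capability; only the 'customized' key is cleared here.` would state the contract in one place. The three check_ajax_referer() calls are evaluated before current_user_can() and so run even for users who can never pass the capability test; wrapping them as `$has_post_data_nonce = current_user_can( 'customize' ) && ( ... )` avoids that, and since each call passes $die = false the observable result is the same. Whether other changeset-related request fields should be cleared alongside 'customized' cannot be judged from this hunk, and setup_theme() begins and ends outside it.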
@@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '4.8-beta1-40692';
$wp_version = '4.8-beta1-40704';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
