Merge tag '4.0-nonce-update' into develop

1.4.2 release for WordPress 4.0 compatibility

mailchimp.php

@@ -3,7 +3,7 @@
 Plugin Name: MailChimp
 Plugin URI: http://www.mailchimp.com/plugins/mailchimp-wordpress-plugin/
 Description: The MailChimp plugin allows you to quickly and easily add a signup form for your MailChimp list.
-Version: 1.4.1
+Version: 1.4.2
 Author: MailChimp and Crowd Favorite
 Author URI: http://mailchimp.com/api/
 */
@@ -25,7 +25,7 @@
 */
 
 // Version constant for easy CSS refreshes
-define('MCSF_VER', '1.4.1');
+define('MCSF_VER', '1.4.2');
 
 // What's our permission (capability) threshold
 define('MCSF_CAP_THRESHOLD', 'manage_options');
@@ -269,7 +269,7 @@ function mailchimpSF_main_css() {
 	ul.mc_list li {
 		font-size: 12px;
 	}
-	.ui-datepicker-year {
+	#ui-datepicker-div .ui-datepicker-year {
 		display: none;
 	}
 	#ui-datepicker-div.show .ui-datepicker-year {
@@ -352,7 +352,7 @@ function mailchimpSF_auth_nonce_key($salt = null) {
 	if (is_null($salt)) {
 		$salt = mailchimpSF_auth_nonce_salt();
 	}
-	return md5('social_authentication'.AUTH_KEY.$salt);
+	return 'social_authentication' . md5( AUTH_KEY . $salt );
 }
 
 function mailchimpSF_auth_nonce_salt() {
@@ -364,7 +364,8 @@ function mailchimpSF_authorize() {
 	$proxy = apply_filters('mailchimp_authorize_url', $api->getApiUrl('authorize'));
 	if (strpos($proxy, 'socialize-this') !== false) {
 		$salt = mailchimpSF_auth_nonce_salt();
-		$id = wp_create_nonce(mailchimpSF_auth_nonce_key($salt));
+		$id = mailchimpSF_create_nonce( mailchimpSF_auth_nonce_key( $salt ) );
+
 		$url = home_url('index.php');
 		$args = array(
 			'mcsf_action' => 'authorized',
@@ -393,7 +394,8 @@ function mailchimpSF_authorized() {
 
 	$nonce = stripslashes($_POST['id']);
 	$salt = stripslashes($_GET['salt']);
-	if (wp_verify_nonce($nonce, mailchimpSF_auth_nonce_key($salt)) === false) {
+
+	if (mailchimpSF_verify_nonce( $nonce, mailchimpSF_auth_nonce_key( $salt ) ) === false) {
 		wp_die('Cheatin’ huh?');
 	}
 
@@ -1520,4 +1522,70 @@ function mailchimpSF_where_am_i() {
 }
 
 
-?>
+/**
+ * MODIFIED VERSION of wp_verify_nonce from WP Core. Core was not overridden to prevent problems when replacing 
+ * something universally.
+ *
+ * Verify that correct nonce was used with time limit.
+ *
+ * The user is given an amount of time to use the token, so therefore, since the
+ * UID and $action remain the same, the independent variable is the time.
+ *
+ * @param string $nonce Nonce that was used in the form to verify
+ * @param string|int $action Should give context to what is taking place and be the same when nonce was created.
+ * @return bool Whether the nonce check passed or failed.
+ */
+function mailchimpSF_verify_nonce($nonce, $action = -1) {
+	$user = wp_get_current_user();
+	$uid = (int) $user->ID;
+	if ( ! $uid ) {
+		$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
+	}
+
+	if ( empty( $nonce ) ) {
+		return false;
+	}
+
+	$token = 'MAILCHIMP';
+	$i = wp_nonce_tick();
+
+	// Nonce generated 0-12 hours ago
+	$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 );
+	if ( hash_equals( $expected, $nonce ) ) {
+		return 1;
+	}
+
+	// Nonce generated 12-24 hours ago
+	$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
+	if ( hash_equals( $expected, $nonce ) ) {
+		return 2;
+	}
+
+	// Invalid nonce
+	return false;
+}
+
+
+/**
+ * MODIFIED VERSION of wp_create_nonce from WP Core. Core was not overridden to prevent problems when replacing 
+ * something universally.
+ *
+ * Creates a cryptographic token tied to a specific action, user, and window of time.
+ *
+ * @param string $action Scalar value to add context to the nonce.
+ * @return string The token.
+ */
+function mailchimpSF_create_nonce($action = -1) {
+	$user = wp_get_current_user();
+	$uid = (int) $user->ID;
+	if ( ! $uid ) {
+		/** This filter is documented in wp-includes/pluggable.php */
+		$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
+	}
+
+	$token = 'MAILCHIMP';
+	$i = wp_nonce_tick();
+
+	return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
+}
+

mailchimp_widget.php

@@ -270,7 +270,7 @@ function mailchimpSF_signup_form($args = array()) {
 	</form><!-- /mc_signup_form -->
 </div><!-- /mc_signup_container -->
 	<?php
-	if (!empty($before_widget)) {
+	if (!empty($after_widget)) {
 		echo $after_widget;
 	}
 }

readme.txt

@@ -2,8 +2,8 @@
 Contributors: crowdfavorite
 Tags: mailchimp, email, newsletter, signup, marketing, plugin, widget
 Requires at least: 2.8
-Tested up to: 3.7.1
-Stable tag: 1.4.1
+Tested up to: 4.0
+Stable tag: 1.4.2
 
 == Description ==
 
@@ -141,7 +141,11 @@ Maybe! Look in the /po/ directory in our plugin package and see if your language
 
 == Upgrade Notice ==
 
+= 1.4.2 =
+add customized wp_nonces functions for post-back behavior to fix 4.0 callbacks
 
+= 1.4.1 =
+Fix for checkbox weirdness on 3.8
 
 = 1.4 =
 Added Developer Mode "Kitchen Sink" to aid in styling without having to authenticate a MailChimp account.