Theme Editior: Base the nonce on a simpler combination of fields, for easier debugging & reading.
See #42609. Fixes #42705. Built from https://develop.svn.wordpress.org/trunk@42246 git-svn-id: http://core.svn.wordpress.org/trunk@42075 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
daacc37405
commit
271e08a26e
|
@ -414,8 +414,7 @@ function wp_edit_theme_plugin_file( $args ) {
|
||||||
return new WP_Error( 'non_existent_theme', __( 'The requested theme does not exist.' ) );
|
return new WP_Error( 'non_existent_theme', __( 'The requested theme does not exist.' ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
$real_file = $theme->get_stylesheet_directory() . '/' . $file;
|
if ( ! wp_verify_nonce( $args['nonce'], 'edit-theme_' . $stylesheet . '_' . $file ) ) {
|
||||||
if ( ! wp_verify_nonce( $args['nonce'], 'edit-theme_' . $real_file . $stylesheet ) ) {
|
|
||||||
return new WP_Error( 'nonce_failure' );
|
return new WP_Error( 'nonce_failure' );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -450,7 +449,10 @@ function wp_edit_theme_plugin_file( $args ) {
|
||||||
return new WP_Error( 'disallowed_theme_file', __( 'Sorry, that file cannot be edited.' ) );
|
return new WP_Error( 'disallowed_theme_file', __( 'Sorry, that file cannot be edited.' ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$real_file = $theme->get_stylesheet_directory() . '/' . $file;
|
||||||
|
|
||||||
$is_active = ( get_stylesheet() === $stylesheet || get_template() === $stylesheet );
|
$is_active = ( get_stylesheet() === $stylesheet || get_template() === $stylesheet );
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
return new WP_Error( 'missing_theme_or_plugin' );
|
return new WP_Error( 'missing_theme_or_plugin' );
|
||||||
}
|
}
|
||||||
|
|
|
@ -114,7 +114,7 @@ if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
|
||||||
$r = wp_edit_theme_plugin_file( wp_unslash( $_POST ) );
|
$r = wp_edit_theme_plugin_file( wp_unslash( $_POST ) );
|
||||||
if ( is_wp_error( $r ) ) {
|
if ( is_wp_error( $r ) ) {
|
||||||
$edit_error = $r;
|
$edit_error = $r;
|
||||||
if ( check_ajax_referer( 'edit-theme_' . $file . $stylesheet, 'nonce', false ) && isset( $_POST['newcontent'] ) ) {
|
if ( check_ajax_referer( 'edit-theme_' . $stylesheet . '_' . $relative_file, 'nonce', false ) && isset( $_POST['newcontent'] ) ) {
|
||||||
$posted_content = wp_unslash( $_POST['newcontent'] );
|
$posted_content = wp_unslash( $_POST['newcontent'] );
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
@ -255,7 +255,7 @@ if ( $theme->errors() )
|
||||||
echo '<div class="error"><p>' . __('Oops, no such file exists! Double check the name and try again, merci.') . '</p></div>';
|
echo '<div class="error"><p>' . __('Oops, no such file exists! Double check the name and try again, merci.') . '</p></div>';
|
||||||
else : ?>
|
else : ?>
|
||||||
<form name="template" id="template" action="theme-editor.php" method="post">
|
<form name="template" id="template" action="theme-editor.php" method="post">
|
||||||
<?php wp_nonce_field( 'edit-theme_' . $file . $stylesheet, 'nonce' ); ?>
|
<?php wp_nonce_field( 'edit-theme_' . $stylesheet . '_' . $relative_file, 'nonce' ); ?>
|
||||||
<div>
|
<div>
|
||||||
<label for="newcontent" id="theme-plugin-editor-label"><?php _e( 'Selected file content:' ); ?></label>
|
<label for="newcontent" id="theme-plugin-editor-label"><?php _e( 'Selected file content:' ); ?></label>
|
||||||
<textarea cols="70" rows="30" name="newcontent" id="newcontent" aria-describedby="editor-keyboard-trap-help-1 editor-keyboard-trap-help-2 editor-keyboard-trap-help-3 editor-keyboard-trap-help-4"><?php echo $content; ?></textarea>
|
<textarea cols="70" rows="30" name="newcontent" id="newcontent" aria-describedby="editor-keyboard-trap-help-1 editor-keyboard-trap-help-2 editor-keyboard-trap-help-3 editor-keyboard-trap-help-4"><?php echo $content; ?></textarea>
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
*
|
*
|
||||||
* @global string $wp_version
|
* @global string $wp_version
|
||||||
*/
|
*/
|
||||||
$wp_version = '5.0-alpha-42244';
|
$wp_version = '5.0-alpha-42246';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||||
|
|
Loading…
Reference in New Issue