Renew autosave nonce. Props andy. fixes #6266
git-svn-id: http://svn.automattic.com/wordpress/trunk@7375 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
ryan
parent
be4ff0a9dc
commit
34d67f9907
|
|
@ -460,7 +460,7 @@ case 'add-user' :
|
||||||
$x->send();
|
$x->send();
|
||||||
break;
|
break;
|
||||||
case 'autosave' : // The name of this action is hardcoded in edit_post()
|
case 'autosave' : // The name of this action is hardcoded in edit_post()
|
||||||
check_ajax_referer( 'autosave', 'autosavenonce' );
|
$nonce_age = check_ajax_referer( 'autosave', 'autosavenonce');
|
||||||
global $current_user;
|
global $current_user;
|
||||||
|
|
||||||
$_POST['post_status'] = 'draft';
|
$_POST['post_status'] = 'draft';
|
||||||
|
|
@ -520,6 +520,9 @@ case 'autosave' : // The name of this action is hardcoded in edit_post()
|
||||||
if ( $do_lock && $id && is_numeric($id) )
|
if ( $do_lock && $id && is_numeric($id) )
|
||||||
wp_set_post_lock( $id );
|
wp_set_post_lock( $id );
|
||||||
|
|
||||||
|
if ( $nonce_age == 2 )
|
||||||
|
$supplemental['replace-autosavenonce'] = wp_create_nonce('autosave');
|
||||||
|
|
||||||
$x = new WP_Ajax_Response( array(
|
$x = new WP_Ajax_Response( array(
|
||||||
'what' => 'autosave',
|
'what' => 'autosave',
|
||||||
'id' => $id,
|
'id' => $id,
|
||||||
|
|
|
||||||
|
|
@ -24,10 +24,17 @@ function autosave_saved(response) {
|
||||||
if ( res && res.responses && res.responses.length ) {
|
if ( res && res.responses && res.responses.length ) {
|
||||||
message = res.responses[0].data; // The saved message or error.
|
message = res.responses[0].data; // The saved message or error.
|
||||||
// someone else is editing: disable autosave, set errors
|
// someone else is editing: disable autosave, set errors
|
||||||
if ( res.responses[0].supplemental && 'disable' == res.responses[0].supplemental['disable_autosave'] ) {
|
if ( res.responses[0].supplemental ) {
|
||||||
|
if ( 'disable' == res.responses[0].supplemental['disable_autosave'] ) {
|
||||||
autosave = function() {};
|
autosave = function() {};
|
||||||
res = { errors: true };
|
res = { errors: true };
|
||||||
}
|
}
|
||||||
|
jQuery.each(res.responses[0].supplemental, function(selector, value) {
|
||||||
|
if ( selector.match(/^replace-/) ) {
|
||||||
|
jQuery('#'+selector.replace('replace-', '')).val(value);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
// if no errors: add preview link and slug UI
|
// if no errors: add preview link and slug UI
|
||||||
if ( !res.errors ) {
|
if ( !res.errors ) {
|
||||||
|
|
|
||||||
|
|
@ -624,15 +624,16 @@ if ( !function_exists('check_admin_referer') ) :
|
||||||
* @param string $action Action nonce
|
* @param string $action Action nonce
|
||||||
* @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
|
* @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
|
||||||
*/
|
*/
|
||||||
function check_admin_referer($action = -1, $query_arg = '_wpnonce' ) {
|
function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
|
||||||
$adminurl = strtolower(get_option('siteurl')).'/wp-admin';
|
$adminurl = strtolower(get_option('siteurl')).'/wp-admin';
|
||||||
$referer = strtolower(wp_get_referer());
|
$referer = strtolower(wp_get_referer());
|
||||||
if ( !wp_verify_nonce($_REQUEST[$query_arg], $action) &&
|
$result = wp_verify_nonce($_REQUEST[$query_arg], $action);
|
||||||
!(-1 == $action && strpos($referer, $adminurl) !== false)) {
|
if ( !$result && !(-1 == $action && strpos($referer, $adminurl) !== false) ) {
|
||||||
wp_nonce_ays($action);
|
wp_nonce_ays($action);
|
||||||
die();
|
die();
|
||||||
}
|
}
|
||||||
do_action('check_admin_referer', $action);
|
do_action('check_admin_referer', $action, $result);
|
||||||
|
return $result;
|
||||||
}endif;
|
}endif;
|
||||||
|
|
||||||
if ( !function_exists('check_ajax_referer') ) :
|
if ( !function_exists('check_ajax_referer') ) :
|
||||||
|
|
@ -644,16 +645,20 @@ if ( !function_exists('check_ajax_referer') ) :
|
||||||
* @param string $action Action nonce
|
* @param string $action Action nonce
|
||||||
* @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
|
* @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
|
||||||
*/
|
*/
|
||||||
function check_ajax_referer( $action = -1, $query_arg = false ) {
|
function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
|
||||||
if ( $query_arg )
|
if ( $query_arg )
|
||||||
$nonce = $_REQUEST[$query_arg];
|
$nonce = $_REQUEST[$query_arg];
|
||||||
else
|
else
|
||||||
$nonce = $_REQUEST['_ajax_nonce'] ? $_REQUEST['_ajax_nonce'] : $_REQUEST['_wpnonce'];
|
$nonce = $_REQUEST['_ajax_nonce'] ? $_REQUEST['_ajax_nonce'] : $_REQUEST['_wpnonce'];
|
||||||
|
|
||||||
if ( !wp_verify_nonce( $nonce, $action ) )
|
$result = wp_verify_nonce( $nonce, $action );
|
||||||
|
|
||||||
|
if ( $die && false == $result )
|
||||||
die('-1');
|
die('-1');
|
||||||
|
|
||||||
do_action('check_ajax_referer');
|
do_action('check_ajax_referer', $action, $result);
|
||||||
|
|
||||||
|
return $result;
|
||||||
}
|
}
|
||||||
endif;
|
endif;
|
||||||
|
|
||||||
|
|
@ -937,6 +942,23 @@ function wp_new_user_notification($user_id, $plaintext_pass = '') {
|
||||||
}
|
}
|
||||||
endif;
|
endif;
|
||||||
|
|
||||||
|
if ( !function_exists('wp_nonce_tick') ) :
|
||||||
|
/**
|
||||||
|
* wp_nonce_tick() - Get the time-dependent variable for nonce creation
|
||||||
|
*
|
||||||
|
* A nonce has a lifespan of two ticks. Nonces in their second tick may be updated, e.g. by autosave.
|
||||||
|
*
|
||||||
|
* @since 2.5
|
||||||
|
*
|
||||||
|
* @return int
|
||||||
|
*/
|
||||||
|
function wp_nonce_tick() {
|
||||||
|
$nonce_life = apply_filters('nonce_life', 86400) / 2;
|
||||||
|
|
||||||
|
return ceil(time() / ( $nonce_life / 2 ));
|
||||||
|
}
|
||||||
|
endif;
|
||||||
|
|
||||||
if ( !function_exists('wp_verify_nonce') ) :
|
if ( !function_exists('wp_verify_nonce') ) :
|
||||||
/**
|
/**
|
||||||
* wp_verify_nonce() - Verify that correct nonce was used with time limit
|
* wp_verify_nonce() - Verify that correct nonce was used with time limit
|
||||||
|
|
@ -954,11 +976,15 @@ function wp_verify_nonce($nonce, $action = -1) {
|
||||||
$user = wp_get_current_user();
|
$user = wp_get_current_user();
|
||||||
$uid = (int) $user->id;
|
$uid = (int) $user->id;
|
||||||
|
|
||||||
$i = ceil(time() / 43200);
|
$i = wp_nonce_tick();
|
||||||
|
|
||||||
//Allow for expanding range, but only do one check if we can
|
// Nonce generated 0-12 hours ago
|
||||||
if( substr(wp_hash($i . $action . $uid), -12, 10) == $nonce || substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce )
|
if ( substr(wp_hash($i . $action . $uid), -12, 10) == $nonce )
|
||||||
return true;
|
return 1;
|
||||||
|
// Nonce generated 12-24 hours ago
|
||||||
|
if ( substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce )
|
||||||
|
return 2;
|
||||||
|
// Invalid nonce
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
endif;
|
endif;
|
||||||
|
|
@ -976,7 +1002,7 @@ function wp_create_nonce($action = -1) {
|
||||||
$user = wp_get_current_user();
|
$user = wp_get_current_user();
|
||||||
$uid = (int) $user->id;
|
$uid = (int) $user->id;
|
||||||
|
|
||||||
$i = ceil(time() / 43200);
|
$i = wp_nonce_tick();
|
||||||
|
|
||||||
return substr(wp_hash($i . $action . $uid), -12, 10);
|
return substr(wp_hash($i . $action . $uid), -12, 10);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue