From 70a97d6789c7740f8659d7e0ef848838d6961960 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Mon, 6 Mar 2017 13:58:33 +0000
Subject: [PATCH] Press This: Verify intent before fetching in-page resources using Press This.

Props vortfu
Merges [40195] to the 4.6 branch.
Built from https://develop.svn.wordpress.org/branches/4.6@40197
git-svn-id: http://core.svn.wordpress.org/branches/4.6@40136 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/class-wp-press-this.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/wp-admin/includes/class-wp-press-this.php b/wp-admin/includes/class-wp-press-this.php
index e4e03c7c50..6eedc00235 100644
--- a/wp-admin/includes/class-wp-press-this.php
+++ b/wp-admin/includes/class-wp-press-this.php
@@ -721,7 +721,11 @@ class WP_Press_This {
 * making PT fully backward compatible with the older bookmarklet.
 */
 if ( empty( $_POST ) && ! empty( $data['u'] ) ) {
- $data = $this->source_data_fetch_fallback( $data['u'], $data );
+ if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( $_GET['_wpnonce'], 'scan-site' ) ) {
+ $data = $this->source_data_fetch_fallback( $data['u'], $data );
+ } else {
+ $data['errors'] = 'missing nonce';
+ }
 } else {
 foreach ( array( '_images', '_embeds' ) as $type ) {
 if ( empty( $_POST[ $type ] ) ) {
@@ -1237,7 +1241,7 @@ class WP_Press_This {
 $site_data = array(
 'v' => ! empty( $data['v'] ) ? $data['v'] : '',
 'u' => ! empty( $data['u'] ) ? $data['u'] : '',
- 'hasData' => ! empty( $data ),
+ 'hasData' => ! empty( $data ) && ! isset( $data['errors'] ),
 );
 if ( ! empty( $images ) ) {
@@ -1369,8 +1373,9 @@ class WP_Press_This {
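Review bot: The `else` branch in the first hunk introduces `$data['errors'] = 'missing nonce'` as an ad-hoc, untranslated string marker whose only visible consumer is the `isset( $data['errors'] )` test added to `'hasData'` in the second hunk, and neither hunk documents that key's contract or why the nonce gate exists. I would add a why-comment above the check, e.g. `// Intent check: only fetch the remote URL when the request carries a valid 'scan-site' nonce, so a crafted link cannot make the site fetch an arbitrary page on the logged-in user's behalf; a failed check is recorded in $data['errors'], which turns hasData off downstream.` The nonce establishes intent, not authorization, so whether a capability check also guards this path is outside the hunk and should be confirmed, as should the fact that the `'scan-site'` action matches the nonce the calling page generates. The enclosing method starts and ends outside the hunk.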
- + +