Add blog_id to the `wp-settings-*` cookie (used for storing user state) to prevent it being overloaded on sub-domain sites. Fixes #29095.

Built from https://develop.svn.wordpress.org/trunk@29362


git-svn-id: http://core.svn.wordpress.org/trunk@29138 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Andrew Ozz 2014-08-02 20:09:16 +00:00
parent 28170e0d82
commit 9662554bfb
4 changed files with 135 additions and 78 deletions

View File

@ -3,25 +3,27 @@
// utility functions // utility functions
var wpCookies = { var wpCookies = {
// The following functions are from Cookie.js class in TinyMCE, Moxiecode, used under LGPL. // The following functions are from Cookie.js class in TinyMCE 3, Moxiecode, used under LGPL.
each : function(obj, cb, scope) { each: function( obj, cb, scope ) {
var n, l; var n, l;
if ( !obj ) if ( ! obj ) {
return 0; return 0;
}
scope = scope || obj; scope = scope || obj;
if ( typeof(obj.length) != 'undefined' ) { if ( typeof( obj.length ) !== 'undefined' ) {
for ( n = 0, l = obj.length; n < l; n++ ) { for ( n = 0, l = obj.length; n < l; n++ ) {
if ( cb.call(scope, obj[n], n, obj) === false ) if ( cb.call( scope, obj[n], n, obj ) === false ) {
return 0; return 0;
}
} }
} else { } else {
for ( n in obj ) { for ( n in obj ) {
if ( obj.hasOwnProperty(n) ) { if ( obj.hasOwnProperty(n) ) {
if ( cb.call(scope, obj[n], n, obj) === false ) { if ( cb.call( scope, obj[n], n, obj ) === false ) {
return 0; return 0;
} }
} }
@ -34,17 +36,18 @@ var wpCookies = {
* Get a multi-values cookie. * Get a multi-values cookie.
* Returns a JS object with the name: 'value' pairs. * Returns a JS object with the name: 'value' pairs.
*/ */
getHash : function(name) { getHash: function( name ) {
var all = this.get(name), ret; var cookie = this.get( name ), values;
if ( all ) { if ( cookie ) {
this.each( all.split('&'), function(pair) { this.each( cookie.split('&'), function( pair ) {
pair = pair.split('='); pair = pair.split('=');
ret = ret || {}; values = values || {};
ret[pair[0]] = pair[1]; values[pair[0]] = pair[1];
}); });
} }
return ret;
return values;
}, },
/** /**
@ -52,45 +55,47 @@ var wpCookies = {
* *
* 'values_obj' is the JS object that is stored. It is encoded as URI in wpCookies.set(). * 'values_obj' is the JS object that is stored. It is encoded as URI in wpCookies.set().
*/ */
setHash : function(name, values_obj, expires, path, domain, secure) { setHash: function( name, values_obj, expires, path, domain, secure ) {
var str = ''; var str = '';
this.each(values_obj, function(val, key) { this.each( values_obj, function( val, key ) {
str += (!str ? '' : '&') + key + '=' + val; str += ( ! str ? '' : '&' ) + key + '=' + val;
}); });
this.set(name, str, expires, path, domain, secure); this.set( name, str, expires, path, domain, secure );
}, },
/** /**
* Get a cookie. * Get a cookie.
*/ */
get : function(name) { get: function( name ) {
var e, b, var e, b,
cookie = document.cookie, cookie = document.cookie,
p = name + '='; p = name + '=';
if ( !cookie ) if ( ! cookie ) {
return; return;
}
b = cookie.indexOf('; ' + p); b = cookie.indexOf( '; ' + p );
if ( b == -1 ) { if ( b === -1 ) {
b = cookie.indexOf(p); b = cookie.indexOf(p);
if ( b !== 0 ) if ( b !== 0 ) {
return null; return null;
}
} else { } else {
b += 2; b += 2;
} }
e = cookie.indexOf( ';', b ); e = cookie.indexOf( ';', b );
if ( e == -1 ) if ( e === -1 ) {
e = cookie.length; e = cookie.length;
}
return decodeURIComponent( cookie.substring(b + p.length, e) ); return decodeURIComponent( cookie.substring( b + p.length, e ) );
}, },
/** /**
@ -99,13 +104,13 @@ var wpCookies = {
* The 'expires' arg can be either a JS Date() object set to the expiration date (back-compat) * The 'expires' arg can be either a JS Date() object set to the expiration date (back-compat)
* or the number of seconds until expiration * or the number of seconds until expiration
*/ */
set : function(name, value, expires, path, domain, secure) { set: function( name, value, expires, path, domain, secure ) {
var d = new Date(); var d = new Date();
if ( typeof(expires) == 'object' && expires.toGMTString ) { if ( typeof( expires ) === 'object' && expires.toGMTString ) {
expires = expires.toGMTString(); expires = expires.toGMTString();
} else if ( parseInt(expires, 10) ) { } else if ( parseInt( expires, 10 ) ) {
d.setTime( d.getTime() + ( parseInt(expires, 10) * 1000 ) ); // time must be in miliseconds d.setTime( d.getTime() + ( parseInt( expires, 10 ) * 1000 ) ); // time must be in miliseconds
expires = d.toGMTString(); expires = d.toGMTString();
} else { } else {
expires = ''; expires = '';
@ -123,41 +128,68 @@ var wpCookies = {
* *
* This is done by setting it to an empty value and setting the expiration time in the past. * This is done by setting it to an empty value and setting the expiration time in the past.
*/ */
remove : function(name, path) { remove: function( name, path ) {
this.set(name, '', -1000, path); this.set( name, '', -1000, path );
} }
}; };
// Returns the value as string. Second arg or empty string is returned when value is not set. // Returns the value as string. Second arg or empty string is returned when value is not set.
function getUserSetting( name, def ) { function getUserSetting( name, def ) {
var obj = getAllUserSettings(); var settings = getAllUserSettings();
if ( obj.hasOwnProperty(name) ) if ( settings.hasOwnProperty( name ) ) {
return obj[name]; return settings[name];
}
if ( typeof def != 'undefined' ) if ( typeof def !== 'undefined' ) {
return def; return def;
}
return ''; return '';
} }
// Both name and value must be only ASCII letters, numbers or underscore // Both name and value must be only ASCII letters, numbers or underscore
// and the shorter, the better (cookies can store maximum 4KB). Not suitable to store text. // and the shorter, the better (cookies can store maximum 4KB). Not suitable to store text.
// The value is converted and stored as string.
function setUserSetting( name, value, _del ) { function setUserSetting( name, value, _del ) {
if ( 'object' !== typeof userSettings ) if ( 'object' !== typeof userSettings ) {
return false; return false;
var cookie = 'wp-settings-' + userSettings.uid, all = wpCookies.getHash(cookie) || {}, path = userSettings.url,
n = name.toString().replace(/[^A-Za-z0-9_]/, ''), v = value.toString().replace(/[^A-Za-z0-9_]/, '');
if ( _del ) {
delete all[n];
} else {
all[n] = v;
} }
wpCookies.setHash(cookie, all, 31536000, path); var uid = userSettings.uid,
wpCookies.set('wp-settings-time-'+userSettings.uid, userSettings.time, 31536000, path); oldUid = uid.lastIndexOf('-') > 0 ? uid.substring( 0, uid.lastIndexOf('-') ) : 0,
settings = wpCookies.getHash( 'wp-settings-' + uid ),
path = userSettings.url;
name = name.toString().replace( /[^A-Za-z0-9_]/, '' );
if ( typeof value === 'number' ) {
value = parseInt( value, 10 );
} else {
value = value.toString().replace( /[^A-Za-z0-9_]/, '' );
}
if ( oldUid ) {
if ( ! settings ) {
settings = wpCookies.getHash( 'wp-settings-' + oldUid );
}
// Delete old cookies
if ( wpCookies.get( 'wp-settings-time-' + oldUid ) ) {
wpCookies.remove( 'wp-settings-' + oldUid, path );
wpCookies.remove( 'wp-settings-time-' + oldUid, path );
}
}
settings = settings || {};
if ( _del ) {
delete settings[name];
} else {
settings[name] = value;
}
wpCookies.setHash( 'wp-settings-' + uid, settings, 31536000, path );
wpCookies.set( 'wp-settings-time-' + uid, userSettings.time, 31536000, path );
return name; return name;
} }
@ -168,8 +200,18 @@ function deleteUserSetting( name ) {
// Returns all settings as js object. // Returns all settings as js object.
function getAllUserSettings() { function getAllUserSettings() {
if ( 'object' !== typeof userSettings ) if ( 'object' !== typeof userSettings ) {
return {}; return {};
}
return wpCookies.getHash('wp-settings-' + userSettings.uid) || {}; var uid = userSettings.uid,
settings = wpCookies.getHash( 'wp-settings-' + uid );
// Try the old format cookie
if ( ! settings && uid.lastIndexOf('-') > 0 ) {
uid = uid.substring( 0, uid.lastIndexOf('-') );
settings = wpCookies.getHash( 'wp-settings-' + uid );
}
return settings || {};
} }

View File

@ -1 +1 @@
function getUserSetting(a,b){var c=getAllUserSettings();return c.hasOwnProperty(a)?c[a]:"undefined"!=typeof b?b:""}function setUserSetting(a,b,c){if("object"!=typeof userSettings)return!1;var d="wp-settings-"+userSettings.uid,e=wpCookies.getHash(d)||{},f=userSettings.url,g=a.toString().replace(/[^A-Za-z0-9_]/,""),h=b.toString().replace(/[^A-Za-z0-9_]/,"");return c?delete e[g]:e[g]=h,wpCookies.setHash(d,e,31536e3,f),wpCookies.set("wp-settings-time-"+userSettings.uid,userSettings.time,31536e3,f),a}function deleteUserSetting(a){return setUserSetting(a,"",1)}function getAllUserSettings(){return"object"!=typeof userSettings?{}:wpCookies.getHash("wp-settings-"+userSettings.uid)||{}}var wpCookies={each:function(a,b,c){var d,e;if(!a)return 0;if(c=c||a,"undefined"!=typeof a.length){for(d=0,e=a.length;e>d;d++)if(b.call(c,a[d],d,a)===!1)return 0}else for(d in a)if(a.hasOwnProperty(d)&&b.call(c,a[d],d,a)===!1)return 0;return 1},getHash:function(a){var b,c=this.get(a);return c&&this.each(c.split("&"),function(a){a=a.split("="),b=b||{},b[a[0]]=a[1]}),b},setHash:function(a,b,c,d,e,f){var g="";this.each(b,function(a,b){g+=(g?"&":"")+b+"="+a}),this.set(a,g,c,d,e,f)},get:function(a){var b,c,d=document.cookie,e=a+"=";if(d){if(c=d.indexOf("; "+e),-1==c){if(c=d.indexOf(e),0!==c)return null}else c+=2;return b=d.indexOf(";",c),-1==b&&(b=d.length),decodeURIComponent(d.substring(c+e.length,b))}},set:function(a,b,c,d,e,f){var g=new Date;"object"==typeof c&&c.toGMTString?c=c.toGMTString():parseInt(c,10)?(g.setTime(g.getTime()+1e3*parseInt(c,10)),c=g.toGMTString()):c="",document.cookie=a+"="+encodeURIComponent(b)+(c?"; expires="+c:"")+(d?"; path="+d:"")+(e?"; domain="+e:"")+(f?"; secure":"")},remove:function(a,b){this.set(a,"",-1e3,b)}}; function getUserSetting(a,b){var c=getAllUserSettings();return c.hasOwnProperty(a)?c[a]:"undefined"!=typeof b?b:""}function setUserSetting(a,b,c){if("object"!=typeof userSettings)return!1;var d=userSettings.uid,e=d.lastIndexOf("-")>0?d.substring(0,d.lastIndexOf("-")):0,f=wpCookies.getHash("wp-settings-"+d),g=userSettings.url;return a=a.toString().replace(/[^A-Za-z0-9_]/,""),b="number"==typeof b?parseInt(b,10):b.toString().replace(/[^A-Za-z0-9_]/,""),e&&(f||(f=wpCookies.getHash("wp-settings-"+e)),wpCookies.get("wp-settings-time-"+e)&&(wpCookies.remove("wp-settings-"+e,g),wpCookies.remove("wp-settings-time-"+e,g))),f=f||{},c?delete f[a]:f[a]=b,wpCookies.setHash("wp-settings-"+d,f,31536e3,g),wpCookies.set("wp-settings-time-"+d,userSettings.time,31536e3,g),a}function deleteUserSetting(a){return setUserSetting(a,"",1)}function getAllUserSettings(){if("object"!=typeof userSettings)return{};var a=userSettings.uid,b=wpCookies.getHash("wp-settings-"+a);return!b&&a.lastIndexOf("-")>0&&(a=a.substring(0,a.lastIndexOf("-")),b=wpCookies.getHash("wp-settings-"+a)),b||{}}var wpCookies={each:function(a,b,c){var d,e;if(!a)return 0;if(c=c||a,"undefined"!=typeof a.length){for(d=0,e=a.length;e>d;d++)if(b.call(c,a[d],d,a)===!1)return 0}else for(d in a)if(a.hasOwnProperty(d)&&b.call(c,a[d],d,a)===!1)return 0;return 1},getHash:function(a){var b,c=this.get(a);return c&&this.each(c.split("&"),function(a){a=a.split("="),b=b||{},b[a[0]]=a[1]}),b},setHash:function(a,b,c,d,e,f){var g="";this.each(b,function(a,b){g+=(g?"&":"")+b+"="+a}),this.set(a,g,c,d,e,f)},get:function(a){var b,c,d=document.cookie,e=a+"=";if(d){if(c=d.indexOf("; "+e),-1===c){if(c=d.indexOf(e),0!==c)return null}else c+=2;return b=d.indexOf(";",c),-1===b&&(b=d.length),decodeURIComponent(d.substring(c+e.length,b))}},set:function(a,b,c,d,e,f){var g=new Date;"object"==typeof c&&c.toGMTString?c=c.toGMTString():parseInt(c,10)?(g.setTime(g.getTime()+1e3*parseInt(c,10)),c=g.toGMTString()):c="",document.cookie=a+"="+encodeURIComponent(b)+(c?"; expires="+c:"")+(d?"; path="+d:"")+(e?"; domain="+e:"")+(f?"; secure":"")},remove:function(a,b){this.set(a,"",-1e3,b)}};

View File

@ -713,29 +713,30 @@ function set_transient( $transient, $value, $expiration = 0 ) {
*/ */
function wp_user_settings() { function wp_user_settings() {
if ( ! is_admin() ) if ( ! is_admin() || defined( 'DOING_AJAX' ) ) {
return; return;
}
if ( defined('DOING_AJAX') ) if ( ! $user_id = get_current_user_id() ) {
return; return;
}
if ( ! $user_id = get_current_user_id() ) if ( is_super_admin() && ! is_user_member_of_blog() ) {
return;
if ( is_super_admin() && ! is_user_member_of_blog() )
return; return;
}
$settings = (string) get_user_option( 'user-settings', $user_id ); $settings = (string) get_user_option( 'user-settings', $user_id );
$uid = $user_id . '-' . get_current_blog_id();
if ( isset( $_COOKIE['wp-settings-' . $user_id] ) ) { if ( isset( $_COOKIE['wp-settings-' . $uid] ) ) {
$cookie = preg_replace( '/[^A-Za-z0-9=&_]/', '', $_COOKIE['wp-settings-' . $user_id] ); $cookie = preg_replace( '/[^A-Za-z0-9=&_]/', '', $_COOKIE['wp-settings-' . $uid] );
// No change or both empty // No change or both empty
if ( $cookie == $settings ) if ( $cookie == $settings )
return; return;
$last_saved = (int) get_user_option( 'user-settings-time', $user_id ); $last_saved = (int) get_user_option( 'user-settings-time', $user_id );
$current = isset( $_COOKIE['wp-settings-time-' . $user_id]) ? preg_replace( '/[^0-9]/', '', $_COOKIE['wp-settings-time-' . $user_id] ) : 0; $current = isset( $_COOKIE['wp-settings-time-' . $uid]) ? preg_replace( '/[^0-9]/', '', $_COOKIE['wp-settings-time-' . $uid] ) : 0;
// The cookie is newer than the saved value. Update the user_option and leave the cookie as-is // The cookie is newer than the saved value. Update the user_option and leave the cookie as-is
if ( $current > $last_saved ) { if ( $current > $last_saved ) {
@ -747,9 +748,9 @@ function wp_user_settings() {
// The cookie is not set in the current browser or the saved value is newer. // The cookie is not set in the current browser or the saved value is newer.
$secure = ( 'https' === parse_url( site_url(), PHP_URL_SCHEME ) ); $secure = ( 'https' === parse_url( site_url(), PHP_URL_SCHEME ) );
setcookie( 'wp-settings-' . $user_id, $settings, time() + YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN, $secure ); setcookie( 'wp-settings-' . $uid, $settings, time() + YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
setcookie( 'wp-settings-time-' . $user_id, time(), time() + YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN, $secure ); setcookie( 'wp-settings-time-' . $uid, time(), time() + YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
$_COOKIE['wp-settings-' . $user_id] = $settings; $_COOKIE['wp-settings-' . $uid] = $settings;
} }
/** /**
@ -781,8 +782,9 @@ function get_user_setting( $name, $default = false ) {
*/ */
function set_user_setting( $name, $value ) { function set_user_setting( $name, $value ) {
if ( headers_sent() ) if ( headers_sent() ) {
return false; return false;
}
$all_user_settings = get_all_user_settings(); $all_user_settings = get_all_user_settings();
$all_user_settings[$name] = $value; $all_user_settings[$name] = $value;
@ -803,8 +805,9 @@ function set_user_setting( $name, $value ) {
*/ */
function delete_user_setting( $names ) { function delete_user_setting( $names ) {
if ( headers_sent() ) if ( headers_sent() ) {
return false; return false;
}
$all_user_settings = get_all_user_settings(); $all_user_settings = get_all_user_settings();
$names = (array) $names; $names = (array) $names;
@ -817,8 +820,9 @@ function delete_user_setting( $names ) {
} }
} }
if ( $deleted ) if ( $deleted ) {
return wp_set_all_user_settings( $all_user_settings ); return wp_set_all_user_settings( $all_user_settings );
}
return false; return false;
} }
@ -833,22 +837,28 @@ function delete_user_setting( $names ) {
function get_all_user_settings() { function get_all_user_settings() {
global $_updated_user_settings; global $_updated_user_settings;
if ( ! $user_id = get_current_user_id() ) if ( ! $user_id = get_current_user_id() ) {
return array(); return array();
}
if ( isset( $_updated_user_settings ) && is_array( $_updated_user_settings ) ) if ( isset( $_updated_user_settings ) && is_array( $_updated_user_settings ) ) {
return $_updated_user_settings; return $_updated_user_settings;
}
$user_settings = array(); $user_settings = array();
if ( isset( $_COOKIE['wp-settings-' . $user_id] ) ) { $uid = $user_id . '-' . get_current_blog_id();
if ( isset( $_COOKIE['wp-settings-' . $uid] ) ) {
$cookie = preg_replace( '/[^A-Za-z0-9=&_]/', '', $_COOKIE['wp-settings-' . $uid] );
} elseif ( isset( $_COOKIE['wp-settings-' . $user_id] ) ) {
$cookie = preg_replace( '/[^A-Za-z0-9=&_]/', '', $_COOKIE['wp-settings-' . $user_id] ); $cookie = preg_replace( '/[^A-Za-z0-9=&_]/', '', $_COOKIE['wp-settings-' . $user_id] );
}
if ( $cookie && strpos( $cookie, '=' ) ) // '=' cannot be 1st char if ( ! empty( $cookie ) && strpos( $cookie, '=' ) ) { // '=' cannot be 1st char
parse_str( $cookie, $user_settings ); parse_str( $cookie, $user_settings );
} else { } else {
$option = get_user_option( 'user-settings', $user_id ); $option = get_user_option( 'user-settings', $user_id );
if ( $option && is_string($option) ) if ( $option && is_string( $option ) )
parse_str( $option, $user_settings ); parse_str( $option, $user_settings );
} }
@ -867,22 +877,25 @@ function get_all_user_settings() {
function wp_set_all_user_settings( $user_settings ) { function wp_set_all_user_settings( $user_settings ) {
global $_updated_user_settings; global $_updated_user_settings;
if ( ! $user_id = get_current_user_id() ) if ( ! $user_id = get_current_user_id() ) {
return false; return false;
}
if ( is_super_admin() && ! is_user_member_of_blog() ) if ( is_super_admin() && ! is_user_member_of_blog() ) {
return; return;
}
$settings = ''; $settings = '';
foreach ( $user_settings as $name => $value ) { foreach ( $user_settings as $name => $value ) {
$_name = preg_replace( '/[^A-Za-z0-9_]+/', '', $name ); $_name = preg_replace( '/[^A-Za-z0-9_]+/', '', $name );
$_value = preg_replace( '/[^A-Za-z0-9_]+/', '', $value ); $_value = preg_replace( '/[^A-Za-z0-9_]+/', '', $value );
if ( ! empty( $_name ) ) if ( ! empty( $_name ) ) {
$settings .= $_name . '=' . $_value . '&'; $settings .= $_name . '=' . $_value . '&';
}
} }
$settings = rtrim($settings, '&'); $settings = rtrim( $settings, '&' );
parse_str( $settings, $_updated_user_settings ); parse_str( $settings, $_updated_user_settings );
update_user_option( $user_id, 'user-settings', $settings, false ); update_user_option( $user_id, 'user-settings', $settings, false );
@ -897,11 +910,13 @@ function wp_set_all_user_settings( $user_settings ) {
* @since 2.7.0 * @since 2.7.0
*/ */
function delete_all_user_settings() { function delete_all_user_settings() {
if ( ! $user_id = get_current_user_id() ) if ( ! $user_id = get_current_user_id() ) {
return; return;
}
$uid = $user_id . '-' . get_current_blog_id();
update_user_option( $user_id, 'user-settings', '', false ); update_user_option( $user_id, 'user-settings', '', false );
setcookie('wp-settings-' . $user_id, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH); setcookie( 'wp-settings-' . $uid, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );
} }
/** /**

View File

@ -72,7 +72,7 @@ function wp_default_scripts( &$scripts ) {
$scripts->add( 'utils', "/wp-includes/js/utils$suffix.js" ); $scripts->add( 'utils', "/wp-includes/js/utils$suffix.js" );
did_action( 'init' ) && $scripts->localize( 'utils', 'userSettings', array( did_action( 'init' ) && $scripts->localize( 'utils', 'userSettings', array(
'url' => (string) SITECOOKIEPATH, 'url' => (string) SITECOOKIEPATH,
'uid' => (string) get_current_user_id(), 'uid' => get_current_user_id() . '-' . get_current_blog_id(),
'time' => (string) time(), 'time' => (string) time(),
) ); ) );