Customize: Ignore invalid customization sessions.

Merge of [40704] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@40711


git-svn-id: http://core.svn.wordpress.org/branches/4.1@40574 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Dominik Schilling 2017-05-16 12:20:25 +00:00
parent 03ff944f46
commit f1dd14eb48
4 changed files with 30 additions and 2 deletions

View File

@ -149,7 +149,7 @@ do_action( 'customize_controls_print_scripts' );
echo sprintf( __( 'You are previewing %s' ), '<strong class="theme-name">' . $wp_customize->theme()->display('Name') . '</strong>' ); echo sprintf( __( 'You are previewing %s' ), '<strong class="theme-name">' . $wp_customize->theme()->display('Name') . '</strong>' );
} else { } else {
/* translators: %s is the site/panel title in the Customize pane */ /* translators: %s is the site/panel title in the Customize pane */
echo sprintf( __( 'You are customizing %s' ), '<strong class="theme-name site-title">' . get_bloginfo( 'name' ) . '</strong>' ); echo sprintf( __( 'You are customizing %s' ), '<strong class="theme-name site-title">' . get_bloginfo( 'name', 'display' ) . '</strong>' );
} }
?></span> ?></span>
</div> </div>

View File

@ -2003,6 +2003,16 @@
} }
}); });
// Ensure preview nonce is included with every customized request, to allow post data to be read.
$.ajaxPrefilter( function injectPreviewNonce( options ) {
if ( ! /wp_customize=on/.test( options.data ) ) {
return;
}
options.data += '&' + $.param({
customize_preview_nonce: api.settings.nonce.preview
});
});
// Refresh the nonces if the preview sends updated nonces over. // Refresh the nonces if the preview sends updated nonces over.
api.previewer.bind( 'nonce', function( nonce ) { api.previewer.bind( 'nonce', function( nonce ) {
$.extend( this.nonce, nonce ); $.extend( this.nonce, nonce );

File diff suppressed because one or more lines are too long

View File

@ -175,6 +175,24 @@ final class WP_Customize_Manager {
$this->theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : null ); $this->theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : null );
/*
* Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
* application will inject the customize_preview_nonce query parameter into all Ajax requests.
* For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
* a user when a valid nonce isn't present.
*/
$has_post_data_nonce = (
check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
||
check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
||
check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
);
if ( ! $has_post_data_nonce ) {
unset( $_POST['customized'] );
unset( $_REQUEST['customized'] );
}
if ( $this->is_theme_active() ) { if ( $this->is_theme_active() ) {
// Once the theme is loaded, we'll validate it. // Once the theme is loaded, we'll validate it.
add_action( 'after_setup_theme', array( $this, 'after_setup_theme' ) ); add_action( 'after_setup_theme', array( $this, 'after_setup_theme' ) );