Media: Prevent CSRF setting attachment thumbnails.
Props martinkrcho, paulkevan, peterwilsoncc, xknown, peterwilsoncc. git-svn-id: https://develop.svn.wordpress.org/trunk@55764 602fd350-edb4-49c9-b593-d223f7449a82
@@ -106,6 +106,7 @@ VideoDetails = MediaDetails.extend(/** @lends wp.media.view.MediaFrame.VideoDeta
|
||||
|
||||
wp.ajax.send( 'set-attachment-thumbnail', {
|
||||
data : {
|
||||
_ajax_nonce: wp.media.view.settings.nonce.setAttachmentThumbnail,
|
||||
urls: urls,
|
||||
thumbnail_id: attachment.get( 'id' )
|
||||
}
|
||||
|
||||
@@ -2771,6 +2771,10 @@ function wp_ajax_set_attachment_thumbnail() {
|
||||
wp_send_json_error();
|
||||
}
|
||||
|
||||
if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
|
||||
wp_send_json_error();
|
||||
}
|
||||
|
||||
$post_ids = array();
|
||||
// For each URL, try to find its corresponding post ID.
|
||||
foreach ( $_POST['urls'] as $url ) {
|
||||
|
||||
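Review bot: The nonce check added at `if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) )` sits below an earlier error branch (its `wp_send_json_error();` and closing `}` are visible, its condition is outside the hunk), so the handler still inspects part of the request before a forged one is rejected; placing the referer check as the first statement of `wp_ajax_set_attachment_thumbnail()` keeps the fail-closed path ahead of any input handling. Because `check_ajax_referer()` returns `false` on failure and a non-zero int on success, the guard can also be written as the shorter `if ( ! check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {`. A nonce only establishes that the request came from the current user's own session; the capability check on the attachment being set as the thumbnail is outside this hunk and must remain in place. The function continues past `foreach ( $_POST['urls'] as $url )` outside the hunk.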
@@ -4528,7 +4528,8 @@ function wp_enqueue_media( $args = array() ) {
|
||||
/** This filter is documented in wp-admin/includes/media.php */
|
||||
'captions' => ! apply_filters( 'disable_captions', '' ),
|
||||
'nonce' => array(
|
||||
'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
|
||||
'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
|
||||
'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ),
|
||||
),
|
||||
'post' => array(
|
||||
'id' => 0,
|
||||
|
||||
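Review bot: The action string `'set-attachment-thumbnail'` passed to `wp_create_nonce()` on the added `'setAttachmentThumbnail'` entry must stay byte-identical to the action verified by `check_ajax_referer()` in `wp_ajax_set_attachment_thumbnail()` and to the AJAX action sent from the media views, and nothing at this site records that coupling. A drift between the three literals would raise no error; every thumbnail request would simply be rejected server-side. Suggest a comment on the new line: `// Action must match check_ajax_referer() in wp_ajax_set_attachment_thumbnail().` The `'sendToEditor'` line printed twice above it appears to be an alignment-only rewrite of the existing entry.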