mirror of
https://github.com/gosticks/wordpress-develop.git
synced 2026-07-01 15:50:09 +00:00
Customize: Igore invalid customization sessions.
git-svn-id: https://develop.svn.wordpress.org/trunk@40704 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
@@ -486,6 +486,24 @@ final class WP_Customize_Manager {
|
||||
$this->wp_die( -1, __( 'Invalid changeset UUID' ) );
|
||||
}
|
||||
|
||||
/*
|
||||
* Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
|
||||
* application will inject the customize_preview_nonce query parameter into all Ajax requests.
|
||||
* For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
|
||||
* a user when a valid nonce isn't present.
|
||||
*/
|
||||
$has_post_data_nonce = (
|
||||
check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
|
||||
||
|
||||
check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
|
||||
||
|
||||
check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
|
||||
);
|
||||
if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) {
|
||||
unset( $_POST['customized'] );
|
||||
unset( $_REQUEST['customized'] );
|
||||
}
|
||||
|
||||
/*
|
||||
* If unauthenticated then require a valid changeset UUID to load the preview.
|
||||
* In this way, the UUID serves as a secret key. If the messenger channel is present,
|
||||
|
||||
Reference in New Issue
Block a user