From 41369b1cedb896bb172e4b72cc125266085d8bdd Mon Sep 17 00:00:00 2001
From: Rachel Baker
Date: Wed, 29 Jun 2016 03:02:07 +0000
Subject: [PATCH] REST API: Include a refreshed nonce in a `X-WP-Nonce` header when responding to an authenticated request.

Props adamsilverstein, welcher, markjaquith, aidvu.
Fixes #35662.
Built from https://develop.svn.wordpress.org/trunk@37905

git-svn-id: http://core.svn.wordpress.org/trunk@37846 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/rest-api.php | 13 +++++++++----
 wp-includes/version.php | 2 +-
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/wp-includes/rest-api.php b/wp-includes/rest-api.php
index ebcf6a91f5..13bfa596ec 100644
--- a/wp-includes/rest-api.php
+++ b/wp-includes/rest-api.php
@@ -548,10 +548,12 @@ function rest_output_link_header() {
  *
  * @since 4.4.0
  *
- * @global mixed $wp_rest_auth_cookie
+ * @global mixed $wp_rest_auth_cookie
+ * @global WP_REST_Server $wp_rest_server REST server instance.
  *
- * @param WP_Error|mixed $result Error from another authentication handler, null if we should handle it,
- * or another value if not.
+ * @param WP_Error|mixed $result Error from another authentication handler,
+ * null if we should handle it, or another value
+ * if not.
  * @return WP_Error|mixed|bool WP_Error if the cookie is invalid, the $result, otherwise true.
  */
 function rest_cookie_check_errors( $result ) {
@@ -559,7 +561,7 @@ function rest_cookie_check_errors( $result ) {
 return $result;
 }
 
-global $wp_rest_auth_cookie;
+global $wp_rest_auth_cookie, $wp_rest_server;
 
 /*
 * Is cookie authentication being used? (If we get an auth
@@ -592,6 +594,9 @@ function rest_cookie_check_errors( $result ) {
 return new WP_Error( 'rest_cookie_invalid_nonce', __( 'Cookie nonce is invalid' ), array( 'status' => 403 ) );
 }
 
+// Send a refreshed nonce in header.
+$wp_rest_server->send_header( 'X-WP-Nonce', wp_create_nonce( 'wp_rest' ) );
+
 return true;
 }
 
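Review bot: The new `$wp_rest_server->send_header( 'X-WP-Nonce', ... )` call in the third hunk dereferences the global without checking it is set; the `rest_authentication_errors` filter this function hooks may be applied outside a request dispatched by `WP_REST_Server` (a plugin checking authentication early, for instance), in which case a valid cookie login now fatals on a null object instead of returning true. Guarding the call, `if ( $wp_rest_server instanceof WP_REST_Server ) { $wp_rest_server->send_header( 'X-WP-Nonce', wp_create_nonce( 'wp_rest' ) ); }`, or resolving the instance via `rest_get_server()` keeps the authentication outcome independent of where the filter runs. The docblock in the first hunk documents the new global but not the behaviour change; adding `@since 4.6.0 Sends a refreshed nonce in the X-WP-Nonce header after successful cookie authentication.` would record when clients started receiving it. The body of `rest_cookie_check_errors()` continues between and beyond these hunks.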
diff --git a/wp-includes/version.php b/wp-includes/version.php
index ea264b1e6c..4e371e4abe 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.6-alpha-37904';
+$wp_version = '4.6-alpha-37905';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.