Customize: Ignore invalid customization sessions.

Merge of [40704] to the 4.0 branch. Built from https://develop.svn.wordpress.org/branches/4.0@40712 git-svn-id: http://core.svn.wordpress.org/branches/4.0@40575 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 12:20:43 +00:00 · 2017-05-16 12:20:43 +00:00 · 89a35259c0
parent f7259c14e2
commit 89a35259c0
4 changed files with 30 additions and 2 deletions
--- a/wp-admin/customize.php
+++ b/wp-admin/customize.php
@ -141,7 +141,7 @@ do_action( 'customize_controls_print_scripts' );
 							echo sprintf( __( 'You are previewing %s' ), '<strong class="theme-name">' . $wp_customize->theme()->display('Name') . '</strong>' );
 						} else {
 							/* translators: %s is the site/panel title in the Customize pane */
-							echo sprintf( __( 'You are customizing %s' ), '<strong class="theme-name site-title">' . get_bloginfo( 'name' ) . '</strong>' );
+							echo sprintf( __( 'You are customizing %s' ), '<strong class="theme-name site-title">' . get_bloginfo( 'name', 'display' ) . '</strong>' );
 						}
 					?></span>
 				</div>
--- a/wp-admin/js/customize-controls.js
+++ b/wp-admin/js/customize-controls.js
@ -1086,6 +1086,16 @@
 			}
 		});

+		// Ensure preview nonce is included with every customized request, to allow post data to be read.
+		$.ajaxPrefilter( function injectPreviewNonce( options ) {
+			if ( ! /wp_customize=on/.test( options.data ) ) {
+				return;
+			}
+			options.data += '&' + $.param({
+				customize_preview_nonce: api.settings.nonce.preview
+			});
+		});
+
 		// Refresh the nonces if the preview sends updated nonces over.
 		api.previewer.bind( 'nonce', function( nonce ) {
 			$.extend( this.nonce, nonce );
--- a/wp-admin/js/customize-controls.min.js
+++ b/wp-admin/js/customize-controls.min.js
--- a/wp-includes/class-wp-customize-manager.php
+++ b/wp-includes/class-wp-customize-manager.php
@ -166,6 +166,24 @@ final class WP_Customize_Manager {

 		$this->theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : null );

+		/*
+		 * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
+		 * application will inject the customize_preview_nonce query parameter into all Ajax requests.
+		 * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
+		 * a user when a valid nonce isn't present.
+		 */
+		$has_post_data_nonce = (
+			check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
+			||
+			check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
+			||
+			check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
+		);
+		if ( ! $has_post_data_nonce ) {
+			unset( $_POST['customized'] );
+			unset( $_REQUEST['customized'] );
+		}
+
 		if ( $this->is_theme_active() ) {
 			// Once the theme is loaded, we'll validate it.
 			add_action( 'after_setup_theme', array( $this, 'after_setup_theme' ) );