Verify the MAC earlier in WP_Customize_Widgets. props duck_.

nacin · nacin · commit a8e8ed65500a · 2014-08-05T06:49:22.000Z
git-svn-id: https://develop.svn.wordpress.org/trunk@29377 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/class-wp-customize-widgets.php b/src/wp-includes/class-wp-customize-widgets.php
@@ -1150,21 +1150,19 @@ public function tally_sidebars_via_dynamic_sidebar_calls( $has_widgets, $sidebar
 	}
 
 	/**
-	 * Get a widget instance's hash key.
+	 * Get MAC for a serialized widget instance string.
 	 *
-	 * Serialize an instance and hash it with the AUTH_KEY; when a JS value is
-	 * posted back to save, this instance hash key is used to ensure that the
-	 * serialized_instance was not tampered with, but that it had originated
-	 * from WordPress and so is sanitized.
+	 * Allows values posted back from JS to be rejected if any tampering of the
+	 * data has occurred.
 	 *
 	 * @since 3.9.0
 	 * @access protected
 	 *
-	 * @param array $instance Widget instance.
-	 * @return string Widget instance's hash key.
+	 * @param string $serialized_instance Widget instance.
+	 * @return string MAC for serialized widget instance.
 	 */
-	protected function get_instance_hash_key( $instance ) {
-		return wp_hash( serialize( $instance ) );
+	protected function get_instance_hash_key( $serialized_instance ) {
+		return wp_hash( $serialized_instance );
 	}
 
 	/**
@@ -1192,18 +1190,19 @@ public function sanitize_widget_instance( $value ) {
 		}
 
 		$decoded = base64_decode( $value['encoded_serialized_instance'], true );
-
 		if ( false === $decoded ) {
 			return null;
 		}
-		$instance = unserialize( $decoded );
 
-		if ( false === $instance ) {
+		if ( $this->get_instance_hash_key( $decoded ) !== $value['instance_hash_key'] ) {
 			return null;
 		}
-		if ( $this->get_instance_hash_key( $instance ) !== $value['instance_hash_key'] ) {
+
+		$instance = unserialize( $decoded );
+		if ( false === $instance ) {
 			return null;
 		}
+
 		return $instance;
 	}
 
@@ -1224,7 +1223,7 @@ public function sanitize_widget_js_instance( $value ) {
 				'encoded_serialized_instance'   => base64_encode( $serialized ),
 				'title'                         => empty( $value['title'] ) ? '' : $value['title'],
 				'is_widget_customizer_js_value' => true,
-				'instance_hash_key'             => $this->get_instance_hash_key( $value ),
+				'instance_hash_key'             => $this->get_instance_hash_key( $serialized ),
 			);
 		}
 		return $value;

Original file line number	Diff line number	Diff line change
`@@ -1150,21 +1150,19 @@ public function tally_sidebars_via_dynamic_sidebar_calls( $has_widgets, $sidebar`
`1150`	`1150`	`}`
`1151`	`1151`
`1152`	`1152`	`/**`
`1153`		`- * Get a widget instance's hash key.`
	`1153`	`+ * Get MAC for a serialized widget instance string.`
`1154`	`1154`	`*`
`1155`		`- * Serialize an instance and hash it with the AUTH_KEY; when a JS value is`
`1156`		`- * posted back to save, this instance hash key is used to ensure that the`
`1157`		`- * serialized_instance was not tampered with, but that it had originated`
`1158`		`- * from WordPress and so is sanitized.`
	`1155`	`+ * Allows values posted back from JS to be rejected if any tampering of the`
	`1156`	`+ * data has occurred.`
`1159`	`1157`	`*`
`1160`	`1158`	`* @since 3.9.0`
`1161`	`1159`	`* @access protected`
`1162`	`1160`	`*`
`1163`		`- * @param array $instance Widget instance.`
`1164`		`- * @return string Widget instance's hash key.`
	`1161`	`+ * @param string $serialized_instance Widget instance.`
	`1162`	`+ * @return string MAC for serialized widget instance.`
`1165`	`1163`	`*/`
`1166`		`- protected function get_instance_hash_key( $instance ) {`
`1167`		`- return wp_hash( serialize( $instance ) );`
	`1164`	`+ protected function get_instance_hash_key( $serialized_instance ) {`
	`1165`	`+ return wp_hash( $serialized_instance );`
`1168`	`1166`	`}`
`1169`	`1167`
`1170`	`1168`	`/**`
`@@ -1192,18 +1190,19 @@ public function sanitize_widget_instance( $value ) {`
`1192`	`1190`	`}`
`1193`	`1191`
`1194`	`1192`	`$decoded = base64_decode( $value['encoded_serialized_instance'], true );`
`1195`		`-`
`1196`	`1193`	`if ( false === $decoded ) {`
`1197`	`1194`	`return null;`
`1198`	`1195`	`}`
`1199`		`- $instance = unserialize( $decoded );`
`1200`	`1196`
`1201`		`- if ( false === $instance ) {`
	`1197`	`+ if ( $this->get_instance_hash_key( $decoded ) !== $value['instance_hash_key'] ) {`
`1202`	`1198`	`return null;`
`1203`	`1199`	`}`
`1204`		`- if ( $this->get_instance_hash_key( $instance ) !== $value['instance_hash_key'] ) {`
	`1200`	`+`
	`1201`	`+ $instance = unserialize( $decoded );`
	`1202`	`+ if ( false === $instance ) {`
`1205`	`1203`	`return null;`
`1206`	`1204`	`}`
	`1205`	`+`
`1207`	`1206`	`return $instance;`
`1208`	`1207`	`}`
`1209`	`1208`
`@@ -1224,7 +1223,7 @@ public function sanitize_widget_js_instance( $value ) {`
`1224`	`1223`	`'encoded_serialized_instance' => base64_encode( $serialized ),`
`1225`	`1224`	`'title' => empty( $value['title'] ) ? '' : $value['title'],`
`1226`	`1225`	`'is_widget_customizer_js_value' => true,`
`1227`		`- 'instance_hash_key' => $this->get_instance_hash_key( $value ),`
	`1226`	`+ 'instance_hash_key' => $this->get_instance_hash_key( $serialized ),`
`1228`	`1227`	`);`
`1229`	`1228`	`}`
`1230`	`1229`	`return $value;`