From 69112517eda75e6758122dd8f1b2c5412fecda75 Mon Sep 17 00:00:00 2001
From: nacin <nacin@1a063a9b-81f0-0310-95a4-ce76da25c4cd>
Date: Tue, 26 Jun 2012 18:48:18 +0000
Subject: [PATCH] Refresh nonces in the customizer. props koopersmith. see
 #20876.

git-svn-id: http://core.svn.wordpress.org/trunk@21135 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/customize.php                     |  7 ++++-
 wp-admin/js/customize-controls.dev.js      | 33 +++++++++++++++-------
 wp-includes/class-wp-customize-manager.php | 13 ++++++++-
 wp-includes/js/customize-preview.dev.js    |  7 ++++-
 wp-login.php                               | 30 +++++++++-----------
 5 files changed, 60 insertions(+), 30 deletions(-)

diff --git a/wp-admin/customize.php b/wp-admin/customize.php
index 3e6a67508..09c5b6789 100644
--- a/wp-admin/customize.php
+++ b/wp-admin/customize.php
@@ -7,6 +7,8 @@
  * @since 3.4.0
  */
 
+define( 'IFRAME_REQUEST', true );
+
 require_once( './admin.php' );
 if ( ! current_user_can( 'edit_theme_options' ) )
 	wp_die( __( 'Cheatin&#8217; uh?' ) );
@@ -65,7 +67,6 @@ do_action( 'customize_controls_print_scripts' );
 <body class="<?php echo esc_attr( $body_class ); ?>">
 <div class="wp-full-overlay expanded">
 	<form id="customize-controls" class="wrap wp-full-overlay-sidebar">
-		<?php wp_nonce_field( 'customize_controls-' . $wp_customize->get_stylesheet() ); ?>
 		<div id="customize-header-actions" class="wp-full-overlay-header">
 			<?php
 				$save_text = $wp_customize->is_theme_active() ? __( 'Save &amp; Publish' ) : __( 'Save &amp; Activate' );
@@ -175,6 +176,10 @@ do_action( 'customize_controls_print_scripts' );
 		),
 		'settings' => array(),
 		'controls' => array(),
+		'nonce'    => array(
+ 			'save'    => wp_create_nonce( 'save-customize_' . $wp_customize->get_stylesheet() ),
+ 			'preview' => wp_create_nonce( 'preview-customize_' . $wp_customize->get_stylesheet() )
+ 		),
 	);
 
 	foreach ( $wp_customize->settings() as $id => $setting ) {
diff --git a/wp-admin/js/customize-controls.dev.js b/wp-admin/js/customize-controls.dev.js
index cb4e6e20a..c37e43bd0 100644
--- a/wp-admin/js/customize-controls.dev.js
+++ b/wp-admin/js/customize-controls.dev.js
@@ -294,7 +294,8 @@
 			// This is the promise object.
 			deferred.promise( this );
 
-			this.previewer = params.previewer;
+			this.container = params.container;
+			this.signature = params.signature;
 
 			$.extend( params, { channel: api.PreviewFrame.uuid() });
 
@@ -338,7 +339,7 @@
 
 			this.request.done( function( response ) {
 				var location = self.request.getResponseHeader('Location'),
-					signature = 'WP_CUSTOMIZER_SIGNATURE',
+					signature = self.signature,
 					index;
 
 				// Check if the location response header differs from the current URL.
@@ -371,7 +372,7 @@
 				response = response.slice( 0, index ) + response.slice( index + signature.length );
 
 				// Create the iframe and inject the html content.
-				self.iframe = $('<iframe />').appendTo( self.previewer.container );
+				self.iframe = $('<iframe />').appendTo( self.container );
 
 				// Bind load event after the iframe has been added to the page;
 				// otherwise it will fire when injected into the DOM.
@@ -416,7 +417,7 @@
 					reject();
 
 				iframe = $('<iframe src="' + self.previewUrl() + '" />').hide();
-				iframe.appendTo( self.previewer.container );
+				iframe.appendTo( self.container );
 				iframe.load( function() {
 					self.triedLogin = true;
 
@@ -497,6 +498,7 @@
 
 			this.container   = api.ensure( params.container );
 			this.allowedUrls = params.allowedUrls;
+			this.signature   = params.signature;
 
 			params.url = window.location.href;
 
@@ -570,7 +572,8 @@
 				url:        this.url(),
 				previewUrl: this.previewUrl(),
 				query:      this.query() || {},
-				previewer:  this
+				container:  this.container,
+				signature:  this.signature
 			});
 
 			this.loading.done( function() {
@@ -583,6 +586,8 @@
 
 					self.targetWindow( this.targetWindow() );
 					self.channel( this.channel() );
+
+					self.send( 'active' );
 				});
 
 				this.send( 'sync', {
@@ -683,23 +688,26 @@
 			container:   '#customize-preview',
 			form:        '#customize-controls',
 			previewUrl:  api.settings.url.preview,
-			allowedUrls: api.settings.url.allowed
+			allowedUrls: api.settings.url.allowed,
+			signature:   'WP_CUSTOMIZER_SIGNATURE'
 		}, {
+
+			nonce: api.settings.nonce,
+
 			query: function() {
 				return {
 					wp_customize: 'on',
 					theme:        api.settings.theme.stylesheet,
-					customized:   JSON.stringify( api.get() )
+					customized:   JSON.stringify( api.get() ),
+					nonce:        this.nonce.preview
 				};
 			},
 
-			nonce: $('#_wpnonce').val(),
-
 			save: function() {
 				var self  = this,
 					query = $.extend( this.query(), {
 						action: 'customize_save',
-						nonce:  this.nonce
+						nonce:  this.nonce.save
 					}),
 					request = $.post( api.settings.url.ajax, query );
 
@@ -733,6 +741,11 @@
 			}
 		});
 
+		// Refresh the nonces if the preview sends updated nonces over.
+ 		previewer.bind( 'nonce', function( nonce ) {
+ 			$.extend( this.nonce, nonce );
+ 		});
+
 		$.each( api.settings.settings, function( id, data ) {
 			api.create( id, id, data.value, {
 				transport: data.transport,
diff --git a/wp-includes/class-wp-customize-manager.php b/wp-includes/class-wp-customize-manager.php
index b561fb24e..7fa4af09f 100644
--- a/wp-includes/class-wp-customize-manager.php
+++ b/wp-includes/class-wp-customize-manager.php
@@ -17,6 +17,8 @@ final class WP_Customize_Manager {
 	protected $sections = array();
 	protected $controls = array();
 
+	protected $nonce_tick;
+
 	protected $customized;
 
 	private $_post_values;
@@ -308,6 +310,8 @@ final class WP_Customize_Manager {
 	 * @since 3.4.0
 	 */
 	public function customize_preview_init() {
+		$this->nonce_tick = check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce' );
+
 		$this->prepare_controls();
 
 		wp_enqueue_script( 'customize-preview' );
@@ -362,6 +366,13 @@ final class WP_Customize_Manager {
 			'channel' => esc_js( $_POST['customize_messenger_channel'] ),
 		);
 
+		if ( 2 == $this->nonce_tick ) {
+ 			$settings['nonce'] = array(
+ 				'save' => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ),
+ 				'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() )
+ 			);
+ 		}
+
 		foreach ( $this->settings as $id => $setting ) {
 			$settings['values'][ $id ] = $setting->js_value();
 		}
@@ -468,7 +479,7 @@ final class WP_Customize_Manager {
 		if ( ! $this->is_preview() )
 			die;
 
-		check_ajax_referer( 'customize_controls-' . $this->get_stylesheet(), 'nonce' );
+		check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce' );
 
 		// Do we have to switch themes?
 		if ( ! $this->is_theme_active() ) {
diff --git a/wp-includes/js/customize-preview.dev.js b/wp-includes/js/customize-preview.dev.js
index 28af66b8d..9caa6b684 100644
--- a/wp-includes/js/customize-preview.dev.js
+++ b/wp-includes/js/customize-preview.dev.js
@@ -88,7 +88,12 @@
 				preview.trigger( event, args );
 			});
 			preview.send( 'synced' );
-		})
+		});
+
+	 	preview.bind( 'active', function() {
+	 		if ( api.settings.nonce )
+	 			preview.send( 'nonce', api.settings.nonce );
+	 	});
 
 		preview.send( 'ready' );
 
diff --git a/wp-login.php b/wp-login.php
index 0b1df6078..50088db9e 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -39,7 +39,7 @@ if ( force_ssl_admin() && !is_ssl() ) {
  * @param WP_Error $wp_error Optional. WordPress Error Object
  */
 function login_header($title = 'Log In', $message = '', $wp_error = '') {
-	global $error, $interim_login, $current_site, $customize_login;
+	global $error, $interim_login, $current_site;
 
 	// Don't index any of these forms
 	add_action( 'login_head', 'wp_no_robots' );
@@ -68,9 +68,6 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') {
 		<meta name="viewport" content="width=320; initial-scale=0.9; maximum-scale=1.0; user-scalable=0;" /><?php
 	}
 
-	if ( $customize_login )
-		wp_enqueue_script( 'customize-base' );
-
 	do_action( 'login_enqueue_scripts' );
 	do_action( 'login_head' );
 
@@ -568,6 +565,8 @@ default:
 	$secure_cookie = '';
 	$interim_login = isset($_REQUEST['interim-login']);
 	$customize_login = isset( $_REQUEST['customize-login'] );
+	if ( $customize_login )
+		wp_enqueue_script( 'customize-base' );
 
 	// If the user wants ssl but the session is not ssl, force a secure cookie.
 	if ( !empty($_POST['log']) && !force_ssl_admin() ) {
@@ -604,21 +603,18 @@ default:
 	if ( !is_wp_error($user) && !$reauth ) {
 		if ( $interim_login ) {
 			$message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
-			login_header( '', $message );
+			login_header( '', $message ); ?>
 
-			if ( ! $customize_login ) : ?>
-				<script type="text/javascript">setTimeout( function(){window.close()}, 8000);</script>
-				<p class="alignright">
-				<input type="button" class="button-primary" value="<?php esc_attr_e('Close'); ?>" onclick="window.close()" /></p>
-<?php		endif;
-
-			?></div><?php
-
-			do_action('login_footer');
-
-			if ( $customize_login ) : ?>
+			<?php if ( ! $customize_login ) : ?>
+			<script type="text/javascript">setTimeout( function(){window.close()}, 8000);</script>
+			<p class="alignright">
+			<input type="button" class="button-primary" value="<?php esc_attr_e('Close'); ?>" onclick="window.close()" /></p>
+			<?php endif; ?>
+			</div>
+			<?php do_action( 'login_footer' ); ?>
+			<?php if ( $customize_login ) : ?>
 				<script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script>
-<?php		endif; ?>
+			<?php endif; ?>
 			</body></html>
 <?php		exit;
 		}