Addressed feedback by adding whitelisted nonce actions

roykho 2021-01-21 12:08:20 -08:00
parent 21f872e766
commit d550cce434
No known key found for this signature in database
GPG Key ID: 7B36C0EA25795714
1 changed files with 11 additions and 12 deletions


@ -79,28 +79,27 @@ class WC_Admin_Notices {
$url_parts = ! empty( $action->query ) ? wp_parse_url( $action->query ) : '';
if ( ! isset( $url_parts['query'] ) ) {
$response->data['actions'][ $action_key ] = $action;
continue;
}
wp_parse_str( $url_parts['query'], $params );
if ( array_key_exists( '_nonce_action', $params ) && array_key_exists( '_nonce_name', $params ) ) {
$_params = $params;
$org_params = $params;
unset( $_params['_nonce_action'] );
unset( $_params['_nonce_name'] );
// Check to make sure we're acting on the whitelisted nonce actions.
if ( 'wc_db_update' !== $params['_nonce_action'] && 'woocommerce_hide_notices_nonce' !== $params['_nonce_action'] ) {
continue;
}
unset( $org_params['_nonce_action'] );
unset( $org_params['_nonce_name'] );
$url = $url_parts['scheme'] . '://' . $url_parts['host'] . $url_parts['path'];
$parsed_query = wp_nonce_url(
add_query_arg(
$_params,
$url
),
$params['_nonce_action'],
$params['_nonce_name']
);
$nonce = array( $params['_nonce_name'] => wp_create_nonce( $params['_nonce_action'] ) );
$merged_params = array_merge( $nonce, $org_params );
$parsed_query = add_query_arg( $merged_params, $url );
$response->data['actions'][ $action_key ]->query = html_entity_decode( $parsed_query );
$response->data['actions'][ $action_key ]->url = html_entity_decode( $parsed_query );
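Review bot: The allowlist on `_nonce_action` limits which nonce is minted, but nothing in this hunk constrains where it is sent: `$url` is still assembled from the `scheme`, `host` and `path` parsed out of `$action->query`, and `_nonce_name` is used unchecked as the parameter name. If a note action can ever carry a query this site did not author (not determinable from the hunk), a valid `wc_db_update` or `woocommerce_hide_notices_nonce` nonce would be appended to a URL on another host. I would add a destination check before `wp_create_nonce()`, for example `if ( ! isset( $url_parts['host'] ) || wp_parse_url( admin_url(), PHP_URL_HOST ) !== $url_parts['host'] ) { continue; }`, and give `_nonce_name` a similar fixed set of accepted values. The enclosing method starts and ends outside the hunk, so an equivalent check may already exist upstream of these lines.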