add nonce check for api

This commit is contained in:
mashiro 2019-11-15 00:11:02 +08:00
parent 5ee344bc37
commit df2c829496
5 changed files with 19 additions and 7 deletions


@ -7,7 +7,7 @@
* @package Sakura * @package Sakura
*/ */
define( 'SAKURA_VERSION', '3.3.0' ); define( 'SAKURA_VERSION', '3.3.1' );
define( 'BUILD_VERSION', '3' ); define( 'BUILD_VERSION', '3' );
define( 'JSDELIVR_VERSION', '3.6.7' ); define( 'JSDELIVR_VERSION', '3.6.7' );


@ -77,9 +77,9 @@ window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}
</script> </script>
<?php endif; ?> <?php endif; ?>
</head> </head>
<body <?php body_class(); ?>> <body nonce-data="<?php echo wp_create_nonce( 'wp_rest' ); ?>" <?php body_class(); ?>>
<?php if(get_template_directory_uri() != get_site_url().'/wp-content/themes/Sakura') echo '<div style="position:fixed;height:100%;width:100%;top:0;left:0;font-size:20px;z-index:999999;background-color: #fff;">Plz rename the theme folder name as <span style="color:red">Sakura</span>!<br>请将主题文件夹名改为 <span style="color:red">Sakura</span></div>'; ?> <?php if(get_template_directory_uri() != get_site_url().'/wp-content/themes/Sakura') echo '<div style="position:fixed;height:100%;width:100%;top:0;left:0;font-size:20px;z-index:999999;background-color: #fff;">Plz rename the theme folder name as <span style="color:red">Sakura</span>!<br>请将主题文件夹名改为 <span style="color:red">Sakura</span></div>'; ?>
<?php if(!function_exists('curl_exec')) echo '<div style="position:fixed;height:100%;width:100%;top:0;left:0;font-size:20px;z-index:999999;background-color: #fff;">主题需要 PHP 的 curl 支持!请在 `php.ini` 里开启或者联系你的主机商。<br>The theme requires PHP\'s curl support! Please turn on in `php.ini` or contact your hosting provider.</div>' ?>; <?php if(!function_exists('curl_exec')) echo '<div style="position:fixed;height:100%;width:100%;top:0;left:0;font-size:20px;z-index:999999;background-color: #fff;">主题需要 PHP 的 curl 支持!请在 `php.ini` 里开启或者联系你的主机商。<br>The theme requires PHP\'s curl support! Please turn on in `php.ini` or contact your hosting provider.</div>'; ?>
<div class="scrollbar" id="bar"></div> <div class="scrollbar" id="bar"></div>
<section id="main-container"> <section id="main-container">
<?php <?php
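Review bot: `nonce-data` on the new `<body>` line is not a valid HTML attribute name; use a `data-*` attribute and escape the value for attribute context, e.g. `<body data-nonce="<?php echo esc_attr( wp_create_nonce( 'wp_rest' ) ); ?>" <?php body_class(); ?>>`, with the reader in the footer JS switched to `$('body').data('nonce')`. The nonce is also rendered into every page, including for logged-out visitors, so (as far as I recall WordPress nonce behaviour for user 0) anyone who loads a page obtains a valid one; the check therefore binds upload requests to pages the site itself served, CSRF-style, and does not restrict uploads to authenticated users. If restricting uploads is the intent, a capability check on the server side would be needed in addition, and the 'Unauthorized client.' message in the api hunk should not be read as implying authentication.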


@ -17,7 +17,7 @@ add_action('rest_api_init', function () {
/** /**
* Image uploader response * Image uploader response
*/ */
function upload_image(WP_REST_Request $req) function upload_image(WP_REST_Request $request)
{ {
// see: https://developer.wordpress.org/rest-api/requests/ // see: https://developer.wordpress.org/rest-api/requests/
@ -29,6 +29,18 @@ function upload_image(WP_REST_Request $req)
* https://dev.2heng.xin/wp-json/sakura/v1/image/upload * https://dev.2heng.xin/wp-json/sakura/v1/image/upload
*/ */
// $file = $req->get_file_params(); // $file = $req->get_file_params();
if ( !check_ajax_referer('wp_rest', '_wpnonce', false) ) {
$output = array(
'status' => 403,
'success' => false,
'message' => 'Unauthorized client.',
'link' => "https://view.moezx.cc/images/2019/11/14/step04.md.png",
'proxy' => akina_option('cmt_image_proxy') . "https://view.moezx.cc/images/2019/11/14/step04.md.png",
);
$result = new WP_REST_Response($output, 403);
$result->set_headers(array('Content-Type' => 'application/json'));
return $result;
}
switch (akina_option("img_upload_api")) { switch (akina_option("img_upload_api")) {
case 'imgur': case 'imgur':
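Review bot: The nonce check runs inside the handler via `check_ajax_referer`, which reads `$_REQUEST` rather than the `WP_REST_Request` the function now receives (the `$req` → `$request` rename in the first hunk), and it answers with a hand-built 403 body. The idiomatic REST place is the route's `permission_callback` in the `rest_api_init` registration the hunk header references (outside this hunk), e.g. `'permission_callback' => static function (WP_REST_Request $request) { return (bool) wp_verify_nonce((string) $request->get_param('_wpnonce'), 'wp_rest'); }`, which runs before any handler code and yields WordPress's standard error response. The 403 body also carries a fixed remote image in `link` and `proxy`; if that is a deliberate user-facing hint image, a comment such as `// Hint image shown in the comment box when the nonce is missing/invalid` would keep the next reader from treating it as leftover copy-paste, otherwise those two fields should be dropped from an error response. upload_image continues past the end of this hunk, so the remaining body was not reviewed here and any leftover uses of `$req` after the rename should be checked.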


@ -182,7 +182,7 @@ function attach_image() {
var formData = new FormData(); var formData = new FormData();
formData.append('cmt_img_file', f); formData.append('cmt_img_file', f);
$.ajax({ $.ajax({
url: '/wp-json/sakura/v1/image/upload', url: '/wp-json/sakura/v1/image/upload/?_wpnonce='+$('body').attr('nonce-data'),
type: 'POST', type: 'POST',
processData: false, processData: false,
contentType: false, contentType: false,
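Review bot: The nonce is passed in the query string on the `url:` line, so it lands in server access logs, intermediaries and Referer headers; since the request already builds a FormData body, send it there and keep the route URL unchanged: `formData.append('_wpnonce', $('body').attr('nonce-data'));` before `$.ajax`, with `url: '/wp-json/sakura/v1/image/upload',`. `check_ajax_referer` reads `$_REQUEST`, so a POST field satisfies the server-side check as committed; the WP-REST-standard alternative is the `X-WP-Nonce` request header, which would require the server side to read it via `$request->get_header('X-WP-Nonce')` instead. The new URL also gains a trailing slash before the `?` (`/upload/?`) that the old one did not have — likely harmless if the route tolerates it, but an unrelated change. attach_image begins before this hunk.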


@ -5,7 +5,7 @@ Theme URI: https://2heng.xin/theme-sakura/
Author: Mashiro, Louie, Fuzzz Author: Mashiro, Louie, Fuzzz
Author URI: http://2heng.xin Author URI: http://2heng.xin
Description: A branch of theme Akina Description: A branch of theme Akina
Version: 3.3.0 Version: 3.3.1
License: GNU General Public License v2 or later License: GNU General Public License v2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html License URI: http://www.gnu.org/licenses/gpl-2.0.html
Text Domain: sakura Text Domain: sakura