From df2c8294964bd85b7da37af346ecda64135646fa Mon Sep 17 00:00:00 2001 From: mashiro Date: Fri, 15 Nov 2019 00:11:02 +0800 Subject: [PATCH 1/2] add nonce check for api --- functions.php | 2 +- header.php | 4 ++-- inc/api.php | 16 ++++++++++++++-- js/sakura-app.js | 2 +- style.css | 2 +- 5 files changed, 19 insertions(+), 7 deletions(-) diff --git a/functions.php b/functions.php index 2076dea..d6bd51d 100644 --- a/functions.php +++ b/functions.php @@ -7,7 +7,7 @@ * @package Sakura */ -define( 'SAKURA_VERSION', '3.3.0' ); +define( 'SAKURA_VERSION', '3.3.1' ); define( 'BUILD_VERSION', '3' ); define( 'JSDELIVR_VERSION', '3.6.7' ); diff --git a/header.php b/header.php index 7d6118d..8f05888 100644 --- a/header.php +++ b/header.php @@ -77,9 +77,9 @@ window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)} -> +> Plz rename the theme folder name as Sakura!
请将主题文件夹名改为 Sakura!'; ?> - 主题需要 PHP 的 curl 支持!请在 `php.ini` 里开启或者联系你的主机商。
The theme requires PHP\'s curl support! Please turn on in `php.ini` or contact your hosting provider.' ?>; + 主题需要 PHP 的 curl 支持!请在 `php.ini` 里开启或者联系你的主机商。
The theme requires PHP\'s curl support! Please turn on in `php.ini` or contact your hosting provider.'; ?>
get_file_params(); - + if ( !check_ajax_referer('wp_rest', '_wpnonce', false) ) { + $output = array( + 'status' => 403, + 'success' => false, + 'message' => 'Unauthorized client.', + 'link' => "https://view.moezx.cc/images/2019/11/14/step04.md.png", + 'proxy' => akina_option('cmt_image_proxy') . "https://view.moezx.cc/images/2019/11/14/step04.md.png", + ); + $result = new WP_REST_Response($output, 403); + $result->set_headers(array('Content-Type' => 'application/json')); + return $result; + } + switch (akina_option("img_upload_api")) { case 'imgur': $image = file_get_contents($_FILES["cmt_img_file"]["tmp_name"]); diff --git a/js/sakura-app.js b/js/sakura-app.js index b0bbe4a..db66148 100644 --- a/js/sakura-app.js +++ b/js/sakura-app.js @@ -182,7 +182,7 @@ function attach_image() { var formData = new FormData(); formData.append('cmt_img_file', f); $.ajax({ - url: '/wp-json/sakura/v1/image/upload', + url: '/wp-json/sakura/v1/image/upload/?_wpnonce='+$('body').attr('nonce-data'), type: 'POST', processData: false, contentType: false, diff --git a/style.css b/style.css index 680b6e7..b10bb5e 100644 --- a/style.css +++ b/style.css @@ -5,7 +5,7 @@ Theme URI: https://2heng.xin/theme-sakura/ Author: Mashiro, Louie, Fuzzz Author URI: http://2heng.xin Description: A branch of theme Akina -Version: 3.3.0 +Version: 3.3.1 License: GNU General Public License v2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html Text Domain: sakura From 3ac9b3a8f5243307a640f91f20dd7c9e5c7d2373 Mon Sep 17 00:00:00 2001 From: Mashiro Date: Fri, 15 Nov 2019 00:14:07 +0800 Subject: [PATCH 2/2] Update api.php --- inc/api.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inc/api.php b/inc/api.php index aac1307..da10ac0 100644 --- a/inc/api.php +++ b/inc/api.php 
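Review bot: The new `check_ajax_referer('wp_rest', '_wpnonce', false)` guard is a CSRF/origin check, not an authorization check, yet the hunk reports its failure as a 403 with `'message' => 'Unauthorized client.'` and nothing else restricts who may call upload_image. The nonce the client sends is the one the theme prints into the page (`$('body').attr('nonce-data')` in sakura-app.js), and if I read WordPress core correctly a nonce minted for a logged-out visitor is derived from user id 0 with no session token, so any anonymous script can fetch the page once and replay it. If anonymous uploads are intended, say so in a comment and make the message honest, e.g. `'message' => 'Missing or invalid nonce.'`; if not, the route needs a `permission_callback` or a `current_user_can( 'upload_files' )` check here (the route registration is not visible in this patch). The context line that follows still reads `$_FILES["cmt_img_file"]["tmp_name"]` without checking that the entry exists or passed `is_uploaded_file()`, which this commit does not address. upload_image's signature is outside this hunk.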
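Review bot: The nonce is appended to the request URL as `?_wpnonce=`, so it lands in server access logs, intermediate proxies and any Referer the upload response might trigger; the WordPress REST convention is the `X-WP-Nonce` request header, i.e. `headers: { 'X-WP-Nonce': $('body').attr('nonce-data') },` in the `$.ajax` options with the URL left as `/wp-json/sakura/v1/image/upload`. Note that `check_ajax_referer` in inc/api.php reads only `$_REQUEST`, so the PHP side would then have to verify `$request->get_header('X-WP-Nonce')` with `wp_verify_nonce( $nonce, 'wp_rest' )`. If the `nonce-data` attribute is absent (the header.php side of this patch is not legible here), the literal string `undefined` is sent and every upload fails with the 403, so a guard on the attribute before sending would give a clearer error. attach_image's body continues outside the hunk.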
@@ -28,7 +28,7 @@ function upload_image(WP_REST_Request $request)
 * -F "cmt_img_file=@screenshot.jpg" \
 * https://dev.2heng.xin/wp-json/sakura/v1/image/upload
 */
- // $file = $req->get_file_params();
+ // $file = $request->get_file_params();
 if ( !check_ajax_referer('wp_rest', '_wpnonce', false) ) {
 $output = array(
 'status' => 403,
@@ -266,4 +266,4 @@ EOS;
 'Cache-Control' => 'max-age=3600')); // json 缓存控制
 return $result;
-}
\ No newline at end of file
+}