ThemeShaper Forums » Thematic

Thematic sets widgets without checking referer

(2 posts)
  • Started 9 years ago by greenshady
  • Latest reply from Chris
  • This topic is not resolved
  1. When Thematic sets the default widgets, it uses this code to see if the theme was just activated:

    if ( isset( $_GET['activated'] ) ) {
    	update_option( 'sidebars_widgets', apply_filters('thematic_preset_widgets',$preset_widgets ));
    }

    However, this check should make sure we're coming from the themes page. Currently, appending something like ?something&activated=true to the end of a site's URL should reset the widgets to the defaults.

    I'd have to look more into it, but I believe you should run the code like so:

    if ( is_admin() && isset( $_GET['activated'] ) ) { // missing closing paren added
    	check_admin_referer( 'switch-theme_thematic' ); // Correct?
    	update_option( 'sidebars_widgets', apply_filters('thematic_preset_widgets',$preset_widgets ));
    }

    I've been doing security audits of my own plugins/themes and remember seeing this in Thematic a while back.

    Posted 9 years ago
  2. Hi Justin,

    Thanks for your help. I'll check this tomorrow.

    Chris

    Posted 9 years ago
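The following is an added example, not code from Thematic or from either poster, showing one way to make the widget preset depend on an actual theme switch rather than on a request parameter. It assumes WordPress 3.3 or later for the `after_switch_theme` action, and the `$example_preset_widgets` array, the `example_` function names and the version-gated fallback are constructed for illustration. The fallback exists because the redirect WordPress issues after activation (`themes.php?activated=true`) carries no nonce, so `check_admin_referer()` on that request would always fail; the action hook avoids the problem entirely, since `switch_theme()` only runs after themes.php has already verified the nonce and the `switch_themes` capability.

```php
<?php
// Added example (not Thematic's code). Drop-in for a theme's functions.php.

// Constructed sample preset; Thematic's real $preset_widgets array differs.
$example_preset_widgets = array(
    'primary-aside'       => array( 'search', 'pages', 'categories', 'archives' ),
    'secondary-aside'     => array( 'links', 'rss-links', 'meta' ),
    'wp_inactive_widgets' => array(),
    'array_version'       => 3,
);

/**
 * Writes the preset into the sidebars_widgets option.
 * Kept separate so both the hook and the fallback share one code path.
 */
function example_apply_preset_widgets() {
    global $example_preset_widgets;
    update_option(
        'sidebars_widgets',
        apply_filters( 'thematic_preset_widgets', $example_preset_widgets )
    );
}

/**
 * Preferred path (WordPress 3.3+): 'after_switch_theme' fires from
 * switch_theme(), which themes.php only calls after check_admin_referer()
 * and a current_user_can( 'switch_themes' ) check have passed. No value in
 * $_GET can reach this function, so ?activated=true on the front end is inert.
 */
add_action( 'after_switch_theme', 'example_apply_preset_widgets' );

/**
 * Fallback for WordPress versions without 'after_switch_theme'. It still
 * keys off ?activated=true, but only inside wp-admin, only on themes.php,
 * and only for a logged-in user allowed to switch themes. This narrows the
 * original issue (any visitor resetting widgets from any URL) to a
 * privileged user on the activation screen; it cannot verify a nonce
 * because the post-activation redirect does not include one.
 */
function example_legacy_preset_widgets_on_activation() {
    global $pagenow;

    if ( ! is_admin() || 'themes.php' !== $pagenow ) {
        return;
    }
    if ( ! isset( $_GET['activated'] ) ) {
        return;
    }
    if ( ! current_user_can( 'switch_themes' ) ) {
        return;
    }
    example_apply_preset_widgets();
}

// Register the fallback only where the action hook does not exist, so the
// preset is not written twice on modern installs.
if ( version_compare( $GLOBALS['wp_version'], '3.3', '<' ) ) {
    add_action( 'admin_init', 'example_legacy_preset_widgets_on_activation' );
}
```

To confirm the fix behaves as intended, request the site's front page with `?activated=true` appended while logged out and verify that the `sidebars_widgets` option (for example via `wp option get sidebars_widgets` in WP-CLI) is unchanged, then switch to the theme from Appearance > Themes and verify the preset was applied once.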
