Ticket #2678: nonce.diff
| File nonce.diff, 8.9 KB (added by ryan, 6 years ago) |
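--- a/wp-includes/functions-compat.php
+++ b/wp-includes/functions-compat.php
@@ -98,4 +98,17 @@
 }
 }
 
+// From php.net
+if(!function_exists('http_build_query')) {
+function http_build_query( $formdata, $numeric_prefix = null, $key = null ) {
+$res = array();
+foreach ((array)$formdata as $k=>$v) {
+$tmp_key = urlencode(is_int($k) ? $numeric_prefix.$k : $k);
+if ($key) $tmp_key = $key.'['.$tmp_key.']';
+$res[] = ( ( is_array($v) || is_object($v) ) ? http_build_query($v, null, $tmp_key) : $tmp_key."=".urlencode($v) );
+}
+$separator = ini_get('arg_separator.output');
+return implode($separator, $res);
+}
+}
 ?>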
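Review bot: The http_build_query() shim added at lines 101-113 carries only `// From php.net`; a header such as `// Compat shim for PHP builds lacking http_build_query(): mirrors the native signature ($formdata, $numeric_prefix, $key) and joins pairs with ini arg_separator.output` would tell a maintainer why it exists and when it is active. The recursive call deliberately passes `null` for `$numeric_prefix`, so the prefix applies only to top-level integer keys; that is easy to misread as an omission and deserves a one-line comment. The `(array)$formdata` cast also means objects are walked property by property, including non-public ones, which is worth stating since the function is fed arbitrary structures.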
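--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -1663,4 +1663,12 @@
 return $installed;
 }
 
+function wp_nonce_url($actionurl, $action = -1) {
+return add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl);
+}
+
+function wp_nonce_field($action = -1) {
+echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />';
+}
+
 ?>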
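Review bot: Neither wp_nonce_url() nor wp_nonce_field() documents its contract, and both default `$action` to -1, which yields a nonce that is not tied to any particular operation; the docblocks should say that callers are expected to pass a specific action string, e.g. `/** Appends a _wpnonce query arg for $action to $actionurl. Always pass a specific $action; -1 produces a generic nonce shared by every caller that omits it. */`. wp_nonce_url() returns the raw output of add_query_arg(), which in this patch is echoed straight into `href='...'` and `src="..."` attributes (edit.php, edit-form-advanced.php), so the comment should also state that the result is unescaped and must go through wp_specialchars() (or equivalent) when embedded in markup. For wp_nonce_field() a note that it echoes immediately, rather than returning the markup, would prevent it being called before the enclosing form is open.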
wp-includes/pluggable-functions.php
228 228 endif; 229 229 230 230 if ( !function_exists('check_admin_referer') ) : 231 function check_admin_referer() { 231 function check_admin_referer($action = -1) { 232 global $pagenow; 232 233 $adminurl = strtolower(get_settings('siteurl')).'/wp-admin'; 233 234 $referer = strtolower($_SERVER['HTTP_REFERER']); 234 if (!strstr($referer, $adminurl)) 235 die(__('Sorry, you need to <a href="http://codex.wordpress.org/Enable_Sending_Referrers">enable sending referrers</a> for this feature to work.')); 235 if ( !wp_verify_nonce($_REQUEST['_wpnonce'], $action) ) { 236 $html = "<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>\n<html xmlns='http://www.w3.org/1999/xhtml' lang='en' xml:lang='en'>\n\n"; 237 $html .= "<head>\n\t<title>" . __('WordPress Confirmation') . "</title>\n"; 238 $html .= "</head>\n<body>\n"; 239 if ( $_POST ) { 240 $q = http_build_query($_POST); 241 $q = explode( ini_get('arg_separator.output'), $q); 242 $html .= "\t<form method='post' action='$pagenow'>\n"; 243 foreach ( (array) $q as $a ) { 244 $v = substr(strstr($a, '='), 1); 245 $k = substr($a, 0, -(strlen($v)+1)); 246 $html .= "\t\t<input type='hidden' name='" . wp_specialchars( urldecode($k), 1 ) . "' value='" . wp_specialchars( urldecode($v), 1 ) . "' />\n"; 247 } 248 $html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n"; 249 $html .= "\t\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t</form>\n"; 250 } else { 251 $html .= "\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . 
"</a></p>\n"; 252 } 253 $html .= "</body>\n</html>"; 254 255 die($html); 256 } 236 257 do_action('check_admin_referer'); 237 } 238 endif; 258 }endif; 239 259 240 260 if ( !function_exists('check_ajax_referer') ) : 241 261 function check_ajax_referer() { … … 460 480 } 461 481 endif; 462 482 483 if ( !function_exists('wp_verify_nonce') ) : 484 function wp_verify_nonce($nonce, $action = -1) { 485 $user = wp_get_current_user(); 486 $uid = $user->id; 487 488 $i = ceil(time() / 43200); 489 490 //Allow for expanding range, but only do one check if we can 491 if( substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10) == $nonce || substr(md5(($i - 1) . DB_PASSWORD . $action . $uid), -12, 10) == $nonce ) 492 return true; 493 return false; 494 } 495 endif; 496 497 if ( !function_exists('wp_create_nonce') ) : 498 function wp_create_nonce($action = -1) { 499 $user = wp_get_current_user(); 500 $uid = $user->id; 501 502 $i = ceil(time() / 43200); 503 504 return substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10); 505 } 506 endif; 507 463 508 ?> -
wp-admin/inline-uploading.php
2 2 3 3 require_once('admin.php'); 4 4 5 check_admin_referer( );5 check_admin_referer('inlineuploading'); 6 6 7 7 header('Content-Type: text/html; charset=' . get_option('blog_charset')); 8 8 … … 41 41 42 42 wp_delete_attachment($attachment); 43 43 44 header("Location: ". basename(__FILE__)."?post=$post&all=$all&action=view&start=$start");44 header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=$start", 'inlineuploading')); 45 45 die; 46 46 47 47 case 'save': … … 100 100 add_post_meta($id, '_wp_attachment_metadata', array()); 101 101 } 102 102 103 header("Location: ". basename(__FILE__)."?post=$post&all=$all&action=view&start=0");103 header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=0", 'inlineuploading')); 104 104 die(); 105 105 106 106 case 'upload': … … 139 139 $attachments = $wpdb->get_results("SELECT ID, post_date, post_title, post_mime_type, guid FROM $wpdb->posts WHERE post_type = 'attachment' $and_type $and_post $and_user ORDER BY $sort LIMIT $start, $double", ARRAY_A); 140 140 141 141 if ( count($attachments) == 0 ) { 142 header("Location: ". basename(__FILE__)."?post=$post&action=upload");142 header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&action=upload", 'inlineuploading') ); 143 143 die; 144 144 } elseif ( count($attachments) > $num ) { 145 145 $next = $start + count($attachments) - $num; -
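Review bot: The single action string `'inlineuploading'` used by check_admin_referer() on line 5 and by every wp_nonce_url() call (lines 44, 103, 142) covers view, delete, save and upload alike and is not tied to the post being edited, whereas post.php binds its edit nonce to the post ID. If `$post` is already derived from the request before line 5 (the preceding lines are not visible here), binding the action as `check_admin_referer('inlineuploading' . $post)` and using the same suffix in the three redirects and in edit-form-advanced.php would scope a nonce to one post and one page, which is cheap given that the helpers accept any string. Failing that, a comment at line 5 stating that one nonce intentionally covers all inline-uploading actions would at least record the decision.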
wp-admin/post.php
24 24 switch($action) { 25 25 case 'postajaxpost': 26 26 case 'post': 27 check_admin_referer( );27 check_admin_referer('post'); 28 28 29 29 $post_ID = 'post' == $action ? write_post() : edit_post(); 30 30 … … 96 96 add_post_meta($post_id, '_wp_attachment_metadata', $newmeta); 97 97 98 98 case 'editpost': 99 check_admin_referer(); 99 $post_ID = (int) $_POST['post_ID']; 100 check_admin_referer('editpost' . $post_ID); 100 101 101 102 $post_ID = edit_post(); 102 103 … … 121 122 break; 122 123 123 124 case 'delete': 124 check_admin_referer( );125 check_admin_referer('deletepost'); 125 126 126 127 $post_id = (isset($_GET['post'])) ? intval($_GET['post']) : intval($_POST['post_ID']); 127 128 -
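Review bot: The 'editpost' case now reads `$post_ID` before the check and binds the nonce to it (lines 99-100), but the 'delete' case keeps an unbound `check_admin_referer('deletepost')` on line 125 even though `$post_id` is computed on the very next line; moving the check below it and using `check_admin_referer('deletepost' . $post_id)` (with the matching `wp_nonce_url("post.php?action=delete&post=$id", 'deletepost' . $id)` in edit.php) would make deletion nonces single-post like edit nonces. The 'post' case cannot be bound to an ID since the post does not exist yet, which is worth a one-line comment so the asymmetry does not look accidental. The surrounding switch starts and ends outside this hunk.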
wp-admin/edit-form-advanced.php
22 22 $form_action = 'post'; 23 23 $temp_ID = -1 * time(); 24 24 $form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />"; 25 wp_nonce_field('post'); 25 26 } else { 26 27 $form_action = 'editpost'; 27 28 $form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />"; 29 wp_nonce_field('editpost' . $post_ID); 28 30 } 29 31 30 32 $form_pingback = '<input type="hidden" name="post_pingback" value="' . get_option('default_pingback_flag') . '" id="post_pingback" />'; … … 173 175 <?php 174 176 if (current_user_can('upload_files')) { 175 177 $uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID); 176 $uploading_iframe_src = "inline-uploading.php?action=view&post=$uploading_iframe_ID";178 $uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&post=$uploading_iframe_ID", 'inlineuploading'); 177 179 $uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src); 178 180 if ( false != $uploading_iframe_src ) 179 181 echo '<iframe id="uploading" border="0" src="' . $uploading_iframe_src . '">' . __('This feature requires iframe support.') . '</iframe>'; -
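Review bot: wp_nonce_field() on lines 25 and 29 echoes its hidden input at the point of call, whereas the sibling `$form_extra` on the adjacent lines is buffered into a variable and presumably printed inside the form later; unless the `<form>` tag has already been opened above this hunk (not visible here), the nonce field lands outside the form and is never submitted. Appending the field to the existing buffer sidesteps the question, e.g. `$form_extra .= "<input type='hidden' name='_wpnonce' value='" . wp_create_nonce('post') . "' />";` and the same with `'editpost' . $post_ID` in the else branch. On line 178 the wp_nonce_url() result is echoed into `src="..."` unescaped, so the `&` added by add_query_arg() appears raw in the attribute; passing it through wp_specialchars() after the filter would keep the markup well-formed.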
wp-admin/edit.php
211 211 212 212 case 'control_delete': 213 213 ?> 214 <td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href=' post.php?action=delete&post=$id' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>214 <td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href='" . wp_nonce_url("post.php?action=delete&post=$id", 'deletepost') . "' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td> 215 215 <?php 216 216 break; 217 217
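Review bot: On line 214 the wp_nonce_url() result is concatenated straight into `href='...'`, so the `&` that add_query_arg() inserts before `_wpnonce` is emitted unescaped inside an attribute; wrapping it as `wp_specialchars( wp_nonce_url("post.php?action=delete&post=$id", 'deletepost'), 1 )` keeps the attribute well-formed without affecting the nonce value. The `$id` and nonce parts are numeric and hex respectively, so this is a markup-validity point rather than an injection one. The enclosing switch starts and ends outside this hunk.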
