Index: wp-includes/functions-compat.php =================================================================== --- wp-includes/functions-compat.php (revision 3754) +++ wp-includes/functions-compat.php (working copy) @@ -98,4 +98,17 @@ } } +// From php.net +if(!function_exists('http_build_query')) { + function http_build_query( $formdata, $numeric_prefix = null, $key = null ) { + $res = array(); + foreach ((array)$formdata as $k=>$v) { + $tmp_key = urlencode(is_int($k) ? $numeric_prefix.$k : $k); + if ($key) $tmp_key = $key.'['.$tmp_key.']'; + $res[] = ( ( is_array($v) || is_object($v) ) ? http_build_query($v, null, $tmp_key) : $tmp_key."=".urlencode($v) ); + } + $separator = ini_get('arg_separator.output'); + return implode($separator, $res); + } +} ?> Index: wp-includes/functions.php =================================================================== --- wp-includes/functions.php (revision 3754) +++ wp-includes/functions.php (working copy) @@ -1663,4 +1663,12 @@ return $installed; } +function wp_nonce_url($actionurl, $action = -1) { + return add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl); +} + +function wp_nonce_field($action = -1) { + echo ''; +} + ?> Index: wp-includes/pluggable-functions.php =================================================================== --- wp-includes/pluggable-functions.php (revision 3754) +++ wp-includes/pluggable-functions.php (working copy) @@ -228,14 +228,34 @@ endif; if ( !function_exists('check_admin_referer') ) : -function check_admin_referer() { +function check_admin_referer($action = -1) { + global $pagenow; $adminurl = strtolower(get_settings('siteurl')).'/wp-admin'; $referer = strtolower($_SERVER['HTTP_REFERER']); - if (!strstr($referer, $adminurl)) - die(__('Sorry, you need to enable sending referrers for this feature to work.')); + if ( !wp_verify_nonce($_REQUEST['_wpnonce'], $action) ) { + $html = "\n\n\n"; + $html .= "\n\t" . __('WordPress Confirmation') . "\n"; + $html .= "\n\n"; + if ( $_POST ) { + $q = http_build_query($_POST); + $q = explode( ini_get('arg_separator.output'), $q); + $html .= "\t
\n"; + foreach ( (array) $q as $a ) { + $v = substr(strstr($a, '='), 1); + $k = substr($a, 0, -(strlen($v)+1)); + $html .= "\t\t\n"; + } + $html .= "\t\t\n"; + $html .= "\t\t

" . __('Are you sure you want to do this?') . "

\n\t\t

No

\n\t
\n"; + } else { + $html .= "\t

" . __('Are you sure you want to do this?') . "

\n\t\t

No " . __('Yes') . "

\n"; + } + $html .= "\n"; + + die($html); + } do_action('check_admin_referer'); -} -endif; +}endif; if ( !function_exists('check_ajax_referer') ) : function check_ajax_referer() { @@ -460,4 +480,29 @@ } endif; +if ( !function_exists('wp_verify_nonce') ) : +function wp_verify_nonce($nonce, $action = -1) { + $user = wp_get_current_user(); + $uid = $user->id; + + $i = ceil(time() / 43200); + + //Allow for expanding range, but only do one check if we can + if( substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10) == $nonce || substr(md5(($i - 1) . DB_PASSWORD . $action . $uid), -12, 10) == $nonce ) + return true; + return false; +} +endif; + +if ( !function_exists('wp_create_nonce') ) : +function wp_create_nonce($action = -1) { + $user = wp_get_current_user(); + $uid = $user->id; + + $i = ceil(time() / 43200); + + return substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10); +} +endif; + ?> Index: wp-admin/inline-uploading.php =================================================================== --- wp-admin/inline-uploading.php (revision 3754) +++ wp-admin/inline-uploading.php (working copy) @@ -2,7 +2,7 @@ require_once('admin.php'); -check_admin_referer(); +check_admin_referer('inlineuploading'); header('Content-Type: text/html; charset=' . get_option('blog_charset')); @@ -41,7 +41,7 @@ wp_delete_attachment($attachment); -header("Location: ".basename(__FILE__)."?post=$post&all=$all&action=view&start=$start"); +header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=$start", 'inlineuploading')); die; case 'save': @@ -100,7 +100,7 @@ add_post_meta($id, '_wp_attachment_metadata', array()); } -header("Location: ".basename(__FILE__)."?post=$post&all=$all&action=view&start=0"); +header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=0", 'inlineuploading')); die(); case 'upload': @@ -139,7 +139,7 @@ $attachments = $wpdb->get_results("SELECT ID, post_date, post_title, post_mime_type, guid FROM $wpdb->posts WHERE post_type = 'attachment' $and_type $and_post $and_user ORDER BY $sort LIMIT $start, $double", ARRAY_A); if ( count($attachments) == 0 ) { - header("Location: ".basename(__FILE__)."?post=$post&action=upload"); + header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&action=upload", 'inlineuploading') ); die; } elseif ( count($attachments) > $num ) { $next = $start + count($attachments) - $num; Index: wp-admin/edit-comments.php =================================================================== --- wp-admin/edit-comments.php (revision 3754) +++ wp-admin/edit-comments.php (working copy) @@ -51,7 +51,7 @@

|

comment_post_ID) ) { echo " " . __('Edit') . ''; - echo ' | comment_author, 1)) . "' );\">" . __('Delete') . ' '; + echo ' | comment_author, 1)) . "' );\">" . __('Delete') . ' '; if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) { - echo ' | ' . __('Unapprove') . ' '; - echo ' | ' . __('Approve') . ' '; + echo ' | ' . __('Unapprove') . ' '; + echo ' | ' . __('Approve') . ' '; } echo " | comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), wp_specialchars( $comment->comment_author, 1 )) . "' );\">" . __('Spam') . " "; } @@ -150,8 +150,9 @@ } elseif ('edit' == $mode) { if ($comments) { - echo '
- + echo ' '; + wp_nonce_field('bulk-comments'); + echo '
Index: wp-admin/post.php =================================================================== --- wp-admin/post.php (revision 3754) +++ wp-admin/post.php (working copy) @@ -24,7 +24,7 @@ switch($action) { case 'postajaxpost': case 'post': - check_admin_referer(); + check_admin_referer('add-post'); $post_ID = 'post' == $action ? write_post() : edit_post(); @@ -78,10 +78,10 @@ break; case 'editattachment': - check_admin_referer(); - $post_id = (int) $_POST['post_ID']; + check_admin_referer('update-attachment' . $post_id); + // Don't let these be changed unset($_POST['guid']); $_POST['post_type'] = 'attachment'; @@ -96,7 +96,8 @@ add_post_meta($post_id, '_wp_attachment_metadata', $newmeta); case 'editpost': - check_admin_referer(); + $post_ID = (int) $_POST['post_ID']; + check_admin_referer('update-post' . $post_ID); $post_ID = edit_post(); @@ -121,9 +122,8 @@ break; case 'delete': - check_admin_referer(); - $post_id = (isset($_GET['post'])) ? intval($_GET['post']) : intval($_POST['post_ID']); + check_admin_referer('delete-post' . $post_id); $post = & get_post($post_id); Index: wp-admin/admin-functions.php =================================================================== --- wp-admin/admin-functions.php (revision 3754) +++ wp-admin/admin-functions.php (working copy) @@ -709,7 +709,7 @@ - + "; } else { $form_action = 'editpost'; + $nonce_action = 'update-page' . $post_ID; $form_extra = ""; } @@ -23,6 +25,8 @@ '; } @@ -150,7 +154,7 @@ ' . __('This feature requires iframe support.') . ''; Index: wp-admin/comment.php =================================================================== --- wp-admin/comment.php (revision 3754) +++ wp-admin/comment.php (working copy) @@ -89,10 +89,9 @@ break; case 'deletecomment': - - check_admin_referer(); - $comment = (int) $_REQUEST['comment']; + check_admin_referer('delete-comment' . $comment); + $p = (int) $_REQUEST['p']; if ( isset($_REQUEST['noredir']) ) { $noredir = true; @@ -123,10 +122,9 @@ break; case 'unapprovecomment': - - check_admin_referer(); - $comment = (int) $_GET['comment']; + check_admin_referer('unapprove-comment' . $comment); + $p = (int) $_GET['p']; if (isset($_GET['noredir'])) { $noredir = true; @@ -151,10 +149,9 @@ break; case 'approvecomment': - - check_admin_referer(); - $comment = (int) $_GET['comment']; + check_admin_referer('approve-comment' . $comment); + $p = (int) $_GET['p']; if (isset($_GET['noredir'])) { $noredir = true; @@ -184,7 +181,7 @@ case 'editedcomment': - check_admin_referer(); + check_admin_referer('update-comment'); edit_comment(); Index: wp-admin/options-general.php =================================================================== --- wp-admin/options-general.php (revision 3754) +++ wp-admin/options-general.php (working copy) @@ -10,6 +10,7 @@

+
* ' . __('Name') . 'post_modified); ?> " . __('Edit') . ""; } ?>" . __('Delete') . ""; } ?>" . __('Delete') . ""; } ?>
Index: wp-admin/edit-link-form.php =================================================================== --- wp-admin/edit-link-form.php (revision 3754) +++ wp-admin/edit-link-form.php (working copy) @@ -2,11 +2,13 @@ if ( ! empty($link_id) ) { $heading = __('Edit Bookmark'); $submit_text = __('Save Changes »'); - $form = ''; + $form = ''; + $nonce_action = 'update-bookmark' . $link_id; } else { $heading = __('Create Bookmark'); $submit_text = __('Add Bookmark »'); $form = ''; + $nonce_action = 'add-bookmark'; } function xfn_check($class, $value = '', $type = 'check') { @@ -31,7 +33,8 @@

- + +
Index: wp-admin/options-misc.php =================================================================== --- wp-admin/options-misc.php (revision 3754) +++ wp-admin/options-misc.php (working copy) @@ -11,7 +11,7 @@

- +
Index: wp-admin/edit-form-comment.php =================================================================== --- wp-admin/edit-form-comment.php (revision 3754) +++ wp-admin/edit-form-comment.php (working copy) @@ -6,6 +6,7 @@ ?> +comment_ID) ?>
Index: wp-admin/edit-form-advanced.php =================================================================== --- wp-admin/edit-form-advanced.php (revision 3754) +++ wp-admin/edit-form-advanced.php (working copy) @@ -22,9 +22,11 @@ $form_action = 'post'; $temp_ID = -1 * time(); $form_extra = ""; + wp_nonce_field('add-post'); } else { $form_action = 'editpost'; $form_extra = ""; + wp_nonce_field('update-post' . $post_ID); } $form_pingback = ''; @@ -173,7 +175,7 @@ ' . __('This feature requires iframe support.') . ''; Index: wp-admin/options-discussion.php =================================================================== --- wp-admin/options-discussion.php (revision 3754) +++ wp-admin/options-discussion.php (working copy) @@ -21,6 +21,7 @@

+
(These settings may be overridden for individual articles.)') ?>
    Index: wp-admin/edit.php =================================================================== --- wp-admin/edit.php (revision 3754) +++ wp-admin/edit.php (working copy) @@ -211,7 +211,7 @@ case 'control_delete': ?> -
+ $value) { @@ -89,6 +89,7 @@

+
ID) ) { echo "" . __('Delete') . ""; } ?>ID) ) { echo "ID) . "' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . ""; } ?>

+
Index: wp-admin/link-manager.php =================================================================== --- wp-admin/link-manager.php (revision 3754) +++ wp-admin/link-manager.php (working copy) @@ -110,6 +110,7 @@ + @@ -175,7 +176,7 @@ '.__('Edit').''; - echo '
'; + echo ''; echo ''; echo "\n \n"; } Index: wp-admin/options-permalink.php =================================================================== --- wp-admin/options-permalink.php (revision 3754) +++ wp-admin/options-permalink.php (working copy) @@ -57,8 +57,8 @@ $home_path = get_home_path(); -if ( isset($_POST) ) { - check_admin_referer(); +if ( isset($_POST['permalink_structure']) || isset($_POST['category_base']) ) { + check_admin_referer('update-permalink'); if ( isset($_POST['permalink_structure']) ) { $permalink_structure = $_POST['permalink_structure']; @@ -117,6 +117,7 @@ ); ?> +

.htaccess file were writable, we could do this automatically, but it isn’t so these are the mod_rewrite rules you should have in your .htaccess file. Click in the field and press CTRL + a to select all.') ?>

+

Index: wp-admin/page.php =================================================================== --- wp-admin/page.php (revision 3754) +++ wp-admin/page.php (working copy) @@ -24,7 +24,7 @@ switch($action) { case 'post': - + check_admin_referer('add-page'); $page_ID = write_post(); // Redirect. @@ -76,6 +76,7 @@ case 'editattachment': $page_id = $post_ID = (int) $_POST['post_ID']; + check_admin_referer('update-attachment' . $page_id); // Don't let these be changed unset($_POST['guid']); @@ -91,6 +92,9 @@ add_post_meta($page_id, '_wp_attachment_metadata', $newmeta); case 'editpost': + $page_ID = (int) $_POST['post_ID']; + check_admin_referer('update-page' . $page_ID); + $page_ID = edit_post(); if ($_POST['save']) { @@ -114,9 +118,8 @@ break; case 'delete': - check_admin_referer(); - $page_id = (isset($_GET['post'])) ? intval($_GET['post']) : intval($_POST['post_ID']); + check_admin_referer('delete-page' . $page_id); $page = & get_post($page_id); Index: wp-admin/options-writing.php =================================================================== --- wp-admin/options-writing.php (revision 3754) +++ wp-admin/options-writing.php (working copy) @@ -10,6 +10,7 @@

+
link_id , '".sprintf(__("You are about to delete the "%s" bookmark to %s.\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($link->link_name, 1), wp_specialchars($link->link_url)).'\' );" class="delete">'.__('Delete').'link_id , '".sprintf(__("You are about to delete the "%s" bookmark to %s.\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($link->link_name, 1), wp_specialchars($link->link_url)).'\' );" class="delete">'.__('Delete').'
Index: wp-admin/categories.php =================================================================== --- wp-admin/categories.php (revision 3754) +++ wp-admin/categories.php (working copy) @@ -24,7 +24,7 @@ case 'addcat': - check_admin_referer(); + check_admin_referer('add-category'); if ( !current_user_can('manage_categories') ) die (__('Cheatin’ uh?')); @@ -35,13 +35,12 @@ break; case 'delete': + $cat_ID = (int) $_GET['cat_ID']; + check_admin_referer('delete-category' . $cat_ID); - check_admin_referer(); - if ( !current_user_can('manage_categories') ) die (__('Cheatin’ uh?')); - $cat_ID = (int) $_GET['cat_ID']; $cat_name = get_catname($cat_ID); // Don't delete the default cats. @@ -67,6 +66,7 @@

+ cat_ID); ?>
@@ -99,7 +99,8 @@ break; case 'editedcat': - check_admin_referer(); + $cat_ID = (int) $_POST['cat_ID']; + check_admin_referer('update-category' . $cat_ID); if ( !current_user_can('manage_categories') ) die (__('Cheatin’ uh?')); @@ -157,6 +158,7 @@

+