Index: wp-includes/functions-compat.php
===================================================================
--- wp-includes/functions-compat.php	(revision 3749)
+++ wp-includes/functions-compat.php	(working copy)
@@ -98,4 +98,17 @@
     }
 }
 
+// From php.net
+if(!function_exists('http_build_query')) {
+   function http_build_query( $formdata, $numeric_prefix = null, $key = null ) {
+       $res = array();
+       foreach ((array)$formdata as $k=>$v) {
+           $tmp_key = urlencode(is_int($k) ? $numeric_prefix.$k : $k);
+           if ($key) $tmp_key = $key.'['.$tmp_key.']';
+           $res[] = ( ( is_array($v) || is_object($v) ) ? http_build_query($v, null, $tmp_key) : $tmp_key."=".urlencode($v) );
+       }
+       $separator = ini_get('arg_separator.output');
+       return implode($separator, $res);
+   }
+}
 ?>
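Review bot: The polyfill's third parameter `$key` sits in the position the native `http_build_query()` uses for the argument separator, so a caller that passes a separator on a build without the native function would have it silently treated as a key prefix. The parameter exists only for the recursion; moving the recursive walk into a helper keeps the public signature aligned with the native one while producing the same output for the two-argument form used elsewhere in this patch. Null and boolean values are also flattened through `urlencode()` into empty strings, whereas the native implementation skips nulls entirely, which deserves a comment on the `$res[] =` line if the difference is intended.
```php
if(!function_exists('http_build_query')) {
   // Third argument mirrors the native signature (separator), not a key prefix.
   function http_build_query( $formdata, $numeric_prefix = null, $arg_separator = null ) {
       if ( null === $arg_separator )
           $arg_separator = ini_get('arg_separator.output');
       return implode($arg_separator, _http_build_query_walk($formdata, $numeric_prefix, null));
   }

   // Recursive part: returns the list of key=value pairs, nested keys in k[sub] form.
   function _http_build_query_walk( $formdata, $numeric_prefix, $key ) {
       $res = array();
       foreach ((array)$formdata as $k=>$v) {
           $tmp_key = urlencode(is_int($k) ? $numeric_prefix.$k : $k);
           if ($key) $tmp_key = $key.'['.$tmp_key.']';
           if ( is_array($v) || is_object($v) )
               $res = array_merge($res, _http_build_query_walk($v, null, $tmp_key));
           else
               $res[] = $tmp_key."=".urlencode($v);   // NOTE: nulls become '', unlike native
       }
       return $res;
   }
}
```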
Index: wp-includes/functions.php
===================================================================
--- wp-includes/functions.php	(revision 3749)
+++ wp-includes/functions.php	(working copy)
@@ -1663,4 +1663,12 @@
 	return $installed;
 }
 
+function wp_nonce_url($actionurl, $action = -1) {
+	return add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl);
+}
+
+function wp_nonce_field($action = -1) {
+	echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />';
+}
+
 ?>
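Review bot: Neither wp_nonce_url() nor wp_nonce_field() carries any documentation, and the two differ in a way that matters at the call site: one returns a string while the other echoes. A short docblock on each should state that `$action` must match the value later passed to check_admin_referer(), that wp_nonce_url() returns `$actionurl` with `_wpnonce` appended via add_query_arg(), and that wp_nonce_field() prints the hidden input immediately rather than returning it. A one-line `// Prints, does not return` comment above wp_nonce_field() would be the minimum.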
Index: wp-includes/pluggable-functions.php
===================================================================
--- wp-includes/pluggable-functions.php	(revision 3749)
+++ wp-includes/pluggable-functions.php	(working copy)
@@ -228,14 +228,34 @@
 endif;
 
 if ( !function_exists('check_admin_referer') ) :
-function check_admin_referer() {
+function check_admin_referer($action = -1) {
+	global $pagenow;
 	$adminurl = strtolower(get_settings('siteurl')).'/wp-admin';
 	$referer = strtolower($_SERVER['HTTP_REFERER']);
-	if (!strstr($referer, $adminurl))
-		die(__('Sorry, you need to <a href="http://codex.wordpress.org/Enable_Sending_Referrers">enable sending referrers</a> for this feature to work.'));
+	if ( !wp_verify_nonce($_REQUEST['_wpnonce'], $action) ) {
+		$html  = "<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>\n<html xmlns='http://www.w3.org/1999/xhtml' lang='en' xml:lang='en'>\n\n";
+		$html .= "<head>\n\t<title>" . __('WordPress Confirmation') . "</title>\n";
+		$html .= "</head>\n<body>\n";
+		if ( $_POST ) {
+			$q = http_build_query($_POST);
+			$q = explode( ini_get('arg_separator.output'), $q);
+			$html .= "\t<form method='post' action='$pagenow'>\n";
+			foreach ( (array) $q as $a ) {
+				$v = substr(strstr($a, '='), 1);
+				$k = substr($a, 0, -(strlen($v)+1));
+				$html .= "\t\t<input type='hidden' name='" . wp_specialchars( urldecode($k), 1 ) . "' value='" . wp_specialchars( urldecode($v), 1 ) . "' />\n";
+			}
+			$html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n";
+			$html .= "\t\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t</form>\n";
+		} else {
+			$html .= "\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . "</a></p>\n";
+		}
+		$html .= "</body>\n</html>";
+
+		die($html);
+	}
 	do_action('check_admin_referer');
-}
-endif;
+}endif;
 
 if ( !function_exists('check_ajax_referer') ) :
 function check_ajax_referer() {
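Review bot: The GET branch builds the 'Yes' link from `$_SERVER['REQUEST_URI']` and writes it into an `href` attribute without escaping, while the POST branch correctly runs every key and value through `wp_specialchars()`; the request URI is client-supplied, so the link should be wrapped the same way, e.g. `"<a href='" . wp_specialchars( add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ), 1 ) . "'>"`. `$_REQUEST['_wpnonce']` is also read without `isset()`, so a request that lacks the field raises a notice before the confirmation page is produced; `$nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';` avoids that. The `}endif;` on the closing line fuses two statements that were on separate lines before the patch and should stay separate.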
@@ -460,4 +480,29 @@
 }
 endif;
 
+if ( !function_exists('wp_verify_nonce') ) :
+function wp_verify_nonce($nonce, $action = -1) {
+	$user = wp_get_current_user();
+	$uid = $user->id;
+
+	$i = ceil(time() / 43200);
+
+	//Allow for expanding range, but only do one check if we can
+	if( substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10) == $nonce || substr(md5(($i - 1) . DB_PASSWORD . $action . $uid), -12, 10) == $nonce )
+		return true;
+	return false;
+}
+endif;
+
+if ( !function_exists('wp_create_nonce') ) :
+function wp_create_nonce($action = -1) {
+	$user = wp_get_current_user();
+	$uid = $user->id;
+
+	$i = ceil(time() / 43200);
+	
+	return substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10);
+}
+endif;
+
 ?>
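Review bot: Both comparisons in wp_verify_nonce() use `==`; the token is a 10-character hex substring that can be all digits or of the form `0e…`, and PHP compares two such numeric-looking strings numerically, so a different nonce can compare equal — use `===` on both sides of the `||`. The window derivation `ceil(time() / 43200)` and the `md5($i . DB_PASSWORD . $action . $uid)` expression are duplicated between wp_verify_nonce() and wp_create_nonce(), so a change to one can silently desynchronise them; a shared helper returning the token for a given tick would keep them in step. `$user->id` is read with no check that wp_get_current_user() returned a user, which presumably yields an empty uid for anonymous requests and therefore one nonce shared by all of them; a comment or an early `return false` there would make the intended behaviour explicit.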
Index: wp-admin/inline-uploading.php
===================================================================
--- wp-admin/inline-uploading.php	(revision 3749)
+++ wp-admin/inline-uploading.php	(working copy)
@@ -2,7 +2,7 @@
 
 require_once('admin.php');
 
-check_admin_referer();
+check_admin_referer('inlineuploading');
 
 header('Content-Type: text/html; charset=' . get_option('blog_charset'));
 
@@ -41,7 +41,7 @@
 
 wp_delete_attachment($attachment);
 
-header("Location: ".basename(__FILE__)."?post=$post&all=$all&action=view&start=$start");
+header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=$start", 'inlineuploading'));
 die;
 
 case 'save':
@@ -100,7 +100,7 @@
 	add_post_meta($id, '_wp_attachment_metadata', array());
 }
 
-header("Location: ".basename(__FILE__)."?post=$post&all=$all&action=view&start=0");
+header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=0", 'inlineuploading'));
 die();
 
 case 'upload':
@@ -139,7 +139,7 @@
 $attachments = $wpdb->get_results("SELECT ID, post_date, post_title, post_mime_type, guid FROM $wpdb->posts WHERE post_type = 'attachment' $and_type $and_post $and_user ORDER BY $sort LIMIT $start, $double", ARRAY_A);
 
 if ( count($attachments) == 0 ) {
-	header("Location: ".basename(__FILE__)."?post=$post&action=upload");
+	header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&action=upload", 'inlineuploading') );
 	die;
 } elseif ( count($attachments) > $num ) {
 	$next = $start + count($attachments) - $num;
Index: wp-admin/post.php
===================================================================
--- wp-admin/post.php	(revision 3749)
+++ wp-admin/post.php	(working copy)
@@ -24,7 +24,7 @@
 switch($action) {
 case 'postajaxpost':
 case 'post':
-	check_admin_referer();
+	check_admin_referer('post');
 	
 	$post_ID = 'post' == $action ? write_post() : edit_post();
 
@@ -96,7 +96,8 @@
 		add_post_meta($post_id, '_wp_attachment_metadata', $newmeta);
 
 case 'editpost':
-	check_admin_referer();
+	$post_ID = (int) $_POST['post_ID'];
+	check_admin_referer('editpost' . $post_ID);
 	
 	$post_ID = edit_post();
 
@@ -121,7 +122,7 @@
 	break;
 
 case 'delete':
-	check_admin_referer();
+	check_admin_referer('deletepost');
 
 	$post_id = (isset($_GET['post']))  ? intval($_GET['post']) : intval($_POST['post_ID']);
 
Index: wp-admin/edit-form-advanced.php
===================================================================
--- wp-admin/edit-form-advanced.php	(revision 3749)
+++ wp-admin/edit-form-advanced.php	(working copy)
@@ -22,9 +22,11 @@
 	$form_action = 'post';
 	$temp_ID = -1 * time();
 	$form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />";
+	wp_nonce_field('post');
 } else {
 	$form_action = 'editpost';
 	$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
+	wp_nonce_field('editpost' .  $post_ID);
 }
 
 $form_pingback = '<input type="hidden" name="post_pingback" value="' . get_option('default_pingback_flag') . '" id="post_pingback" />';
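Review bot: `wp_nonce_field()` echoes its hidden input at the point it is called, whereas the surrounding code only builds `$form_extra` for later output, so if this block runs before the `<form>` is opened (the form markup is not in the hunk) the nonce field lands outside the form and is never submitted. Appending the input to `$form_extra` keeps it with the other hidden fields, e.g. `$form_extra .= "<input type='hidden' name='_wpnonce' value='" . wp_create_nonce('post') . "' />";` in the first branch and the `'editpost' . $post_ID` equivalent in the second.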
@@ -173,7 +175,7 @@
 <?php
 if (current_user_can('upload_files')) {
 	$uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
-	$uploading_iframe_src = "inline-uploading.php?action=view&amp;post=$uploading_iframe_ID";
+	$uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&amp;post=$uploading_iframe_ID", 'inlineuploading');
 	$uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
 	if ( false != $uploading_iframe_src )
 		echo '<iframe id="uploading" border="0" src="' . $uploading_iframe_src . '">' . __('This feature requires iframe support.') . '</iframe>';
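Review bot: The URL handed to wp_nonce_url() already contains an HTML-escaped `&amp;`, and add_query_arg() (not in the hunk) will append `_wpnonce` with its own separator, so the resulting `src` presumably mixes raw and entity-encoded separators and, depending on how add_query_arg() parses the query, may read `amp;post` as the parameter name. Building the URL with a plain `&` and escaping once when it is echoed into the attribute avoids the ambiguity; the wp_nonce_url() call in edit.php has the same `&amp;` inside its first argument.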
Index: wp-admin/edit.php
===================================================================
--- wp-admin/edit.php	(revision 3749)
+++ wp-admin/edit.php	(working copy)
@@ -211,7 +211,7 @@
 
 	case 'control_delete':
 		?>
-		<td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href='post.php?action=delete&amp;post=$id' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post &quot;%s&quot;.\\n&quot;OK&quot; to delete, &quot;Cancel&quot; to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>
+		<td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href='" . wp_nonce_url("post.php?action=delete&amp;post=$id", 'deletepost') . "' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post &quot;%s&quot;.\\n&quot;OK&quot; to delete, &quot;Cancel&quot; to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>
 		<?php
 		break;
 

