WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 2 years ago

#15969 closed defect (bug) (fixed)

Audit nonces

Reported by: ryan Owned by:
Priority: normal Milestone: 3.1
Component: Security Version:
Severity: normal Keywords: close
Cc:

Description

Audit for nonces, especially in network admin.

Attachments (3)

delete.diff (952 bytes) - added by PeteMall 2 years ago.
15969.diff (1.1 KB) - added by PeteMall 2 years ago.
Nonce checks for site-themes.
15969.2.diff (1.8 KB) - added by PeteMall 2 years ago.
Nonce checks for site-users.

Download all attachments as: .zip

Change History (15)

comment:1 ryan2 years ago

(In [17122]) nonce checks for ms themes. see #15969

PeteMall2 years ago

comment:2 nacin2 years ago

(In [17126]) bulk-themes nonce for network/themes.php deletion. props PeteMall, see #15969.

comment:3 nacin2 years ago

The nonce added in r17126 duplicates another check in that branch after the confirmation screen. Not sure which should go.

comment:4 nacin2 years ago

(In [17127]) Remove this check in favor of the one added in [17126]. see #15969.

comment:5 nacin2 years ago

site-themes.php and site-users.php need nonce checks. I checked the rest of the network admin.

PeteMall2 years ago

Nonce checks for site-themes.

comment:6 ryan2 years ago

(In [17134]) nonce checks for site-themes. Props PeteMall. see #15969

PeteMall2 years ago

Nonce checks for site-users.

comment:7 nacin2 years ago

  • Keywords has-patch commit added

comment:8 westi2 years ago

  • Keywords dev-reviewed added

Looks good here too. Committing.

comment:9 westi2 years ago

(In [17136]) Nonce checks for site-users. See #15969 props PeteMall.

comment:10 nacin2 years ago

If someone else can do a sweep of the network admin (I already have), that'd be great.

Please also sweep network-specific pieces in plugins.php and related pages.

comment:11 PeteMall2 years ago

  • Keywords close added; has-patch commit dev-reviewed removed

Nonces in the network admin look good to me.

comment:12 nacin2 years ago

  • Resolution set to fixed
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.