Opened 10 months ago

Closed 8 months ago

#21277 closed enhancement (fixed)

Remove unused nonce fields in site-themes.php and site-users.php

Reported by: jeremyfelt Owned by: nacin
Priority: normal Milestone: 3.5
Component: Network Admin Version: 3.1
Severity: trivial Keywords: has-patch commit
Cc:

Description

In 16242 from 14897, check_admin_referer( 'edit-site' ) was removed during a massive reorg of site-themes.php. Additional nonce checks were added via the nonce audit in 15969, but the nonce field generation for the original edit-site was never removed. This currently results in the generation of two hidden inputs with name="_wp_nonce".

check_admin_referer( 'edit-site' ) was also removed for site-users.php in 16560, but the 2 associated nonce field(s) remained. A 3rd 'edit-site' nonce field was added in 16585 when a new form was added, but that has been unnecessary.

The attached patch removes all 4 instances of wp_nonce_field( 'edit-site' ) across site-themes.php and site-users.php as they are no longer required in either.

Attachments (1)

21277.diff (1.7 KB) - added by jeremyfelt 10 months ago.

Download all attachments as: .zip

Change History (3)

jeremyfelt10 months ago

comment:1   nacin8 months ago

  • Keywords commit added
  • Milestone changed from Awaiting Review to 3.5

comment:2   nacin8 months ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In [21903]:

Remove unused edit-site nonce fields from site-users and site-themes. props jeremyfelt, fixes #21277.

Note: See TracTickets for help on using tickets.