Ticket #16449: check-admin-referer-test.php

File check-admin-referer-test.php, 2.6 KB (added by markjaquith, 5 years ago)

Plugin to test the patch.

1<?php
2/*
3Plugin Name: Ticket #16449 Test
4Description: Tests the patch on #16449
5Version: 0.1
6Author: Mark Jaquith
7Author URI: http://coveredwebservices.com/
8*/
9
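class CWS_Check_Admin_Referer_Test_Plugin {

	/**
	 * Hooks the plugin's admin page registration into WordPress.
	 */
	public function __construct() {
		add_action( 'admin_menu', array( $this, 'admin_menu' ) );
	}

	/**
	 * Registers the test page under Tools (restricted to 'manage_options')
	 * and attaches the request handler to that page's load action.
	 */
	public function admin_menu() {
		$hook = add_submenu_page( 'tools.php', 'check_admin_referer()', 'check_admin_referer()', 'manage_options', 'check-admin-referer-test', array( $this, 'display_tools_page' ) );
		add_action( 'load-' . $hook, array( $this, 'load_tools_page' ) );
	}

	/**
	 * Renders the test page.
	 *
	 * The form deliberately carries no nonce: the test exercises the
	 * referer-only branch of check_admin_referer(), which is exactly the
	 * pattern real plugin, theme or core code must never rely on.
	 */
	public function display_tools_page() {
?>
<div class="wrap">
<?php screen_icon(); ?>
<h2>check_admin_referer() Test</h2>
<p>First, apply <a href="http://core.trac.wordpress.org/attachment/ticket/16449/incorrect_referer_check.patch">this patch</a>.</p>
<?php $this->no_patch_message(); ?>
<p>This will test the use of <code>check_admin_referer()</code> used without a string passed as its first parameter. <strong>You should never do this in core, or a plugin, or a theme.</strong> Click the button below. If the test passes, you will get a message telling you as such. If you get an "Are you sure?" screen, then the test failed.</p>
<form action="" method="post">
<!-- Do not ever use a form without a nonce! -->
<input type="hidden" name="foo-bar" value="foo-bar" />
<p class="submit"><input  class="button-primary" type="submit" value="Test check_admin_referer()" /></p>
</form>
</div>
<?php
	}

	/**
	 * Handles the page load.
	 *
	 * A POST runs the nonce-less check and redirects back with ?passed_test=1;
	 * reaching the redirect means check_admin_referer() did not stop the
	 * request. On the follow-up GET the flag is only tested for truthiness
	 * (never echoed), so it needs no escaping here.
	 */
	public function load_tools_page() {
		// $_POST is always set; only its emptiness matters.
		if ( ! empty( $_POST ) ) {
			check_admin_referer(); // DO NOT EVER CALL THIS WITHOUT A STRING PASSED TO IT!
			// add_query_arg() with no URL argument builds on the current request URI.
			wp_redirect( add_query_arg( 'passed_test', '1' ) );
			exit();
		} elseif ( ! empty( $_GET['passed_test'] ) ) {
			add_action( 'admin_notices', array( $this, 'admin_notice' ) );
		}
	}

	/**
	 * Prints the success notice after a passed test.
	 */
	public function admin_notice() {
?>
	<div class="updated"><p>The test passed!</p></div>
<?php
	}

	/**
	 * Reports whether the patch appears to be applied by looking for its
	 * replacement condition in wp-includes/pluggable.php.
	 *
	 * Read failures are detected with is_readable() plus a strict false check
	 * rather than an @-suppressed call, so errors are not hidden and a file
	 * whose contents happen to be falsy is not mistaken for an unreadable one.
	 */
	public function no_patch_message() {
		$path      = ABSPATH . WPINC . '/pluggable.php';
		$pluggable = is_readable( $path ) ? file_get_contents( $path ) : false;

		if ( false === $pluggable ) {
			echo "<p><strong>I was not able to determine whether you have applied this patch.</strong></p>";
			return;
		}

		// Exact line introduced by the patch; single quotes keep the $-names literal.
		$patched_line = 'if ( !$result && !(-1 == $action && strpos($referer, $adminurl) === 0) ) {';

		if ( strpos( $pluggable, $patched_line ) === false ) {
			// The original message lacked the closing </strong>, leaving the rest of the page bold.
			echo "<p><strong>It does not appear that you have applied <a href='http://core.trac.wordpress.org/attachment/ticket/16449/incorrect_referer_check.patch'>the patch</a>. Please do so!</strong></p>";
		} else {
			echo "<p><strong>You have applied the patch &mdash; test away!</strong></p>";
		}
	}
}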
67
// Instantiate at load time so the constructor registers the admin_menu hook.
new CWS_Check_Admin_Referer_Test_Plugin();