
Ticket #23165: 23165.approach-a-unfinished.patch

File 23165.approach-a-unfinished.patch, 19.7 KB (added by bpetty, 12 years ago)
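diff --git wp-admin/comment.php wp-admin/comment.php
index de5483e..a0a85b8 100644
--- a/wp-admin/comment.php
+++ b/wp-admin/comment.php
@@ -191,7 +191,7 @@ if ( $comment->comment_approved != '0' ) { // if not unapproved
 </tr>
 </table>
 
-<?php wp_nonce_field( $nonce_action ); ?>
+<?php wp_nonce_field( $nonce_action, $nonce_action ); ?>
 <input type='hidden' name='action' value='<?php echo esc_attr($formaction); ?>' />
 <input type='hidden' name='c' value='<?php echo esc_attr($comment->comment_ID); ?>' />
 <input type='hidden' name='noredir' value='1' />
@@ -274,7 +274,7 @@ case 'editedcomment' :
         $comment_id = absint( $_POST['comment_ID'] );
         $comment_post_id = absint( $_POST['comment_post_ID'] );
 
-        check_admin_referer( 'update-comment_' . $comment_id );
+        check_admin_referer( 'update-comment_' . $comment_id, '_wpnonce-update-comment' );
 
         edit_comment();
 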
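Review bot: `wp_nonce_field( $nonce_action, $nonce_action )` in the first hunk makes the field name vary with the action string, so every handler that verifies a form rendered by this template must pass that same action as the second argument of `check_admin_referer()`; the only case updated in this patch is `'editedcomment'`, and it uses a different fixed name, `_wpnonce-update-comment`, which matches the field in edit-form-comment.php rather than this one. If the remaining cases in comment.php still read the default `_wpnonce`, the forms emitted here presumably fail verification. A fixed name such as `wp_nonce_field( $nonce_action, '_wpnonce-comment-action' )` (constructed example) is easier to keep in sync with the checks than the action string itself. Both hunks sit inside blocks that begin before the hunk, so the possible values of `$nonce_action` are not visible here.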
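diff --git wp-admin/custom-background.php wp-admin/custom-background.php
index a924eca..acee451 100644
--- a/wp-admin/custom-background.php
+++ b/wp-admin/custom-background.php
@@ -328,7 +328,7 @@ if ( current_theme_supports( 'custom-background', 'default-color' ) )
 </tbody>
 </table>
 
-<?php wp_nonce_field('custom-background'); ?>
+<?php wp_nonce_field( 'custom-background', '_wpnonce-custom-background-save-options' ); ?>
 <?php submit_button( null, 'primary', 'save-background-options' ); ?>
 </form>
 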
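Review bot: The save-options form now posts its nonce as `_wpnonce-custom-background-save-options`, but the `check_admin_referer()` call that presumably verifies this form elsewhere in custom-background.php is not part of the patch; unless it is changed to `check_admin_referer( 'custom-background', '_wpnonce-custom-background-save-options' );` in the same commit, saving background options fails verification once this field is renamed. The enclosing output block begins before the hunk.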
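diff --git wp-admin/custom-header.php wp-admin/custom-header.php
index 14f01df..0650bd6 100644
--- a/wp-admin/custom-header.php
+++ b/wp-admin/custom-header.php
@@ -149,7 +149,7 @@ class Custom_Image_Header {
                 $step = (int) $_GET['step'];
                 if ( $step < 1 || 3 < $step ||
                         ( 2 == $step && ! wp_verify_nonce( $_REQUEST['_wpnonce-custom-header-upload'], 'custom-header-upload' ) ) ||
-                        ( 3 == $step && ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'custom-header-crop-image' ) )
+                        ( 3 == $step && ! wp_verify_nonce( $_REQUEST['_wpnonce-custom-header-crop-image'], 'custom-header-crop-image' ) )
                 )
                         return 1;
 
@@ -726,7 +726,7 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
         <?php if ( empty( $_POST ) && isset( $_GET['file'] ) ) { ?>
         <input type="hidden" name="create-new-attachment" value="true" />
         <?php } ?>
-        <?php wp_nonce_field( 'custom-header-crop-image' ) ?>
+        <?php wp_nonce_field( 'custom-header-crop-image', '_wpnonce-custom-header-crop-image' ) ?>
 
         <p class="submit">
         <?php submit_button( __( 'Crop and Publish' ), 'primary', 'submit', false ); ?>
@@ -784,7 +784,7 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
          * @since 2.1.0
          */
         function step_3() {
-                check_admin_referer( 'custom-header-crop-image' );
+                check_admin_referer( 'custom-header-crop-image', '_wpnonce-custom-header-crop-image' );
 
                 if ( ! current_theme_supports( 'custom-header', 'uploads' ) )
                         wp_die( __( 'Cheatin&#8217; uh?' ) );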
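Review bot: The new condition on line 152 reads `$_REQUEST['_wpnonce-custom-header-crop-image']` with no `isset()` guard, so a step-3 request that lacks the field raises an undefined-index notice before `wp_verify_nonce()` rejects it; the short-circuit on `3 == $step` only spares the other steps, and line 151 carries the same pre-existing pattern for the upload nonce. `( 3 == $step && ( ! isset( $_REQUEST['_wpnonce-custom-header-crop-image'] ) || ! wp_verify_nonce( $_REQUEST['_wpnonce-custom-header-crop-image'], 'custom-header-crop-image' ) ) )` keeps the rejection and drops the notice. The field name itself is consistent across the three hunks: emitted at 729, checked at 152 and again in `step_3()` at 787. The method containing the first hunk and `step_3()` both continue past their hunks.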
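diff --git wp-admin/edit-comments.php wp-admin/edit-comments.php
index 174cd9a..afd8b76 100644
--- a/wp-admin/edit-comments.php
+++ b/wp-admin/edit-comments.php
@@ -17,7 +17,7 @@ $pagenum = $wp_list_table->get_pagenum();
 $doaction = $wp_list_table->current_action();
 
 if ( $doaction ) {
-        check_admin_referer( 'bulk-comments' );
+        check_admin_referer( 'bulk-comments', '_wpnonce-bulk-comments' );
 
         if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) {
                 $comment_status = $wpdb->escape( $_REQUEST['comment_status'] );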
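diff --git wp-admin/edit-form-advanced.php wp-admin/edit-form-advanced.php
index 7d142d9..c5706fe 100644
--- a/wp-admin/edit-form-advanced.php
+++ b/wp-admin/edit-form-advanced.php
@@ -297,7 +297,7 @@ if ( isset( $post_new_file ) && current_user_can( $post_type_object->cap->create
 <div id="message" class="updated"><p><?php echo $message; ?></p></div>
 <?php endif; ?>
 <form name="post" action="post.php" method="post" id="post"<?php do_action('post_edit_form_tag'); ?>>
-<?php wp_nonce_field($nonce_action); ?>
+<?php wp_nonce_field( $nonce_action, 'edit_form_advanced_nonce' ); ?>
 <input type="hidden" id="user-id" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" id="hiddenaction" name="action" value="<?php echo esc_attr( $form_action ) ?>" />
 <input type="hidden" id="originalaction" name="originalaction" value="<?php echo esc_attr( $form_action ) ?>" />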
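Review bot: The field name `edit_form_advanced_nonce` breaks the `_wpnonce-<action>` convention every other hunk in this patch follows, and it is not what the receiving handler reads: post.php now calls `check_admin_referer( 'add-' . $post_type, '_wpnonce-add-' . $post_type )` for `action=post`, and the Quick Press form in includes/dashboard.php emits `_wpnonce-add-post` to match, so whenever this form's `$nonce_action` is the `'add-' . $post_type` action the name and the check disagree and the submission dies. A consistent option is `wp_nonce_field( $nonce_action, '_wpnonce-' . $nonce_action );` here, with the same pattern applied to the update-post case of post.php that this patch does not touch; js/autosave.js, which now locates the field by this name, would have to change with it. `$nonce_action` is assigned before the hunk, so the set of actions it can take is not visible here.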
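diff --git wp-admin/edit-form-comment.php wp-admin/edit-form-comment.php
index 14a2966..fb7f00a 100644
--- a/wp-admin/edit-form-comment.php
+++ b/wp-admin/edit-form-comment.php
@@ -11,7 +11,7 @@ if ( !defined('ABSPATH') )
         die('-1');
 ?>
 <form name="post" action="comment.php" method="post" id="post">
-<?php wp_nonce_field('update-comment_' . $comment->comment_ID) ?>
+<?php wp_nonce_field( 'update-comment_' . $comment->comment_ID, '_wpnonce-update-comment') ?>
 <div class="wrap">
 <?php screen_icon(); ?>
 <h2><?php _e('Edit Comment'); ?></h2>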
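diff --git wp-admin/edit-link-form.php wp-admin/edit-link-form.php
index 6d81ec0..143aa10 100644
--- a/wp-admin/edit-link-form.php
+++ b/wp-admin/edit-link-form.php
@@ -71,7 +71,7 @@ if ( !empty($form) )
 if ( !empty($link_added) )
         echo $link_added;
 
-wp_nonce_field( $nonce_action );
+wp_nonce_field( $nonce_action, '_wpnonce-edit-link' );
 wp_nonce_field( 'closedpostboxes', 'closedpostboxesnonce', false );
 wp_nonce_field( 'meta-box-order', 'meta-box-order-nonce', false ); ?>
 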
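diff --git wp-admin/edit-tag-form.php wp-admin/edit-tag-form.php
index 034642a..53c4c9e 100644
--- a/wp-admin/edit-tag-form.php
+++ b/wp-admin/edit-tag-form.php
@@ -34,7 +34,7 @@ do_action($taxonomy . '_pre_edit_form', $tag, $taxonomy); ?>
 <input type="hidden" name="action" value="editedtag" />
 <input type="hidden" name="tag_ID" value="<?php echo esc_attr($tag->term_id) ?>" />
 <input type="hidden" name="taxonomy" value="<?php echo esc_attr($taxonomy) ?>" />
-<?php wp_original_referer_field(true, 'previous'); wp_nonce_field('update-tag_' . $tag_ID); ?>
+<?php wp_original_referer_field( true, 'previous' ); wp_nonce_field( 'update-tag_' . $tag_ID, '_wpnonce-edit-tag' ); ?>
         <table class="form-table">
                 <tr class="form-field form-required">
                         <th scope="row" valign="top"><label for="name"><?php _ex('Name', 'Taxonomy Name'); ?></label></th>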
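diff --git wp-admin/edit-tags.php wp-admin/edit-tags.php
index 7250a66..efb08d7 100644
--- a/wp-admin/edit-tags.php
+++ b/wp-admin/edit-tags.php
@@ -94,7 +94,7 @@ case 'delete':
 break;
 
 case 'bulk-delete':
-        check_admin_referer( 'bulk-tags' );
+        check_admin_referer( 'bulk-tags', '_wpnonce-bulk-tags' );
 
         if ( !current_user_can( $tax->cap->delete_terms ) )
                 wp_die( __( 'Cheatin&#8217; uh?' ) );
@@ -133,7 +133,7 @@ break;
 
 case 'editedtag':
         $tag_ID = (int) $_POST['tag_ID'];
-        check_admin_referer( 'update-tag_' . $tag_ID );
+        check_admin_referer( 'update-tag_' . $tag_ID, '_wpnonce-edit-tag' );
 
         if ( !current_user_can( $tax->cap->edit_terms ) )
                 wp_die( __( 'Cheatin&#8217; uh?' ) );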
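diff --git wp-admin/edit.php wp-admin/edit.php
index 9eae3cf..b430cb7 100644
--- a/wp-admin/edit.php
+++ b/wp-admin/edit.php
@@ -46,7 +46,7 @@ if ( 'post' != $post_type ) {
 $doaction = $wp_list_table->current_action();
 
 if ( $doaction ) {
-        check_admin_referer('bulk-posts');
+        check_admin_referer( 'bulk-posts', '_wpnonce-bulk-posts' );
 
         $sendback = remove_query_arg( array('trashed', 'untrashed', 'deleted', 'ids'), wp_get_referer() );
         if ( ! $sendback )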
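diff --git wp-admin/includes/class-wp-list-table.php wp-admin/includes/class-wp-list-table.php
index 8a22bd4..33fb1b2 100644
--- a/wp-admin/includes/class-wp-list-table.php
+++ b/wp-admin/includes/class-wp-list-table.php
@@ -759,8 +759,10 @@ class WP_List_Table {
          * @access protected
          */
         function display_tablenav( $which ) {
-                if ( 'top' == $which )
-                        wp_nonce_field( 'bulk-' . $this->_args['plural'] );
+                if ( 'top' == $which ) {
+                        $nonce_action = 'bulk-' . $this->_args['plural'];
+                        wp_nonce_field( $nonce_action, '_wpnonce-' . $nonce_action );
+                }
 ?>
         <div class="tablenav <?php echo esc_attr( $which ); ?>">
 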
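Review bot: Neither the method docblock above (context lines 759-760, beginning before the hunk) nor the new code says that every bulk handler must now pass `'_wpnonce-bulk-' . plural` as the second argument of `check_admin_referer()`, which is the contract this hunk establishes for edit.php, upload.php, users.php and the other handlers in this patch. A one-line comment on the new `$nonce_action` line would make that explicit: `// Field name mirrors the action; bulk handlers must pass '_wpnonce-bulk-{plural}' to check_admin_referer().`. `display_tablenav()` continues past the hunk.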
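diff --git wp-admin/includes/dashboard.php wp-admin/includes/dashboard.php
index 0df8109..0b9a6b7 100644
--- a/wp-admin/includes/dashboard.php
+++ b/wp-admin/includes/dashboard.php
@@ -557,7 +557,7 @@ function wp_dashboard_quick_press() {
                         <input type="hidden" name="action" id="quickpost-action" value="post-quickpress-save" />
                         <input type="hidden" name="post_ID" value="<?php echo $post_ID; ?>" />
                         <input type="hidden" name="post_type" value="post" />
-                        <?php wp_nonce_field('add-post'); ?>
+                        <?php wp_nonce_field( 'add-post', '_wpnonce-add-post' ); ?>
                         <?php submit_button( __( 'Save Draft' ), 'button', 'save', false, array( 'id' => 'save-post' ) ); ?>
                         <input type="reset" value="<?php esc_attr_e( 'Reset' ); ?>" class="button" />
                         <br class="clear" />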
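diff --git wp-admin/link-manager.php wp-admin/link-manager.php
index 92194f0..6e4e136 100644
--- a/wp-admin/link-manager.php
+++ b/wp-admin/link-manager.php
@@ -17,7 +17,7 @@ $wp_list_table = _get_list_table('WP_Links_List_Table');
 $doaction = $wp_list_table->current_action();
 
 if ( $doaction && isset( $_REQUEST['linkcheck'] ) ) {
-        check_admin_referer( 'bulk-bookmarks' );
+        check_admin_referer( 'bulk-bookmarks', '_wpnonce-bulk-bookmarks' );
 
         if ( 'delete' == $doaction ) {
                 $bulklinks = (array) $_REQUEST['linkcheck'];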
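diff --git wp-admin/link.php wp-admin/link.php
index d12d229..bffce01 100644
--- a/wp-admin/link.php
+++ b/wp-admin/link.php
@@ -28,7 +28,7 @@ $this_file = admin_url('link-manager.php');
 
 switch ($action) {
         case 'deletebookmarks' :
-                check_admin_referer('bulk-bookmarks');
+                check_admin_referer( 'bulk-bookmarks', '_wpnonce-bulk-bookmarks' );
 
                 //for each link id (in $linkcheck[]) change category to selected value
                 if (count($linkcheck) == 0) {
@@ -49,7 +49,7 @@ switch ($action) {
                 break;
 
         case 'move' :
-                check_admin_referer('bulk-bookmarks');
+                check_admin_referer( 'bulk-bookmarks', '_wpnonce-bulk-bookmarks' );
 
                 //for each link id (in $linkcheck[]) change category to selected value
                 if (count($linkcheck) == 0) {
@@ -65,7 +65,7 @@ switch ($action) {
                 break;
 
         case 'add' :
-                check_admin_referer('add-bookmark');
+                check_admin_referer( 'add-bookmark', '_wpnonce-edit-link' );
 
                 $redir = wp_get_referer();
                 if ( add_link() )
@@ -77,7 +77,7 @@ switch ($action) {
 
         case 'save' :
                 $link_id = (int) $_POST['link_id'];
-                check_admin_referer('update-bookmark_' . $link_id);
+                check_admin_referer( 'update-bookmark_' . $link_id, '_wpnonce-edit-link' );
 
                 edit_link($link_id);
 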
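diff --git wp-admin/network/site-themes.php wp-admin/network/site-themes.php
index b47a0c6..db3e719 100644
--- a/wp-admin/network/site-themes.php
+++ b/wp-admin/network/site-themes.php
@@ -83,7 +83,7 @@ if ( $action ) {
                                 unset( $allowed_themes[$theme] );
                         break;
                 case 'enable-selected':
-                        check_admin_referer( 'bulk-themes' );
+                        check_admin_referer( 'bulk-themes', '_wpnonce-bulk-themes' );
                         if ( isset( $_POST['checked'] ) ) {
                                 $themes = (array) $_POST['checked'];
                                 $action = 'enabled';
@@ -96,7 +96,7 @@ if ( $action ) {
                         }
                         break;
                 case 'disable-selected':
-                        check_admin_referer( 'bulk-themes' );
+                        check_admin_referer( 'bulk-themes', '_wpnonce-bulk-themes' );
                         if ( isset( $_POST['checked'] ) ) {
                                 $themes = (array) $_POST['checked'];
                                 $action = 'disabled';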
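diff --git wp-admin/network/site-users.php wp-admin/network/site-users.php
index 2064a76..522403a 100644
--- a/wp-admin/network/site-users.php
+++ b/wp-admin/network/site-users.php
@@ -104,7 +104,7 @@ if ( $action ) {
                 case 'remove':
                         if ( ! current_user_can( 'remove_users' )  )
                                 die(__('You can&#8217;t remove users.'));
-                        check_admin_referer( 'bulk-users' );
+                        check_admin_referer( 'bulk-users', '_wpnonce-bulk-users' );
 
                         $update = 'remove';
                         if ( isset( $_REQUEST['users'] ) ) {
@@ -122,7 +122,7 @@ if ( $action ) {
                         break;
 
                 case 'promote':
-                        check_admin_referer( 'bulk-users' );
+                        check_admin_referer( 'bulk-users', '_wpnonce-bulk-users' );
                         $editable_roles = get_editable_roles();
                         if ( empty( $editable_roles[$_REQUEST['new_role']] ) )
                                 wp_die(__('You can&#8217;t give users that role.'));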
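diff --git wp-admin/network/themes.php wp-admin/network/themes.php
index 04840ee..f76e6e4 100644
--- a/wp-admin/network/themes.php
+++ b/wp-admin/network/themes.php
@@ -49,7 +49,7 @@ if ( $action ) {
                         exit;
                         break;
                 case 'enable-selected':
-                        check_admin_referer('bulk-themes');
+                        check_admin_referer( 'bulk-themes', '_wpnonce-bulk-themes' );
                         $themes = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
                         if ( empty($themes) ) {
                                 wp_safe_redirect( add_query_arg( 'error', 'none', $referer ) );
@@ -62,7 +62,7 @@ if ( $action ) {
                         exit;
                         break;
                 case 'disable-selected':
-                        check_admin_referer('bulk-themes');
+                        check_admin_referer( 'bulk-themes', '_wpnonce-bulk-themes' );
                         $themes = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
                         if ( empty($themes) ) {
                                 wp_safe_redirect( add_query_arg( 'error', 'none', $referer ) );
@@ -75,7 +75,7 @@ if ( $action ) {
                         exit;
                         break;
                 case 'update-selected' :
-                        check_admin_referer( 'bulk-themes' );
+                        check_admin_referer( 'bulk-themes', '_wpnonce-bulk-themes' );
 
                         if ( isset( $_GET['themes'] ) )
                                 $themes = explode( ',', $_GET['themes'] );
@@ -104,7 +104,7 @@ if ( $action ) {
                 case 'delete-selected':
                         if ( ! current_user_can( 'delete_themes' ) )
                                 wp_die( __('You do not have sufficient permissions to delete themes for this site.') );
-                        check_admin_referer( 'bulk-themes' );
+                        check_admin_referer( 'bulk-themes', '_wpnonce-bulk-themes' );
 
                         $themes = isset( $_REQUEST['checked'] ) ? (array) $_REQUEST['checked'] : array();
 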
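Review bot: In the `'update-selected'` hunk the request can arrive with `$_GET['themes']`, i.e. from a generated link rather than the list-table form, and on that path the nonce is a query argument; `wp_nonce_url()`, whose signature in the wp-includes/functions.php hunk header still takes only an action, emits that argument as `_wpnonce`, so if the link is built with it `check_admin_referer( 'bulk-themes', '_wpnonce-bulk-themes' )` no longer finds a value and the request dies. The same GET-reached checks exist in plugins.php `'update-selected'` (`$_GET['plugins']`) and in both update.php hunks (`$_GET['plugins']`, `$_GET['themes']`). Either the code that builds those links has to emit the new name, or these handlers should tolerate both until it does, e.g. `check_admin_referer( 'bulk-themes', isset( $_REQUEST['_wpnonce-bulk-themes'] ) ? '_wpnonce-bulk-themes' : '_wpnonce' );`. The `switch` on `$action` enclosing every hunk begins before it, so the link builders are not visible here.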
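diff --git wp-admin/network/users.php wp-admin/network/users.php
index 1318355..85f1448 100644
--- a/wp-admin/network/users.php
+++ b/wp-admin/network/users.php
@@ -117,7 +117,7 @@ if ( isset( $_GET['action'] ) ) {
                                 wp_die( __( 'You do not have permission to access this page.' ) );
 
                         if ( ( isset( $_POST['action']) || isset($_POST['action2'] ) ) && isset( $_POST['allusers'] ) ) {
-                                check_admin_referer( 'bulk-users-network' );
+                                check_admin_referer( 'bulk-users-network', '_wpnonce-bulk-users-network' );
 
                                 $doaction = $_POST['action'] != -1 ? $_POST['action'] : $_POST['action2'];
                                 $userfunction = '';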
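diff --git wp-admin/plugins.php wp-admin/plugins.php
index 7fc3036..e81fe92 100644
--- a/wp-admin/plugins.php
+++ b/wp-admin/plugins.php
@@ -65,7 +65,7 @@ if ( $action ) {
                         if ( ! current_user_can('activate_plugins') )
                                 wp_die(__('You do not have sufficient permissions to activate plugins for this site.'));
 
-                        check_admin_referer('bulk-plugins');
+                        check_admin_referer( 'bulk-plugins', '_wpnonce-bulk-plugins' );
 
                         $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
 
@@ -101,7 +101,7 @@ if ( $action ) {
                         break;
                 case 'update-selected' :
 
-                        check_admin_referer( 'bulk-plugins' );
+                        check_admin_referer( 'bulk-plugins', '_wpnonce-bulk-plugins' );
 
                         if ( isset( $_GET['plugins'] ) )
                                 $plugins = explode( ',', $_GET['plugins'] );
@@ -174,7 +174,7 @@ if ( $action ) {
                         if ( ! current_user_can('activate_plugins') )
                                 wp_die(__('You do not have sufficient permissions to deactivate plugins for this site.'));
 
-                        check_admin_referer('bulk-plugins');
+                        check_admin_referer( 'bulk-plugins', '_wpnonce-bulk-plugins' );
 
                         $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
                         // Do not deactivate plugins which are already deactivated.
@@ -205,7 +205,7 @@ if ( $action ) {
                         if ( ! current_user_can('delete_plugins') )
                                 wp_die(__('You do not have sufficient permissions to delete plugins for this site.'));
 
-                        check_admin_referer('bulk-plugins');
+                        check_admin_referer( 'bulk-plugins', '_wpnonce-bulk-plugins' );
 
                         //$_POST = from the plugin form; $_GET = from the FTP details screen.
                         $plugins = isset( $_REQUEST['checked'] ) ? (array) $_REQUEST['checked'] : array();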
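diff --git wp-admin/post.php wp-admin/post.php
index c638c18..f777bfd 100644
--- a/wp-admin/post.php
+++ b/wp-admin/post.php
@@ -100,7 +100,7 @@ case 'postajaxpost':
 case 'post':
 case 'post-quickpress-publish':
 case 'post-quickpress-save':
-        check_admin_referer('add-' . $post_type);
+        check_admin_referer( 'add-' . $post_type, '_wpnonce-add-' . $post_type );
 
         if ( 'post-quickpress-publish' == $action )
                 $_POST['publish'] = 'publish'; // tell write_post() to publish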
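diff --git wp-admin/update.php wp-admin/update.php
index 687142e..822c6c7 100644
--- a/wp-admin/update.php
+++ b/wp-admin/update.php
@@ -23,7 +23,7 @@ if ( isset($_GET['action']) ) {
                 if ( ! current_user_can( 'update_plugins' ) )
                         wp_die( __( 'You do not have sufficient permissions to update plugins for this site.' ) );
 
-                check_admin_referer( 'bulk-update-plugins' );
+                check_admin_referer( 'bulk-update-plugins', '_wpnonce-bulk-update-plugins' );
 
                 if ( isset( $_GET['plugins'] ) )
                         $plugins = explode( ',', stripslashes($_GET['plugins']) );
@@ -170,7 +170,7 @@ if ( isset($_GET['action']) ) {
                 if ( ! current_user_can( 'update_themes' ) )
                         wp_die( __( 'You do not have sufficient permissions to update themes for this site.' ) );
 
-                check_admin_referer( 'bulk-update-themes' );
+                check_admin_referer( 'bulk-update-themes', '_wpnonce-bulk-update-themes' );
 
                 if ( isset( $_GET['themes'] ) )
                         $themes = explode( ',', stripslashes($_GET['themes']) );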
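diff --git wp-admin/upload.php wp-admin/upload.php
index 7d50d52..a05af95 100644
--- a/wp-admin/upload.php
+++ b/wp-admin/upload.php
@@ -19,7 +19,7 @@ $pagenum = $wp_list_table->get_pagenum();
 $doaction = $wp_list_table->current_action();
 
 if ( $doaction ) {
-        check_admin_referer('bulk-media');
+        check_admin_referer( 'bulk-media', '_wpnonce-bulk-media' );
 
         if ( 'delete_all' == $doaction ) {
                 $post_ids = $wpdb->get_col( "SELECT ID FROM $wpdb->posts WHERE post_type='attachment' AND post_status = 'trash'" );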
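diff --git wp-admin/users.php wp-admin/users.php
index 6ea1765..b9db4b9 100644
--- a/wp-admin/users.php
+++ b/wp-admin/users.php
@@ -95,7 +95,7 @@ switch ( $wp_list_table->current_action() ) {
 
 /* Bulk Dropdown menu Role changes */
 case 'promote':
-        check_admin_referer('bulk-users');
+        check_admin_referer( 'bulk-users', '_wpnonce-bulk-users' );
 
         if ( ! current_user_can( 'promote_users' ) )
                 wp_die( __( 'You can&#8217;t edit that user.' ) );
@@ -191,7 +191,7 @@ case 'delete':
         if ( is_multisite() )
                 wp_die( __('User deletion is not allowed from this screen.') );
 
-        check_admin_referer('bulk-users');
+        check_admin_referer( 'bulk-users', '_wpnonce-bulk-users' );
 
         if ( empty($_REQUEST['users']) && empty($_REQUEST['user']) ) {
                 wp_redirect($redirect);
@@ -295,7 +295,7 @@ break;
 
 case 'remove':
 
-        check_admin_referer('bulk-users');
+        check_admin_referer( 'bulk-users', '_wpnonce-bulk-users' );
 
         if ( ! is_multisite() )
                 wp_die( __( 'You can&#8217;t remove users.' ) );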
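diff --git wp-includes/functions.php wp-includes/functions.php
index a41d32f..8fda660 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -1191,6 +1191,9 @@ function wp_nonce_url( $actionurl, $action = -1 ) {
  * @return string Nonce field.
  */
 function wp_nonce_field( $action = -1, $name = "_wpnonce", $referer = true , $echo = true ) {
+        if ( 1 >= func_num_args() )
+                _doing_it_wrong( __METHOD__, __( 'The action and name parameters are now required.' ), '3.6' );
+
         $name = esc_attr( $name );
         $nonce_field = '<input type="hidden" id="' . $name . '" name="' . $name . '" value="' . wp_create_nonce( $action ) . '" />';
 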
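Review bot: The `_doing_it_wrong()` notice fires for any call with fewer than two arguments, yet `$name` keeps its `"_wpnonce"` default and the docblock (context lines 1191-1192, beginning before the hunk) says nothing about the change, so callers get a notice that contradicts the signature they can read. Either document it with a line such as `@since 3.6 The $name parameter is required; relying on the "_wpnonce" default triggers _doing_it_wrong().` or remove the default so the signature matches the message. `__FUNCTION__` is the usual first argument to `_doing_it_wrong()` in a plain function; `__METHOD__` expands to the same string here, so this is style only. `wp_nonce_url()`, named in the hunk header, is left emitting a single `_wpnonce` query argument, which means links and forms now follow different naming conventions and the docblock should say which callers still get the old name.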
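diff --git wp-includes/js/autosave.js wp-includes/js/autosave.js
index 3920d36..9077f67 100644
--- a/wp-includes/js/autosave.js
+++ b/wp-includes/js/autosave.js
@@ -61,7 +61,7 @@ jQuery(document).ready( function($) {
                         async: false,
                         data: {
                                 action: 'wp-remove-post-lock',
-                                _wpnonce: $('#_wpnonce').val(),
+                                _wpnonce: $('input[name="edit_form_advanced_nonce"]').val(),
                                 post_ID: $('#post_ID').val(),
                                 active_post_lock: $('#active_post_lock').val()
                         }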
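Review bot: `$('input[name="edit_form_advanced_nonce"]')` is inconsistent with the id-based lookups on the neighbouring lines (`$('#post_ID')`, `$('#active_post_lock')`); `wp_nonce_field()` renders the field with `id` equal to `name` (visible in the wp-includes/functions.php hunk), so `_wpnonce: $('#edit_form_advanced_nonce').val(),` is equivalent and reads like the `$('#_wpnonce')` it replaces. The value is still posted under the `_wpnonce` key, which is correct only as long as the `wp-remove-post-lock` handler keeps reading the default request name; that handler is not in the patch, so worth confirming. The enclosing ready handler begins before the hunk.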