Ticket #2678: nonce.4.diff
| File nonce.4.diff, 7.9 KB (added by , 20 years ago) |
|---|
-
wp-includes/functions-compat.php
98 98 } 99 99 } 100 100 101 // From php.net 102 if(!function_exists('http_build_query')) { 103 function http_build_query( $formdata, $numeric_prefix = null, $key = null ) { 104 $res = array(); 105 foreach ((array)$formdata as $k=>$v) { 106 $tmp_key = urlencode(is_int($k) ? $numeric_prefix.$k : $k); 107 if ($key) $tmp_key = $key.'['.$tmp_key.']'; 108 $res[] = ( ( is_array($v) || is_object($v) ) ? http_build_query($v, null, $tmp_key) : $tmp_key."=".urlencode($v) ); 109 } 110 $separator = ini_get('arg_separator.output'); 111 return implode($separator, $res); 112 } 113 } 101 114 ?> -
wp-includes/functions.php
1663 1663 return $installed; 1664 1664 } 1665 1665 1666 function wp_verify_nonce($nonce, $action = -1) { 1667 global $current_user; 1668 $uid = isset($current_user->id)? $current_user->id : 0; 1669 1670 $i = ceil(time() / 43200); 1671 1672 //Allow for expanding range, but only do one check if we can 1673 if( substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10) == $nonce || substr(md5(($i - 1) . DB_PASSWORD . $action . $uid), -12, 10) == $nonce ) 1674 return true; 1675 return false; 1676 } 1677 1678 function wp_create_nonce($action = -1) { 1679 global $current_user; 1680 $uid = isset($current_user->id)? $current_user->id : 0; 1681 1682 $i = ceil(time() / 43200); 1683 1684 return substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10); 1685 } 1686 1687 function wp_nonce_url($actionurl, $action = -1) { 1688 return add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl); 1689 } 1690 1691 function wp_nonce_field($action = -1) { 1692 echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />'; 1693 } 1694 1666 1695 ?> -
wp-includes/pluggable-functions.php
228 228 endif; 229 229 230 230 if ( !function_exists('check_admin_referer') ) : 231 function check_admin_referer() { 231 function check_admin_referer($action = -1) { 232 global $pagenow; 232 233 $adminurl = strtolower(get_settings('siteurl')).'/wp-admin'; 233 234 $referer = strtolower($_SERVER['HTTP_REFERER']); 234 if (!strstr($referer, $adminurl)) 235 die(__('Sorry, you need to <a href="http://codex.wordpress.org/Enable_Sending_Referrers">enable sending referrers</a> for this feature to work.')); 235 if ( !wp_verify_nonce($_REQUEST['_wpnonce'], $action) ) { 236 $html = "<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>\n<html xmlns='http://www.w3.org/1999/xhtml' lang='en' xml:lang='en'>\n\n"; 237 $html .= "<head>\n\t<title>" . __('WordPress Confirmation') . "</title>\n"; 238 $html .= "</head>\n<body>\n"; 239 if ( $_POST ) { 240 $q = http_build_query($_POST); 241 $q = explode( ini_get('arg_separator.output'), $q); 242 $html .= "\t<form method='post' action='$pagenow'>\n"; 243 foreach ( (array) $q as $a ) { 244 $v = substr(strstr($a, '='), 1); 245 $k = substr($a, 0, -(strlen($v)+1)); 246 $html .= "\t\t<input type='hidden' name='" . wp_specialchars( urldecode($k), 1 ) . "' value='" . wp_specialchars( urldecode($v), 1 ) . "' />\n"; 247 } 248 $html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n"; 249 $html .= "\t\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t</form>\n"; 250 } else { 251 $html .= "\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . "</a></p>\n"; 252 } 253 $html .= "</body>\n</html>"; 254 255 die($html); 256 } 236 257 do_action('check_admin_referer'); 237 } 238 endif; 258 }endif; 239 259 240 260 if ( !function_exists('check_ajax_referer') ) : 241 261 function check_ajax_referer() { -
wp-admin/inline-uploading.php
2 2 3 3 require_once('admin.php'); 4 4 5 check_admin_referer( );5 check_admin_referer('inlineuploading'); 6 6 7 7 header('Content-Type: text/html; charset=' . get_option('blog_charset')); 8 8 … … 41 41 42 42 wp_delete_attachment($attachment); 43 43 44 header("Location: ". basename(__FILE__)."?post=$post&all=$all&action=view&start=$start");44 header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=$start", 'inlineuploading')); 45 45 die; 46 46 47 47 case 'save': … … 100 100 add_post_meta($id, '_wp_attachment_metadata', array()); 101 101 } 102 102 103 header("Location: ". basename(__FILE__)."?post=$post&all=$all&action=view&start=0");103 header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=0", 'inlineuploading')); 104 104 die(); 105 105 106 106 case 'upload': … … 139 139 $attachments = $wpdb->get_results("SELECT ID, post_date, post_title, post_mime_type, guid FROM $wpdb->posts WHERE post_type = 'attachment' $and_type $and_post $and_user ORDER BY $sort LIMIT $start, $double", ARRAY_A); 140 140 141 141 if ( count($attachments) == 0 ) { 142 header("Location: ". basename(__FILE__)."?post=$post&action=upload");142 header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&action=upload", 'inlineuploading') ); 143 143 die; 144 144 } elseif ( count($attachments) > $num ) { 145 145 $next = $start + count($attachments) - $num; -
wp-admin/post.php
121 121 break; 122 122 123 123 case 'delete': 124 check_admin_referer( );124 check_admin_referer('deletepost'); 125 125 126 126 $post_id = (isset($_GET['post'])) ? intval($_GET['post']) : intval($_POST['post_ID']); 127 127 -
wp-admin/edit-form-advanced.php
173 173 <?php 174 174 if (current_user_can('upload_files')) { 175 175 $uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID); 176 $uploading_iframe_src = "inline-uploading.php?action=view&post=$uploading_iframe_ID";176 $uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&post=$uploading_iframe_ID", 'inlineuploading'); 177 177 $uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src); 178 178 if ( false != $uploading_iframe_src ) 179 179 echo '<iframe id="uploading" border="0" src="' . $uploading_iframe_src . '">' . __('This feature requires iframe support.') . '</iframe>'; -
wp-admin/edit.php
211 211 212 212 case 'control_delete': 213 213 ?> 214 <td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href=' post.php?action=delete&post=$id' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>214 <td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href='" . wp_nonce_url("post.php?action=delete&post=$id", 'deletepost') . "' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td> 215 215 <?php 216 216 break; 217 217