Ticket #2678: nonce.5.diff
| File nonce.5.diff, 14.5 KB (added by , 20 years ago) |
wp-includes/functions-compat.php
98 98 } 99 99 } 100 100 101 // From php.net 102 if(!function_exists('http_build_query')) { 103 function http_build_query( $formdata, $numeric_prefix = null, $key = null ) { 104 $res = array(); 105 foreach ((array)$formdata as $k=>$v) { 106 $tmp_key = urlencode(is_int($k) ? $numeric_prefix.$k : $k); 107 if ($key) $tmp_key = $key.'['.$tmp_key.']'; 108 $res[] = ( ( is_array($v) || is_object($v) ) ? http_build_query($v, null, $tmp_key) : $tmp_key."=".urlencode($v) ); 109 } 110 $separator = ini_get('arg_separator.output'); 111 return implode($separator, $res); 112 } 113 } 101 114 ?> -
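Review bot: The `http_build_query` fallback carries no header comment, so a reader cannot tell why a core file defines a PHP built-in or what the undocumented third parameter does. I would add above the `if(!function_exists(...))` guard: `// Fallback for PHP builds without http_build_query(); $key is the bracket prefix used internally when recursing into nested arrays/objects.` It is also worth noting in that comment that nested values are encoded with `urlencode()`, so callers that later split on `ini_get('arg_separator.output')` (as check_admin_referer does) must `urldecode()` keys and values themselves.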
wp-includes/functions.php
1663 1663 return $installed; 1664 1664 } 1665 1665 1666 function wp_nonce_url($actionurl, $action = -1) { 1667 return add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl); 1668 } 1669 1670 function wp_nonce_field($action = -1) { 1671 echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />'; 1672 } 1673 1666 1674 ?> -
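Review bot: Both helpers default `$action` to `-1`, which means a nonce minted for any call site that omits the action verifies against every other default-action check for that user, so the per-action binding the rest of this patch introduces is lost whenever a caller forgets the argument. I would document that explicitly rather than silently allow it: above `wp_nonce_url` add `// $action must be the same string the handler passes to check_admin_referer(); the -1 default is only a legacy fallback and should not be relied on.` and the same note on `wp_nonce_field`. The field value is a hex digest so no escaping is needed in the attribute, but the docblock should say that is why it is emitted raw.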
wp-includes/pluggable-functions.php
228 228 endif; 229 229 230 230 if ( !function_exists('check_admin_referer') ) : 231 function check_admin_referer() { 231 function check_admin_referer($action = -1) { 232 global $pagenow; 232 233 $adminurl = strtolower(get_settings('siteurl')).'/wp-admin'; 233 234 $referer = strtolower($_SERVER['HTTP_REFERER']); 234 if (!strstr($referer, $adminurl)) 235 die(__('Sorry, you need to <a href="http://codex.wordpress.org/Enable_Sending_Referrers">enable sending referrers</a> for this feature to work.')); 235 if ( !wp_verify_nonce($_REQUEST['_wpnonce'], $action) ) { 236 $html = "<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>\n<html xmlns='http://www.w3.org/1999/xhtml' lang='en' xml:lang='en'>\n\n"; 237 $html .= "<head>\n\t<title>" . __('WordPress Confirmation') . "</title>\n"; 238 $html .= "</head>\n<body>\n"; 239 if ( $_POST ) { 240 $q = http_build_query($_POST); 241 $q = explode( ini_get('arg_separator.output'), $q); 242 $html .= "\t<form method='post' action='$pagenow'>\n"; 243 foreach ( (array) $q as $a ) { 244 $v = substr(strstr($a, '='), 1); 245 $k = substr($a, 0, -(strlen($v)+1)); 246 $html .= "\t\t<input type='hidden' name='" . wp_specialchars( urldecode($k), 1 ) . "' value='" . wp_specialchars( urldecode($v), 1 ) . "' />\n"; 247 } 248 $html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n"; 249 $html .= "\t\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t</form>\n"; 250 } else { 251 $html .= "\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . 
"</a></p>\n"; 252 } 253 $html .= "</body>\n</html>"; 254 255 die($html); 256 } 236 257 do_action('check_admin_referer'); 237 } 238 endif; 258 }endif; 239 259 240 260 if ( !function_exists('check_ajax_referer') ) : 241 261 function check_ajax_referer() { … … 460 480 } 461 481 endif; 462 482 483 if ( !function_exists('wp_verify_nonce') ) : 484 function wp_verify_nonce($nonce, $action = -1) { 485 $user = wp_get_current_user(); 486 $uid = $user->id; 487 488 $i = ceil(time() / 43200); 489 490 //Allow for expanding range, but only do one check if we can 491 if( substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10) == $nonce || substr(md5(($i - 1) . DB_PASSWORD . $action . $uid), -12, 10) == $nonce ) 492 return true; 493 return false; 494 } 495 endif; 496 497 if ( !function_exists('wp_create_nonce') ) : 498 function wp_create_nonce($action = -1) { 499 $user = wp_get_current_user(); 500 $uid = $user->id; 501 502 $i = ceil(time() / 43200); 503 504 return substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10); 505 } 506 endif; 507 463 508 ?> -
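Review bot: In the GET branch of the new confirmation page, `$_SERVER['REQUEST_URI']` is written into `href='...'` without escaping; since this page is precisely what a cross-site request lands on, an attacker-chosen URI containing `'` or `<` becomes reflected XSS on the admin page. The link should be built as `"<a href='" . wp_specialchars( add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ), 1 ) . "'>"`. Separately, `wp_verify_nonce` compares with `==`, so a 10-character digest of the form `0e\d{8}` would loosely equal a supplied `_wpnonce=0` under PHP numeric-string comparison; use `===` in both comparisons and guard the lookup with `if ( !isset($_REQUEST['_wpnonce']) || !wp_verify_nonce($_REQUEST['_wpnonce'], $action) )`. The 10-hex-char truncation (40 bits) and the unkeyed md5 over `DB_PASSWORD` are weaker than an HMAC, which the function docblock should at least acknowledge.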
wp-admin/inline-uploading.php
2 2 3 3 require_once('admin.php'); 4 4 5 check_admin_referer( );5 check_admin_referer('inlineuploading'); 6 6 7 7 header('Content-Type: text/html; charset=' . get_option('blog_charset')); 8 8 … … 41 41 42 42 wp_delete_attachment($attachment); 43 43 44 header("Location: ". basename(__FILE__)."?post=$post&all=$all&action=view&start=$start");44 header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=$start", 'inlineuploading')); 45 45 die; 46 46 47 47 case 'save': … … 100 100 add_post_meta($id, '_wp_attachment_metadata', array()); 101 101 } 102 102 103 header("Location: ". basename(__FILE__)."?post=$post&all=$all&action=view&start=0");103 header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=0", 'inlineuploading')); 104 104 die(); 105 105 106 106 case 'upload': … … 139 139 $attachments = $wpdb->get_results("SELECT ID, post_date, post_title, post_mime_type, guid FROM $wpdb->posts WHERE post_type = 'attachment' $and_type $and_post $and_user ORDER BY $sort LIMIT $start, $double", ARRAY_A); 140 140 141 141 if ( count($attachments) == 0 ) { 142 header("Location: ". basename(__FILE__)."?post=$post&action=upload");142 header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&action=upload", 'inlineuploading') ); 143 143 die; 144 144 } elseif ( count($attachments) > $num ) { 145 145 $next = $start + count($attachments) - $num; -
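Review bot: The single action string `'inlineuploading'` is checked once at the top for every branch, so the nonce embedded in the iframe's `action=view` URL is equally valid for the `delete` and `save` branches; any page that can obtain that view URL (it is visible in the editor markup) holds a token that authorises deleting attachments. I would keep the coarse check for `view`/`upload` but re-verify inside the destructive branches with a scoped action, e.g. `check_admin_referer('delete-attachment' . $attachment);` before `wp_delete_attachment($attachment)`, and mint the matching nonce on the delete links that lead there. The Location redirects built with `wp_nonce_url` are fine as-is because the redirect target is the same coarse action.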
wp-admin/post.php
24 24 switch($action) { 25 25 case 'postajaxpost': 26 26 case 'post': 27 check_admin_referer( );27 check_admin_referer('add-post'); 28 28 29 29 $post_ID = 'post' == $action ? write_post() : edit_post(); 30 30 … … 78 78 break; 79 79 80 80 case 'editattachment': 81 check_admin_referer();82 83 81 $post_id = (int) $_POST['post_ID']; 84 82 83 check_admin_referer('update-attachment' . $post_id); 84 85 85 // Don't let these be changed 86 86 unset($_POST['guid']); 87 87 $_POST['post_type'] = 'attachment'; … … 96 96 add_post_meta($post_id, '_wp_attachment_metadata', $newmeta); 97 97 98 98 case 'editpost': 99 check_admin_referer(); 99 $post_ID = (int) $_POST['post_ID']; 100 check_admin_referer('update-post' . $post_ID); 100 101 101 102 $post_ID = edit_post(); 102 103 … … 121 122 break; 122 123 123 124 case 'delete': 124 check_admin_referer();125 126 125 $post_id = (isset($_GET['post'])) ? intval($_GET['post']) : intval($_POST['post_ID']); 126 check_admin_referer('delete-post' . $post_id); 127 127 128 128 $post = & get_post($post_id); 129 129 -
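Review bot: The `editattachment` case appears to fall through into `editpost` (no `break` between the `add_post_meta` call at 96 and `case 'editpost':` at 99), so after passing `check_admin_referer('update-attachment' . $post_id)` the request immediately hits `check_admin_referer('update-post' . $post_ID)` with a nonce minted for a different action and dies on the confirmation page. If the fall-through is intentional, as it seems to be, guard the second check: `if ( 'editattachment' != $action ) check_admin_referer('update-post' . $post_ID);`, or give the attachment form the `update-post` action so one nonce covers both. The top of the switch and the end of the `delete` case lie outside this hunk.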
wp-admin/edit-link-form.php
2 2 if ( ! empty($link_id) ) { 3 3 $heading = __('Edit Bookmark'); 4 4 $submit_text = __('Save Changes »'); 5 $form = '<form name="editlink" id="editlink" method="post" action="link.php">'; 5 $form = '<form name="editlink" id="editlink" method="post" action="link.php">'; 6 $nonce_action = 'update-bookmark' . $link_id; 6 7 } else { 7 8 $heading = __('Create Bookmark'); 8 9 $submit_text = __('Add Bookmark »'); 9 10 $form = '<form name="addlink" id="addlink" method="post" action="link.php">'; 11 $nonce_action = 'add-bookmark'; 10 12 } 11 13 12 14 function xfn_check($class, $value = '', $type = 'check') { … … 31 33 <div class="wrap"> 32 34 <h2><?php echo $heading ?></h2> 33 35 <?php echo $form ?> 34 36 <?php wp_nonce_field($nonce_action); ?> 37 35 38 <div id="poststuff"> 36 39 <div id="moremeta"> 37 40 <div id="grabit" class="dbx-group"> -
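Review bot: `$nonce_action = 'update-bookmark' . $link_id` must produce byte-for-byte the string the handler rebuilds as `'update-bookmark' . (int) $_POST['link_id']`; where `$link_id` is set is outside this file, and if it arrives uncast from `$_GET` a non-canonical value such as `05` yields a nonce the `save` handler rejects. I would cast here as well, `$nonce_action = 'update-bookmark' . (int) $link_id;`, and add the comment `// must match the action string in link.php case 'save'` so the two sides stay in sync.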
wp-admin/edit-form-advanced.php
22 22 $form_action = 'post'; 23 23 $temp_ID = -1 * time(); 24 24 $form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />"; 25 wp_nonce_field('add-post'); 25 26 } else { 26 27 $form_action = 'editpost'; 27 28 $form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />"; 29 wp_nonce_field('update-post' . $post_ID); 28 30 } 29 31 30 32 $form_pingback = '<input type="hidden" name="post_pingback" value="' . get_option('default_pingback_flag') . '" id="post_pingback" />'; … … 173 175 <?php 174 176 if (current_user_can('upload_files')) { 175 177 $uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID); 176 $uploading_iframe_src = "inline-uploading.php?action=view&post=$uploading_iframe_ID";178 $uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&post=$uploading_iframe_ID", 'inlineuploading'); 177 179 $uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src); 178 180 if ( false != $uploading_iframe_src ) 179 181 echo '<iframe id="uploading" border="0" src="' . $uploading_iframe_src . '">' . __('This feature requires iframe support.') . '</iframe>'; -
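Review bot: `wp_nonce_field()` echoes its hidden input immediately, but at lines 25 and 29 the surrounding code is only computing `$form_action`/`$form_extra` for a `<form>` that is emitted later, so the `_wpnonce` field is very likely written before the form opens and will not be submitted, sending every save to the confirmation page. Append it to the variable that is rendered inside the form instead, e.g. `$form_extra .= "<input type='hidden' name='_wpnonce' value='" . wp_create_nonce('add-post') . "' />";` in the first branch and the `'update-post' . $post_ID` equivalent in the second. The iframe `src` built with `wp_nonce_url` contains a raw `&`, which should be written as `&amp;` inside the attribute.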
wp-admin/edit.php
211 211 212 212 case 'control_delete': 213 213 ?> 214 <td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href=' post.php?action=delete&post=$id' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>214 <td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href='" . wp_nonce_url("post.php?action=delete&post=$id", 'delete-post' . $post->ID) . "' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td> 215 215 <?php 216 216 break; 217 217 -
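Review bot: The delete link's URL uses `$id` while the nonce action uses `$post->ID`; if these ever diverge the handler's `'delete-post' . $post_id` check fails, so use one variable in both places: `wp_nonce_url("post.php?action=delete&post=$post->ID", 'delete-post' . $post->ID)`. The result is dropped into `href='...'` unescaped; pass it through `wp_specialchars(..., 1)` (which also turns the `&` into `&amp;`) so the attribute stays well-formed.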
wp-admin/link.php
29 29 30 30 switch ($action) { 31 31 case 'deletebookmarks' : 32 check_admin_referer( );32 check_admin_referer('delete-bookmarks'); 33 33 34 34 // check the current user's level first. 35 35 if (!current_user_can('manage_links')) … … 53 53 break; 54 54 55 55 case 'move' : 56 check_admin_referer( );56 check_admin_referer('move-bookmarks'); 57 57 58 58 // check the current user's level first. 59 59 if (!current_user_can('manage_links')) … … 72 72 break; 73 73 74 74 case 'add' : 75 check_admin_referer( );75 check_admin_referer('add-bookmark'); 76 76 77 77 add_link(); 78 78 … … 80 80 break; 81 81 82 82 case 'save' : 83 check_admin_referer();84 85 83 $link_id = (int) $_POST['link_id']; 84 check_admin_referer('update-bookmark' . $link_id); 85 86 86 edit_link($link_id); 87 87 88 88 wp_redirect($this_file); … … 90 90 break; 91 91 92 92 case 'delete' : 93 check_admin_referer(); 93 $link_id = (int) $_GET['link_id']; 94 check_admin_referer('delete-bookmark' . $link_id); 94 95 95 96 if (!current_user_can('manage_links')) 96 97 die(__("Cheatin' uh ?")); 97 98 98 $link_id = (int) $_GET['link_id'];99 100 99 wp_delete_link($link_id); 101 100 102 101 wp_redirect($this_file); -
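Review bot: The `deletebookmarks` and `move` cases now require nonces for `'delete-bookmarks'` and `'move-bookmarks'`, but this patch shows no matching `wp_nonce_field()` in the bulk-action form of link-manager.php (only the per-row delete link gets a nonce), so unless it is added elsewhere every bulk delete or move will bounce to the confirmation page. Add `<?php wp_nonce_field('delete-bookmarks'); ?>` to that form, or use one shared action string for both bulk operations so a single field covers them. In the `delete` case the nonce check runs before `current_user_can('manage_links')`; swapping the order lets unauthorised users hit "Cheatin' uh ?" directly instead of being offered a freshly minted nonce for an action they cannot perform.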
wp-admin/link-manager.php
175 175 <?php 176 176 177 177 echo '<td><a href="link.php?link_id='.$link->link_id.'&action=edit" class="edit">'.__('Edit').'</a></td>'; 178 echo '<td><a href=" link.php?link_id='.$link->link_id.'&action=delete"'." class='delete' onclick=\"return deleteSomething( 'link', $link->link_id , '".sprintf(__("You are about to delete the "%s" bookmark to %s.\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($link->link_name, 1), wp_specialchars($link->link_url)).'\' );" class="delete">'.__('Delete').'</a></td>';178 echo '<td><a href="' . wp_nonce_url('link.php?link_id='.$link->link_id.'&action=delete', 'delete-bookmark' . $link->link_id ) . '"'." class='delete' onclick=\"return deleteSomething( 'link', $link->link_id , '".sprintf(__("You are about to delete the "%s" bookmark to %s.\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($link->link_name, 1), wp_specialchars($link->link_url)).'\' );" class="delete">'.__('Delete').'</a></td>'; 179 179 echo '<td align="center"><input type="checkbox" name="linkcheck[]" value="'.$link->link_id.'" /></td>'; 180 180 echo "\n </tr>\n"; 181 181 } -
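Review bot: The nonce URL is concatenated directly into `href="..."`, so the `&` that `add_query_arg` produces lands unescaped in an HTML attribute; wrap the URL in `wp_specialchars( wp_nonce_url(...) )` so it is emitted as `&amp;`. The edit link on 177 is a GET view and needs no nonce, but a one-line comment saying so would stop the next reader from "fixing" it.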
wp-admin/categories.php
24 24 25 25 case 'addcat': 26 26 27 check_admin_referer( );27 check_admin_referer('add-category'); 28 28 29 29 if ( !current_user_can('manage_categories') ) 30 30 die (__('Cheatin’ uh?')); … … 35 35 break; 36 36 37 37 case 'delete': 38 $cat_ID = (int) $_GET['cat_ID']; 39 check_admin_referer('delete-category' . $cat_ID); 38 40 39 check_admin_referer();40 41 41 if ( !current_user_can('manage_categories') ) 42 42 die (__('Cheatin’ uh?')); 43 43 44 $cat_ID = (int) $_GET['cat_ID'];45 44 $cat_name = get_catname($cat_ID); 46 45 47 46 // Don't delete the default cats. … … 67 66 <div class="wrap"> 68 67 <h2><?php _e('Edit Category') ?></h2> 69 68 <form name="editcat" action="categories.php" method="post"> 69 <?php wp_nonce_field('update-category' . $category->cat_ID); ?> 70 70 <table class="editform" width="100%" cellspacing="2" cellpadding="5"> 71 71 <tr> 72 72 <th width="33%" scope="row" valign="top"><label for="cat_name"><?php _e('Category name:') ?></label></th> … … 99 99 break; 100 100 101 101 case 'editedcat': 102 check_admin_referer(); 102 $cat_ID = (int) $_POST['cat_ID']; 103 check_admin_referer('update-category' . $cat_ID); 103 104 104 105 if ( !current_user_can('manage_categories') ) 105 106 die (__('Cheatin’ uh?')); … … 157 158 <div class="wrap"> 158 159 <h2><?php _e('Add New Category') ?></h2> 159 160 <form name="addcat" id="addcat" action="categories.php" method="post"> 161 <?php wp_nonce_field('add-category'); ?> 160 162 <div class="alignleft"><?php _e('Name:') ?><br /> 161 163 <input type="text" name="cat_name" id="cat_name" value="" /></p> 162 164 <p><?php _e('Category parent:') ?><br />
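Review bot: The `delete` case now requires a nonce for `'delete-category' . $cat_ID`, but the hunks shown do not update the category listing's delete links, which presumably still point at `categories.php?action=delete&cat_ID=...` without a token and would therefore land on the confirmation page every time. Those links should be built with `wp_nonce_url("categories.php?action=delete&cat_ID=$category->cat_ID", 'delete-category' . $category->cat_ID)` (the listing lies outside these hunks). The form-side `'update-category' . $category->cat_ID` and the handler's `(int) $_POST['cat_ID']` agree only if `cat_ID` is an integer on both sides, which is worth a comment next to the `wp_nonce_field` call.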