Changeset 3758

Timestamp:

05/02/2006 10:08:34 PM (20 years ago)

Author:

ryan

Message:

nonce functions. #2678

Location:

trunk/wp-includes

Files:

• functions-compat.php (modified) (1 diff)
• functions.php (modified) (1 diff)
• pluggable-functions.php (modified) (2 diffs)

trunk/wp-includes/functions-compat.php

@@ -99 +99 @@
 }
 
+// From php.net
+if(!function_exists('http_build_query')) {
+   function http_build_query( $formdata, $numeric_prefix = null, $key = null ) {
+       $res = array();
+       foreach ((array)$formdata as $k=>$v) {
+           $tmp_key = urlencode(is_int($k) ? $numeric_prefix.$k : $k);
+           if ($key) $tmp_key = $key.'['.$tmp_key.']';
+           $res[] = ( ( is_array($v) || is_object($v) ) ? http_build_query($v, null, $tmp_key) : $tmp_key."=".urlencode($v) );
+       }
+       $separator = ini_get('arg_separator.output');
+       return implode($separator, $res);
+   }
+}
 ?>

trunk/wp-includes/functions.php

@@ -1664 +1664 @@
 }
 
+function wp_nonce_url($actionurl, $action = -1) {
+    return add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl);
+}
+
+function wp_nonce_field($action = -1) {
+    echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />';
+}
+
 ?>

trunk/wp-includes/pluggable-functions.php

@@ -229 +229 @@
 
 if ( !function_exists('check_admin_referer') ) :
-function check_admin_referer() {
+function check_admin_referer($action = -1) {
+    global $pagenow;
     $adminurl = strtolower(get_settings('siteurl')).'/wp-admin';
     $referer = strtolower($_SERVER['HTTP_REFERER']);
-    if (!strstr($referer, $adminurl))
-        die(__('Sorry, you need to <a href="http://codex.wordpress.org/Enable_Sending_Referrers">enable sending referrers</a> for this feature to work.'));
+    if ( !wp_verify_nonce($_REQUEST['_wpnonce'], $action) ) {
+        $html  = "<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>\n<html xmlns='http://www.w3.org/1999/xhtml' lang='en' xml:lang='en'>\n\n";
+        $html .= "<head>\n\t<title>" . __('WordPress Confirmation') . "</title>\n";
+        $html .= "</head>\n<body>\n";
+        if ( $_POST ) {
+            $q = http_build_query($_POST);
+            $q = explode( ini_get('arg_separator.output'), $q);
+            $html .= "\t<form method='post' action='$pagenow'>\n";
+            foreach ( (array) $q as $a ) {
+                $v = substr(strstr($a, '='), 1);
+                $k = substr($a, 0, -(strlen($v)+1));
+                $html .= "\t\t<input type='hidden' name='" . wp_specialchars( urldecode($k), 1 ) . "' value='" . wp_specialchars( urldecode($v), 1 ) . "' />\n";
+            }
+            $html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n";
+            $html .= "\t\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t</form>\n";
+        } else {
+            $html .= "\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . "</a></p>\n";
+        }
+        $html .= "</body>\n</html>";
+
+        die($html);
+    }
     do_action('check_admin_referer');
-}
-endif;
+}endif;
 
 if ( !function_exists('check_ajax_referer') ) :
@@ -461 +481 @@
 endif;
 
+if ( !function_exists('wp_verify_nonce') ) :
+function wp_verify_nonce($nonce, $action = -1) {
+    $user = wp_get_current_user();
+    $uid = $user->id;
+
+    $i = ceil(time() / 43200);
+
+    //Allow for expanding range, but only do one check if we can
+    if( substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10) == $nonce || substr(md5(($i - 1) . DB_PASSWORD . $action . $uid), -12, 10) == $nonce )
+        return true;
+    return false;
+}
+endif;
+
+if ( !function_exists('wp_create_nonce') ) :
+function wp_create_nonce($action = -1) {
+    $user = wp_get_current_user();
+    $uid = $user->id;
+
+    $i = ceil(time() / 43200);
+    
+    return substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10);
+}
+endif;
+
 ?>