Changeset 3758 for trunk/wp-includes/pluggable-functions.php

Timestamp:

05/02/2006 10:08:34 PM (20 years ago)

Author:

ryan

Message:

nonce functions. #2678

File:

• trunk/wp-includes/pluggable-functions.php (modified) (2 diffs)

trunk/wp-includes/pluggable-functions.php

@@ -229 +229 @@
 
 if ( !function_exists('check_admin_referer') ) :
-function check_admin_referer() {
+function check_admin_referer($action = -1) {
+    global $pagenow;
     $adminurl = strtolower(get_settings('siteurl')).'/wp-admin';
     $referer = strtolower($_SERVER['HTTP_REFERER']);
-    if (!strstr($referer, $adminurl))
-        die(__('Sorry, you need to <a href="http://codex.wordpress.org/Enable_Sending_Referrers">enable sending referrers</a> for this feature to work.'));
+    if ( !wp_verify_nonce($_REQUEST['_wpnonce'], $action) ) {
+        $html  = "<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>\n<html xmlns='http://www.w3.org/1999/xhtml' lang='en' xml:lang='en'>\n\n";
+        $html .= "<head>\n\t<title>" . __('WordPress Confirmation') . "</title>\n";
+        $html .= "</head>\n<body>\n";
+        if ( $_POST ) {
+            $q = http_build_query($_POST);
+            $q = explode( ini_get('arg_separator.output'), $q);
+            $html .= "\t<form method='post' action='$pagenow'>\n";
+            foreach ( (array) $q as $a ) {
+                $v = substr(strstr($a, '='), 1);
+                $k = substr($a, 0, -(strlen($v)+1));
+                $html .= "\t\t<input type='hidden' name='" . wp_specialchars( urldecode($k), 1 ) . "' value='" . wp_specialchars( urldecode($v), 1 ) . "' />\n";
+            }
+            $html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n";
+            $html .= "\t\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t</form>\n";
+        } else {
+            $html .= "\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . "</a></p>\n";
+        }
+        $html .= "</body>\n</html>";
+
+        die($html);
+    }
     do_action('check_admin_referer');
-}
-endif;
+}endif;
 
 if ( !function_exists('check_ajax_referer') ) :
@@ -461 +481 @@
 endif;
 
+if ( !function_exists('wp_verify_nonce') ) :
+function wp_verify_nonce($nonce, $action = -1) {
+    $user = wp_get_current_user();
+    $uid = $user->id;
+
+    $i = ceil(time() / 43200);
+
+    //Allow for expanding range, but only do one check if we can
+    if( substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10) == $nonce || substr(md5(($i - 1) . DB_PASSWORD . $action . $uid), -12, 10) == $nonce )
+        return true;
+    return false;
+}
+endif;
+
+if ( !function_exists('wp_create_nonce') ) :
+function wp_create_nonce($action = -1) {
+    $user = wp_get_current_user();
+    $uid = $user->id;
+
+    $i = ceil(time() / 43200);
+    
+    return substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10);
+}
+endif;
+
 ?>