Changeset 38420

Timestamp:

08/28/2016 05:14:52 PM (7 years ago)

Author:

johnbillion

Message:

Security: Trigger a _doing_it_wrong() when check_ajax_referer() is called without its first parameter. This brings it inline with check_admin_referer().

Fixes #36361

Location:

trunk

Files:

• src/wp-includes/pluggable.php (modified) (1 diff)
• tests/phpunit/tests/auth.php (modified) (1 diff)

trunk/src/wp-includes/pluggable.php

@@ -1081 +1081 @@
  */
 function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
+    if ( -1 == $action ) {
+        _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '4.7' );
+    }
+
     $nonce = '';
 

trunk/tests/phpunit/tests/auth.php

@@ -150 +150 @@
     }
 
+    /**
+     * @ticket 36361
+     */
+    public function test_check_admin_referer_with_no_action_triggers_doing_it_wrong() {
+        $this->setExpectedIncorrectUsage( 'check_admin_referer' );
+
+        // A valid nonce needs to be set so the check doesn't die()
+        $_REQUEST['_wpnonce'] = wp_create_nonce( -1 );
+        $result = check_admin_referer();
+        $this->assertSame( 1, $result );
+
+        unset( $_REQUEST['_wpnonce'] );
+    }
+
+    /**
+     * @ticket 36361
+     */
+    public function test_check_ajax_referer_with_no_action_triggers_doing_it_wrong() {
+        $this->setExpectedIncorrectUsage( 'check_ajax_referer' );
+
+        // A valid nonce needs to be set so the check doesn't die()
+        $_REQUEST['_wpnonce'] = wp_create_nonce( -1 );
+        $result = check_ajax_referer();
+        $this->assertSame( 1, $result );
+
+        unset( $_REQUEST['_wpnonce'] );
+    }
+
     function test_password_length_limit() {
         $limit = str_repeat( 'a', 4096 );