Changeset 46486


Timestamp:
10/14/2019 05:33:34 PM (4 weeks ago)
Author:
whyisjake
Message:

Administration: Ensure that admin referer nonce is valid.

Coding standards: ensure that the nonce action is checked with the identical (===) operator rather than the loose equality (==) operator.

Backports [46477] to the 5.2 branch.
Props vortfu, xknown, whyisjake.

Location:
branches/5.2
Files:
3 edited

  • branches/5.2

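--- a/branches/5.2/src/wp-includes/pluggable.php
+++ b/branches/5.2/src/wp-includes/pluggable.php
@@ -1093,5 +1093,5 @@
  */
 function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
-    if ( -1 == $action ) {
+    if ( -1 === $action ) {
         _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
     }
@@ -1112,5 +1112,5 @@
     do_action( 'check_admin_referer', $action, $result );
 
-    if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
+    if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
         wp_nonce_ays( $action );
         die();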
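Review bot: The strict comparison in the second hunk is the part that actually matters for the nonce check, and nothing in the code records why: with `-1 == $action`, a string action such as '-1' compared equal to the integer default, so a request carrying an admin-prefixed referer but no valid nonce was let through by the fallback branch. A why-comment on the new line would keep a later coding-standards pass from relaxing it again: `// Strict on purpose: only the integer default (no action given) may fall back to the referer check; a string '-1' is a real action and must carry a valid nonce.` The fallback itself is still only a prefix match of `$referer` against `$adminurl`, which this commit leaves as it was. The body of check_admin_referer between the two hunks, including where `$referer` and `$adminurl` are derived, is outside the view.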
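--- a/branches/5.2/tests/phpunit/tests/auth.php
+++ b/branches/5.2/tests/phpunit/tests/auth.php
@@ -25,5 +25,5 @@
         self::$user_id = self::$_user->ID;
 
-        require_once( ABSPATH . WPINC . '/class-phpass.php' );
+        require_once ABSPATH . WPINC . '/class-phpass.php';
         self::$wp_hasher = new PasswordHash( 8, true );
     }
@@ -166,4 +166,13 @@
     }
 
+    public function test_check_admin_referer_with_default_action_as_string_not_doing_it_wrong() {
+        // A valid nonce needs to be set so the check doesn't die()
+        $_REQUEST['_wpnonce'] = wp_create_nonce( '-1' );
+        $result               = check_admin_referer( '-1' );
+        $this->assertSame( 1, $result );
+
+        unset( $_REQUEST['_wpnonce'] );
+    }
+
     /**
      * @ticket 36361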
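Review bot: The new test only covers the accepting path — a string '-1' with a valid nonce returns 1 — and does not pin the regression the strict comparison fixes, which is that the same string with no nonce must not be waved through by the referer fallback. The test suite's wp_die handler turns wp_nonce_ays() into a WPDieException, so a companion test can assert that; the referer source is outside the hunk and presumably comes from $_SERVER['HTTP_REFERER'] via wp_get_referer(), so that needs setting to an admin URL and restoring afterwards. Also, `unset( $_REQUEST['_wpnonce'] )` runs after the assertion, so a failing assertion leaks the nonce into later tests; cleaning up in tearDown, or before asserting, avoids that.

```php
    public function test_check_admin_referer_with_default_action_as_string_and_no_nonce_dies() {
        // Without a valid nonce, a string '-1' action must not fall through to the referer-only check.
        unset( $_REQUEST['_wpnonce'] );
        $_SERVER['HTTP_REFERER'] = admin_url();

        try {
            $this->expectException( 'WPDieException' );
            check_admin_referer( '-1' );
        } finally {
            unset( $_SERVER['HTTP_REFERER'] );
        }
    }
```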