Changeset 6138


Timestamp:
09/19/07 19:32:34 (7 years ago)
Author:
ryan
Message:

Extra protection in check_ajax_referer from mdawaffe. fixes #4939

File:
1 edited

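--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -350,4 +350,10 @@
 if ( !function_exists('check_ajax_referer') ) :
 function check_ajax_referer() {
+    $current_name = '';
+    if ( ( $current = wp_get_current_user() ) && $current->ID )
+        $current_name = $current->data->user_login;
+    if ( !$current_name )
+        die('-1');
+
     $cookie = explode('; ', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie
     foreach ( $cookie as $tasty ) {
@@ -357,5 +363,6 @@
             $pass = substr(strstr($tasty, '='), 1);
     }
-    if ( !wp_login( $user, $pass, true ) )
+
+    if ( $current_name != $user || !wp_login( $user, $pass, true ) )
         die('-1');
     do_action('check_ajax_referer');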
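Review bot: The new guard at new line 366 compares the cookie-supplied login against the current user's login with loose `!=`; PHP's loose string comparison treats numeric-looking strings by value, so two different login names can compare equal, and `if ( $current_name !== $user || !wp_login( $user, $pass, true ) )` is the safer form for an authorization check. `$user` and `$pass` are only assigned inside the foreach body, which lies outside the hunk, so a request whose cookie string contains no matching entry reaches the comparison with both variables undefined; initialising them before the loop, `$user = $pass = '';`, makes that failure path explicit rather than incidental. The rest of check_ajax_referer, including its closing lines, is outside the hunk.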