Timestamp:
10/09/2007 10:49:42 PM (17 years ago)
Author:
ryan
Message:

jquery for list manipulation. Round one, fight. Props mdawaffe. fixes #4805

File:
1 edited

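--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -347,21 +347,24 @@
 
 if ( !function_exists('check_ajax_referer') ) :
-function check_ajax_referer() {
-    $current_name = '';
-    if ( ( $current = wp_get_current_user() ) && $current->ID )
-        $current_name = $current->data->user_login;
-    if ( !$current_name )
-        die('-1');
-
-    $cookie = explode('; ', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie
-    foreach ( $cookie as $tasty ) {
-        if ( false !== strpos($tasty, USER_COOKIE) )
-            $user = substr(strstr($tasty, '='), 1);
-        if ( false !== strpos($tasty, PASS_COOKIE) )
-            $pass = substr(strstr($tasty, '='), 1);
-    }
-
-    if ( $current_name != $user || !wp_login( $user, $pass, true ) )
-        die('-1');
+function check_ajax_referer( $action = -1 ) {
+    $nonce = $_REQUEST['_ajax_nonce'] ? $_REQUEST['_ajax_nonce'] : $_REQUEST['_wpnonce'];
+    if ( !wp_verify_nonce( $nonce, $action ) ) {
+        $current_name = '';
+        if ( ( $current = wp_get_current_user() ) && $current->ID )
+            $current_name = $current->data->user_login;
+        if ( !$current_name )
+            die('-1');
+
+        $cookie = explode('; ', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie
+        foreach ( $cookie as $tasty ) {
+            if ( false !== strpos($tasty, USER_COOKIE) )
+                $user = substr(strstr($tasty, '='), 1);
+            if ( false !== strpos($tasty, PASS_COOKIE) )
+                $pass = substr(strstr($tasty, '='), 1);
+        }
+
+        if ( $current_name != $user || !wp_login( $user, $pass, true ) )
+            die('-1');
+    }
     do_action('check_ajax_referer');
 }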
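Review bot: The nonce check on new line 351 does not fail closed — when `wp_verify_nonce()` returns false the function falls through to the legacy cookie re-login, so a request carrying no nonce at all is still accepted whenever that fallback succeeds, and the `$action` parameter only adds CSRF protection once the fallback is removed. A comment at that branch such as `// Transitional: legacy cookie check remains a fallback; requests without a valid nonce are NOT rejected yet` would keep callers from assuming nonce enforcement. New line 350 also reads `$_REQUEST['_ajax_nonce']` and `$_REQUEST['_wpnonce']` without `isset()`, which raises a notice when either key is absent and hands `null` to `wp_verify_nonce()`; `$nonce = isset($_REQUEST['_ajax_nonce']) ? $_REQUEST['_ajax_nonce'] : (isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '');` avoids both. The `if ( !function_exists(...) ) :` guard that wraps this function is closed outside the hunk.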