Timestamp:
03/18/2008 02:43:20 AM (12 years ago)
Author:
ryan
Message:

Renew autosave nonce. Props andy. fixes #6266

File:
1 edited

  • trunk/wp-includes/pluggable.php

    r7333 r7375  
    625625 * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
    626626 */
    627 function check_admin_referer($action = -1, $query_arg = '_wpnonce' ) {
     627function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
    628628    $adminurl = strtolower(get_option('siteurl')).'/wp-admin';
    629629    $referer = strtolower(wp_get_referer());
    630     if ( !wp_verify_nonce($_REQUEST[$query_arg], $action) &&
    631         !(-1 == $action && strpos($referer, $adminurl) !== false)) {
     630    $result = wp_verify_nonce($_REQUEST[$query_arg], $action);
     631    if ( !$result && !(-1 == $action && strpos($referer, $adminurl) !== false) ) {
    632632        wp_nonce_ays($action);
    633633        die();
    634634    }
    635     do_action('check_admin_referer', $action);
     635    do_action('check_admin_referer', $action, $result);
     636    return $result;
    636637}endif;
    637638
     
    645646 * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
    646647 */
    647 function check_ajax_referer( $action = -1, $query_arg = false ) {
     648function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
    648649    if ( $query_arg )
    649650        $nonce = $_REQUEST[$query_arg];
     
    651652        $nonce = $_REQUEST['_ajax_nonce'] ? $_REQUEST['_ajax_nonce'] : $_REQUEST['_wpnonce'];
    652653
    653     if ( !wp_verify_nonce( $nonce, $action ) )
     654    $result = wp_verify_nonce( $nonce, $action );
     655
     656    if ( $die && false == $result )
    654657        die('-1');
    655658
    656     do_action('check_ajax_referer');
     659    do_action('check_ajax_referer', $action, $result);
     660
     661    return $result;
    657662}
    658663endif;
     
    938943endif;
    939944
     945if ( !function_exists('wp_nonce_tick') ) :
     946/**
     947 * wp_nonce_tick() - Get the time-dependent variable for nonce creation
     948 *
     949 * A nonce has a lifespan of two ticks. Nonces in their second tick may be updated, e.g. by autosave.
     950 *
     951 * @since 2.5
     952 *
     953 * @return int
     954 */
     955function wp_nonce_tick() {
     956    $nonce_life = apply_filters('nonce_life', 86400) / 2;
     957
     958    return ceil(time() / ( $nonce_life / 2 ));
     959}
     960endif;
     961
    940962if ( !function_exists('wp_verify_nonce') ) :
    941963/**
     
    955977    $uid = (int) $user->id;
    956978
    957     $i = ceil(time() / 43200);
    958 
    959     //Allow for expanding range, but only do one check if we can
    960     if( substr(wp_hash($i . $action . $uid), -12, 10) == $nonce || substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce )
    961         return true;
     979    $i = wp_nonce_tick();
     980
     981    // Nonce generated 0-12 hours ago
     982    if ( substr(wp_hash($i . $action . $uid), -12, 10) == $nonce )
     983        return 1;
     984    // Nonce generated 12-24 hours ago
     985    if ( substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce )
     986        return 2;
     987    // Invalid nonce
    962988    return false;
    963989}
     
    9771003    $uid = (int) $user->id;
    9781004
    979     $i = ceil(time() / 43200);
     1005    $i = wp_nonce_tick();
    9801006
    9811007    return substr(wp_hash($i . $action . $uid), -12, 10);
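Review bot: wp_nonce_tick() (new lines 956–958) halves the nonce lifetime twice: `$nonce_life` is already `apply_filters('nonce_life', 86400) / 2`, and the return then divides by `$nonce_life / 2` again, so a tick is 21600 s rather than the 43200 s the replaced `ceil(time() / 43200)` used and the "0-12 hours" / "12-24 hours" comments added to wp_verify_nonce describe. Nonces will therefore stop verifying after 12 hours instead of 24, and the fix is to drop one of the divisions: `$nonce_life = apply_filters('nonce_life', 86400);`. Separately, wp_verify_nonce still compares the ten-character hash fragment with `==`, which PHP evaluates numerically when both operands look like numbers, so `===` is the safer comparison even though the loose compare predates this commit. Because wp_verify_nonce now returns 1 or 2 rather than true, its @return docblock (above the hunk; both wp_verify_nonce and wp_create_nonce begin outside the hunk) should say `int|false`, and any caller testing `=== true` would now fail — worth checking.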