Make WordPress Core

Opened 6 years ago

Closed 4 years ago

#11953 closed defect (bug) (fixed)

wp_nonce_field() does not pass the result of wp_referer_field()

Reported by: webduo
Owned by: ryan
Milestone: 3.2
Priority: normal
Severity: normal
Version: 2.9.1
Component: Security
Keywords: has-patch commit
Focuses:
Cc:


When using wp_nonce_field in "no echo mode" (the $echo argument is set to false) and with the $referer variable set to true (which is the default), the result of the wp_referer_field function is not added to $nonce_field, which is returned at the end of wp_nonce_field.

I'd expect wp_nonce_field to return the same content that it echoes, but now it outputs two fields and passes just one (without the referer field). So:


results in something like

<input type="hidden" id="_wpnonce" name="_wpnonce" value="123456789a" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/options-general.php?page=some-action-name" />


wp_nonce_field('some-action-name', '_wpnonce', true, false);

returns only

<input type="hidden" id="_wpnonce" name="_wpnonce" value="123456789a" />

Attachments (3)

wp_nonce_field-2.9.1.patch (384 bytes) - added by webduo 6 years ago.
wp_nonce_field function patch for wordpress 2.9.1 tag
11953.diff (653 bytes) - added by scribu 4 years ago.
11953.2.diff (1.3 KB) - added by scribu 4 years ago.


Change History (16)

@webduo 6 years ago

wp_nonce_field function patch for wordpress 2.9.1 tag

comment:1 @webduo 6 years ago

This issue could be solved in a few other ways, so the attached patch is only a suggestion. Regards.

comment:2 follow-up: @nacin 6 years ago

Makes sense to me, but I'm wondering about how this will play into back compat.

comment:3 @nacin 5 years ago

  • Keywords has-patch dev-feedback added
  • Milestone changed from Unassigned to Future Release

comment:4 @neoxx 5 years ago

  • Summary changed from wp_nonce_filed() does not pass the result of wp_referer_field() to wp_nonce_field() does not pass the result of wp_referer_field()

comment:5 @ZephyrWest 5 years ago

This still hasn't been fixed as of 3.0.4... Is this going to make it into 3.1?

comment:6 @philipwalton 4 years ago

I ran into this bug today in my development. May I ask why it hasn't been implemented yet? If there is testing that needs to be done, I'm willing to help out in any way I can.

comment:7 in reply to: ↑ 2 @scribu 4 years ago

Patch looks good to me.

As for backwards compatibility, check_admin_referer() wouldn't have worked anyway.

Worst case, the referer field is added twice.


comment:8 @scribu 4 years ago

  • Keywords dev-feedback removed
  • Milestone changed from Future Release to 3.2

comment:9 @scribu 4 years ago

  • Keywords needs-refresh added

@scribu 4 years ago

comment:10 @scribu 4 years ago

  • Keywords needs-refresh removed

comment:11 @ryan 4 years ago

The phpdoc detailing this behavior would also need to be removed. Those who have been following the phpdoc would get duplicate fields, as scribu mentions, which seems acceptable.
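The echo/return mismatch from the ticket description and the duplicate-referer-field back-compat scenario raised in comments 7 and 11, as an added illustration that is not WordPress's own code: the demo_* functions, FAKE_NONCE and FAKE_REFERER are stand-ins constructed for this example and are not wp_create_nonce(), wp_referer_field() or wp_nonce_field() themselves. The "buggy" function reproduces the reported shape (the referer field is echoed but never appended to the returned string); the "fixed" function builds the full markup before echoing, so both modes agree.

```php
<?php
// Added illustration, not WordPress's code. Nonce value and referer path
// are constructed stand-ins for wp_create_nonce() / the request referer.
const FAKE_NONCE   = '123456789a';
const FAKE_REFERER = '/wp-admin/options-general.php?page=some-action-name';

// Stand-in for wp_referer_field(): builds the hidden referer input and
// either echoes it or returns it, following the same $echo contract.
function demo_referer_field( bool $echo = true ): string {
    $field = '<input type="hidden" name="_wp_http_referer" value="'
           . htmlspecialchars( FAKE_REFERER, ENT_QUOTES ) . '" />';
    if ( $echo ) {
        echo $field;
    }
    return $field;
}

// Builds the hidden nonce input for the given field name.
function demo_nonce_input( string $name ): string {
    $name = htmlspecialchars( $name, ENT_QUOTES );
    return '<input type="hidden" id="' . $name . '" name="' . $name
         . '" value="' . FAKE_NONCE . '" />';
}

// Pre-fix shape: the referer field is echoed (when $echo is true) but its
// return value is discarded, so the returned string never contains it.
function demo_nonce_field_buggy( string $name = '_wpnonce', bool $referer = true, bool $echo = true ): string {
    $nonce_field = demo_nonce_input( $name );
    if ( $echo ) {
        echo $nonce_field;
    }
    if ( $referer ) {
        demo_referer_field( $echo ); // result dropped: echo and return diverge
    }
    return $nonce_field;
}

// Fixed shape: append the referer field first, then echo and/or return the
// complete markup, so no-echo mode yields exactly what echo mode prints.
function demo_nonce_field_fixed( string $name = '_wpnonce', bool $referer = true, bool $echo = true ): string {
    $nonce_field = demo_nonce_input( $name );
    if ( $referer ) {
        $nonce_field .= demo_referer_field( false );
    }
    if ( $echo ) {
        echo $nonce_field;
    }
    return $nonce_field;
}

// Counts hidden inputs with the given name attribute in a markup string.
function demo_count_field( string $html, string $fieldName ): int {
    return (int) preg_match_all( '/name="' . preg_quote( $fieldName, '/' ) . '"/', $html );
}

// Captures what a variant echoes versus what it returns, in both modes,
// and reports how many referer fields each result carries.
function demo_compare( callable $fn ): array {
    ob_start();
    $returned = $fn( '_wpnonce', true, true );
    $echoed   = ob_get_clean();
    $quiet    = $fn( '_wpnonce', true, false );
    return [
        'echoed_referer_count'   => demo_count_field( $echoed, '_wp_http_referer' ),
        'returned_referer_count' => demo_count_field( $returned, '_wp_http_referer' ),
        'noecho_referer_count'   => demo_count_field( $quiet, '_wp_http_referer' ),
    ];
}

// Buggy variant: the referer field appears only in the echoed output.
var_dump( demo_compare( 'demo_nonce_field_buggy' ) );
// Fixed variant: the referer field appears in echoed and returned output alike.
var_dump( demo_compare( 'demo_nonce_field_fixed' ) );

// Back-compat case from the discussion: a caller that followed the old
// phpdoc and appended the referer field itself now gets it twice. Referer
// checking still passes; the only effect is the duplicated hidden input.
$legacy = demo_nonce_field_fixed( '_wpnonce', true, false ) . demo_referer_field( false );
var_dump( demo_count_field( $legacy, '_wp_http_referer' ) );
```

Run it with `php demo.php` (any filename; this is an assumed name). The comparison helper is the check a reviewer would want: for each variant it asserts nothing on its own, but the three counts make it obvious whether echo mode and no-echo mode agree, and the final count shows the duplicate-field outcome that comments 7 and 11 judge acceptable.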

@scribu 4 years ago

comment:12 @scribu 4 years ago

  • Keywords commit added

Removed docblock.

comment:13 @ryan 4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

In [18130]:

Properly return referrer when referer = true and echo = false. Props scribu, webduo. fixes #11953
