Opened 15 years ago
Closed 14 years ago
#11953 closed defect (bug) (fixed)
wp_nonce_field() does not pass the result of wp_referer_field()
Reported by: | webduo | Owned by: | ryan |
---|---|---|---|
Milestone: | 3.2 | Priority: | normal |
Severity: | normal | Version: | 2.9.1 |
Component: | Security | Keywords: | has-patch commit |
Focuses: | Cc: |
Description
When using wp_nonce_field in "no echo mode" ($echo argument is set to false) and with the $referer variable set to true (which is the default), the result of the wp_referer_field function is not added to $nonce_field, which is returned at the end of wp_nonce_field.
I'd expect wp_nonce_field to return the same content that it echoes, but now it outputs two fields and passes just one (without the referer field). So:
wp_nonce_field('some-action-name');
results in something like
<input type="hidden" id="_wpnonce" name="_wpnonce" value="123456789a" /> <input type="hidden" name="_wp_http_referer" value="/wp-admin/options-general.php?page=some-action-name" />
where
wp_nonce_field('some-action-name', '_wpnonce', true, false);
returns only
<input type="hidden" id="_wpnonce" name="_wpnonce" value="123456789a" />
Attachments (3)
Change History (16)
#1 @ 15 years ago
This issue could be solved in a few other ways, so the attached patch is only a suggestion. Regards.
#2 follow-up: ↓ 7 @ 15 years ago
Makes sense to me, but I'm wondering about how this will play into back compat.
#3 @ 14 years ago
- Keywords has-patch dev-feedback added
- Milestone changed from Unassigned to Future Release
#4 @ 14 years ago
- Summary changed from wp_nonce_filed() does not pass the result of wp_referer_field() to wp_nonce_field() does not pass the result of wp_referer_field()
#6 @ 14 years ago
I ran into this bug today in my development. May I ask why it hasn't been implemented yet? If there is testing that needs to be done, I'm willing to help out in any way I can.
#7 in reply to: ↑ 2 @ 14 years ago
Patch looks good to me.
As for backwards compatibility, check_admin_referer() wouldn't have worked anyway.
Worst case, the referer field is added twice.
wp_nonce_field function patch for wordpress 2.9.1 tag
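The reported behaviour and one way to correct it, as an added example that is neither WordPress core code nor the attached patch; every demo_* function, the HMAC key and the URI are constructed stand-ins. The last lines show the duplicate-field case mentioned in comment 7, assuming a caller that had appended the referer field itself.

```php
<?php
// Simplified model, not WordPress core. All demo_* names and values are constructed.
function demo_nonce_input(string $action, string $name): string {
    $name  = htmlspecialchars($name, ENT_QUOTES);
    $nonce = substr(hash_hmac('sha256', $action, 'constructed-demo-key'), 0, 10);
    return '<input type="hidden" id="' . $name . '" name="' . $name . '" value="' . $nonce . '" />';
}
function demo_referer_field(bool $echo = true): string {
    $uri   = '/wp-admin/options-general.php?page=some-action-name'; // constructed sample
    $field = '<input type="hidden" name="_wp_http_referer" value="' . htmlspecialchars($uri, ENT_QUOTES) . '" />';
    if ($echo) {
        echo $field;
    }
    return $field;
}
// Reported behaviour: the referer field is only printed as a side effect, never returned.
function demo_nonce_field_reported($action, $name = '_wpnonce', $referer = true, $echo = true): string {
    $field = demo_nonce_input($action, $name);
    if ($echo) {
        echo $field;
    }
    if ($referer) {
        demo_referer_field($echo); // return value discarded
    }
    return $field;
}
// One possible correction: assemble the complete markup, then echo and return the same string.
function demo_nonce_field_fixed($action, $name = '_wpnonce', $referer = true, $echo = true): string {
    $field = demo_nonce_input($action, $name);
    if ($referer) {
        $field .= demo_referer_field(false);
    }
    if ($echo) {
        echo $field;
    }
    return $field;
}

foreach (['reported', 'fixed'] as $variant) {
    $fn = "demo_nonce_field_$variant";
    ob_start();
    $fn('some-action-name');                                      // echo mode
    $echoed   = ob_get_clean();
    $returned = $fn('some-action-name', '_wpnonce', true, false); // no-echo mode
    printf("%-8s echoed === returned: %s\n", $variant, var_export($echoed === $returned, true));
}
// Assumed caller workaround written against the reported behaviour: after the fix it duplicates the field.
$html = demo_nonce_field_fixed('some-action-name', '_wpnonce', true, false) . demo_referer_field(false);
printf("referer fields with workaround after fix: %d\n", substr_count($html, '_wp_http_referer'));
```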