Make WordPress Core

Opened 6 years ago

Closed 4 years ago

#11953 closed defect (bug) (fixed)

wp_nonce_field() does not pass the result of wp_referer_field()

Reported by: webduo
Owned by: ryan
Milestone: 3.2
Priority: normal
Severity: normal
Version: 2.9.1
Component: Security
Keywords: has-patch commit
Focuses: (none)
Cc: (none)


When using wp_nonce_field in "no echo mode" (the $echo argument is set to false) and with the $referer variable set to true (which is the default), the result of the wp_referer_field function is not added to $nonce_field, which is returned at the end of wp_nonce_field.

I'd expect wp_nonce_field to return the same content that it echoes, but right now it outputs two fields and passes back just one (without the referer field). So, with $echo = true, the call results in something like

<input type="hidden" id="_wpnonce" name="_wpnonce" value="123456789a" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/options-general.php?page=some-action-name" />


wp_nonce_field('some-action-name', '_wpnonce', true, false);

returns only

<input type="hidden" id="_wpnonce" name="_wpnonce" value="123456789a" />
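The following is an added example that reproduces the mismatch described in the report; it is not WordPress core code. It uses a minimal stand-in for wp_nonce_field() with an HMAC-based helper in place of wp_create_nonce() and a helper that takes the request URI as a parameter in place of wp_referer_field(); both helpers, the parameter order and the constant EXAMPLE_NONCE_KEY are assumptions made for the example, and the URI is constructed.

```php
<?php
// Added example, not WordPress core code. It reproduces the defect from the
// ticket with a minimal stand-in for wp_nonce_field(): the nonce and referer
// helpers below are simplified assumptions, not the real wp_create_nonce()
// or wp_referer_field() implementations.

// Constructed secret for the example; WordPress derives its nonce key from
// its salts, not from a constant like this.
const EXAMPLE_NONCE_KEY = 'example-secret-key-not-for-production';

// Simplified stand-in for wp_create_nonce(): keyed hash over the action name,
// truncated to the 10 characters a WordPress nonce has.
function example_create_nonce(string $action): string {
    return substr(hash_hmac('md5', $action, EXAMPLE_NONCE_KEY), -12, 10);
}

// Simplified stand-in for wp_referer_field(): the request URI is passed in
// instead of being read from $_SERVER['REQUEST_URI'].
function example_referer_field(string $request_uri, bool $echo = true): string {
    $field = '<input type="hidden" name="_wp_http_referer" value="'
        . htmlspecialchars($request_uri, ENT_QUOTES) . '" />';
    if ($echo) {
        echo $field;
    }
    return $field;
}

// Pre-fix behaviour (the bug reported against 2.9.1): the referer field is
// echoed when $echo is true but never appended to $nonce_field, so the return
// value lacks it and, with $echo = false, the referer field is lost entirely.
function example_nonce_field_buggy(string $action, string $request_uri,
        string $name = '_wpnonce', bool $referer = true, bool $echo = true): string {
    $nonce_field = '<input type="hidden" id="' . $name . '" name="' . $name
        . '" value="' . example_create_nonce($action) . '" />';
    if ($echo) {
        echo $nonce_field;
    }
    if ($referer) {
        example_referer_field($request_uri, $echo); // return value discarded
    }
    return $nonce_field;
}

// Post-fix behaviour, matching what the commit message describes: build the
// combined markup first, then echo and return the same string.
function example_nonce_field_fixed(string $action, string $request_uri,
        string $name = '_wpnonce', bool $referer = true, bool $echo = true): string {
    $nonce_field = '<input type="hidden" id="' . $name . '" name="' . $name
        . '" value="' . example_create_nonce($action) . '" />';
    if ($referer) {
        $nonce_field .= example_referer_field($request_uri, false);
    }
    if ($echo) {
        echo $nonce_field;
    }
    return $nonce_field;
}

// Returns true when the markup carries both hidden fields a handler expects.
function example_has_both_fields(string $markup): bool {
    return strpos($markup, 'name="_wpnonce"') !== false
        && strpos($markup, 'name="_wp_http_referer"') !== false;
}

// Constructed request URI, as in the report.
$uri = '/wp-admin/options-general.php?page=some-action-name';

// Both calls use $echo = false, i.e. the "no echo mode" from the report.
$buggy = example_nonce_field_buggy('some-action-name', $uri, '_wpnonce', true, false);
$fixed = example_nonce_field_fixed('some-action-name', $uri, '_wpnonce', true, false);

echo "buggy return carries both fields: " . var_export(example_has_both_fields($buggy), true) . PHP_EOL;
echo "fixed return carries both fields: " . var_export(example_has_both_fields($fixed), true) . PHP_EOL;
```

Run it with the PHP CLI; the buggy variant reports false because its return value contains only the _wpnonce input, while the fixed variant reports true. A form built from the buggy return value therefore submits without _wp_http_referer, which is the field the admin handlers read to redirect back after processing.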

Attachments (3)

wp_nonce_field-2.9.1.patch (384 bytes) - added by webduo 6 years ago.
wp_nonce_field function patch for wordpress 2.9.1 tag
11953.diff (653 bytes) - added by scribu 5 years ago.
11953.2.diff (1.3 KB) - added by scribu 4 years ago.


Change History (16)

6 years ago

wp_nonce_field function patch for wordpress 2.9.1 tag

#1 @webduo
6 years ago

This issue could be solved in few other ways, so the attached patch is only a suggestion. Regards.

#2 follow-up: @nacin
6 years ago

Makes sense to me, but I'm wondering about how this will play into back compat.

#3 @nacin
5 years ago

  • Keywords has-patch dev-feedback added
  • Milestone changed from Unassigned to Future Release

#4 @neoxx
5 years ago

  • Summary changed from wp_nonce_filed() does not pass the result of wp_referer_field() to wp_nonce_field() does not pass the result of wp_referer_field()

#5 @ZephyrWest
5 years ago

This still hasn't been fixed as of 3.0.4... Is this going to make it into 3.1?

#6 @philipwalton
5 years ago

I ran into this bug today in my development. May I ask why it hasn't been implemented yet? If there is testing that needs to be done, I'm willing to help out in any way I can.

#7 in reply to: ↑ 2 @scribu
5 years ago

Patch looks good to me.

As for backwards compatibility, check_admin_referer() wouldn't have worked anyway.

Worst case, the referer field is added twice.

Last edited 5 years ago by scribu

#8 @scribu
5 years ago

  • Keywords dev-feedback removed
  • Milestone changed from Future Release to 3.2

#9 @scribu
5 years ago

  • Keywords needs-refresh added

5 years ago

#10 @scribu
5 years ago

  • Keywords needs-refresh removed

#11 @ryan
4 years ago

The phpdoc detailing this behavior would also need to be removed. Those who have been following the phpdoc would get duplicate fields, as scribu mentions, which seems acceptable.

4 years ago

#12 @scribu
4 years ago

  • Keywords commit added

Removed docblock.

#13 @ryan
4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

In [18130]:

Properly return referrer when referer = true and echo = false. Props scribu, webduo. fixes #11953
