Opened 11 years ago

Closed 10 years ago

#11953 closed defect (bug) (fixed)

wp_nonce_field() does not pass the result of wp_referer_field()

Reported by: webduo Owned by: ryan
Milestone: 3.2 Priority: normal
Severity: normal Version: 2.9.1
Component: Security Keywords: has-patch commit

Description

When using wp_nonce_field in "no echo mode" (the $echo argument is set to false) and with the $referer variable set to true (which is the default), the result of the wp_referer_field function is not added to $nonce_field, which is returned at the end of wp_nonce_field.

I'd expect wp_nonce_field to return the same content that it echoes, but now it outputs two fields and passes just one (without the referer field). So:

wp_nonce_field('some-action-name');

results in something like

<input type="hidden" id="_wpnonce" name="_wpnonce" value="123456789a" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/options-general.php?page=some-action-name" />

where

wp_nonce_field('some-action-name', '_wpnonce', true, false);

returns only

<input type="hidden" id="_wpnonce" name="_wpnonce" value="123456789a" />
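
The following is an added example, not code from the ticket or from WordPress core. It shows the corrected shape of wp_nonce_field() (build the whole markup, then either echo it or return it, so both modes carry the nonce field and the referer field) and a check that echo mode and return mode agree. demo_create_nonce() and demo_referer_field() are constructed stand-ins for wp_create_nonce() and wp_referer_field() so the file runs without WordPress loaded; the request URI is constructed as well.

```php
<?php
// Added example, not WordPress core code. Stand-ins are constructed so that the
// file runs stand-alone: real WordPress uses wp_create_nonce() and wp_referer_field().

// Constructed stand-in: deterministic so repeated calls yield the same value.
// The real wp_create_nonce() mixes in the user ID, session token and a time tick.
function demo_create_nonce($action)
{
    return substr(hash_hmac('md5', (string) $action, 'constructed-demo-salt'), -12, 10);
}

// Constructed stand-in for wp_referer_field(); the real one reads REQUEST_URI.
function demo_referer_field($echo = true)
{
    $request_uri = '/wp-admin/options-general.php?page=some-action-name'; // constructed
    $field = '<input type="hidden" name="_wp_http_referer" value="'
        . htmlspecialchars($request_uri, ENT_QUOTES) . '" />';
    if ($echo) {
        echo $field;
    }
    return $field;
}

// Corrected behaviour: the referer field is appended to $nonce_field before the
// echo/return decision, so the $echo = false caller receives both inputs too.
function demo_nonce_field($action = -1, $name = '_wpnonce', $referer = true, $echo = true)
{
    $name = htmlspecialchars($name, ENT_QUOTES);
    $nonce_field = '<input type="hidden" id="' . $name . '" name="' . $name
        . '" value="' . demo_create_nonce($action) . '" />';
    if ($referer) {
        $nonce_field .= demo_referer_field(false); // collect, never echo from here
    }
    if ($echo) {
        echo $nonce_field;
    }
    return $nonce_field;
}

// Count hidden inputs with a given name attribute in a fragment of markup.
function demo_count_fields($html, $field_name)
{
    return preg_match_all('/<input[^>]*\bname="' . preg_quote($field_name, '/') . '"/', $html);
}

// Check that echo mode and return mode emit identical markup, each with exactly
// one nonce field and one referer field. The 'legacy' case is the duplicate
// mentioned in the ticket discussion: a caller that kept appending the referer
// field by hand (as the old phpdoc suggested) now ends up with two of them.
function demo_check($action = 'some-action-name')
{
    ob_start();
    demo_nonce_field($action);                                      // echo mode
    $echoed = ob_get_clean();
    $returned = demo_nonce_field($action, '_wpnonce', true, false); // return mode

    $legacy = demo_nonce_field($action, '_wpnonce', true, false) . demo_referer_field(false);

    return array(
        'echo_equals_return'      => $echoed === $returned,          // true after the fix
        'returned_nonce_fields'   => demo_count_fields($returned, '_wpnonce'),
        'returned_referer_fields' => demo_count_fields($returned, '_wp_http_referer'),
        'legacy_referer_fields'   => demo_count_fields($legacy, '_wp_http_referer'),
    );
}

var_dump(demo_check());
```

Run with `php` on the command line. With the pre-fix behaviour described in the ticket, echo_equals_return would be false and returned_referer_fields would be 0, because the referer field was echoed but never concatenated into the returned string; the legacy count of 2 is the harmless duplicate the later comments accept as the cost of the fix.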

Attachments (3)

wp_nonce_field-2.9.1.patch (384 bytes) - added by webduo 11 years ago.
wp_nonce_field function patch for wordpress 2.9.1 tag
11953.diff (653 bytes) - added by scribu 10 years ago.
11953.2.diff (1.3 KB) - added by scribu 10 years ago.


Change History (16)

@webduo
11 years ago

wp_nonce_field function patch for wordpress 2.9.1 tag

#1 @webduo
11 years ago

This issue could be solved in a few other ways, so the attached patch is only a suggestion. Regards.

#2 follow-up: @nacin
11 years ago

Makes sense to me, but I'm wondering about how this will play into back compat.

#3 @nacin
11 years ago

  • Keywords has-patch dev-feedback added
  • Milestone changed from Unassigned to Future Release

#4 @neoxx
11 years ago

  • Summary changed from wp_nonce_filed() does not pass the result of wp_referer_field() to wp_nonce_field() does not pass the result of wp_referer_field()

#5 @ZephyrWest
10 years ago

This still hasn't been fixed as of 3.0.4... Is this going to make it into 3.1?

#6 @philipwalton
10 years ago

I ran into this bug today in my development. May I ask why it hasn't been implemented yet? If there is testing that needs to be done, I'm willing to help out in any way I can.

#7 in reply to: ↑ 2 @scribu
10 years ago

Patch looks good to me.

As for backwards compatibility, check_admin_referer() wouldn't have worked anyway.

Worst case, the referer field is added twice.


#8 @scribu
10 years ago

  • Keywords dev-feedback removed
  • Milestone changed from Future Release to 3.2

#9 @scribu
10 years ago

  • Keywords needs-refresh added

@scribu
10 years ago

#10 @scribu
10 years ago

  • Keywords needs-refresh removed

#11 @ryan
10 years ago

The phpdoc detailing this behavior would also need to be removed. Those who have been following the phpdoc would get duplicate fields, as scribu mentions, which seems acceptable.

@scribu
10 years ago

#12 @scribu
10 years ago

  • Keywords commit added

Removed docblock.

#13 @ryan
10 years ago

  • Resolution set to fixed
  • Status changed from new to closed

In [18130]:

Properly return referrer when referer = true and echo = false. Props scribu, webduo. fixes #11953
