Make WordPress Core

Opened 14 years ago

Closed 13 years ago

#11953 closed defect (bug) (fixed)

wp_nonce_field() does not pass the result of wp_referer_field()

Reported by: webduo's profile webduo Owned by: ryan's profile ryan
Milestone: 3.2 Priority: normal
Severity: normal Version: 2.9.1
Component: Security Keywords: has-patch commit
Focuses: Cc:

Description

When using wp_nonce_field in "no echo mode" ($echo argument is set to false) and with the $referer variable set to true (which is the default) the result of wp_referer_field function is not added to $nonce_field which is returned at the end of wp_nonce_field.

I'd expect wp_nonce_field to return the same content what it echoes, but now it outputs two fields and passes just one (without the referer field). So:

wp_nonce_field('some-action-name');

results in something like

<input type="hidden" id="_wpnonce" name="_wpnonce" value="123456789a" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/options-general.php?page=some-action-name" />

where

wp_nonce_field('some-action-name', '_wpnonce', true, false);

returns only

<input type="hidden" id="_wpnonce" name="_wpnonce" value="123456789a" />

Attachments (3)

wp_nonce_field-2.9.1.patch (384 bytes) - added by webduo 14 years ago.
wp_nonce_field function patch for wordpress 2.9.1 tag
11953.diff (653 bytes) - added by scribu 13 years ago.
11953.2.diff (1.3 KB) - added by scribu 13 years ago.

Download all attachments as: .zip

Change History (16)

@webduo
14 years ago

wp_nonce_field function patch for wordpress 2.9.1 tag

#1 @webduo
14 years ago

This issue could be solved in few other ways, so the attached patch is only a suggestion. Regards.

#2 follow-up: @nacin
14 years ago

Makes sense to me, but I'm wondering about how this will play into back compat.

#3 @nacin
14 years ago

  • Keywords has-patch dev-feedback added
  • Milestone changed from Unassigned to Future Release

#4 @neoxx
14 years ago

  • Summary changed from wp_nonce_filed() does not pass the result of wp_referer_field() to wp_nonce_field() does not pass the result of wp_referer_field()

#5 @ZephyrWest
13 years ago

This still hasn't been fixed as of 3.0.4... Is this going to make it into 3.1?

#6 @philipwalton
13 years ago

I ran into this bug today in my development. May I ask why it hasn't been implemented yet? If there is testing that needs to be done, I'm willing to help out in any way I can.

#7 in reply to: ↑ 2 @scribu
13 years ago

Patch looks good to me.

As for backwards compat, check_admin_referer() wouldn't have worked anyway.

Version 0, edited 13 years ago by scribu (next)

#8 @scribu
13 years ago

  • Keywords dev-feedback removed
  • Milestone changed from Future Release to 3.2

#9 @scribu
13 years ago

  • Keywords needs-refresh added

@scribu
13 years ago

#10 @scribu
13 years ago

  • Keywords needs-refresh removed

#11 @ryan
13 years ago

The phpdoc detailing this behavior would also need to be removed. Those who have been following the phpdoc would get duplicate fields, as scribu mentions, which seems acceptable.

@scribu
13 years ago

#12 @scribu
13 years ago

  • Keywords commit added

Removed docblock.

#13 @ryan
13 years ago

  • Resolution set to fixed
  • Status changed from new to closed

In [18130]:

Properly return referrer when referer = true and echo = false. Props scribu, webduo. fixes #11953

Note: See TracTickets for help on using tickets.