
Make WordPress Core

Opened 4 years ago

Closed 3 years ago

#11953 closed defect (bug) (fixed)

wp_nonce_field() does not pass the result of wp_referer_field()

Reported by: webduo
Owned by: ryan
Milestone: 3.2
Priority: normal
Severity: normal
Version: 2.9.1
Component: Security
Keywords: has-patch commit
Focuses:
Cc:

Description

When using wp_nonce_field in "no echo mode" ($echo argument set to false) and with the $referer argument set to true (which is the default), the result of the wp_referer_field function is not added to $nonce_field, which is returned at the end of wp_nonce_field.

I'd expect wp_nonce_field to return the same content that it echoes, but currently it outputs two fields and returns just one (without the referer field). So:

wp_nonce_field('some-action-name');

results in something like

<input type="hidden" id="_wpnonce" name="_wpnonce" value="123456789a" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/options-general.php?page=some-action-name" />

where

wp_nonce_field('some-action-name', '_wpnonce', true, false);

returns only

<input type="hidden" id="_wpnonce" name="_wpnonce" value="123456789a" />
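The following stand-alone PHP script is an added example, not WordPress core code and not the reporter's patch. It models the two code paths the description contrasts (echoed output versus the echo=false return value) and the appended-referer behaviour of the fix, so a plugin author can see why a form built from the pre-fix return value lacks `_wp_http_referer`. All `demo_*` functions, the hard-coded referer path and the nonce stand-in are constructed for the example; the real wp_create_nonce() and wp_referer_field() are not used, and the fix is modelled as appending wp_referer_field()'s string to $nonce_field, which is an assumption about the patch rather than a quote of it.

```php
<?php
// Added example (not WordPress core code): a stand-alone model of the
// wp_nonce_field() defect described in this ticket. WordPress's own
// wp_create_nonce() and the request URI are replaced by the constructed
// placeholders below so the script runs without a WordPress install.

// Stand-in for wp_create_nonce(): any fixed-width token will do here.
function demo_create_nonce($action) {
    return substr(hash('sha256', 'demo-salt|' . $action), 0, 10);
}

// Stand-in for wp_referer_field(): emits the _wp_http_referer hidden field.
// Constructed path; the real function derives it from REQUEST_URI.
function demo_referer_field($echo = true) {
    $uri  = '/wp-admin/options-general.php?page=some-action-name';
    $html = '<input type="hidden" name="_wp_http_referer" value="'
          . htmlspecialchars($uri, ENT_QUOTES) . '" />';
    if ($echo) {
        echo $html . "\n";
    }
    return $html;
}

// The nonce input itself, shared by both variants below.
function demo_nonce_input($action, $name) {
    $name = htmlspecialchars($name, ENT_QUOTES);
    return '<input type="hidden" id="' . $name . '" name="' . $name
         . '" value="' . demo_create_nonce($action) . '" />';
}

// Behaviour reported for 2.9.1: with $referer = true the referer field is
// echoed (when $echo is true) but never appended to the returned string.
function demo_nonce_field_buggy($action, $name = '_wpnonce', $referer = true, $echo = true) {
    $nonce_field = demo_nonce_input($action, $name);
    if ($echo) {
        echo $nonce_field . "\n";
    }
    if ($referer) {
        demo_referer_field($echo);   // return value discarded: the defect
    }
    return $nonce_field;
}

// Behaviour after the fix (modelled, see lead-in): the referer field is
// concatenated onto the return value, so echo=false callers get both inputs.
function demo_nonce_field_fixed($action, $name = '_wpnonce', $referer = true, $echo = true) {
    $nonce_field = demo_nonce_input($action, $name);
    if ($referer) {
        $nonce_field .= "\n" . demo_referer_field(false);
    }
    if ($echo) {
        echo $nonce_field . "\n";
    }
    return $nonce_field;
}

// Count referer inputs in a form fragment. A count of 0 is the bug; a count
// of 2 is the duplicate-field case comment:11 accepts for callers who had
// appended wp_referer_field() themselves to work around it.
function demo_count_referer_fields($html) {
    return substr_count($html, 'name="_wp_http_referer"');
}

$buggy = demo_nonce_field_buggy('some-action-name', '_wpnonce', true, false);
$fixed = demo_nonce_field_fixed('some-action-name', '_wpnonce', true, false);
$workaround_after_fix = $fixed . "\n" . demo_referer_field(false);

printf("2.9.1 return value: %d referer field(s)\n", demo_count_referer_fields($buggy));
printf("fixed return value: %d referer field(s)\n", demo_count_referer_fields($fixed));
printf("fixed + manual referer field: %d referer field(s)\n",
       demo_count_referer_fields($workaround_after_fix));
```

Run it with `php demo.php`; nothing is echoed by the nonce functions because every call passes $echo = false, which is exactly the path the ticket is about. The count helper is the check to run against a real form before and after upgrading: a caller that concatenated wp_referer_field() manually on 2.9.1 will see the count go from 1 to 2 on a fixed release and should drop the manual call.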

Attachments (3)

wp_nonce_field-2.9.1.patch (384 bytes) - added by webduo 4 years ago.
wp_nonce_field function patch for wordpress 2.9.1 tag
11953.diff (653 bytes) - added by scribu 3 years ago.
11953.2.diff (1.3 KB) - added by scribu 3 years ago.


Change History (16)

webduo 4 years ago

wp_nonce_field function patch for wordpress 2.9.1 tag

comment:1 webduo 4 years ago

This issue could be solved in a few other ways, so the attached patch is only a suggestion. Regards.

comment:2 follow-up: nacin 4 years ago

Makes sense to me, but I'm wondering about how this will play into back compat.

comment:3 nacin 4 years ago

  • Keywords has-patch dev-feedback added
  • Milestone changed from Unassigned to Future Release

comment:4 neoxx 4 years ago

  • Summary changed from wp_nonce_filed() does not pass the result of wp_referer_field() to wp_nonce_field() does not pass the result of wp_referer_field()

comment:5 ZephyrWest 3 years ago

This still hasn't been fixed as of 3.0.4... Is this going to make it into 3.1?

comment:6 philipwalton 3 years ago

I ran into this bug today in my development. May I ask why it hasn't been implemented yet? If there is testing that needs to be done, I'm willing to help out in any way I can.

comment:7 in reply to: ↑ 2 scribu 3 years ago

Patch looks good to me.

As for backwards compat, check_admin_referer() wouldn't have worked anyway.


comment:8 scribu 3 years ago

  • Keywords dev-feedback removed
  • Milestone changed from Future Release to 3.2

comment:9 scribu 3 years ago

  • Keywords needs-refresh added

scribu 3 years ago

comment:10 scribu 3 years ago

  • Keywords needs-refresh removed

comment:11 ryan 3 years ago

The phpdoc detailing this behavior would also need to be removed. Those who have been following the phpdoc would get duplicate fields, as scribu mentions, which seems acceptable.

scribu 3 years ago

comment:12 scribu 3 years ago

  • Keywords commit added

Removed docblock.

comment:13 ryan 3 years ago

  • Resolution set to fixed
  • Status changed from new to closed

In [18130]:

Properly return referrer when referer = true and echo = false. Props scribu, webduo. fixes #11953
