WordPress.org

Make WordPress Core

Opened 9 years ago

Closed 7 years ago

#14044 closed enhancement (invalid)

check_admin_referer is a template tag only

Reported by: hakre
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.0
Component: Security
Keywords: has-patch dev-feedback needs-testing gsoc
Focuses:
Cc:
PR Number:

Description

When a plugin author wants to check (e.g. in the init hook) whether a certain admin referer is available or not, the plugin needs to write its own admin referer implementation, because the existing function

check_admin_referer()

can only be used to check for, but not against (if it's not the appropriate referer, the script will die).

This is mainly because that function is meant to be used as an admin "template tag" only.

Useful would be a function that returns a boolean value instead of dying / continuing execution.

This can be done by moving the decision out of check_admin_referer() into a new function check_admin_referer_test() and leaving the die in there.

This will make plugin coding safer, because right now no such function exists, and so it's hard to check pre-conditions like proper form submits in init.

Attachments (1)

14044.diff (917 bytes) - added by wojtek.szkutnik 9 years ago.


Change History (6)

#1 @wojtek.szkutnik
9 years ago

  • Cc wojtek.szkutnik@… added
  • Keywords has-patch needs-testing added; needs-patch removed

How about adding another argument?

#2 @wojtek.szkutnik
9 years ago

  • Keywords gsoc added

#3 @nacin
9 years ago

  • Component changed from General to Security
  • Milestone changed from Awaiting Review to Future Release

Use case?

#4 @gazouteast
9 years ago

@nacin

Use Case = comments 6 & 7 here -
http://studioslice.com/2010/04/18/community-submitted-news-ver-11-is-out/

Plugin is in repo here - http://wordpress.org/extend/plugins/community-submitted-news/

Looks as if plugin authors are using the admin-only check to validate form submission by non-registered users. I've seen this on a couple of other plugins too, but can't remember their names as it was pre-WP3.

Gaz

#5 @nacin
7 years ago

  • Milestone Future Release deleted
  • Resolution set to invalid
  • Status changed from new to closed

check_admin_referer() only checks the referer if action = -1, which is not supported.

So the equivalent non-die function is wp_verify_nonce().
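One way to get the boolean pre-condition check the ticket asks for, built on wp_verify_nonce() as comment #5 suggests. This is an added example, not code from the ticket, the attached patch, or WordPress core; the myplugin_ prefix, action name, field name and capability are hypothetical, and it assumes it runs inside a loaded WordPress plugin.

```php
<?php
// Added example: a non-dying nonce check for use in the init hook.
// Hypothetical action and field names used by the plugin's own form.
define( 'MYPLUGIN_NONCE_ACTION', 'myplugin_submit_news' );
define( 'MYPLUGIN_NONCE_FIELD', '_myplugin_nonce' );

// Called while rendering the plugin's form: emits the hidden nonce field.
function myplugin_render_nonce_field() {
    wp_nonce_field( MYPLUGIN_NONCE_ACTION, MYPLUGIN_NONCE_FIELD );
}

/**
 * Boolean check usable from init.
 *
 * check_admin_referer() calls wp_die() on failure, so callers cannot branch
 * on its result. wp_verify_nonce() returns 1 (nonce issued in the last 12
 * hours), 2 (12 to 24 hours old) or false, and never dies.
 */
function myplugin_is_valid_submission() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return false; // not a form submission at all
    }
    if ( empty( $_POST[ MYPLUGIN_NONCE_FIELD ] ) ) {
        return false; // some other POST, not our form
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST[ MYPLUGIN_NONCE_FIELD ] ) );
    return false !== wp_verify_nonce( $nonce, MYPLUGIN_NONCE_ACTION );
}

// A valid nonce shows the request came from a form WordPress generated for
// this visitor; it is not an authorization check. For logged-in flows, pair
// it with a capability check (hypothetical capability below). For the
// anonymous-submission case in comment #4, the nonce only ties the request
// to the plugin's form and stops stray or stale submissions.
function myplugin_handle_init() {
    if ( ! myplugin_is_valid_submission() ) {
        return; // missing, forged or expired nonce: keep executing normally
    }
    if ( is_user_logged_in() && ! current_user_can( 'edit_posts' ) ) {
        return; // logged in but not allowed to perform this action
    }
    // ... process the submitted item here ...
}
add_action( 'init', 'myplugin_handle_init' );
```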
