WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#15243 closed defect (bug) (worksforme)

Incorrect user is set when using Ajax Nonces over HTTPS Connection

Reported by: jeremysawesome
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.0.1
Component: General
Keywords: reporter-feedback
Focuses:
Cc:

Description

When using ajax nonces over an HTTPS connection, the wp_verify_nonce function calculates an incorrect nonce and fails. This only occurs when a user is logged into WordPress. Somehow WordPress is unable to identify the right user when an ajax request comes in over https. The wp_hash function then calculates the nonce incorrectly and therefore the nonce check fails.

I've tested this by doing the following:
Added this code to both wp_create_nonce and wp_verify_nonce functions:

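   // Debug output: dump the nonce inputs and the resulting hash.
   // print_r() prints the array itself; wrapping it in echo would also print its return value.
   echo '<pre>';
   print_r(array(
      'user_id'=>$uid,
      'i'=>$i,
      'action'=>$action,
      'wp_hash'=>substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10)
   ));
   echo '</pre>';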

I then ran several tests from the frontend of a site using ajax on both an HTTP and HTTPS connection. I tested the HTTPS connection while not logged in and while logged in, then again for the HTTP connection. Pay special attention to the wp_hash that gets calculated for each connection. You will notice that the hash is correct for every test except when logged in to WordPress and connecting over https.

Here are the results:

Attempt 1 OVER HTTPS:
   ---------- When not logged in wp_create_nonce ----------
   Array
   (
       [user_id] => 0
       [i] => 29810
       [action] => dna_wpec_reps_nonce
       [wp_hash] => d0a78cb732
   )

   ---------- When not logged in wp_verify_nonce ----------
   Array
   (
       [user_id] => 0
       [i] => 29810
       [action] => dna_wpec_reps_nonce
       [nonce] => d0a78cb732
       [wp_hash] => d0a78cb732
   )

   ---------- When logged in wp_create_nonce ----------
   Array
   (
       [user_id] => 1
       [i] => 29810
       [action] => dna_wpec_reps_nonce
       [wp_hash] => 75855d4e1d
   )

   ---------- When logged in wp_verify_nonce ----------
   Array
   (
       [user_id] => 0
       [i] => 29810
       [action] => dna_wpec_reps_nonce
       [nonce] => 75855d4e1d
       [wp_hash] => d0a78cb732
   )

Attempt 1 OVER HTTP:

   ---------- When not logged in wp_create_nonce ----------
   Array
   (
      [user_id] => 0
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => d0a78cb732
   )


   ---------- When not logged in wp_verify_nonce ----------
   Array
   (
      [user_id] => 0
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => d0a78cb732
   )

   ---------- When logged in wp_create_nonce ----------
   Array
   (
      [user_id] => 1
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => 75855d4e1d
   )

   ---------- When logged in wp_verify_nonce ----------
   Array
   (
      [user_id] => 1
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => 75855d4e1d
   )
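
The mismatch in the logged-in HTTPS run follows directly from the user ID being part of the hashed input. The stand-alone model below is an added example, not code from the ticket or from WordPress core: it mirrors the `substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10)` expression with HMAC-MD5 and adds a diagnostic that reports which user ID a rejected nonce is bound to. `MODEL_SALT`, `model_nonce`, `model_verify` and `diagnose_nonce` are hypothetical names, and the salt is a constructed placeholder.

```php
<?php
// Added example: stand-alone model of the nonce check, not WordPress core code.
// MODEL_SALT is a constructed placeholder standing in for the site's real salt.
const MODEL_SALT = 'constructed-salt-for-illustration';

// Models substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) from the ticket.
function model_nonce(int $tick, string $action, int $uid): string {
    return substr(hash_hmac('md5', $tick . $action . $uid, MODEL_SALT), -12, 10);
}

// Models the verify side: accept the current or the previous tick for the
// user ID the request resolved to. hash_equals() compares in constant time.
function model_verify(string $nonce, int $tick, string $action, int $uid) {
    if (hash_equals(model_nonce($tick, $action, $uid), $nonce)) {
        return 1;
    }
    if (hash_equals(model_nonce($tick - 1, $action, $uid), $nonce)) {
        return 2;
    }
    return false;
}

// Diagnostic: given a nonce that failed, find which candidate user ID it was
// created for. A hit on an ID other than the one the request resolved to means
// the identity changed between page render and the AJAX call.
function diagnose_nonce(string $nonce, int $tick, string $action, array $candidate_uids): ?int {
    foreach ($candidate_uids as $uid) {
        if (model_verify($nonce, $tick, $action, $uid) !== false) {
            return $uid;
        }
    }
    return null;
}

// Values taken from the ticket's debug output.
$tick   = 29810;
$action = 'dna_wpec_reps_nonce';

// Page rendered while logged in as user 1.
$nonce = model_nonce($tick, $action, 1);

// Same identity on both requests, as in the logged-in HTTP run.
var_dump(model_verify($nonce, $tick, $action, 1));
// AJAX request resolved to user 0, as in the logged-in HTTPS run.
var_dump(model_verify($nonce, $tick, $action, 0));
// Which identity is the rejected nonce bound to?
var_dump(diagnose_nonce($nonce, $tick, $action, [0, 1]));
```

Because the salt is a placeholder, the hashes this prints will not match the values in the ticket; only the accept/reject pattern carries over.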

Change History (4)

comment:1 jeremysawesome 3 years ago

Here is also a second attempt that illustrates the same issue:

Attempt 2 OVER HTTPS:
   ---------- When not logged in wp_create_nonce ----------
   Array
   (
      [user_id] => 0
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => d0a78cb732
   )

   ---------- When not logged in wp_verify_nonce ----------
   Array
   (
      [user_id] => 0
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => d0a78cb732
   )

   ---------- When logged in wp_create_nonce ----------
   Array
   (
      [user_id] => 1
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => 75855d4e1d
   )

   ---------- When logged in wp_verify_nonce ----------
   Array
   (
      [user_id] => 0
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => d0a78cb732
   )

Attempt 2 OVER HTTP:
   ---------- When not logged in wp_create_nonce ----------
   Array
   (
      [user_id] => 0
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => d0a78cb732
   )

   ---------- When not logged in wp_verify_nonce ----------
   Array
   (
      [user_id] => 0
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => d0a78cb732
   )

   ---------- When logged in wp_create_nonce ----------
   Array
   (
      [user_id] => 1
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => 75855d4e1d
   )

   ---------- When logged in wp_verify_nonce ----------
   Array
   (
      [user_id] => 1
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => 75855d4e1d
   )

comment:2 jonbyrd 3 years ago

I ran into this problem myself, but I was having errors on the HTTP requests. I tracked the error through the wp_get_current_user() function and found that the $current_user global variable was being modified by a random plugin.

The only change required is that $user->id; needs to be $user->ID; in pluggable.php.
Or you can locate the plugin that's causing the error and remove it.

comment:3 nacin 3 years ago

  • Keywords reporter-feedback added; ajax user nonce verify https fail secure removed

comment:4 nacin 3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed