Opened 8 years ago

Closed 7 years ago

#21277 closed enhancement (fixed)

Remove unused nonce fields in site-themes.php and site-users.php

Reported by: jeremyfelt Owned by: nacin
Milestone: 3.5 Priority: normal
Severity: trivial Version: 3.1
Component: Network Admin Keywords: has-patch commit
Focuses: multisite Cc:
PR Number:

Description

In 16242 from 14897, check_admin_referer( 'edit-site' ) was removed during a massive reorg of site-themes.php. Additional nonce checks were added via the nonce audit in 15969, but the nonce field generation for the original edit-site was never removed. This currently results in the generation of two hidden inputs with name="_wp_nonce".

check_admin_referer( 'edit-site' ) was also removed for site-users.php in 16560, but the 2 associated nonce field(s) remained. A 3rd 'edit-site' nonce field was added in 16585 when a new form was added, but that has been unnecessary.

The attached patch removes all 4 instances of wp_nonce_field( 'edit-site' ) across site-themes.php and site-users.php as they are no longer required in either.
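An added example, not part of the ticket or its patch: a small audit script that flags `wp_nonce_field()` calls whose literal action is never verified by `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` in the scanned sources, which is the situation described above. The PHP snippets are constructed stand-ins rather than the real file contents, and `example-bulk-action`, `example-add-user` and `_example_nonce` are hypothetical names; only literal string actions are matched.

```python
import re

# Literal first argument of wp_nonce_field(); concatenated/dynamic actions are skipped.
FIELD_RE = re.compile(r"""wp_nonce_field\(\s*(['"])([^'"]+)\1\s*[,)]""")
# Literal action verified by check_admin_referer() / check_ajax_referer().
REFERER_RE = re.compile(r"""check_(?:admin|ajax)_referer\(\s*(['"])([^'"]+)\1\s*[,)]""")
# Literal action passed as the second argument of wp_verify_nonce().
VERIFY_RE = re.compile(r"""wp_verify_nonce\([^,()]+,\s*(['"])([^'"]+)\1\s*\)""")

def verified_actions(sources):
    """Return every literal nonce action that some scanned file verifies."""
    actions = set()
    for text in sources.values():
        for rx in (REFERER_RE, VERIFY_RE):
            actions.update(m.group(2) for m in rx.finditer(text))
    return actions

def orphaned_nonce_fields(sources):
    """Return (file, line, action) for nonce fields that nothing verifies."""
    checked = verified_actions(sources)
    findings = []
    for name, text in sorted(sources.items()):
        for m in FIELD_RE.finditer(text):
            if m.group(2) not in checked:
                line = text.count("\n", 0, m.start()) + 1
                findings.append((name, line, m.group(2)))
    return findings

# Constructed sample input (hypothetical action names apart from 'edit-site').
_THEMES = """<?php
if ( $action ) {
    check_admin_referer( 'example-bulk-action' );
}
?>
<form method="post">
<?php wp_nonce_field( 'edit-site' ); ?>
<?php wp_nonce_field( 'example-bulk-action' ); ?>
</form>
"""
_USERS = (_THEMES.replace("'example-bulk-action' )", "'example-add-user', '_example_nonce' )"))
SAMPLE = {"site-themes.php": _THEMES, "site-users.php": _USERS}

if __name__ == "__main__":
    for name, line, action in orphaned_nonce_fields(SAMPLE):
        print(f"{name}:{line}: nonce field '{action}' is never verified")
```

A finding only means no literal check exists in the files passed in; a verification that lives in another file or builds its action dynamically has to be confirmed by hand.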

Attachments (1)

21277.diff (1.7 KB) - added by jeremyfelt 8 years ago.

Change History (3)

@jeremyfelt
8 years ago

#1 @nacin
7 years ago

  • Keywords commit added
  • Milestone changed from Awaiting Review to 3.5

#2 @nacin
7 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In [21903]:

Remove unused edit-site nonce fields from site-users and site-themes. props jeremyfelt, fixes #21277.
