#24030 closed defect (bug) (fixed)
Add an action for when nonce verification fails
| Reported by: | dd32 | Owned by: | Shelob9 |
|---|---|---|---|
| Milestone: | 4.4 | Priority: | normal |
| Severity: | normal | Version: | 2.0.3 |
| Component: | Security | Keywords: | has-patch 4.4-early |
| Focuses: | | Cc: | |
Description
Currently when a plugin (or core) calls check_admin_referer() there is no way for auditing (or debugging) plugins to hook in and record an event that the nonce check failed.
Previously it was possible to use the explain_nonce_$nonce filter to do this, but that was removed in [21133].
If a plugin wants to record an event for a failing nonce, it'll need to call wp_verify_nonce() manually itself and die afterwards, or call check_admin_referer() after verifying the nonce itself for logging purposes.
I'd suggest either resurrecting the previous filter as an action (for back compat) or adding a new nonce failure hook.
Attachments (4)
Change History (15)
#2, 11 years ago
- Component changed from General to Security
- Keywords needs-patch good-first-bug added
- Milestone changed from Awaiting Review to Future Release
This will also need hook documentation: https://make.wordpress.org/core/handbook/inline-documentation-standards/php-documentation-standards/
#3, 11 years ago
- Keywords has-patch added; needs-patch removed
I'm presuming that the very complex filter that was removed in 21133 was removed for its complexity, so I have created a very simple action. I used it successfully to log actions that failed because the nonce wasn't correct. My specific test was copying the link for switching the theme to Twenty Eleven, and removing the last character from the nonce string before submitting it. I was able to log 'switch-theme_twentyeleven' using the action added in my patch 24030.diff
If something more complicated is needed, please let me know and I will take a stab at it.
#7, 11 years ago
- Milestone changed from 3.9 to Future Release
There are existing hooks in check_(admin|ajax)_referer, so we should be able to just append _failed to those to get the other hook name.
Or, should this be done directly in wp_verify_nonce()?
#8, 11 years ago
- Keywords dev-feedback needs-testing added
Uploaded a new patch that moves the action created by Shelob9 into wp_verify_nonce() per the last comment by nacin.
Also created a unit test case which makes sure this action is getting called and passing the $uid and $action.
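The pieces discussed in this ticket, as an added example that is not code from the ticket's patches or from WordPress core: an audit plugin that records each nonce failure from the action fired inside wp_verify_nonce(), the pre-hook workaround the description mentions (verify manually, log, then let check_admin_referer() die), and a unit test of the kind comment #8 describes that reproduces the manual test from comment #3 (a nonce with its last character removed). The example assumes the action is named 'wp_verify_nonce_failed' and receives ( $nonce, $action, $user, $token ), which is what shipped in WordPress 4.4; the ticket text on this page does not spell out the final name or signature. The function, class and log-line names are the example's own.

```php
<?php
/**
 * Plugin Name: Nonce Failure Audit (added example)
 *
 * Added example, not code from the ticket or from WordPress core. Assumes the
 * action added to wp_verify_nonce() is 'wp_verify_nonce_failed' with arguments
 * ( $nonce, $action, $user, $token ), as shipped in WordPress 4.4.
 */

/**
 * Record one failed nonce verification. Hooked to the core action below and
 * also called directly by the pre-hook workaround.
 *
 * @param string     $nonce  The nonce that failed to verify.
 * @param string|int $action The nonce action, e.g. 'switch-theme_twentyeleven'.
 * @param WP_User    $user   The user the nonce was checked against (ID 0 if logged out).
 * @param string     $token  The session token used for the check ('' if none).
 */
function nfa_log_nonce_failure( $nonce, $action, $user, $token ) {
	$entry = array(
		'time'    => gmdate( 'c' ),
		'action'  => (string) $action,
		'user_id' => ( $user instanceof WP_User ) ? (int) $user->ID : 0,
		// Nonces are derived from wp_salt(); keep the full value out of logs.
		'nonce'   => substr( (string) $nonce, 0, 4 ) . '...',
		'token'   => ( '' !== $token ) ? 'set' : 'none',
		'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
		'uri'     => isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
	);
	error_log( 'nonce_verification_failed ' . wp_json_encode( $entry ) );
}
add_action( 'wp_verify_nonce_failed', 'nfa_log_nonce_failure', 10, 4 );

/**
 * The workaround the ticket description describes, for installs without the
 * hook: verify manually, log, then hand off to check_admin_referer(), which
 * dies on failure and returns 1|2 on success. It calls wp_verify_nonce() twice,
 * so once the core action exists the same failure would be logged twice.
 */
function nfa_check_admin_referer_logged( $action, $query_arg = '_wpnonce' ) {
	$nonce = isset( $_REQUEST[ $query_arg ] ) ? (string) wp_unslash( $_REQUEST[ $query_arg ] ) : '';
	if ( ! wp_verify_nonce( $nonce, $action ) ) {
		nfa_log_nonce_failure( $nonce, $action, wp_get_current_user(), wp_get_session_token() );
	}
	return check_admin_referer( $action, $query_arg );
}

/**
 * Unit test for the action, run under the WordPress PHPUnit suite
 * (WP_UnitTestCase). Mirrors the manual test in comment #3: a valid nonce
 * with its last character removed must fail and fire the action once, with
 * the action string and the current user passed through.
 */
class Tests_Nonce_Failure_Action extends WP_UnitTestCase {
	public function test_action_fires_with_action_and_user_on_truncated_nonce() {
		$user_id = self::factory()->user->create();
		wp_set_current_user( $user_id );

		$seen = array();
		add_action( 'wp_verify_nonce_failed', function ( $nonce, $action, $user ) use ( &$seen ) {
			$seen[] = array( $nonce, $action, (int) $user->ID );
		}, 10, 3 );

		$action = 'switch-theme_twentyeleven';
		$good   = wp_create_nonce( $action );
		$bad    = substr( $good, 0, -1 );

		$this->assertNotFalse( wp_verify_nonce( $good, $action ) );
		$this->assertCount( 0, $seen );            // a valid nonce must not fire the action
		$this->assertFalse( wp_verify_nonce( $bad, $action ) );
		$this->assertCount( 1, $seen );
		$this->assertSame( array( $bad, $action, $user_id ), $seen[0] );
	}
}
```

Two caveats for anyone wiring this into a real audit trail: the action fires for every failed wp_verify_nonce() call, including expected failures such as an expired nonce from an old tab or a plugin probing several actions in turn, so treat a single event as a signal rather than an attack on its own; and because it fires from inside wp_verify_nonce() it covers check_admin_referer(), check_ajax_referer() and direct callers alike, which is the reason comment #7 suggested placing it there rather than appending _failed to the two existing referer hooks.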
#9, 9 years ago
- Keywords 4.4-early added; good-first-bug dev-feedback needs-testing removed
- Version changed from 3.4.1 to 2.0.3
I recently had a need for this.
24030.2.diff refreshes and tidies up the patch and tests from @garza.
#21190 was marked as a duplicate.