WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#25369 closed defect (bug) (fixed)

Adding custom fields is broken since [25433]

Reported by: ocean90 Owned by: wonderboymusic
Milestone: 3.7 Priority: highest omg bbq
Severity: blocker Version:
Component: General Keywords: has-patch
Focuses: Cc:

Description

In 3.6:

function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
	if ( $query_arg )
		$nonce = $_REQUEST[$query_arg];
	else
		$nonce = isset($_REQUEST['_ajax_nonce']) ? $_REQUEST['_ajax_nonce'] : $_REQUEST['_wpnonce'];

	$result = wp_verify_nonce( $nonce, $action );

	if ( $die && false == $result ) {
		if ( defined( 'DOING_AJAX' ) && DOING_AJAX )
			wp_die( -1 );
		else
			die( '-1' );
	}

	do_action('check_ajax_referer', $action, $result);

	return $result;
}

in Trunk:

function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
	$nonce = '';

	if ( $query_arg && isset( $_REQUEST[$query_arg] ) )
		$nonce = $_REQUEST[$query_arg];

	if ( isset( $_REQUEST['_ajax_nonce'] ) )
		$nonce = $_REQUEST['_ajax_nonce'];

	if ( isset( $_REQUEST['_wpnonce'] ) )
		$nonce = $_REQUEST['_wpnonce'];

	$result = wp_verify_nonce( $nonce, $action );

	if ( $die && false == $result ) {
		if ( defined( 'DOING_AJAX' ) && DOING_AJAX )
			wp_die( -1 );
		else
			die( '-1' );
	}

	do_action('check_ajax_referer', $action, $result);

	return $result;
}

When adding a custom field the following data is send:

_ajax_nonce:0
action:add-meta
metakeyselect:#NONE#
metakeyinput:foo
metavalue:bar
_ajax_nonce-add-meta:ca03740878
post_id:1

As you can see, we have two nonces here, one is 0. Through the change in [25433], the real nonce will be overwritten.

Attachments (1)

25369.patch (807 bytes) - added by ocean90 6 years ago.

Download all attachments as: .zip

Change History (3)

@ocean90
6 years ago

#1 @ocean90
6 years ago

  • Keywords has-patch added

25369.patch changes the block to elseif.

#2 @wonderboymusic
6 years ago

  • Owner set to wonderboymusic
  • Resolution set to fixed
  • Status changed from new to closed

In 25550:

Use elseif when slurping the nonce in check_ajax_referer() to avoid accidentally overwriting it.

Fail wonderboymusic in [25433].
Props ocean90.
Fixes #25369.
See [25433].

Note: See TracTickets for help on using tickets.