Adding custom fields is broken since [25433]

[ocean90]

In 3.6:

function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
	if ( $query_arg )
		$nonce = $_REQUEST[$query_arg];
	else
		$nonce = isset($_REQUEST['_ajax_nonce']) ? $_REQUEST['_ajax_nonce'] : $_REQUEST['_wpnonce'];

	$result = wp_verify_nonce( $nonce, $action );

	if ( $die && false == $result ) {
		if ( defined( 'DOING_AJAX' ) && DOING_AJAX )
			wp_die( -1 );
		else
			die( '-1' );
	}

	do_action('check_ajax_referer', $action, $result);

	return $result;
}

in Trunk:

function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
	$nonce = '';

	if ( $query_arg && isset( $_REQUEST[$query_arg] ) )
		$nonce = $_REQUEST[$query_arg];

	if ( isset( $_REQUEST['_ajax_nonce'] ) )
		$nonce = $_REQUEST['_ajax_nonce'];

	if ( isset( $_REQUEST['_wpnonce'] ) )
		$nonce = $_REQUEST['_wpnonce'];

	$result = wp_verify_nonce( $nonce, $action );

	if ( $die && false == $result ) {
		if ( defined( 'DOING_AJAX' ) && DOING_AJAX )
			wp_die( -1 );
		else
			die( '-1' );
	}

	do_action('check_ajax_referer', $action, $result);

	return $result;
}

When adding a custom field the following data is send:

_ajax_nonce:0
action:add-meta
metakeyselect:#NONE#
metakeyinput:foo
metavalue:bar
_ajax_nonce-add-meta:ca03740878
post_id:1

As you can see, we have two nonces here, one is 0. Through the change in [25433], the real nonce will be overwritten.

[ocean90]

25369.patch​ changes the block to elseif.

[wonderboymusic]

In 25550:

Use elseif when slurping the nonce in check_ajax_referer() to avoid accidentally overwriting it.

Fail wonderboymusic in [25433].
Props ocean90.
Fixes #25369.
See [25433].