Make WordPress Core

Opened 9 years ago

Closed 9 years ago

#27798 closed defect (bug) (fixed)

Nonce failure when installing theme via FTP filesystem method

Reported by: ocean90 Owned by: nacin
Milestone: 3.9 Priority: highest omg bbq
Severity: blocker Version: 3.9
Component: Themes Keywords: has-patch
Focuses: Cc:


Original report:

To force FTP you can use

<?php
// Force the FTP extension transport regardless of what WP_Filesystem would pick;
// the $method argument is the transport WordPress would otherwise have chosen.
add_filter( 'filesystem_method', function( $method ) {
	return 'ftpext';
} );

Steps to reproduce:

  1. Go to wp-admin/theme-install.php
  2. Select a theme and install
  3. Enter FTP credentials (wp-admin/update.php?action=install-theme&theme=itek&_wpnonce=3cbbfc5a2d)
  4. Click "Proceed"
  5. Failure. (wp-admin/update.php?action=install-theme&theme=itek&_wpnonce=d1c34b4560)

Uploading via a ZIP works.
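The failure in steps 3 to 5 is a nonce whose action string does not match the one the installer verifies. The block below is an added example, not code from this ticket or from WordPress core: it is a standalone PHP approximation of the WordPress nonce scheme (keyed hash over tick, action and user, accepted for the current and previous tick), and it assumes a fixed secret, a user id of 1 and an `install-theme_<slug>` action string for illustration.

```php
<?php
// Standalone approximation of WordPress-style nonces (not WP's own code).
// Secret and nonce lifetime are assumptions for this example.
const NONCE_SECRET = 'example-secret-not-for-production';
const NONCE_LIFE   = 86400; // one day

// A tick changes every half lifetime, so a nonce lives between 12 and 24 hours.
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function nonce_for_tick(int $tick, string $action, int $user_id): string {
    // Truncated keyed hash over tick, action and user id.
    return substr(hash_hmac('md5', "$tick|$action|$user_id", NONCE_SECRET), -12, 10);
}

function create_nonce(string $action, int $user_id, int $now): string {
    return nonce_for_tick(nonce_tick($now), $action, $user_id);
}

function verify_nonce(string $nonce, string $action, int $user_id, int $now): bool {
    $tick = nonce_tick($now);
    // Accept the current tick and the previous one; compare in constant time.
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(nonce_for_tick($t, $action, $user_id), $nonce)) {
            return true;
        }
    }
    return false;
}

// Walk through the reproduction: the check on update.php is assumed to be scoped
// to the theme slug (an "install-theme_<slug>" action), as a theme-specific nonce.
function demonstrate(string $slug, int $user_id, int $now): array {
    $scoped_action = 'install-theme_' . $slug;

    // A nonce minted for the scoped action verifies against it.
    $scoped = create_nonce($scoped_action, $user_id, $now);

    // A generic nonce, minted without knowing which slug the server will check
    // (what a client-side API flow ends up carrying), fails against the scoped action.
    $generic = create_nonce('install-theme', $user_id, $now);

    // The credentials form must re-emit the nonce it received unchanged; if it
    // carries a different one, the second request to update.php fails as in step 5.
    $resubmitted = $scoped;

    return [
        'scoped_verifies'      => verify_nonce($scoped, $scoped_action, $user_id, $now),
        'generic_verifies'     => verify_nonce($generic, $scoped_action, $user_id, $now),
        'resubmitted_verifies' => verify_nonce($resubmitted, $scoped_action, $user_id, $now),
    ];
}

var_export(demonstrate('itek', 1, time()));
```

The point the example makes is the one behind the final fix: only server-side PHP, which knows the slug at response time, can mint the scoped nonce the installer will later verify, so proxying the API request through PHP restores a valid installation nonce for the credentials round trip.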

Attachments (4)

27798.patch (557 bytes) - added by ocean90 9 years ago.
27798.2.patch (7.9 KB) - added by ocean90 9 years ago.
27798.4.patch (10.0 KB) - added by ocean90 9 years ago.
27798.5.patch (10.6 KB) - added by ocean90 9 years ago.


Change History (10)

#1 @ocean90
9 years ago

  • Keywords dev-feedback added

27798.patch would fix this, but there are many other places where a theme-specific nonce is currently used. I think we should revert to theme-specific nonces again, if possible. Opinions?

#2 @ocean90
9 years ago

  • Priority changed from high to highest omg bbq
  • Severity changed from critical to blocker

"if possible"

It's not quite possible for the JSONP requests.

This ticket was mentioned in IRC in #wordpress-dev by Clorith.
9 years ago

#4 @ocean90
9 years ago

  • Keywords has-patch added; needs-patch dev-feedback removed

27798.2.patch routes search through admin-ajax and uses themes_api().

  • Based on WP_Theme_Install_List_Table::install_theme_info()
  • Reverts [27961] for JSONP
  • Reverts parts of [27940] for num_ratings
  • Suppresses trigger_error() in themes_api() when DOING_AJAX
  • Fixes backToFilters which adds an anchor to URL

$theme->update_url can maybe be ignored because it is unused.

#5 @ocean90
9 years ago

27798.5.patch reverts parts of r28123. Themes API now supports theme=slug, which will return the theme in $api->themes, so $api->info is available too.

#6 @nacin
9 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 28126:

Theme Installer: Revert to proxying through PHP for API requests.

This is to ensure we have valid installation nonces, though we've run into this as a problem previously (see #27639, #27581, #27055).

A tad slower, but we gained speed in 3.9 by simplifying the request made to the API.

props ocean90.
fixes #27798.