Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#33098 closed defect (bug) (fixed)

Re-authenticating after expired login on Edit Post screen breaks nonces

Reported by: ericlewis
Owned by: iseulde
Milestone: 4.3
Priority: normal
Severity: critical
Version: 4.0
Component: Login and Registration
Keywords: has-patch

Description (last modified by ericlewis)

See screencast.

This changed in r29221 as a result of #20276, as nonces now include a user token which changes when a user is re-authenticated.

Attachments (6)

33098.mp4 (999.3 KB) - added by ericlewis 5 years ago.
33098.patch (3.9 KB) - added by iseulde 5 years ago.
33098.2.patch (4.5 KB) - added by iseulde 5 years ago.
33098.3.patch (5.0 KB) - added by azaozz 5 years ago.
33098.4.patch (5.2 KB) - added by iseulde 5 years ago.
33098.5.patch (5.1 KB) - added by azaozz 5 years ago.

Change History (18)

#1 @ericlewis
5 years ago

  • Description modified (diff)

#2 @nacin
5 years ago

  • Milestone changed from Awaiting Review to 4.3
  • Severity changed from normal to critical

@krogsgard mentioned this to me recently. I wished we caught this then.

#3 @ocean90
5 years ago

Related: [32054]

#4 @iseulde
5 years ago

Related: #24447.

#5 @iseulde
5 years ago

  • Keywords has-patch added

The above patch should fix the problem with minimal changes. It no longer requires a valid nonce to refresh nonces. Ideally nonce refreshing should be baked into the Heartbeat API, but I think that's for a future release.

#6 @azaozz
5 years ago

In 33098.3.patch:

  • Move the nonces refresh to separate filter.
  • If nonces have expired, only include the nonce refresh in the response (prevents errors when other actions check nonces).

This still needs some polishing, better naming, etc. Also, a couple of places can be improved.

Last edited 5 years ago by azaozz

#7 @iseulde
5 years ago

Renamed the filter. Working great here.

#8 @obenland
5 years ago

  • Owner set to iseulde
  • Status changed from new to assigned

This ticket was mentioned in Slack in #core-editor by iseulde. View the logs.
5 years ago

#10 @azaozz
5 years ago

In 33098.5.patch: fix/tweak the logic when requesting nonces update (post.js).

This ticket was mentioned in Slack in #core by mark. View the logs.
5 years ago

#12 @azaozz
5 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 33468:

Fix updating of nonces on the Edit Post screen after the log in expires and the user logs in again.
Props iseulde, azaozz. Fixes #33098.