Make WordPress Core

Opened 9 years ago

Closed 8 years ago

#36231 closed defect (bug) (worksforme)

Nonce validation fails if JSON body contains "_wpnonce"

Reported by: rmccue's profile rmccue Owned by: rmccue's profile rmccue
Milestone: Priority: normal
Severity: normal Version: 4.4
Component: REST API Keywords:
Focuses: Cc:

Description

PHP parses the request body into $_POST regardless of content type. When sending JSON data that includes &_wpnonce= in the data (e.g. data containing a URL), PHP will parse the nonce out, but will include a bunch of garbage data due to the JSON data after it.

We should 1) check $_GET and $_POST separately instead of via $_REQUEST, and 2) only check $_POST if the content-type matches application/x-www-url-formencoded or multipart/form-data.

Change History (7)

#1 @kirasong
9 years ago

  • Owner set to rmccue
  • Status changed from new to assigned

This ticket was mentioned in Slack in #core by chriscct7. View the logs.


9 years ago

This ticket was mentioned in Slack in #core by mike. View the logs.


9 years ago

This ticket was mentioned in Slack in #core-restapi by rmccue. View the logs.


9 years ago

#5 @rmccue
9 years ago

Hmm. Unable to replicate now; can anyone else? Might have been a PEBKAC.

#6 @kirasong
9 years ago

  • Milestone changed from 4.5 to Future Release

Per @rmccue's note, and proximity to RC, punting to Future Release.

Feel free to re-add if a patch/approach is found.

#7 @rmccue
8 years ago

  • Keywords needs-patch removed
  • Milestone Future Release deleted
  • Resolution set to worksforme
  • Status changed from assigned to closed

This one appears to be invalid; tested at WCEU contributor day, thanks to @aidvu.

Note: See TracTickets for help on using tickets.