Opened 9 years ago
Closed 8 years ago
#36231 closed defect (bug) (worksforme)
Nonce validation fails if JSON body contains "_wpnonce"
| Reported by: | rmccue | Owned by: | rmccue |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.4 |
| Component: | REST API | Keywords: | |
| Focuses: | | Cc: | |
Description
PHP parses the request body into $_POST regardless of content type. When sending JSON data that includes &_wpnonce= in the data (e.g. data containing a URL), PHP will parse the nonce out, but will include a bunch of garbage data due to the JSON data after it.

We should 1) check $_GET and $_POST separately instead of via $_REQUEST, and 2) only check $_POST if the content-type matches application/x-www-form-urlencoded or multipart/form-data.
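The lookup the description proposes, written out as an added example (this is not WordPress core code and not the reporter's patch): the query string and the body are checked separately, and the body is only decoded as key=value pairs when the declared Content-Type is a form type. The function name, its parameters and the sample requests are assumptions made for the illustration; multipart bodies are deliberately not decoded here because that needs a boundary parser.

```php
<?php
// Added example, not WordPress core code. Names are hypothetical.
// Demonstrates checking the query string and the form body separately,
// and parsing the body as form data only when Content-Type says so.

/**
 * Return the nonce sent with this request, or null if there is none.
 *
 * @param array  $query        Decoded query-string parameters (stands in for $_GET).
 * @param string $content_type Value of the Content-Type request header.
 * @param string $raw_body     Raw request body (stands in for php://input).
 */
function find_request_nonce(array $query, string $content_type, string $raw_body): ?string
{
    // 1) Query string is checked on its own, never through the merged $_REQUEST.
    if (isset($query['_wpnonce']) && is_string($query['_wpnonce'])) {
        return $query['_wpnonce'];
    }

    // 2) Only treat the body as key=value pairs when the client declared it as a form.
    //    Drop parameters such as "; charset=utf-8" before comparing the media type.
    $media_type = strtolower(trim(explode(';', $content_type, 2)[0]));
    $form_types = ['application/x-www-form-urlencoded', 'multipart/form-data'];
    if (!in_array($media_type, $form_types, true)) {
        // JSON, XML, plain text: a "_wpnonce" substring in the body is just data.
        return null;
    }

    if ($media_type === 'multipart/form-data') {
        // Assumption for this example: multipart decoding (boundary parsing) is out of scope.
        return null;
    }

    // parse_str() applies the same key=value decoding PHP uses to build $_POST
    // for urlencoded forms, so this shows exactly what a misdeclared body would yield.
    parse_str($raw_body, $form);
    if (isset($form['_wpnonce']) && is_string($form['_wpnonce'])) {
        return $form['_wpnonce'];
    }
    return null;
}

// Constructed sample requests (not captured traffic).
$json_body = json_encode(['url' => 'https://example.com/?a=1&_wpnonce=deadbeef']);

// JSON body whose URL field happens to contain "&_wpnonce=": correctly ignored.
var_dump(find_request_nonce([], 'application/json', $json_body));

// The same bytes declared as a urlencoded form: parse_str() splits on "&" and "="
// and returns the nonce with the trailing JSON characters attached.
var_dump(find_request_nonce([], 'application/x-www-form-urlencoded', $json_body));

// A genuine form post, with a charset parameter on the Content-Type.
var_dump(find_request_nonce([], 'application/x-www-form-urlencoded; charset=utf-8',
                            'action=save&_wpnonce=0123456789'));

// A nonce in the query string is used whatever the body type is.
var_dump(find_request_nonce(['_wpnonce' => 'abc'], 'application/json', $json_body));
```

The second call is the case the ticket describes: when the JSON bytes are decoded as a form, the value after _wpnonce= runs up to the next & or the end of the body, so the closing quote and brace of the JSON object become part of the "nonce" and validation fails. Gating the body parse on the media type makes that input return null instead, and a nonce the client really wants checked still arrives through the query string or a properly declared form body.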
Change History (7)
9 years ago: This ticket was mentioned in Slack in #core by chriscct7.

9 years ago: This ticket was mentioned in Slack in #core by mike.

9 years ago: This ticket was mentioned in Slack in #core-restapi by rmccue.
Hmm. Unable to replicate now; can anyone else? Might have been a PEBKAC.