Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#4884 closed defect (bug) (fixed)

wp_nonce_url() is generating broken URLs

Reported by: Viper007Bond
Owned by: markjaquith
Milestone: 2.3
Priority: highest omg bbq
Severity: blocker
Version: 2.3
Component: General
Keywords:
Focuses:
Cc:

Description

wp_nonce_url() is generating bad URLs. For example, here is the activation URL for the "Hello Dolly" plugin:

plugins.php?action=activate&amp%3Bplugin=hello.php&_wpnonce=fbb5d56d32

Clicking that link takes you to a nonce confirmation screen which after clicking "Yes", leaves you without the action being taken (in this case, the plugin being activated).


PHP v5.2.1
Latest WP SVN ([6001])
WAMP environment
All plugins disabled

Attachments (1)

http_build_query.php (2.9 KB) - added by Viper007Bond 7 years ago.
PHP_Compat version


Change History (10)

comment:1 Viper007Bond 7 years ago

[5999] probably is the cause.

Viper007Bond 7 years ago

PHP_Compat version

comment:2 Viper007Bond 7 years ago

If the _http_build_query() we currently have is the problem, I just attached a version from the PHP_Compat project at php.net. It should replicate the PHP5 function perfectly.

comment:3 ryan 7 years ago

  • Owner changed from anonymous to markjaquith

comment:4 follow-up: markjaquith 7 years ago

  • Status changed from new to assigned

The PEAR one has issues (don't remember what -- just remember that it gives different results than PHP5's function). [6005] should have fixed this, although I might end up moving that fix up the line to wp_nonce_url()

And this issue happens on PHP5 hosts, so it's not an issue with the compat function, but with http_build_query()'s handling of &amp;

At any rate, &amp; doesn't belong in a URL until we're ready to output it to HTML. I wouldn't expect http_build_query() to handle that. I'm going to leave this ticket open and track the issue here, as most of the instances I've found are using wp_nonce_url()

comment:5 in reply to: ↑ 4 Viper007Bond 7 years ago

Replying to markjaquith:

And this issue happens on PHP5 hosts, so it's not an issue with the compat function

Oh, dur. lol

comment:6 Viper007Bond 7 years ago

Still broken for plugins in subdirectories due to the slash.

plugins.php?action=deactivate&plugin=templatedia%252Ftemplatedia.php&_wpnonce=a1dd0b09dd

comment:7 markjaquith 7 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [6008]) Eliminate double urlencode()ing in add_query_arg(). Move &amp;-to-& conversion to wp_nonce_url(). fixes #4884

comment:8 markjaquith 7 years ago

  • Keywords needs-patch removed

Problem was that we were doing urlencode_deep(), but http_build_query() also does that -- so we were double-encoding. The &amp;-to-& conversion needs to stay -- but I moved it to wp_nonce_url().

comment:9 Viper007Bond 7 years ago

Confirmed fixed. Thanks. :)
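
The two failure modes discussed in this ticket (an HTML-escaped &amp; treated as URL data, and values encoded twice), reproduced as an added PHP example. This is not WordPress core code or the committed patch; the function names and the NONCE placeholder are assumptions made for illustration.

```php
<?php
// Added illustration: a simplified model of the bug, not WordPress core code.
// Function names and the NONCE placeholder are hypothetical.

function split_url(string $url): array {
    // Returns [path, query]; query is '' when the URL has no '?'.
    return array_pad(explode('?', $url, 2), 2, '');
}

// Buggy shape: values are urlencode()d and then http_build_query() encodes
// them again; an HTML-escaped '&amp;' in the input is treated as URL data.
function add_args_buggy(string $url, array $extra): string {
    [$path, $query] = split_url($url);
    parse_str($query, $args);
    $args = array_map('urlencode', array_merge($args, $extra));
    return $path . '?' . http_build_query($args, '', '&');
}

// Fixed shape: undo HTML entities first, let http_build_query() encode once.
function add_args_fixed(string $url, array $extra): string {
    [$path, $query] = split_url(str_replace('&amp;', '&', $url));
    parse_str($query, $args);
    return $path . '?' . http_build_query(array_merge($args, $extra), '', '&');
}

// What the receiving script would see in its query parameters.
function received(string $url): array {
    parse_str(split_url($url)[1], $args);
    return $args;
}

$nonce = ['_wpnonce' => 'NONCE']; // placeholder, not a real nonce
$inputs = [ // constructed sample URLs modelled on the ones in this ticket
    'plugins.php?action=activate&amp;plugin=hello.php',                 // HTML-escaped
    'plugins.php?action=deactivate&plugin=templatedia/templatedia.php', // slash in value
];

foreach ($inputs as $in) {
    foreach (['add_args_buggy', 'add_args_fixed'] as $fn) {
        $out = $fn($in, $nonce);
        echo "$fn: $out\n";
        echo '  plugin seen by handler: ';
        var_export(received($out)['plugin'] ?? null);
        echo "\n";
    }
}

// Entity-escape only at the point of HTML output.
echo '<a href="' . htmlspecialchars(add_args_fixed($inputs[0], $nonce), ENT_QUOTES) . '">Activate</a>' . "\n";
```

With the buggy helper the handler receives either no plugin parameter at all (the key arrives as amp;plugin) or a value that is still percent-encoded after one decode, which is why the confirmed action never ran.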
