Make WordPress Core

Opened 3 years ago

Closed 19 months ago

Last modified 19 months ago

#54106 closed defect (bug) (fixed)

wp_nonce_field in get forms

Reported by: msolution's profile msolution Owned by: pbearne's profile pbearne
Milestone: 6.1 Priority: normal
Severity: normal Version:
Component: General Keywords: has-unit-tests has-patch has-testing-info
Focuses: administration Cc:

Description

hey,
while testing one of plugins came across this issue.
recreate the issue:

  1. create an admin side form with method=get
  2. add wp_nonce_field() to the form, which in turn also gets wp_referer_field()
  3. every time u submit, the hidden field _wp_http_referer gets an additional version of _wp_http_referer in the value.
  4. there comes a time where the form is huge and it wont submit.

Solution:
we should have remove_query_arg() inside the function wp_referer_field(), to remove any instance of _wp_http_referer in the $_SERVER[REQUEST_URI]

Hope this helps.

Attachments (1)

54106.txt (1.2 KB) - added by msolution 3 years ago.
A simple WordPress admin panel, which i was required to make the form method as get. It has a walker class listing items, the search form is what im talking about, after too many searches

Download all attachments as: .zip

Change History (28)

This ticket was mentioned in Slack in #core-test by hellofromtonya. View the logs.


3 years ago

#2 @justinahinon
3 years ago

Hello @msolution, thanks for opening the ticket.

Could you add more details to reproduce the issue? Where are you adding the admin form?
Do you mind adding a code snippet?

@msolution
3 years ago

A simple WordPress admin panel, which i was required to make the form method as get. It has a walker class listing items, the search form is what im talking about, after too many searches

#3 @pbearne
2 years ago

  • Owner set to pbearne
  • Status changed from new to assigned

This ticket was mentioned in PR #2242 on WordPress/wordpress-develop by pbearne.


2 years ago
#4

  • Keywords has-patch has-unit-tests added

now removes _wp_http_referer from the url when creating a hidden input for _wp_http_referer

Trac ticket: https://core.trac.wordpress.org/ticket/54106

#5 @pbearne
2 years ago

  • Milestone changed from Awaiting Review to 6.0

This ticket was mentioned in Slack in #core by mike. View the logs.


2 years ago

#7 @kirasong
2 years ago

  • Keywords needs-patch needs-refresh added; has-patch removed

This ticket was checked into at a bug scrub for 6.0 today.

It looks like the PR has some changes requested, and needs a refresh against trunk.

I'm going to update the keywords, and also move it out of the milestone for that reason.

If it's ready before RC, feel free to move it back in for consideration.

Thanks for all your work here!

#8 @kirasong
2 years ago

  • Milestone changed from 6.0 to 6.1

#9 @mukesh27
20 months ago

  • Keywords changes-requested has-patch added; needs-patch removed

Hi, @pbearne I left some feedback on PR Can you please address the PR feedback so it can move forward? It near to merge for 6.1 milestone.

#10 @mukesh27
20 months ago

  • Keywords needs-refresh changes-requested removed

Thanks @pbearne for addressing the PR feedback. PR is ready for the second review. @davidbaumwald Can you please re-review it?

Last edited 20 months ago by mukesh27 (previous) (diff)

mukeshpanchal27 commented on PR #2242:


20 months ago
#11

@dream-encode @costdev Can you please re-review?

This ticket was mentioned in Slack in #core by audrasjb. View the logs.


20 months ago

#14 @audrasjb
20 months ago

As per today's bug scrub, the current PR looks ready to go.
Thanks @Clorith for having a quick look on this with me :)

robinwpdeveloper commented on PR #2242:


20 months ago
#15

LGTM as well.
Thanks @pbearne

#16 @mukesh27
19 months ago

Thanks to @audrasjb and @Clorith for the reviews. I was wondering if it was on your list for 6.1? 

This ticket was mentioned in Slack in #core by chaion07. View the logs.


19 months ago

#18 @chaion07
19 months ago

  • Keywords changes-requested added

@msolution thank you for reporting this. We reviewed the ticket during a recent bug-scrub session. Based on the feedback received we are making the following changes:

  1. Adding keyword changes-requested since @mukesh27 had reviewed the PR recently
  2. We are optimistic to see this land in 6.1 so hoping for the next steps to be executed ASAP!

Cheers!

Props to @mukesh27 @robinwpdeveloper & @hztyfoon

#19 @msolution
19 months ago

Dear @chaion07, @mukesh27, @robinwpdeveloper, @hztyfoon @pbearne @mikeschroder
thanks for looking into this, looking forward to this being included.

#20 @davidbaumwald
19 months ago

  • Focuses performance removed
  • Keywords needs-testing added; changes-requested removed

@adamsilverstein Indicated this is not performance related, and I tend to agree.

Also, this needs to be tested with the instructions at that top to see if the PR indeed does resolve the issue and that there aren't any unintended side effects.

I'm leaning toward punting this to 6.2 with 6.1 RC in a few days, but if this can be tested, I'm open to merging at that time.

#21 @costdev
19 months ago

  • Keywords has-testing-info added

Test Report

Patch tested: https://github.com/WordPress/wordpress-develop/pull/2242

Steps to Reproduce or Test

  1. Create a new file wp-content/plugins/test_54106.php with the following contents:
    <?php
    
    /**
     * Plugin Name: 54106
     * Description: Adds an admin notice to test <a href='https://core.trac.wordpress.org/ticket/54106'>54106</a>.
     * Author:      WordPress Core Contributors
     * Author URI:  https://make.wordpress.org/core
     * License:     GPLv2 or later
     * Version:     1.0.0
     */
    
    add_action(
            'admin_notices',
            function() {
                    printf(
                            '<div class="notice notice-info">%1$s%2$s<form method="GET">%3$s%4$s</form><br></div>',
                            '<p><strong>Testing instructions:</strong><br>Click "Submit" and note the entry for <code>_wp_http_referer</code> in the URL each time.</p>',
                            '<p><strong>Expected results:</strong><br>Without patch: <code>_wp_http_referer</code> is repeatedly appended to the URL.<br>With patch: <code>_wp_http_referer</code> is not repeatedly appended to the URL.</p>',
                            wp_nonce_field(),
                            '<input type="submit">'
                    );
            }
    );
    
  2. Navigate to Dashboard.
  3. 🐞 Submit the form in the admin notice. Then submit it again. Repeat as many times as you want to.

Expected Results

When reproducing a bug:

  • _wp_http_referer will be added multiple times to the URL and the hidden _wp_http_referer form field.

When testing a patch to validate it works as expected:

  • _wp_http_referer will not be added multiple times to the URL and the hidden _wp_http_referer form field.

Environment

  • Server: Apache (Linux)
  • WordPress: 6.1-beta2-54337-src
  • Browser: Chrome 106.0.0.0
  • OS: Windows 10
  • Theme: Twenty Twenty-Two
  • Plugins:
    • 54106 1.0.0

Actual Results

When reproducing a bug:

  • ❌ Issue reproduced. _wp_http_referer was added multiple times to the URL and the hidden _wp_http_referer form field.

When testing a patch to validate it works as expected:

  • ✅ Patch resolves the issue. _wp_http_referer was not added multiple times to the URL and the hidden _wp_http_referer form field.
Last edited 19 months ago by costdev (previous) (diff)

#22 @mukesh27
19 months ago

  • Keywords needs-testing removed

Test Report

I follow similar steps as above and it working fine.

Environment

  • Server: Linux 06484d457c81
  • WordPress: 6.1-beta3-54390-src
  • Browser: Chrome 106.0.5249.103
  • OS: Macos
  • Theme: Twenty Twenty-Two
  • Plugins:
    • 54106 1.0.0

#23 @audrasjb
19 months ago

Self assigning for final testing and commit.

audrasjb commented on PR #2242:


19 months ago
#24

Ah well… now it doesn't look good to me: this PR adds a new wpRefererFeld.php file in tests, but there's already a wpRefererField.php file :)

Ping @pbearne

mukeshpanchal27 commented on PR #2242:


19 months ago
#25

@audrasjb Can you please review it. It's ready for final review and merge.

#26 @audrasjb
19 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 54449:

General: Remove instances of _wp_http_referer from GET forms in the admin.

This changeset removes all instances of _wp_http_referer variable from the URL when creating a hidden input for _wp_http_referer. It prevents the hidden field from having an additional version of _wp_http_referer each time the form is submitted.

Props msolution, justinahinon, pbearne, mikeschroder, mukesh27, audrasjb, Clorith, chaion07, robinwpdeveloper, hztyfoon, davidbaumwald, costdev, adamsilverstein.
Fixes #54106.

Note: See TracTickets for help on using tickets.