Make WordPress Core

Opened 16 years ago

Closed 14 years ago

Last modified 14 years ago

#8552 closed enhancement (duplicate)

Change notice text when wpnonce is missing

Reported by: mastermind's profile mastermind Owned by:
Milestone: Priority: normal
Severity: minor Version: 2.7
Component: Administration Keywords:
Focuses: Cc:

Description

Each security-relevant request in the WP admin requires a "nonce" to be present, which is embedded into a form or attached to a URL. If the wpnonce is missing, WP asks, if the user really intends to perform the requested action. So far so good.

Now, I realize that in my test installation, the buttons "Yes" and "No" are missing. WP only asks "Are you sure you want to do this?".

Reproducable with a direct call to calling http://example.org/wp-admin/update-core.php?action=do-core-upgrade.

Tested with r78666.

Change History (6)

#1 @filosofo
16 years ago

You can't have the buttons because they're vulnerable to a CSRF attack (see here: #5838 ). Perhaps the text should be changed from "are you sure?" to something else.

#2 @azaozz
16 years ago

  • Milestone changed from 2.7 to 2.8
  • Severity changed from major to minor
  • Summary changed from Confirmation dialogue (when wpnonce is missing) lacks buttons to Change notice text when wpnonce is missing
  • Type changed from defect to enhancement

#3 @mastermind
16 years ago

If this is so, then perhaps it should behave like in all the other situations (which explains why I couldn't reproduce it by deleting the _wpnonce from a URL): Simply say that the action has failed.

#4 @janeforshort
15 years ago

  • Milestone changed from 2.8 to Future Release

Punting to be evaluated in next development cycle due to time constraints.

#5 @solarissmoke
14 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

#15394 has a patch and is tagged for 3.2

#6 @dd32
14 years ago

  • Milestone Future Release deleted
Note: See TracTickets for help on using tickets.