#8552 closed enhancement (duplicate)
Change notice text when wpnonce is missing
Reported by: | mastermind | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | minor | Version: | 2.7 |
Component: | Administration | Keywords: | |
Focuses: | Cc: |
Description
Each security-relevant request in the WP admin requires a "nonce" to be present, which is embedded into a form or attached to a URL. If the wpnonce is missing, WP asks, if the user really intends to perform the requested action. So far so good.
Now, I realize that in my test installation, the buttons "Yes" and "No" are missing. WP only asks "Are you sure you want to do this?".
Reproducable with a direct call to calling http://example.org/wp-admin/update-core.php?action=do-core-upgrade.
Tested with r78666.
Change History (6)
#2
@
16 years ago
- Milestone changed from 2.7 to 2.8
- Severity changed from major to minor
- Summary changed from Confirmation dialogue (when wpnonce is missing) lacks buttons to Change notice text when wpnonce is missing
- Type changed from defect to enhancement
#3
@
16 years ago
If this is so, then perhaps it should behave like in all the other situations (which explains why I couldn't reproduce it by deleting the _wpnonce from a URL): Simply say that the action has failed.
#4
@
15 years ago
- Milestone changed from 2.8 to Future Release
Punting to be evaluated in next development cycle due to time constraints.
You can't have the buttons because they're vulnerable to a CSRF attack (see here: #5838 ). Perhaps the text should be changed from "are you sure?" to something else.