From 6406e9bbeb308312a6535d71e3d436217151933f Mon Sep 17 00:00:00 2001
From: Ryan Boren <ryan@git.wordpress.org>
Date: Wed, 19 Sep 2007 19:32:34 +0000
Subject: [PATCH] Extra protection in check_ajax_referer from mdawaffe. fixes
 #4939

git-svn-id: https://develop.svn.wordpress.org/trunk@6138 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/pluggable.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index 97be01b4a4..d6c20ce4f4 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -349,6 +349,12 @@ function check_admin_referer($action = -1) {
 
 if ( !function_exists('check_ajax_referer') ) :
 function check_ajax_referer() {
+	$current_name = '';
+	if ( ( $current = wp_get_current_user() ) && $current->ID )
+		$current_name = $current->data->user_login;
+	if ( !$current_name )
+		die('-1');
+
 	$cookie = explode('; ', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie
 	foreach ( $cookie as $tasty ) {
 		if ( false !== strpos($tasty, USER_COOKIE) )
@@ -356,7 +362,8 @@ function check_ajax_referer() {
 		if ( false !== strpos($tasty, PASS_COOKIE) )
 			$pass = substr(strstr($tasty, '='), 1);
 	}
-	if ( !wp_login( $user, $pass, true ) )
+
+	if ( $current_name != $user || !wp_login( $user, $pass, true ) )
 		die('-1');
 	do_action('check_ajax_referer');
 }