Multisite: Add a nonce to the "Cancel" URL when changing a site's admin email.

Props scottbasgaard.
Fixes #36954.


git-svn-id: https://develop.svn.wordpress.org/trunk@38006 602fd350-edb4-49c9-b593-d223f7449a82
Jeremy Felt 2016-07-07 17:12:54 +00:00
parent f41d3cff7d
commit 8a7d81b627
2 changed files with 2 additions and 1 deletions


@ -112,7 +112,7 @@ if ( $new_admin_email && $new_admin_email != get_option('admin_email') ) : ?>
);
printf(
' <a href="%1$s">%2$s</a>',
esc_url( admin_url( 'options.php?dismiss=new_admin_email' ) ),
esc_url( wp_nonce_url( admin_url( 'options.php?dismiss=new_admin_email' ), 'dismiss-' . get_current_blog_id() . '-new_admin_email' ) ),
__( 'Cancel' )
);
?></p>
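Review bot: The nonce action `'dismiss-' . get_current_blog_id() . '-new_admin_email'` is written out as a literal in the `wp_nonce_url()` call and has to match, character for character, the action passed to `check_admin_referer()` in the handler this link points to (the second file in this commit). If the two strings drift apart, verification fails for every user and the Cancel link stops working; it fails closed, so this is a maintenance hazard rather than a bypass. A short comment above the `printf()` would record the coupling: `// Nonce action must match check_admin_referer() in the 'dismiss' branch of options.php.` The surrounding `if` block starts and ends outside the hunk.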


@ -66,6 +66,7 @@ if ( is_multisite() ) {
wp_redirect( admin_url( $redirect ) );
exit;
} elseif ( ! empty( $_GET['dismiss'] ) && 'new_admin_email' == $_GET['dismiss'] ) {
check_admin_referer( 'dismiss-' . get_current_blog_id() . '-new_admin_email' );
delete_option( 'adminhash' );
delete_option( 'new_admin_email' );
wp_redirect( admin_url( 'options-general.php?updated=true' ) );
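Review bot: The added `check_admin_referer()` call confirms that the request came from a link this site generated for the current user, but it does not decide whether that user is allowed to discard the pending email change. The hunk does not show a capability check ahead of the `dismiss` branch; one presumably runs earlier in the file, and if so a comment above the new line would make the dependency explicit: `// CSRF check only; authorization relies on the capability check earlier in this file.` The dismissal is also still a state change carried on a GET request, so the nonce appears in the URL and can end up in browser history and access logs; the nonce's limited lifetime and per-user binding bound that exposure. The enclosing `if ( is_multisite() )` block continues past the end of the hunk.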