From a03376e798eb87b9729ab7d1c8c29c33085e049e Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Sun, 28 Aug 2016 17:14:52 +0000
Subject: [PATCH] Security: Trigger a `_doing_it_wrong()` when `check_ajax_referer()` is called without its first parameter. This brings it inline with `check_admin_referer()`.

Fixes #36361

git-svn-id: https://develop.svn.wordpress.org/trunk@38420 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/pluggable.php | 4 ++++
 tests/phpunit/tests/auth.php | 28 ++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php
index 1e6b220f01..dc10c7f393 100644
--- a/src/wp-includes/pluggable.php
+++ b/src/wp-includes/pluggable.php
@@ -1080,6 +1080,10 @@ if ( !function_exists('check_ajax_referer') ) :
  * 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
  */
 function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
+	if ( -1 == $action ) {
+		_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '4.7' );
+	}
+
 	$nonce = '';
 
 	if ( $query_arg && isset( $_REQUEST[ $query_arg ] ) )
diff --git a/tests/phpunit/tests/auth.php b/tests/phpunit/tests/auth.php
index 94d77388f1..581e856f64 100644
--- a/tests/phpunit/tests/auth.php
+++ b/tests/phpunit/tests/auth.php
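Review bot: The new guard at the top of check_ajax_referer() uses the loose `-1 == $action`, which under PHP's type juggling also fires for `true` and, on PHP 7's comparison rules, for numeric-prefixed strings such as `'-1foo'`, while a bare strict `-1 === $action` would miss the string `'-1'` that concatenates into the same nonce hash; `if ( -1 === $action || '-1' === $action )` states the intent without the juggling surprises, though the loose form does mirror check_admin_referer() as the commit intends. The guard is advisory only: after `_doing_it_wrong()` returns, the function still verifies the generic `-1` nonce, so a caller that omits the action keeps accepting a nonce that is not bound to any specific action, and the notice itself is presumably only surfaced in debug configurations. A docblock line such as `@since 4.7.0 Calling without an action triggers _doing_it_wrong(); the generic nonce is still verified.` would make that contract explicit for callers. The docblock and the rest of check_ajax_referer() lie outside the hunk.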
@@ -149,6 +149,34 @@ class Tests_Auth extends WP_UnitTestCase {
 		$this->assertEquals( $count, did_action( $this->nonce_failure_hook ) );
 	}
 
+	/**
+	 * @ticket 36361
+	 */
+	public function test_check_admin_referer_with_no_action_triggers_doing_it_wrong() {
+		$this->setExpectedIncorrectUsage( 'check_admin_referer' );
+
+		// A valid nonce needs to be set so the check doesn't die()
+		$_REQUEST['_wpnonce'] = wp_create_nonce( -1 );
+		$result = check_admin_referer();
+		$this->assertSame( 1, $result );
+
+		unset( $_REQUEST['_wpnonce'] );
+	}
+
+	/**
+	 * @ticket 36361
+	 */
+	public function test_check_ajax_referer_with_no_action_triggers_doing_it_wrong() {
+		$this->setExpectedIncorrectUsage( 'check_ajax_referer' );
+
+		// A valid nonce needs to be set so the check doesn't die()
+		$_REQUEST['_wpnonce'] = wp_create_nonce( -1 );
+		$result = check_ajax_referer();
+		$this->assertSame( 1, $result );
+
+		unset( $_REQUEST['_wpnonce'] );
+	}
+
 	function test_password_length_limit() {
 		$limit = str_repeat( 'a', 4096 );