Require a non-empty $nonce value in wp_verify_nonce().

props ocean90. fixes #29217. git-svn-id: https://develop.svn.wordpress.org/trunk@29620 602fd350-edb4-49c9-b593-d223f7449a82
2014-08-26 07:38:51 +00:00 · 2014-08-26 07:38:51 +00:00 · bf0272c8b1
commit bf0272c8b1
parent 8f66ff570e
2 changed files with 12 additions and 0 deletions
--- a/src/wp-includes/pluggable.php
+++ b/src/wp-includes/pluggable.php
@ -1707,6 +1707,10 @@ function wp_verify_nonce($nonce, $action = -1) {
 		$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
 	}

+	if ( empty( $nonce ) ) {
+		return false;
+	}
+
 	$token = wp_get_session_token();
 	$i = wp_nonce_tick();

--- a/tests/phpunit/tests/auth.php
+++ b/tests/phpunit/tests/auth.php
@ -91,4 +91,12 @@ class Tests_Auth extends WP_UnitTestCase {
 		$password = "pass with vertial tab o_O\x0B";
 		$this->assertTrue( wp_check_password( 'pass with vertial tab o_O', wp_hash_password( $password ) ) );
 	}
+
+	/**
+	 * @ticket 29217
+	 */
+	function test_wp_verify_nonce_with_empty_arg() {
+		$this->assertFalse( wp_verify_nonce( '' ) );
+		$this->assertFalse( wp_verify_nonce( null ) );
+	}
 }