Administration: Ensure that admin referer nonce is valid.

Coding standards: ensure that the nonce action is compared with the identical (`===`) rather than the equal (`==`) operator.

Props vortfu, xknown, whyisjake.


git-svn-id: https://develop.svn.wordpress.org/trunk@46477 602fd350-edb4-49c9-b593-d223f7449a82
Jake Spurlock 2019-10-14 15:38:14 +00:00
parent f06c6bb20c
commit f53a78fda7
2 changed files with 13 additions and 3 deletions


@ -1106,7 +1106,7 @@ if ( ! function_exists( 'check_admin_referer' ) ) :
* 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago. * 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
*/ */
function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) { function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
if ( -1 == $action ) { if ( -1 === $action ) {
_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' ); _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
} }
@ -1125,7 +1125,7 @@ if ( ! function_exists( 'check_admin_referer' ) ) :
*/ */
do_action( 'check_admin_referer', $action, $result ); do_action( 'check_admin_referer', $action, $result );
if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) { if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
wp_nonce_ays( $action ); wp_nonce_ays( $action );
die(); die();
} }
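Review bot: With `-1 === $action` on the first line of the function and again on the line before `wp_nonce_ays()`, a string `'-1'` action is no longer treated as the default: it neither triggers the `_doing_it_wrong()` notice nor reaches the referer fallback, and is verified like any other action. That is a behaviour change callers can observe, so the docblock above should say it, e.g. `Only the integer default -1 is treated as "no action"; the string '-1' is verified as an ordinary action.`. The fallback kept in the second hunk still tolerates a failed nonce when the default action is used and `$referer` starts with `$adminurl`; both values are computed outside the hunk, so where `$referer` comes from is not visible here, but if it is derived from request-supplied data this check is far weaker than the nonce and deserves an inline why-comment such as `// Legacy fallback for the integer default action only: a failed nonce is tolerated when the referer is an admin URL.`. `check_admin_referer()` begins before the first hunk, and the lines between and after the two hunks are not shown.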


@ -24,7 +24,7 @@ class Tests_Auth extends WP_UnitTestCase {
self::$user_id = self::$_user->ID; self::$user_id = self::$_user->ID;
require_once( ABSPATH . WPINC . '/class-phpass.php' ); require_once ABSPATH . WPINC . '/class-phpass.php';
self::$wp_hasher = new PasswordHash( 8, true ); self::$wp_hasher = new PasswordHash( 8, true );
} }
@ -165,6 +165,16 @@ class Tests_Auth extends WP_UnitTestCase {
unset( $_REQUEST['_wpnonce'] ); unset( $_REQUEST['_wpnonce'] );
} }
public function test_check_admin_referer_with_default_action_as_string_not_doing_it_wrong() {
$this->setExpectedIncorrectUsage( 'check_admin_referer' );
// A valid nonce needs to be set so the check doesn't die()
$_REQUEST['_wpnonce'] = wp_create_nonce( '-1' );
$result = check_admin_referer( '-1' );
$this->assertSame( 1, $result );
unset( $_REQUEST['_wpnonce'] );
}
/** /**
* @ticket 36361 * @ticket 36361
*/ */
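Review bot: The new test calls `$this->setExpectedIncorrectUsage( 'check_admin_referer' )` although its name says the string `'-1'` is not "doing it wrong", and with the check now being `-1 === $action` the string no longer triggers `_doing_it_wrong()`; if the harness verifies that an expected notice was actually raised, this test fails on its own expectation. Removing that line leaves the test asserting the intended outcome, with the harness still flagging any unexpected notice. The `unset( $_REQUEST['_wpnonce'] )` on the last line is skipped when `assertSame()` fails, so the nonce leaks into later tests; moving the `unset` above the assertion avoids that. The comment could also explain the expected value: `// A valid nonce is needed so the check doesn't die(); 1 means it was generated within the last 12 hours.`. The `require_once` hunk above is a style-only change.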