[wp-trac] [WordPress Trac] #10057: wp_nonce_field() calls wp_referer_field() with too many args

WordPress Trac wp-trac at lists.automattic.com
Wed Dec 9 04:23:45 UTC 2009


#10057: wp_nonce_field() calls wp_referer_field() with too many args
-----------------------------+----------------------------------------------
 Reporter:  coffee2code      |        Owner:  MarkJaquith
     Type:  defect (bug)     |       Status:  reopened   
 Priority:  normal           |    Milestone:  2.9        
Component:  General          |      Version:  2.8        
 Severity:  minor            |   Resolution:             
 Keywords:  has-patch early  |  
-----------------------------+----------------------------------------------
Changes (by vladimir_kolesnikov):

 * cc:  vladimir@… (added)
 * status:  closed => reopened
 * resolution:  fixed =>


Comment:

 What is the reason to call wp_original_referer_field($echo,
 >>>'previous'<<<)?

 It inserts the field with the address the user came from to the page with
 the form.

 Say, we have a form on a page admin.php?page=some/file.php which submits
 to wp-admin/admin-posts.php. If the user comes to
 admin.php?page=some/file.php from, say, Google, the generated fields will
 be:

 {{{
 <input type="hidden" value="ef08c8f103" name="_wpnonce" id="_wpnonce"/>
 <input type="hidden" value="http://www.google.ru/"
 name="_wp_original_http_referer"/>
 }}}

 In this case _wp_original_http_referer field will be meaningless.

 Moreover, check_admin_referer() function calls wp_get_referer() to get the
 referring page. wp_get_referer() checks $_REQUEST['_wp_http_referer']
 (which wp_nonce_field() '''used to''' generate) which is not there since
 wp_original_referer_field() inserts a different field
 _wp_original_http_referer.

 Now the code (plugins, I mean) that relies upon wp_get_referer() is less
 reliable because wp_get_referer() will use only $_SERVER['HTTP_REFERER'],
 which is often empty (blocked by the firewall, browser, etc., esp. when the
 FORCE_SSL_ADMIN constant is set).

 In brief:
   1. The patch breaks backward compatibility
   2. wp_get_referer() is now less reliable
   3. If you need to use _wp_http_referer, you have to add a call to
 wp_referer_field() in addition to wp_nonce_field().

 Is this the intended behavior?

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10057#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
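The plugin-side workaround described in point 3 of the comment above, written out as an added example (this is not code from the ticket, from the reporter, or from WordPress core). It assumes a plugin loaded inside WordPress 2.9, so that wp_nonce_field(), wp_referer_field(), check_admin_referer(), wp_get_referer(), admin_url(), sanitize_text_field(), wp_safe_redirect() and the admin-post.php dispatcher are available; the action name `example_save`, the menu slug `example-settings` and the option name `example_value` are assumptions chosen for the illustration.

```php
<?php
// Added example, not from the ticket or from WordPress core. Assumes it runs
// as part of a plugin inside WordPress 2.9. The names 'example_save',
// 'example-settings' and 'example_value' are assumptions for this illustration.

// Renders the form on the plugin's page, admin.php?page=example-settings.
// The form posts to wp-admin/admin-post.php, which dispatches on the
// 'action' field to the admin_post_{action} hook registered below.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save" />
        <?php
        // After the change discussed on this ticket, wp_nonce_field() with
        // $referer = true emits _wp_original_http_referer (the page the user
        // arrived from, e.g. a search engine), which is useless for jumping
        // back to this form. Emit only the nonce here ($referer = false) and
        // add _wp_http_referer (the current page) ourselves so that
        // wp_get_referer() does not have to rely on $_SERVER['HTTP_REFERER'].
        wp_nonce_field( 'example_save', '_wpnonce', false );
        wp_referer_field();
        ?>
        <p>
            <label for="example_value">Value</label>
            <input type="text" id="example_value" name="example_value" value="" />
        </p>
        <p><input type="submit" class="button-primary" value="Save" /></p>
    </form>
    <?php
}

// Handles the POST. Registered on admin_post_example_save so that only
// logged-in users reach it via admin-post.php.
function example_handle_save() {
    // Verifies $_REQUEST['_wpnonce'] against the 'example_save' action and
    // dies with the "Are you sure?" screen on failure. The nonce is the
    // CSRF check; the capability check below is the authorization check.
    check_admin_referer( 'example_save' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to do this.' );
    }

    $value = isset( $_POST['example_value'] )
        ? sanitize_text_field( $_POST['example_value'] )
        : '';
    update_option( 'example_value', $value );

    // wp_get_referer() consults $_REQUEST['_wp_http_referer'] first and only
    // then $_SERVER['HTTP_REFERER']. Because the form emitted _wp_http_referer
    // explicitly, this works even when the browser, a proxy, or an
    // FORCE_SSL_ADMIN setup strips the Referer header. Keep a fallback for
    // the case where neither source is present.
    $back = wp_get_referer();
    if ( ! $back ) {
        $back = admin_url( 'admin.php?page=example-settings' );
    }

    // wp_safe_redirect() refuses off-site targets, so a forged
    // _wp_http_referer cannot turn this into an open redirect.
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_example_save', 'example_handle_save' );
```

Passing `false` as the third argument to wp_nonce_field() is a choice, not a requirement: leaving it at its default would emit both `_wp_original_http_referer` and the explicit `_wp_http_referer`, which is harmless but adds a field nothing in the handler reads.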

