[wp-trac] [WordPress Trac] #25369: Adding custom fields is broken since [25433]
WordPress Trac
noreply at wordpress.org
Sat Sep 21 09:49:55 UTC 2013
#25369: Adding custom fields is broken since [25433]
-----------------------------+-----------------
Reporter: ocean90 | Owner:
Type: defect (bug) | Status: new
Priority: highest omg bbq | Milestone: 3.7
Component: General | Version:
Severity: blocker | Keywords:
-----------------------------+-----------------
In 3.6:
{{{
function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
    if ( $query_arg )
        $nonce = $_REQUEST[$query_arg];
    else
        $nonce = isset($_REQUEST['_ajax_nonce']) ? $_REQUEST['_ajax_nonce'] : $_REQUEST['_wpnonce'];

    $result = wp_verify_nonce( $nonce, $action );
    if ( $die && false == $result ) {
        if ( defined( 'DOING_AJAX' ) && DOING_AJAX )
            wp_die( -1 );
        else
            die( '-1' );
    }

    do_action('check_ajax_referer', $action, $result);

    return $result;
}
}}}
In trunk:
{{{
function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
    $nonce = '';

    if ( $query_arg && isset( $_REQUEST[$query_arg] ) )
        $nonce = $_REQUEST[$query_arg];

    if ( isset( $_REQUEST['_ajax_nonce'] ) )
        $nonce = $_REQUEST['_ajax_nonce'];

    if ( isset( $_REQUEST['_wpnonce'] ) )
        $nonce = $_REQUEST['_wpnonce'];

    $result = wp_verify_nonce( $nonce, $action );
    if ( $die && false == $result ) {
        if ( defined( 'DOING_AJAX' ) && DOING_AJAX )
            wp_die( -1 );
        else
            die( '-1' );
    }

    do_action('check_ajax_referer', $action, $result);

    return $result;
}
}}}
When adding a custom field the following data is sent:
{{{
_ajax_nonce:0
action:add-meta
metakeyselect:#NONE#
metakeyinput:foo
metavalue:bar
_ajax_nonce-add-meta:ca03740878
post_id:1
}}}
As you can see, we have two nonces here, one is 0. Through the change in
[25433], the real nonce will be overwritten.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25369>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
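
The nonce selection from both listings, run against the request shown in the ticket, as an added example that is not part of the original message or of WordPress core. The function names are hypothetical, the handler is assumed to pass `_ajax_nonce-add-meta` as `$query_arg`, and the `elseif` variant is one assumed ordering rather than the project's own fix.

```php
<?php
// Added illustration, not WordPress code: models only which request field
// each listing hands to wp_verify_nonce(). Function names are hypothetical.
// 3.6 listing: an explicit $query_arg is used exclusively (isset() added for the model).
function select_nonce_36( array $req, $query_arg = false ) {
    if ( $query_arg ) {
        return isset( $req[ $query_arg ] ) ? $req[ $query_arg ] : null;
    }
    $key = isset( $req['_ajax_nonce'] ) ? '_ajax_nonce' : '_wpnonce';
    return isset( $req[ $key ] ) ? $req[ $key ] : null;
}

// Trunk listing: three independent ifs, so the last field present wins.
function select_nonce_trunk( array $req, $query_arg = false ) {
    $nonce = '';
    if ( $query_arg && isset( $req[ $query_arg ] ) ) {
        $nonce = $req[ $query_arg ];
    }
    if ( isset( $req['_ajax_nonce'] ) ) {
        $nonce = $req['_ajax_nonce'];
    }
    if ( isset( $req['_wpnonce'] ) ) {
        $nonce = $req['_wpnonce'];
    }
    return $nonce;
}

// Assumed alternative: keep the isset() guards but chain with elseif, so the
// first field present wins and an explicit $query_arg is never overwritten.
function select_nonce_chained( array $req, $query_arg = false ) {
    if ( $query_arg && isset( $req[ $query_arg ] ) ) {
        return $req[ $query_arg ];
    } elseif ( isset( $req['_ajax_nonce'] ) ) {
        return $req['_ajax_nonce'];
    } elseif ( isset( $req['_wpnonce'] ) ) {
        return $req['_wpnonce'];
    }
    return '';
}

// Request fields copied from the ticket; values arrive as strings.
$req = array(
    '_ajax_nonce' => '0', 'action' => 'add-meta', 'metakeyselect' => '#NONE#',
    'metakeyinput' => 'foo', 'metavalue' => 'bar',
    '_ajax_nonce-add-meta' => 'ca03740878', 'post_id' => '1',
);
foreach ( array( 'select_nonce_36', 'select_nonce_trunk', 'select_nonce_chained' ) as $fn ) {
    printf( "%-22s => %s\n", $fn, var_export( $fn( $req, '_ajax_nonce-add-meta' ), true ) );
}
```

Only the trunk variant selects the `0` placeholder, which then fails verification and makes the handler die with `-1`.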