[wp-trac] [WordPress Trac] #36231: Nonce validation fails if JSON body contains "_wpnonce"

WordPress Trac noreply at wordpress.org
Mon Mar 14 07:16:29 UTC 2016

#36231: Nonce validation fails if JSON body contains "_wpnonce"
 Reporter:  rmccue        |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  4.5
Component:  REST API      |    Version:  4.4
 Severity:  normal        |   Keywords:  needs-patch
  Focuses:                |
 PHP parses the request body into `$_POST` regardless of content type. When
 sending JSON data that includes `&_wpnonce=` in the data (e.g. data
 containing a URL), PHP will parse the nonce out, but will include a bunch
 of garbage data due to the JSON data after it.

 We should 1) check `$_GET` and `$_POST` separately instead of via
 `$_REQUEST`, and 2) only check `$_POST` if the content-type matches
 `application/x-www-url-formencoded` or `multipart/form-data`.

Ticket URL: <https://core.trac.wordpress.org/ticket/36231>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list