[wp-trac] [WordPress Trac] #41617: wp_verify_nonce() check fails on several websites because of filter possibility in wp_nonce_tick()
WordPress Trac
noreply at wordpress.org
Sat Aug 12 08:44:57 UTC 2017
#41617: wp_verify_nonce() check fails on several websites because of filter
possibility in wp_nonce_tick()
--------------------------+-----------------------------
Reporter: ReneHermi | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 4.8.1
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
wp_nonce_tick() is an essential part of the hash which is used as the
nonce for creating and checking whether a request is authenticated.
Unfortunately wp_nonce_tick() is filterable by third-party developers!
So it happens occasionally that other plugins hook in there and
change the nonce lifetime. Usually not a big deal if these filters
would always be running globally and with the highest priority, BUT as every
plugin developer is baking their own cake and every plugin is loaded with
another priority, these filters get overwritten inconsistently over time
and over load order, depending on in which hook the nonce is created and
where it is checked.
I experienced this issue on two different customer websites this week.
Example to reproduce it:
- Create a nonce with wp_create_nonce() in hook admin_enqueue_scripts().
Use a plugin to do this
- Populate the nonce there with wp_localize_script(). just as you would
like to access it with js.
- Create a filter and overwrite the life span in wp_nonce_tick()
- Put this filter into ANOTHER plugin:
{{{
// Registered in a second plugin at priority 1: any callback on 'nonce_life'
// that runs later (higher priority number) overrides this value again.
function overwrite( $seconds ) {
    return 10600; // about 2.9 hours instead of the default DAY_IN_SECONDS
}
add_filter( 'nonce_life', 'overwrite', 1 );
}}}
Now check the wp_nonce_tick() in the first plugin from another hook like
admin_init and you will notice that the results differ. This is not
unusual or unexpected in the way these filters work, but as
wp_nonce_tick() is part of the nonce hash, the whole nonce will differ as
well and as a result the wp_nonce_check fails completely then.
In my opinion, this filter should be removed entirely to ensure that the
nonce is always consistent and can not be changed by third parties. There
should be no way to change the value of a hash by filters.
This is not such a rare issue if you look at how many plugins are
changing the nonce_life value:
https://github.com/search?utf8=%E2%9C%93&q=nonce_life&type=Code
To make my plugin work for all users I also need to play the same game
and need to use a filter to change the nonce_life value to ensure it is
every time the same in my plugin instance. The alternative would be to
remove the nonce check altogether. Not really something I like to do.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/41617>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
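The failure mode described in the ticket, as an added stand-alone example (not WordPress core code and not the reporter's plugin): a minimal emulation of the hook registry plus wp_nonce_tick(), wp_create_nonce() and wp_verify_nonce() with the same tick arithmetic as core, driven by a fixed clock. wp_hash()/wp_salt() are replaced by HMAC-MD5 with a constructed salt, the timestamp and action name are constructed, and the with_pinned_nonce_life() helper is an assumed illustration of the "play the same game" workaround the report mentions.

```php
<?php
// Added example, not WordPress code: emulates the nonce pipeline so the
// effect of a 'nonce_life' filter registered between creation and
// verification is visible. Hash helpers are simplified stand-ins.

$filters = [];  // hook name => [priority => [callbacks]]

function add_filter(string $hook, callable $cb, int $priority = 10): void {
    global $filters;
    $filters[$hook][$priority][] = $cb;
}

function remove_filter(string $hook, callable $cb, int $priority = 10): bool {
    global $filters;
    foreach ($filters[$hook][$priority] ?? [] as $i => $registered) {
        if ($registered === $cb) {
            unset($filters[$hook][$priority][$i]);
            return true;
        }
    }
    return false;
}

// Callbacks run in ascending priority order, each receiving the previous
// value; a callback that ignores its argument makes the last one to run win.
function apply_filters(string $hook, $value) {
    global $filters;
    $by_priority = $filters[$hook] ?? [];
    ksort($by_priority);
    foreach ($by_priority as $callbacks) {
        foreach ($callbacks as $cb) {
            $value = $cb($value);
        }
    }
    return $value;
}

const DAY_IN_SECONDS = 86400;
const NONCE_SALT = 'constructed-demo-salt';  // stands in for wp_salt('nonce')

// Same arithmetic as core: the tick is half the (filtered) nonce lifetime.
function wp_nonce_tick(int $now): float {
    $nonce_life = apply_filters('nonce_life', DAY_IN_SECONDS);
    return ceil($now / ($nonce_life / 2));
}

function nonce_hash(float $tick, string $action, int $uid): string {
    return substr(hash_hmac('md5', $tick . '|' . $action . '|' . $uid, NONCE_SALT), -12, 10);
}

function wp_create_nonce(string $action, int $uid, int $now): string {
    return nonce_hash(wp_nonce_tick($now), $action, $uid);
}

// Returns 1 (current tick), 2 (previous tick) or false, like core.
function wp_verify_nonce(string $nonce, string $action, int $uid, int $now) {
    $i = wp_nonce_tick($now);
    if (hash_equals(nonce_hash($i, $action, $uid), $nonce)) {
        return 1;
    }
    if (hash_equals(nonce_hash($i - 1, $action, $uid), $nonce)) {
        return 2;
    }
    return false;
}

// Assumed workaround: the verifying plugin pins the lifetime itself at the
// highest priority around both creation and verification, then cleans up.
function with_pinned_nonce_life(callable $fn) {
    $pin = fn($seconds) => DAY_IN_SECONDS;
    add_filter('nonce_life', $pin, PHP_INT_MAX);
    try {
        return $fn();
    } finally {
        remove_filter('nonce_life', $pin, PHP_INT_MAX);
    }
}

$now    = 1502527497;        // constructed fixed timestamp (2017-08-12)
$uid    = 1;
$action = 'my_plugin_action'; // constructed action name

// Plugin A creates the nonce early in the request with the default lifetime.
$nonce = wp_create_nonce($action, $uid, $now);
printf("same lifetime at verify:     %s\n", var_export(wp_verify_nonce($nonce, $action, $uid, $now), true));

// Plugin B's filter from the ticket is registered before Plugin A verifies:
// the tick goes from ceil(now/43200) to ceil(now/5300), so the hash changes.
$overwrite = function ($seconds) { return 10600; };
add_filter('nonce_life', $overwrite, 1);
printf("lifetime changed in between: %s\n", var_export(wp_verify_nonce($nonce, $action, $uid, $now), true));

// With the lifetime pinned on both sides, a third plugin changing it later
// no longer matters.
$nonce = with_pinned_nonce_life(fn() => wp_create_nonce($action, $uid, $now));
add_filter('nonce_life', fn($s) => 3600, 20);
$ok = with_pinned_nonce_life(fn() => wp_verify_nonce($nonce, $action, $uid, $now));
printf("pinned on both sides:        %s\n", var_export($ok, true));
```

Run it with `php nonce_demo.php`; the first and third checks verify, the second returns false. Note that pinning only helps for nonces the same plugin both creates and verifies, and only as long as no other plugin registers at the same PHP_INT_MAX priority after it, which is exactly the load-order race the ticket describes.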