[wp-trac] [WordPress Trac] #44047: The link you followed has expired. - Export / Erasure admin screens

WordPress Trac noreply at wordpress.org
Sat Mar 23 10:02:36 UTC 2019


#44047: The link you followed has expired.  - Export / Erasure admin screens
-------------------------------------------------+-------------------------
 Reporter:  xkon                                 |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  assigned
 Priority:  normal                               |   Milestone:  5.2
Component:  Privacy                              |     Version:  4.9.6
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch 2nd-opinion needs-testing  |     Focuses:  ui,
                                                 |  administration
-------------------------------------------------+-------------------------
Changes (by garrett-eclipse):

 * keywords:  needs-patch => has-patch 2nd-opinion needs-testing
 * focuses:   => ui, administration
 * milestone:  Future Release => 5.2


Comment:

 Hello all,

 Thank you for raising the issue @xkon and for the discussion and
 investigation @birgire and @subrataemfluence; as well, I appreciate the
 JavaScript-based approach @saimonh.

 After reviewing and testing I found the issue is the forms themselves have
 no action and so take the entire URL including the expired nonce. The
 forms only need the `?page=` param applied as the action. By specifying an
 action we strip the expired nonce from the submission.

 I've provided two working patches to address this issue.
 [https://core.trac.wordpress.org/attachment/ticket/44047/44047.clean.diff
 44047.clean.diff] - Which just places the
 `action="?page=remove_personal_data"` and
 `action="?page=remove_personal_data"` onto the forms.
 [https://core.trac.wordpress.org/attachment/ticket/44047/44047.getpage.diff
 44047.getpage.diff] - Which checks `$_GET['page']` to populate the form
 actions.

 In all honesty, the second one using `$_GET` is probably overkill as the
 page name is unlikely to change, and if it does the entirety of core would
 have to be swept anyway. So I would suggest going with the clean version.

 Moving into 5.2 as an easy fix. Would love some additional testing to
 confirm the fix as well as thoughts on which option makes sense.

 All the best

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44047#comment:29>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
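
The form behaviour described in the comment above, as an added example that is not part of the original message or of the attached patches: it resolves the submission target the way a browser does for a form with no action, an empty action, and a `?page=` action. The host, path, row-action parameters and nonce value are constructed; `_wpnonce` is assumed as the nonce query argument.

```javascript
// Added illustration; URLs and parameter values are constructed sample data.

// A form with a missing or empty action attribute submits to the
// document's own URL; otherwise the action is resolved against it.
function formTarget(documentUrl, actionAttr) {
  if (actionAttr === undefined || actionAttr === null || actionAttr === "") {
    return new URL(documentUrl);
  }
  return new URL(actionAttr, documentUrl);
}

// Names of the query parameters that ride along with the submission.
function carriedParams(documentUrl, actionAttr) {
  return [...formTarget(documentUrl, actionAttr).searchParams.keys()];
}

// True when the submission URL still contains a nonce from an earlier request.
function carriesStaleNonce(documentUrl, actionAttr) {
  return formTarget(documentUrl, actionAttr).searchParams.has("_wpnonce");
}

// Constructed: admin screen URL left over from an earlier row action,
// still holding that action's nonce in the query string.
const staleUrl =
  "https://example.test/wp-admin/tools.php?page=remove_personal_data" +
  "&action=delete&request_id%5B%5D=12&_wpnonce=0123456789";

const cases = [
  ["no action attribute", undefined],
  ['action=""', ""],
  ['action="?page=remove_personal_data"', "?page=remove_personal_data"],
];

for (const [label, action] of cases) {
  console.log(label);
  console.log("  submits to :", formTarget(staleUrl, action).href);
  console.log("  query args :", carriedParams(staleUrl, action).join(", "));
  console.log("  stale nonce:", carriesStaleNonce(staleUrl, action));
}
```

A query-only action keeps the current path and replaces the whole query string, which is why the old nonce drops out of the request.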

