[wp-trac] [WordPress Trac] #51951: nonce_user_logged_out filter not consistent with $user->exists()

WordPress Trac noreply at wordpress.org
Mon Dec 7 00:42:53 UTC 2020


#51951: nonce_user_logged_out filter not consistent with $user->exists()
-----------------------------+-----------------------------
 Reporter:  chamois_blanc    |      Owner:  (none)
     Type:  feature request  |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Security         |    Version:  5.6
 Severity:  minor            |   Keywords:  2nd-opinion
  Focuses:                   |
-----------------------------+-----------------------------
 The nonce_user_logged_out name seems to suggest that it takes effect when
 a user is logged out. But in the code, it only takes effect when the user
 ID is zero, which is not quite the same thing:

 {{{
     $user->ID != 0 is not equivalent to $user->exists()
 }}}

 Some plugins assign a user ID to distinguish non-logged-in users.
 WooCommerce, for instance, assigns a user ID when an item is added to the
 cart.

 I'm not sure how important the inconsistency is but I thought it was worth
 mentioning. On the flip side, I can see how calling $user->exists() may be
 slower and therefore undesirable.

 It would be useful to add another filter on $uid in both wp_create_nonce
 and wp_verify_nonce, so that it can be changed if $user->exists() returns
 false (i.e. the user is not logged in). The code would look something like
 this:

 {{{
     $user = wp_get_current_user();
     $uid  = (int) $user->ID;
     if ( ! $uid ) {
         /**
          * Filters whether the user who generated the nonce is logged out.
          *
          * @since 3.5.0
          *
          * @param int    $uid    ID of the nonce-owning user.
          * @param string $action The nonce action.
          */
         $uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
     }

     /**
      * Filters the user ID. [ADDED]
      *
      * @since ???
      *
      * @param int    $uid    ID of the nonce-owning user.
      * @param string $action The nonce action.
      */
     $uid = apply_filters( 'nonce_user_id', $uid, $action );
 }}}

 This would allow setting $uid to zero (or some other value) for non-logged-in
 users and avoid issues with nonces in such cases. Another solution is
 obviously not to check the nonce for non-logged-in users in each ajax action
 function, but that is probably less safe.

 Thoughts?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/51951>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
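As an added illustration (not code from the ticket or from WordPress core), a PHP simulation of the nonce create/verify round trip that reproduces the scenario the ticket describes: a nonce generated for user ID 0 and verified after a plugin has assigned a guest ID, first without and then with the proposed 'nonce_user_id' filter. The hash secret, session token, tick value and IDs are constructed, and the filter is modelled as a single callable rather than the WordPress hook registry.

```php
<?php
// Added illustration, not WordPress core code: a minimal stand-in for
// wp_create_nonce()/wp_verify_nonce() showing why the owner ID matters.
// The secret, session token, tick and IDs below are constructed values.
$nonce_user_id_filter = null; // hypothetical stand-in for the proposed 'nonce_user_id' hook

// Same shape as core 5.6: keyed hash of tick|action|uid|token, 10 chars of it.
function make_nonce( int $tick, string $action, int $uid, string $token ): string {
    $mac = hash_hmac( 'md5', "$tick|$action|$uid|$token", 'constructed-secret' );
    return substr( $mac, -12, 10 );
}

// Owner-ID resolution as the ticket proposes: the proposed filter runs for every
// ID, not only for ID 0 like the existing 'nonce_user_logged_out' filter.
function resolve_uid( int $uid, string $action ): int {
    global $nonce_user_id_filter;
    return $nonce_user_id_filter ? (int) $nonce_user_id_filter( $uid, $action ) : $uid;
}

function create_nonce( int $uid, string $action, int $tick, string $token ): string {
    return make_nonce( $tick, $action, resolve_uid( $uid, $action ), $token );
}

// Like core, accept the current and the previous tick (returns 1, 2 or false).
function verify_nonce( string $nonce, int $uid, string $action, int $tick, string $token ) {
    $uid = resolve_uid( $uid, $action );
    foreach ( [ 1 => $tick, 2 => $tick - 1 ] as $age => $t ) {
        if ( hash_equals( make_nonce( $t, $action, $uid, $token ), $nonce ) ) {
            return $age;
        }
    }
    return false;
}

$token = 'constructed-session-token';
$tick  = 1000;

// Page rendered for a visitor with ID 0; a plugin then assigns a guest ID
// (constructed: 12345) before the AJAX request is verified. The IDs differ,
// so the nonce fails to verify even though nothing was tampered with.
$nonce = create_nonce( 0, 'add_to_cart', $tick, $token );
var_dump( verify_nonce( $nonce, 12345, 'add_to_cart', $tick, $token ) );

// With the proposed filter mapping any ID that is not a logged-in account to 0,
// creation and verification resolve to the same owner and the nonce verifies.
$logged_in_ids = [ 42 => true ]; // constructed: the only real account here
$nonce_user_id_filter = function ( int $uid, string $action ) use ( $logged_in_ids ): int {
    return isset( $logged_in_ids[ $uid ] ) ? $uid : 0;
};
$nonce = create_nonce( 0, 'add_to_cart', $tick, $token );
var_dump( verify_nonce( $nonce, 12345, 'add_to_cart', $tick, $token ) );
```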