[wp-trac] [WordPress Trac] #52378: Network admin site action confirmation leads to expired link screen when referer not available
WordPress Trac
noreply at wordpress.org
Tue Jan 26 17:30:40 UTC 2021
#52378: Network admin site action confirmation leads to expired link screen when referer not available
--------------------------+-----------------------------
Reporter: sanchothefat | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Sorry for the wordy summary.
In the network admin on a multisite installation the sites list shows
links for actions like "Archive", "Deactivate" etc. that take you to an
interstitial page to confirm the action.
This interstitial page outputs a simple form with the action being
confirmed, nonce values and so on filled in, including a field for
`_wp_http_referer` which is then used in the `check_admin_referer()` call.
The referrer field is built using the following code:
{{{#!php
<input type="hidden" name="_wp_http_referer" value="<?php echo esc_attr( wp_get_referer() ); ?>" />
}}}
In infrastructure where WordPress is behind a load balancer and, for
caching reasons, the referer header is not passed to the web server, this
breaks because the output from `wp_get_referer()` is empty. Clicking
confirm will result in a `wp_die()` screen from `wp_nonce_ays()` saying
the link has expired.
This can be worked around by filtering `network_admin_url` where the link
contains `action=confirm` to add `_wp_http_referer` as a query parameter,
but ideally the referer should be passed in the query string by default.
Given there is a workaround, this is low priority, and I can't see anywhere
else in WP affected by this currently either.
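The workaround the ticket describes, written out as an added example (not the reporter's code and not WordPress core): a callback on the core `network_admin_url` filter that appends `_wp_http_referer` to the `action=confirm` links only. It assumes it is loaded as an mu-plugin on the multisite install; the filter name and its `( $url, $path, $scheme )` arguments are core WordPress, everything else is this example's own choice.

```php
<?php
/**
 * Added example (not the ticket reporter's code): append `_wp_http_referer`
 * to the network admin "confirm" links so that wp_get_referer() on the
 * interstitial has a value even when the load balancer strips the Referer
 * header. Assumes a multisite install with this file in mu-plugins.
 */
add_filter(
	'network_admin_url',
	function ( $url, $path ) {
		// Only the site action confirmation interstitial links are affected.
		if ( false === strpos( $url, 'action=confirm' ) ) {
			return $url;
		}

		// Leave links that already carry a referer untouched.
		if ( false !== strpos( $url, '_wp_http_referer=' ) ) {
			return $url;
		}

		// Send the user back to the page the link was clicked on (the sites
		// list, including its paging/search query); fall back to the list.
		$referer = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '';
		if ( '' === $referer ) {
			// This nested call re-enters the filter, but its URL carries no
			// action=confirm, so the first check above returns it unchanged.
			$referer = network_admin_url( 'sites.php' );
		}

		// add_query_arg() URL-encodes the value; do not pre-encode it.
		return add_query_arg( '_wp_http_referer', $referer, $url );
	},
	10,
	2
);
```

With the parameter present, `wp_get_referer()` reads `$_REQUEST['_wp_http_referer']` instead of the missing header, so the hidden field on the interstitial is populated. Note that `wp_get_referer()` still runs the value through `wp_validate_redirect()`, so only same-host values are honoured, and the CSRF protection itself remains the `_wpnonce` field checked by `check_admin_referer()`; the referer only controls where the user is sent afterwards.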
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52378>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform