[wp-trac] [WordPress Trac] #25939: add_options_page(..., 'options.php') and 1000 vars limit
WordPress Trac
noreply at wordpress.org
Sat Dec 10 11:38:28 UTC 2022
#25939: add_options_page(..., 'options.php') and 1000 vars limit
------------------------------------------------+--------------------------
 Reporter:  tivnet                              |       Owner:  SergeyBiryukov
     Type:  defect (bug)                        |      Status:  reviewing
 Priority:  normal                              |   Milestone:  Awaiting Review
Component:  Administration                      |     Version:  trunk
 Severity:  normal                              |  Resolution:
 Keywords:  has-patch 2nd-opinion dev-feedback  |     Focuses:
------------------------------------------------+--------------------------
Changes (by ramon fincken):
* keywords: has-patch 2nd-opinion => has-patch 2nd-opinion dev-feedback
* version: => trunk
Comment:
OK, so I found this ticket in search of something that appears quite
similar.

To be precise =>
In the current setup of options.php:

A) It is possible to modify the DOM for serialized data. The POST server
check is non-present upon processing of a POST request.

B) It is possible that you modify a single value whilst the site has
updated another option due to normal site (or plugin) behavior.
Note that the patch provided here would fix this.

C) In the current setup the POST server will update ALL options it is
presented by the form. Why not check what is changed in the form? Yes, it
is a minor performance improvement and yes, only on the admin option pages,
but I like this.
Note that the patch provided here would fix this.

D) It might be worth commenting in code that the nonce is actually
verified using check_admin_referer.

So, now what? @SergeyBiryukov, @bordoni (thanks for your patch!)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/25939#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform