Changeset 3758

Timestamp:
05/02/06 22:08:34 (2 years ago)
Author:
ryan
Message:

nonce functions. #2678

Files:

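--- a/trunk/wp-includes/functions-compat.php
+++ b/trunk/wp-includes/functions-compat.php
@@ -99,3 +99,16 @@
 }
 
+// From php.net
+if(!function_exists('http_build_query')) {
+   function http_build_query( $formdata, $numeric_prefix = null, $key = null ) {
+       $res = array();
+       foreach ((array)$formdata as $k=>$v) {
+           $tmp_key = urlencode(is_int($k) ? $numeric_prefix.$k : $k);
+           if ($key) $tmp_key = $key.'['.$tmp_key.']';
+           $res[] = ( ( is_array($v) || is_object($v) ) ? http_build_query($v, null, $tmp_key) : $tmp_key."=".urlencode($v) );
+       }
+       $separator = ini_get('arg_separator.output');
+       return implode($separator, $res);
+   }
+}
 ?>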
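Review bot: In the polyfill's recursive call, `if ($key)` tests truthiness rather than presence, so a parent key that urlencodes to the string `'0'` (a list element at index 0 with no `$numeric_prefix`) is treated as absent and its children come out as bare `a=1` instead of `0[a]=1`; `if ($key !== null) $tmp_key = $key.'['.$tmp_key.']';` keeps the prefix. The native `http_build_query` also omits entries whose value is `null`, whereas this version emits `key=` for them; if that divergence is acceptable for the callers in this changeset, a one-line comment above the `foreach` saying so would stop the next reader from "fixing" it.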
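--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -1664,3 +1664,11 @@
 }
 
+function wp_nonce_url($actionurl, $action = -1) {
+    return add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl);
+}
+
+function wp_nonce_field($action = -1) {
+    echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />';
+}
+
 ?>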
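Review bot: Neither `wp_nonce_url` nor `wp_nonce_field` has a docblock, and the two differ in a way callers need stated: `wp_nonce_field` echoes a finished HTML fragment, while `wp_nonce_url` returns a raw URL that still has to be attribute-escaped (with `wp_specialchars`, as the confirmation page in pluggable-functions.php does) before it is placed in an `href`, since `add_query_arg` presumably joins parameters with a bare `&`. A short docblock on each should also say that `$action` must be the same value later handed to `check_admin_referer`/`wp_verify_nonce`, and that leaving it at `-1` yields a nonce shared by every caller that omits the action, because the action is the only per-operation input to the hash.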
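--- a/trunk/wp-includes/pluggable-functions.php
+++ b/trunk/wp-includes/pluggable-functions.php
@@ -229,12 +229,32 @@
 
 if ( !function_exists('check_admin_referer') ) :
-function check_admin_referer() {
+function check_admin_referer($action = -1) {
+    global $pagenow;
     $adminurl = strtolower(get_settings('siteurl')).'/wp-admin';
     $referer = strtolower($_SERVER['HTTP_REFERER']);
-    if (!strstr($referer, $adminurl))
-        die(__('Sorry, you need to <a href="http://codex.wordpress.org/Enable_Sending_Referrers">enable sending referrers</a> for this feature to work.'));
+    if ( !wp_verify_nonce($_REQUEST['_wpnonce'], $action) ) {
+        $html  = "<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>\n<html xmlns='http://www.w3.org/1999/xhtml' lang='en' xml:lang='en'>\n\n";
+        $html .= "<head>\n\t<title>" . __('WordPress Confirmation') . "</title>\n";
+        $html .= "</head>\n<body>\n";
+        if ( $_POST ) {
+            $q = http_build_query($_POST);
+            $q = explode( ini_get('arg_separator.output'), $q);
+            $html .= "\t<form method='post' action='$pagenow'>\n";
+            foreach ( (array) $q as $a ) {
+                $v = substr(strstr($a, '='), 1);
+                $k = substr($a, 0, -(strlen($v)+1));
+                $html .= "\t\t<input type='hidden' name='" . wp_specialchars( urldecode($k), 1 ) . "' value='" . wp_specialchars( urldecode($v), 1 ) . "' />\n";
+            }
+            $html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n";
+            $html .= "\t\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t</form>\n";
+        } else {
+            $html .= "\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . "</a></p>\n";
+        }
+        $html .= "</body>\n</html>";
+
+        die($html);
+    }
     do_action('check_admin_referer');
-
-endif;
+}endif;
 
 if ( !function_exists('check_ajax_referer') ) :
@@ -461,3 +481,28 @@
 endif;
 
+if ( !function_exists('wp_verify_nonce') ) :
+function wp_verify_nonce($nonce, $action = -1) {
+    $user = wp_get_current_user();
+    $uid = $user->id;
+
+    $i = ceil(time() / 43200);
+
+    //Allow for expanding range, but only do one check if we can
+    if( substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10) == $nonce || substr(md5(($i - 1) . DB_PASSWORD . $action . $uid), -12, 10) == $nonce )
+        return true;
+    return false;
+}
+endif;
+
+if ( !function_exists('wp_create_nonce') ) :
+function wp_create_nonce($action = -1) {
+    $user = wp_get_current_user();
+    $uid = $user->id;
+
+    $i = ceil(time() / 43200);
+
+    return substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10);
+}
+endif;
+
 ?>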
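Review bot: In the GET branch of the confirmation page (new line 251), the result of `add_query_arg( '_wpnonce', ..., $_SERVER['REQUEST_URI'] )` is written into `href='...'` with no escaping, so a request URI that carries a literal `'` closes the attribute and the page reflects request-controlled markup back to the logged-in admin; wrap it the same way the hidden fields already are, `wp_specialchars( add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ), 1 )`. `$pagenow` in `action='$pagenow'` (line 242) deserves the same treatment unless it is known to be sanitized where it is assigned, which is outside this hunk. `$referer` on line 234 is now assigned but never read since the strstr check was removed, and both it and `$_REQUEST['_wpnonce']` raise undefined-index notices when the header or parameter is absent; drop the former and read the latter as `isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : ''`. In the second hunk, the two `==` comparisons in `wp_verify_nonce` compare strings and should be `===`, since loose comparison switches to numeric rules whenever both operands happen to look numeric, and a comment there should record that `DB_PASSWORD` is the only secret in the hash, so an empty or leaked database password makes every nonce computable.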