Ticket #4884 (closed defect: fixed)

Opened 1 year ago

Last modified 1 year ago

wp_nonce_url() is generating broken URLs

Reported by: Viper007Bond
Assigned to: markjaquith
Priority: highest omg bbq
Milestone: 2.3
Component: General
Version: 2.3
Severity: blocker
Keywords:
Cc:

Description

wp_nonce_url() is generating bad URLs. For example, here is the activation URL for the "Hello Dolly" plugin:

plugins.php?action=activate&amp%3Bplugin=hello.php&_wpnonce=fbb5d56d32

Clicking that link takes you to a nonce confirmation screen which, after clicking "Yes", leaves you without the action being taken (in this case, the plugin being activated).


PHP v5.2.1
Latest WP SVN ([6001])
WAMP environment
All plugins disabled

Attachments

http_build_query.php (2.9 kB) - added by Viper007Bond on 09/01/07 12:12:19.
PHP_Compat version

Change History

09/01/07 09:16:41 changed by Viper007Bond

[5999] probably is the cause.

09/01/07 12:12:19 changed by Viper007Bond

  • attachment http_build_query.php added.

PHP_Compat version

09/01/07 12:14:32 changed by Viper007Bond

If the _http_build_query() we currently have is the problem, I just attached a version from the PHP_Compat project at php.net. It should replicate the PHP5 function perfectly.

09/01/07 19:41:01 changed by ryan

  • owner changed from anonymous to markjaquith.

(follow-up: ↓ 5 ) 09/01/07 23:14:21 changed by markjaquith

  • status changed from new to assigned.

The PEAR one has issues (don't remember what -- just remember that it gives different results than PHP5's function). [6005] should have fixed this, although I might end up moving that fix up the line to wp_nonce_url()

And this issue happens on PHP5 hosts, so it's not an issue with the compat function, but with http_build_query()'s handling of &amp;

At any rate, &amp; doesn't belong in a URL until we're ready to output it to HTML. I wouldn't expect http_build_query() to handle that. I'm going to leave this ticket open and track the issue here, as most of the instances I've found are using wp_nonce_url()

(in reply to: ↑ 4 ) 09/01/07 23:42:28 changed by Viper007Bond

Replying to markjaquith:

And this issue happens on PHP5 hosts, so it's not an issue with the compat function

Oh, dur. lol

09/01/07 23:46:51 changed by Viper007Bond

Still broken for plugins in subdirectories due to the slash.

plugins.php?action=deactivate&plugin=templatedia%252Ftemplatedia.php&_wpnonce=a1dd0b09dd

09/02/07 05:49:54 changed by markjaquith

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [6008]) Eliminate double urlencode()ing in add_query_arg(). Move &amp;-to-& conversion to wp_nonce_url(). fixes #4884

09/02/07 05:51:12 changed by markjaquith

  • keywords deleted.

Problem was that we were doing urlencode_deep(), but http_build_query() also does that -- so we were double-encoding. The &amp;-to-& conversion needs to stay -- but I moved it to wp_nonce_url().

09/02/07 06:48:44 changed by Viper007Bond

Confirmed fixed. Thanks. :)
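
The two failures discussed in this ticket, modelled outside WordPress as an added example (not code from the ticket, the changesets or WordPress itself). The function names rebuild_query, build_double_encoded and build_link are hypothetical, and the inputs are constructed from the URLs quoted above.

```php
<?php
// Added illustration only. Function names are hypothetical, not WordPress APIs.

// Failure 1: an HTML-escaped query string is parsed as if it were a raw one.
// parse_str() splits on "&" only, so "&amp;plugin" yields the key "amp;plugin",
// and http_build_query() then percent-encodes the ";" inside that key.
function rebuild_query(string $query): string {
    parse_str($query, $args);
    return http_build_query($args, '', '&');
}

// Failure 2: values are urlencode()d by the caller and then encoded a second
// time by http_build_query(), so the "%" of "%2F" is itself encoded.
function build_double_encoded(array $args): string {
    return http_build_query(array_map('urlencode', $args), '', '&');
}

// Corrected order: turn "&amp;" back into "&" before parsing, let
// http_build_query() do the only URL encoding, and HTML-escape the finished
// URL once, at the point where it is written into markup.
function build_link(string $base, string $query, array $extra): string {
    parse_str(str_replace('&amp;', '&', $query), $args);
    $url = $base . '?' . http_build_query(array_merge($args, $extra), '', '&');
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs modelled on the two URLs quoted in the ticket.
$escaped_query = 'action=activate&amp;plugin=hello.php';
$subdir_args   = ['action' => 'deactivate', 'plugin' => 'templatedia/templatedia.php'];

echo rebuild_query($escaped_query), "\n";
echo build_double_encoded($subdir_args), "\n";
echo build_link(
    'plugins.php',
    'action=deactivate&amp;plugin=templatedia/templatedia.php',
    ['_wpnonce' => 'a1dd0b09dd'] // sample nonce value copied from the ticket
), "\n";
```

Passing '&' explicitly as the separator keeps the result independent of the arg_separator.output ini setting.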