Ticket #5782 (closed enhancement: fixed)

Opened 10 months ago

Last modified 10 months ago

check_*_referer should be able to look for nonce in any query parameter

Reported by: mdawaffe
Assigned to: anonymous
Priority: normal
Milestone: 2.5
Component: General
Version:
Severity: normal
Keywords: has-patch needs-testing
Cc:

Description

Adding an optional parameter to check_admin_referer() and check_ajax_referer() allows more than nonce to be generated on one page, increasing the flexibility of nonce checking.

It also allows us to get rid of the problematic cookie code in check_ajax_referer() and to rely solely on nonces.

Attached:

  1. Adds parameter.
  2. Converts autosave to use nonces for verification (the last holdout?).
  3. Removes cookie code from check_ajax_referer(). Good for core (we can make sure all of our other ajax actions use nonces). May break some plugins.

Attachments

5782.diff (6.0 kB) - added by mdawaffe on 02/06/08 20:56:10.

Change History

02/06/08 20:56:10 changed by mdawaffe

  • attachment 5782.diff added.

02/06/08 20:58:37 changed by mdawaffe

s/more than nonce/more than one nonce/

02/06/08 21:19:47 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [6739]) Remove cookie checking from check_ajax_referer(). Check nonces instead. Props mdawaffe. fixes #5782
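
The usage the ticket description points at (several nonces on one page, each read from its own request parameter), sketched against the signatures in current WordPress, `check_admin_referer( $action, $query_arg )` and `check_ajax_referer( $action, $query_arg, $die )`, rather than taken from 5782.diff, which is not shown on this page. This is an added example, not code from the ticket or from WordPress core; the plugin, its `tn_*` names and its option keys are hypothetical.

```php
<?php
/* Plugin Name: Two Nonces Demo (hypothetical plugin, added example) */

add_action( 'admin_menu', function () {
    add_options_page( 'Two Nonces Demo', 'Two Nonces Demo', 'manage_options', 'tn-demo', 'tn_render' );
} );

// One form, two nonces: the default '_wpnonce' field guards the full save,
// and a second field with its own name guards the AJAX draft save.
function tn_render() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="tn_save">
        <?php wp_nonce_field( 'tn_save' ); ?>
        <?php wp_nonce_field( 'tn_draft', 'tn_draft_nonce', false ); ?>
        <textarea name="tn_text"><?php echo esc_textarea( get_option( 'tn_text', '' ) ); ?></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
}

// Shared helper: a valid nonce proves intent, not permission, so the
// capability check is separate from the nonce check.
function tn_store( $option ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $text = isset( $_POST['tn_text'] ) ? sanitize_textarea_field( wp_unslash( $_POST['tn_text'] ) ) : '';
    update_option( $option, $text );
}

// Full save: the nonce is read from the default '_wpnonce' parameter.
add_action( 'admin_post_tn_save', function () {
    check_admin_referer( 'tn_save' );
    tn_store( 'tn_text' );
    wp_safe_redirect( admin_url( 'options-general.php?page=tn-demo' ) );
    exit;
} );

// AJAX draft save: the client posts action=tn_draft plus tn_draft_nonce and
// tn_text to admin-ajax.php. The second argument names the parameter to read;
// a nonce minted for 'tn_save' fails here because the action string differs.
add_action( 'wp_ajax_tn_draft', function () {
    check_ajax_referer( 'tn_draft', 'tn_draft_nonce' );
    tn_store( 'tn_text_draft' );
    wp_send_json_success();
} );
```

Plugins that relied on the cookie check removed from `check_ajax_referer()` need the same change on both sides: emit a nonce for the action in the page and send it with the AJAX request under the parameter name the handler checks.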