From 7b946b9007bb7302865e99aaf9c10932444a83a7 Mon Sep 17 00:00:00 2001
From: ryan
Date: Wed, 6 Feb 2008 21:19:47 +0000
Subject: [PATCH] Remove cookie checking from check_ajax_referer(). Check nonces instead. Props mdawaffe. fixes #5782 git-svn-id: http://svn.automattic.com/wordpress/trunk@6739 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/admin-ajax.php | 4 ++--
 wp-admin/edit-form-advanced.php | 1 +
 wp-admin/edit-form.php | 1 +
 wp-admin/edit-page-form.php | 1 +
 wp-includes/js/autosave.js | 6 +++---
 wp-includes/pluggable.php | 38 ++++++++++----------------------
 wp-includes/script-loader.php | 2 +-
 7 files changed, 20 insertions(+), 33 deletions(-)

diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php
index 91294846ff..12800d2d89 100644
--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -467,7 +467,7 @@ case 'add-user' :
 $x->send();
 break;
 case 'autosave' : // The name of this action is hardcoded in edit_post()
- check_ajax_referer( $action );
+ check_ajax_referer( 'autosave', 'autosavenonce' );
 $_POST['post_content'] = $_POST['content'];
 $_POST['post_excerpt'] = $_POST['excerpt'];
 $_POST['post_status'] = 'draft';
@@ -499,7 +499,7 @@ case 'autosave' : // The name of this action is hardcoded in edit_post()
 die('0');
 break;
 case 'autosave-generate-nonces' :
- check_ajax_referer( $action );
+ check_ajax_referer( 'autosave', 'autosavenonce' );
 $ID = (int) $_POST['post_ID'];
 if($_POST['post_type'] == 'post') {
 if(current_user_can('edit_post', $ID))
diff --git a/wp-admin/edit-form-advanced.php b/wp-admin/edit-form-advanced.php
index 5b25ef8547..64da6730f4 100644
--- a/wp-admin/edit-form-advanced.php
+++ b/wp-admin/edit-form-advanced.php
@@ -88,6 +88,7 @@ addLoadEvent(focusit);
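Review bot: Both changed calls verify the fixed action 'autosave' where the old code verified `$action`, so `autosave-generate-nonces` (second hunk, `@@ -499`) now accepts exactly the same nonce as `autosave`; that is presumably intended because the autosave.js hunks send a single `#autosavenonce` value for both requests, but nothing in the PHP records it. Add above the first call `// Both autosave actions share the 'autosave' nonce sent in the autosavenonce field` and the same line above the second. The 'autosave' nonce carries no post_ID, so in the nonce-generating case `current_user_can('edit_post', $ID)` on the last hunk line remains the only per-post authorization; that predates this commit but is worth naming in the comment since the cookie-derived user check was dropped from check_ajax_referer in the same change.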

post_content); ?> +
diff --git a/wp-admin/edit-form.php b/wp-admin/edit-form.php
index df37430086..87979bc3db 100644
--- a/wp-admin/edit-form.php
+++ b/wp-admin/edit-form.php
@@ -39,6 +39,7 @@ addLoadEvent(focusit); } ?>
+
diff --git a/wp-admin/edit-page-form.php b/wp-admin/edit-page-form.php
index eb9653f628..a41dd0d262 100644
--- a/wp-admin/edit-page-form.php
+++ b/wp-admin/edit-page-form.php
@@ -56,6 +56,7 @@ addLoadEvent(focusit);

post_content); ?> +
diff --git a/wp-includes/js/autosave.js b/wp-includes/js/autosave.js
index 3e18b6c9a9..b45e9dae4a 100644
--- a/wp-includes/js/autosave.js
+++ b/wp-includes/js/autosave.js
@@ -36,7 +36,7 @@ function autosave_update_post_ID(response) {
 jQuery.post(autosaveL10n.requestFile, {
 action: "autosave-generate-nonces",
 post_ID: res,
- cookie: document.cookie,
+ autosavenonce: jQuery('#autosavenonce').val(),
 post_type: jQuery('#post_type').val()
 }, function(html) {
 jQuery('#_wpnonce').val(html);
@@ -87,7 +87,7 @@ function autosave() {
 action: "autosave",
 post_ID: jQuery("#post_ID").val() || 0,
 post_title: jQuery("#title").val() || "",
- cookie: document.cookie,
+ autosavenonce: jQuery('#autosavenonce').val(),
 tags_input: jQuery("#tags-input").val() || "",
 post_type: jQuery('#post_type').val() || ""
 };
@@ -99,7 +99,7 @@ function autosave() {
 tinyMCE.triggerSave(); }
- post_data["content"] = jQuery("#content").val();
+ post_data["content"] = jQuery("#content").val();
 if(post_data["post_title"].length==0 || post_data["content"].length==0 || post_data["post_title"] + post_data["content"] == autosaveLast) { return;
diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index f906eb3493..6c33824802 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -635,11 +635,12 @@ if ( !function_exists('check_admin_referer') ) :
 * @uses do_action() Calls 'check_admin_referer' on $action.
 *
 * @param string $action Action nonce
+ * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
 */
-function check_admin_referer($action = -1) {
+function check_admin_referer($action = -1, $query_arg = '_wpnonce' ) {
 $adminurl = strtolower(get_option('siteurl')).'/wp-admin';
 $referer = strtolower(wp_get_referer());
- if ( !wp_verify_nonce($_REQUEST['_wpnonce'], $action) &&
+ if ( !wp_verify_nonce($_REQUEST[$query_arg], $action) &&
 !(-1 == $action && strpos($referer, $adminurl) !== false)) {
 wp_nonce_ays($action);
 die();
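Review bot: `jQuery('#autosavenonce').val()` on the added line is undefined whenever the edit form does not render an `autosavenonce` field, so the request goes out without a nonce and check_ajax_referer answers `-1`; the callback at the end of this hunk then stores that `-1` into `#_wpnonce`, replacing a valid nonce with a value that will fail every later check. Guard the assignment: `if ( html != '-1' ) jQuery('#_wpnonce').val(html);`. The second hunk (`@@ -87`) uses the same field lookup, where a missing field only makes the autosave itself fail closed, which is acceptable. autosave_update_post_ID continues past the end of the hunk.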
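Review bot: `$_REQUEST[$query_arg]` on the changed `if` line raises an undefined-index notice whenever the named field is absent, and on hosts with display_errors enabled that notice is printed before wp_nonce_ays() renders; read the value first, `$nonce = isset($_REQUEST[$query_arg]) ? $_REQUEST[$query_arg] : '';`, and pass `$nonce` to wp_verify_nonce. The new docblock line should also name the default, e.g. `@param string $query_arg Key in $_REQUEST holding the nonce; defaults to '_wpnonce' (since 2.5)`. check_admin_referer's body continues past the end of the hunk.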
@@ -654,34 +655,17 @@ if ( !function_exists('check_ajax_referer') ) :
 * @since 2.0.4
 *
 * @param string $action Action nonce
+ * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
 */
-function check_ajax_referer( $action = -1 ) {
- $nonce = $_REQUEST['_ajax_nonce'] ? $_REQUEST['_ajax_nonce'] : $_REQUEST['_wpnonce'];
- if ( !wp_verify_nonce( $nonce, $action ) ) {
- $current_id = '';
- if ( ( $current = wp_get_current_user() ) && $current->ID )
- $current_id = $current->ID;
- if ( !$current_id )
- die('-1');
+function check_ajax_referer( $action = -1, $query_arg = false ) {
+ if ( $query_arg )
+ $nonce = $_REQUEST[$query_arg];
+ else
+ $nonce = $_REQUEST['_ajax_nonce'] ? $_REQUEST['_ajax_nonce'] : $_REQUEST['_wpnonce'];
 
- $auth_cookie = '';
- $cookie = explode('; ', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie
- foreach ( $cookie as $tasty ) {
- if ( false !== strpos($tasty, AUTH_COOKIE . '=') ) {
- $auth_cookie = substr(strstr($tasty, '='), 1);
- break;
- }
- }
+ if ( !wp_verify_nonce( $nonce, $action ) )
+ die('-1');
 
- if ( empty($auth_cookie) )
- die('-1');
-
- if ( ! $user_id = wp_validate_auth_cookie( $auth_cookie ) )
- die('-1');
-
- if ( $current_id != $user_id )
- die('-1');
- }
 do_action('check_ajax_referer');
 }
 endif;
diff --git a/wp-includes/script-loader.php b/wp-includes/script-loader.php
index a0081a7dec..e8520bb4e2 100644
--- a/wp-includes/script-loader.php
+++ b/wp-includes/script-loader.php
@@ -37,7 +37,7 @@ class WP_Scripts {
 $this->add( 'prototype', '/wp-includes/js/prototype.js', false, '1.6');
- $this->add( 'autosave', '/wp-includes/js/autosave.js', array('jquery', 'schedule'), '20080104');
+ $this->add( 'autosave', '/wp-includes/js/autosave.js', array('jquery', 'schedule'), '20080206');
 $this->localize( 'autosave', 'autosaveL10n', array(
 'autosaveInterval' => apply_filters('autosave_interval', '120'),
 'errorText' => __('Error: %response%'),
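Review bot: The new `$query_arg` branch reads `$_REQUEST[$query_arg]` without checking that the field exists, so an AJAX call that omits it emits an undefined-index notice into the response body ahead of `-1` on hosts with display_errors enabled; use `$nonce = isset($_REQUEST[$query_arg]) ? $_REQUEST[$query_arg] : '';` (the `else` branch has the same gap for `_wpnonce`, inherited from the old code). The default `false` is documented as `string`; it should be `@param string|false $query_arg`, and the docblock should say that `false` falls back to `_ajax_nonce` then `_wpnonce`, since this differs from check_admin_referer's `'_wpnonce'` default in the previous hunk. With the cookie-to-user comparison removed, the only identity check left is whatever wp_verify_nonce folds into the nonce, so record that dependency above the verify call: `// NOTE: relies on the nonce being bound to the current user's ID at creation; no separate auth-cookie check is done here — confirm against wp_create_nonce()`.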