nonce functions. #2678

git-svn-id: http://svn.automattic.com/wordpress/trunk@3758 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
ryan 2006-05-02 22:08:34 +00:00
parent 1008282133
commit 89fe7ce543
3 changed files with 71 additions and 5 deletions

View File

@ -98,4 +98,17 @@ if (!function_exists('array_change_key_case')) {
} }
} }
// From php.net
if(!function_exists('http_build_query')) {
function http_build_query( $formdata, $numeric_prefix = null, $key = null ) {
$res = array();
foreach ((array)$formdata as $k=>$v) {
$tmp_key = urlencode(is_int($k) ? $numeric_prefix.$k : $k);
if ($key) $tmp_key = $key.'['.$tmp_key.']';
$res[] = ( ( is_array($v) || is_object($v) ) ? http_build_query($v, null, $tmp_key) : $tmp_key."=".urlencode($v) );
}
$separator = ini_get('arg_separator.output');
return implode($separator, $res);
}
}
?> ?>

View File

@ -1663,4 +1663,12 @@ function is_blog_installed() {
return $installed; return $installed;
} }
function wp_nonce_url($actionurl, $action = -1) {
return add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl);
}
function wp_nonce_field($action = -1) {
echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />';
}
?> ?>

View File

@ -228,14 +228,34 @@ function auth_redirect() {
endif; endif;
if ( !function_exists('check_admin_referer') ) : if ( !function_exists('check_admin_referer') ) :
function check_admin_referer() { function check_admin_referer($action = -1) {
global $pagenow;
$adminurl = strtolower(get_settings('siteurl')).'/wp-admin'; $adminurl = strtolower(get_settings('siteurl')).'/wp-admin';
$referer = strtolower($_SERVER['HTTP_REFERER']); $referer = strtolower($_SERVER['HTTP_REFERER']);
if (!strstr($referer, $adminurl)) if ( !wp_verify_nonce($_REQUEST['_wpnonce'], $action) ) {
die(__('Sorry, you need to <a href="http://codex.wordpress.org/Enable_Sending_Referrers">enable sending referrers</a> for this feature to work.')); $html = "<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>\n<html xmlns='http://www.w3.org/1999/xhtml' lang='en' xml:lang='en'>\n\n";
do_action('check_admin_referer'); $html .= "<head>\n\t<title>" . __('WordPress Confirmation') . "</title>\n";
$html .= "</head>\n<body>\n";
if ( $_POST ) {
$q = http_build_query($_POST);
$q = explode( ini_get('arg_separator.output'), $q);
$html .= "\t<form method='post' action='$pagenow'>\n";
foreach ( (array) $q as $a ) {
$v = substr(strstr($a, '='), 1);
$k = substr($a, 0, -(strlen($v)+1));
$html .= "\t\t<input type='hidden' name='" . wp_specialchars( urldecode($k), 1 ) . "' value='" . wp_specialchars( urldecode($v), 1 ) . "' />\n";
} }
endif; $html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n";
$html .= "\t\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t</form>\n";
} else {
$html .= "\t<p>" . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>No</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . "</a></p>\n";
}
$html .= "</body>\n</html>";
die($html);
}
do_action('check_admin_referer');
}endif;
if ( !function_exists('check_ajax_referer') ) : if ( !function_exists('check_ajax_referer') ) :
function check_ajax_referer() { function check_ajax_referer() {
@ -460,4 +480,29 @@ function wp_new_user_notification($user_id, $plaintext_pass = '') {
} }
endif; endif;
if ( !function_exists('wp_verify_nonce') ) :
function wp_verify_nonce($nonce, $action = -1) {
$user = wp_get_current_user();
$uid = $user->id;
$i = ceil(time() / 43200);
//Allow for expanding range, but only do one check if we can
if( substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10) == $nonce || substr(md5(($i - 1) . DB_PASSWORD . $action . $uid), -12, 10) == $nonce )
return true;
return false;
}
endif;
if ( !function_exists('wp_create_nonce') ) :
function wp_create_nonce($action = -1) {
$user = wp_get_current_user();
$uid = $user->id;
$i = ceil(time() / 43200);
return substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10);
}
endif;
?> ?>