Headline
CVE-2019-17675: Changeset 46477 – WordPress Trac
WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.
Timestamp:
10/14/2019 03:38:14 PM (3 years ago)
whyisjake
Message:
Administration: Ensure that admin referer nonce is valid.
Coding standards: ensure that the nonce is validated with the identical rather than the equal operator.
Props vortfu, xknown, whyisjake.
Location:
trunk
Files:
- src/wp-includes/pluggable.php (2 diffs)
- tests/phpunit/tests/auth.php (2 diffs)
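--- a/trunk/src/wp-includes/pluggable.php
+++ b/trunk/src/wp-includes/pluggable.php
@@ -1107,5 +1107,5 @@
 */
 function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
-if ( -1 == $action ) {
+if ( -1 === $action ) {
 _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
 }
@@ -1126,5 +1126,5 @@
 do_action( 'check_admin_referer', $action, $result );
 
-if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
+if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
 wp_nonce_ays( $action );
 die();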
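Review bot: The strict `-1 === $action` at line 1128 (and the matching change at 1109) now confines the referer-prefix fallback to the literal integer default, so a string action such as `'-1'`, which loose comparison previously treated as equal to -1, must carry a valid nonce; that is the substance of the fix and it is easy to misread as a pure style change, so it deserves a comment. I would add above the 1128 condition: `// Only the literal int default (-1) may fall back to a referer-prefix match; any string action, including '-1', requires a valid nonce.` The fallback itself is unchanged and remains only as strong as the lowercased `Referer` value that `strpos( $referer, $adminurl ) === 0` compares, so it should stay limited to the deprecated no-action case. check_admin_referer's body continues past the hunk.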
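--- a/trunk/tests/phpunit/tests/auth.php
+++ b/trunk/tests/phpunit/tests/auth.php
@@ -25,5 +25,5 @@
 self::$user_id = self::$_user->ID;
 
-require_once( ABSPATH . WPINC . '/class-phpass.php' );
+require_once ABSPATH . WPINC . '/class-phpass.php';
 self::$wp_hasher = new PasswordHash( 8, true );
 }
@@ -166,4 +166,14 @@
 }
 
+public function test_check_admin_referer_with_default_action_as_string_not_doing_it_wrong() {
+$this->setExpectedIncorrectUsage( 'check_admin_referer' );
+// A valid nonce needs to be set so the check doesn't die()
+$_REQUEST['_wpnonce'] = wp_create_nonce( '-1' );
+$result = check_admin_referer( '-1' );
+$this->assertSame( 1, $result );
+
+unset( $_REQUEST['_wpnonce'] );
+}
+
 /**
 * @ticket 36361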
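Review bot: The new test at lines 168–176 calls `setExpectedIncorrectUsage( 'check_admin_referer' )` although its name says `not_doing_it_wrong`, and with the strict `-1 === $action` check this same changeset introduces in pluggable.php a string `'-1'` no longer matches the integer -1, so unless some other path raises the notice the expectation goes unmet and the test harness should report the missing notice as a failure. Either drop the `setExpectedIncorrectUsage` line so the test asserts what its name states (a string `'-1'` with a valid nonce passes without a notice), or rename the test if the notice is genuinely expected. The comment on line 170 would read better as `// A valid nonce must be present, otherwise check_admin_referer() calls wp_nonce_ays() and die()s.`, and a docblock with `@ticket`/`@covers` like the neighbouring tests would tie it to the fix. Note also that the `unset( $_REQUEST['_wpnonce'] )` cleanup only runs when the assertion passes; doing it in `tearDown()` would keep a failure from leaking the nonce into later tests.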