check for correct admin referer on delete entry (see #64)

2022-12-30 12:46:35 +01:00 · 2022-12-30 12:46:35 +01:00 · 516bdc173a
commit 516bdc173a
parent b6a185f90f
2 changed files with 18 additions and 4 deletions
--- a/admin/panels/entry/admin.entry.delete.php
+++ b/admin/panels/entry/admin.entry.delete.php
@ -45,6 +45,9 @@ class admin_entry_delete extends AdminPanelAction {
 	}

 	function ondelete() {
+		// at first: check if nonce was given correctly
+		check_admin_referer('admin_entry_delete');
+
 		$id = $_REQUEST ['entry'];
 		$ok = draft_delete($id) || entry_delete($id);

--- a/fp-includes/core/core.wp-pluggable-funcs.php
+++ b/fp-includes/core/core.wp-pluggable-funcs.php
@ -327,6 +327,15 @@ endif;

 if (!function_exists('wp_verify_nonce')) :

+	/**
+	 * Verifies the given nonce for the given action string.
+	 *
+	 * @param string $nonce
+	 *        	the nonce to verify
+	 * @param string $action
+	 *        	the action
+	 * @return boolean <code>true</code> if the nonce is valid; <code>false</code> otherwise
+	 */
 	function wp_verify_nonce($nonce, $action = -1) {
 		$user = user_get();
 		$uid = $user ['userid'];
@ -334,11 +343,13 @@ if (!function_exists('wp_verify_nonce')) :
 		// new nonce each 12 hours
 		$i = ceil(time() / (60 * 60 * 12));

-		// Allow for expanding range, but only do one check if we can
+		// The nonce we expect for the given action at the current time
 		$expectedNonce = substr(wp_hash($i . $action . $uid), -12, 10);
-		if ($expectedNonce == $nonce || substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce)
-			return true;
-		return false;
+		// The nonce we expect for the given action in the previous time period
+		$expectedPreviousNonce = substr(wp_hash(($i - 1) . $action . $uid), -12, 10);
+
+		// given nonce must match the current or the previous nonce
+		return $nonce == $expectedNonce || $nonce == $expectedPreviousNonce;
 	}
 endif;