
BuddyPress.org

Changeset 11507


Timestamp:
03/09/2017 06:58:18 PM
Author:
boonebgorges
Message:

Improve nonce checks for activity favoriting/unfavoriting.

[11449] introduced a case where inconsistent nonces could be sent in
subsequent AJAX requests.

Merge of [11498] to the 2.0 branch.

Props sbrajesh.

Location:
branches/2.0
Files:
2 edited

  • branches/2.0

    • Property svn:mergeinfo changed
      /trunk (added) merged: 11498
  • branches/2.0/bp-templates/bp-legacy/buddypress-functions.php

    r11458 r11507  
    924924        return;
    925925
    926     if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( wp_unslash( $_POST['nonce'] ), 'mark_favorite' ) ) {
     926    // Either the 'mark' or 'unmark' nonce is accepted, for backward compatibility.
     927    $nonce = wp_unslash( $_POST['nonce'] );
     928    if ( ! wp_verify_nonce( $nonce, 'mark_favorite' ) && ! wp_verify_nonce( $nonce, 'unmark_favorite' ) ) {
    927929        return;
    928930    }
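Review bot: the three added lines in the mark handler drop the `isset( $_POST['nonce'] )` guard that the removed line had, so a request that carries no nonce field now reads an undefined index in `wp_unslash( $_POST['nonce'] )` before `wp_verify_nonce()` rejects it. The request is still refused, since an empty string never verifies, but every such request raises a PHP notice. Suggest keeping the guard ahead of the unslash, e.g. `$nonce = isset( $_POST['nonce'] ) ? wp_unslash( $_POST['nonce'] ) : '';`. The comment should also state why accepting either action name is safe: a 'mark_favorite' nonce now authorizes unfavoriting and vice versa, which is tolerable because both are same-user toggles on the same item, but "for backward compatibility" alone does not record that reasoning.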
     
    947949        return;
    948950
    949     if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( wp_unslash( $_POST['nonce'] ), 'unmark_favorite' ) ) {
     951    // Either the 'mark' or 'unmark' nonce is accepted, for backward compatibility.
     952    $nonce = wp_unslash( $_POST['nonce'] );
     953    if ( ! wp_verify_nonce( $nonce, 'mark_favorite' ) && ! wp_verify_nonce( $nonce, 'unmark_favorite' ) ) {
    950954        return;
    951955    }
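Review bot: the three added lines in the unmark handler duplicate the block from the mark handler verbatim, including the same missing `isset()` guard, so any later change to the accepted action names or the guard has to be applied in two places. Suggest factoring the check into one helper that unslashes the posted nonce (defaulting to an empty string when absent) and returns whether it verifies against 'mark_favorite' or 'unmark_favorite', and calling it from both handlers.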