Timestamp:
07/27/2012 07:40:00 AM (12 years ago)
Author:
johnjamesjacoby
Message:

Port theme-side nonce-check function from bbPress.

File:
1 edited

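--- a/trunk/bp-core/bp-core-functions.php
+++ b/trunk/bp-core/bp-core-functions.php
@@ -1173,3 +1173,38 @@
 }
 
+/** Nonces ********************************************************************/
+
+/**
+ * Makes sure the user requested an action from another page on this site.
+ *
+ * To avoid security exploits within the theme.
+ *
+ * @since BuddyPress (1.6)
+ *
+ * @uses do_action() Calls 'bp_verify_nonce_request' on $action.
+ * @param string $action Action nonce
+ * @param string $query_arg where to look for nonce in $_REQUEST
+ */
+function bp_verify_nonce_request( $action = '', $query_arg = '_wpnonce' ) {
+
+	// Get the home URL
+	$home_url = strtolower( home_url() );
+
+	// Build the currently requested URL
+	$scheme        = is_ssl() ? 'https://' : 'http://';
+	$requested_url = strtolower( $scheme . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
+
+	// Check the nonce
+	$result = isset( $_REQUEST[$query_arg] ) ? wp_verify_nonce( $_REQUEST[$query_arg], $action ) : false;
+
+	// Nonce check failed
+	if ( empty( $result ) || empty( $action ) || ( strpos( $requested_url, $home_url ) !== 0 ) )
+		$result = false;
+
+	// Do extra things
+	do_action( 'bp_verify_nonce_request', $action, $result );
+
+	return $result;
+}
+
 ?>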
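Review bot: The origin check on the new line 1201 is only a string-prefix test, `strpos( $requested_url, $home_url ) !== 0`, and the string it tests is built on line 1195 from `$_SERVER['HTTP_HOST']`, a request-supplied value; a home URL without a trailing slash is therefore also a prefix of requested URLs whose host merely starts with the home host, so the check is weaker than the docblock's "from another page on this site" suggests. Compare the host component explicitly before the prefix test, e.g. `$home_host = parse_url( $home_url, PHP_URL_HOST );`, `$requested_host = parse_url( $requested_url, PHP_URL_HOST );` and add `|| ( $home_host !== $requested_host )` to the condition, so the result is false whenever the two hosts differ (the nonce itself is still bound to the user and action by `wp_verify_nonce`). Presumably `$_SERVER['HTTP_HOST']` and `REQUEST_URI` are always present here, but the function would emit notices under CLI or unusual SAPIs; reading them through `isset()`/`??`-style defaults would make that explicit. The docblock also lacks a return description; add `@return bool|int False on failure, otherwise the wp_verify_nonce() result (1 or 2).` so callers know to test with `=== false`.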