Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Extra protection in check_ajax_referer from mdawaffe. fixes #4939

git-svn-id: http://svn.automattic.com/wordpress/trunk@6138 1a063a9b-81f0-0310-95a4-ce76da25c4cd
  • Loading branch information...
commit 9eb6351d244417d89990809001221e09816dcbfd 1 parent 3ac0df5
ryan authored
Showing with 8 additions and 1 deletion.
  1. +8 −1 wp-includes/pluggable.php
View
9 wp-includes/pluggable.php
@@ -349,6 +349,12 @@ function check_admin_referer($action = -1) {
if ( !function_exists('check_ajax_referer') ) :
function check_ajax_referer() {
+ $current_name = '';
+ if ( ( $current = wp_get_current_user() ) && $current->ID )
+ $current_name = $current->data->user_login;
+ if ( !$current_name )
+ die('-1');
+
$cookie = explode('; ', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie
foreach ( $cookie as $tasty ) {
if ( false !== strpos($tasty, USER_COOKIE) )
@@ -356,7 +362,8 @@ function check_ajax_referer() {
if ( false !== strpos($tasty, PASS_COOKIE) )
$pass = substr(strstr($tasty, '='), 1);
}
- if ( !wp_login( $user, $pass, true ) )
+
+ if ( $current_name != $user || !wp_login( $user, $pass, true ) )
die('-1');
do_action('check_ajax_referer');
}

0 comments on commit 9eb6351

Please sign in to comment.
Something went wrong with that request. Please try again.