FTP_USER Fails "Security fix for save status via Ajax" introduced in 1.8.8

[toddkittredge]

See the details on the WP forum... http://wordpress.org/support/topic/ftp_user-fails-security-fix-for-save-status-via-ajax-introduced-in-188

[cfoellmann]

I am running into a problem using wp-config.php upgrade constants and the “Security fix for save status via Ajax” introduced in 1.8.8 (06/05/2013) in the following two methods...

public function save_active() {
        public function save_config() {

            //check_ajax_referer( 'wm_config-update', 'wp-maintenance-mode-nonce' );
            $nonce = $_POST['nonce'];
            if ( ! wp_verify_nonce( $nonce, 'wp-maintenance-mode-nonce' ) )
                wp_die( __( 'You are not authorised to perform this operation.' ) );

            if ( ! current_user_can( 'manage_options' ) )
                wp_die( __( 'You are not authorised to perform this operation.' ) );

Logged in as ‘administrator’, installs and upgrades succeed, but saving configuration settings fail; wp-maintenance-mode records are not created/updated in the wp-options table.

The configuration uses SSH with public/private keys and wp-config.php upgrade constants, where ‘FTP_USER’ is not defined as a user in WP...

/**
 * Upgrade constants (SSH connection information for 'automatic' updates/installs)
 */
define('FS_METHOD', 'ssh2');
define('FTP_PUBKEY','/home/user/.ssh/wordpress/id_rsa.pub');
define('FTP_PRIKEY','/home/user/.ssh/wordpress/id_rsa');
define('FTP_USER','user');
define('FTP_HOST','subdomain.domain.tld:port');

Not a problem in 1.8.7, fails in 1.8.8 and later.

For reference... https://www.serverstack.com/blog/2013/02/11/automatic-wordpress-updates-using-ftpftps-or-ssh/