WP-Members
[resolved] New nonce checks broke my site (2.8.1) (3 posts)

  1. David Anderson
    Member
    Posted 1 year ago #

    Hi,

    I updated to 2.8.1, and the nonce check on line 48 of wp-members/wp-members-register.php broke my site:

    check_admin_referer( 'wpmem-register' );

    This was being called by registrations invoked by the shortcode:

    [wp-members page="register"]

    This was on an ordinary page (of course!). But when visitors tried to register using it, they ended up having check_admin_referer called, and that check of course failed; see the comment upon check_admin_referer in wp-includes/pluggable.php:

    * Makes sure that a user was referred from another admin page

    David

    http://wordpress.org/extend/plugins/wp-members/

  2. Chad Butler
    Member
    Plugin Author

    Posted 1 year ago #

    I would start by asking if you are using a cache plugin? It is much more likely that would cause the problem with the nonce. Regardless of what the comment says in wp-includes/pluggable.php, a cursory review of the function's code would indicate that check_admin_referer (unless you are using an old version of WP) rarely would check the referrer but focuses on if the nonce itself is valid (which if you are serving a cached version of the page probably is not). It only checks the referring page if there is no result from wp_verify_nonce, and since a non-cached page would have a valid nonce, it would not check the referrer. See this post for more info.

    Now, that being said, yes check_admin_referer wasn't the right choice for this location and while I'm not sure how that slipped by the beta testing phase, it has been changed twofold in 2.8.2 (which is currently available as a beta release, release candidate 4).

    First, front-side nonces just use wp_verify_nonce to verify the nonce directly.

    Second, front-side nonces are an optional feature defaulting to not being used. The reason for the addition of nonces was to combat form spam. But this is something that doesn't affect the entire universe of users, so rather than use it by default, it can be optionally used in 2.8.2+ by defining the constant WPMEM_USE_NONCE as equal to 1. Otherwise, no nonce (on the front-side).
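As an added illustration of the 2.8.2 approach Chad describes (this is example code, not WP-Members' own source): the front-end check calls wp_verify_nonce directly instead of check_admin_referer, and runs only when WPMEM_USE_NONCE is defined as 1. The nonce field name wpmem_nonce and the wpmem_example_* function names are assumptions.

```php
<?php
// Added example, not WP-Members code. Demonstrates the 2.8.2 pattern from the thread:
// front-end nonces are verified with wp_verify_nonce() rather than check_admin_referer(),
// and only when WPMEM_USE_NONCE is defined as 1. Function and field names are hypothetical.

// Emit the nonce field inside the front-end registration form.
function wpmem_example_nonce_field() {
    if ( defined( 'WPMEM_USE_NONCE' ) && WPMEM_USE_NONCE == 1 ) {
        // Third argument false: skip the _wp_http_referer field. The referer is not
        // meaningful on a public page, and the token is what actually gets validated.
        wp_nonce_field( 'wpmem-register', 'wpmem_nonce', false );
    }
}

// Validate the submitted form. Returns true when the submission may proceed.
function wpmem_example_verify_registration() {
    if ( ! defined( 'WPMEM_USE_NONCE' ) || WPMEM_USE_NONCE != 1 ) {
        return true; // Opt-in feature; the default is no front-side nonce at all.
    }
    $nonce = isset( $_POST['wpmem_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpmem_nonce'] ) )
        : '';
    // wp_verify_nonce() returns 1 (first half of its lifetime), 2 (second half) or false.
    // Unlike check_admin_referer() it never redirects or calls wp_die(), so the form
    // handler decides how to report the failure to the visitor.
    $result = wp_verify_nonce( $nonce, 'wpmem-register' );
    if ( false === $result ) {
        // A stale token from a page cached longer than the nonce lifetime lands here,
        // as does a missing or forged one. Fail closed; the caller shows a message.
        return false;
    }
    return true;
}

// Usage in the registration handler:
// if ( ! wpmem_example_verify_registration() ) {
//     $errors[] = 'Security check failed. Please reload the form and try again.';
//     return;
// }
```

Because a WordPress nonce is only valid for 12 to 24 hours by default, a page cache that serves the registration form for longer than that will hand every visitor an expired token; excluding pages carrying the register shortcode from caching avoids the failure David hit.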

  3. David Anderson
    Member
    Posted 1 year ago #

    Ah yes - it was the caching. Thank you!

    Thank you,
    David

This topic has been closed to new replies.