

Make the screenshot delete action require a per-image specific nonce …
…value to avoid passing a generic non-screenshot post ID.

See #465
Clorith committed Jul 25, 2024
1 parent 89ccf6e commit ac8d8e1
Showing 2 changed files with 8 additions and 2 deletions.
5 changes: 4 additions & 1 deletion HealthCheck/class-health-check-screenshots.php
Expand Up @@ -60,7 +60,10 @@ public function delete_screenshot() {
}

// Validate nonces.
if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( $_GET['_wpnonce'], 'health-check-delete-screenshot' ) ) {
if ( ! isset( $_GET['_wpnonce'] ) ) {
return;
}
if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'health-check-delete-screenshot-' . absint( $_GET['health-check-delete-screenshot'] ) ) ) {
return;
}

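Review bot: The nonce action on line 27 is built from `absint( $_GET['health-check-delete-screenshot'] )`, and the deletion further down presumably reads that parameter a second time; computing it once, `$screenshot_id = absint( $_GET['health-check-delete-screenshot'] );` before the nonce check, and using `$screenshot_id` both in the action string and in the delete call keeps the ID the nonce was verified for identical to the one that is deleted. A per-ID nonce only proves the link was generated for that ID, so the server side should still confirm the post has the screenshot post type and that the current user is allowed to delete it before removing anything; neither check is visible in this hunk. `$_GET['_wpnonce']` is also handed to `wp_verify_nonce()` raw, where `sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) )` is the usual form. delete_screenshot() starts above the hunk and continues below it.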
5 changes: 4 additions & 1 deletion pages/screenshots.php
Expand Up @@ -91,7 +91,10 @@
),
admin_url( 'site-health.php' )
),
'health-check-delete-screenshot'
sprintf(
'health-check-delete-screenshot-%d',
$screenshot->ID
)
)
),
esc_html__( 'Delete screenshot', 'health-check' )
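Review bot: The format string `'health-check-delete-screenshot-%d'` on line 40 must stay byte-for-byte in sync with the `'health-check-delete-screenshot-'` prefix concatenated in class-health-check-screenshots.php, and nothing ties the two together. A shared class constant for the prefix, or a small static helper (e.g. a `delete_nonce_action( int $id ): string` method on the screenshots class) called from both the link builder here and the verifier, would prevent the two from drifting apart on a later rename. The enclosing call starts above the hunk.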

