-
-
Notifications
You must be signed in to change notification settings - Fork 461
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Processing nonce data without verification when checking $_GET #1878
Comments
Not sure why you cannot check for nonce before checking for that Have you checked wiki about this: https://github.com/WordPress/WordPress-Coding-Standards/wiki/Fixing-errors-for-input-data#nonces ? |
Because I am checking if it is EMPTY, which indicates that it is not bound to a specific submit action. Also there is no increase in security whatsoever by always checking for a nonce, when the $_GET data isn't used, it's just annoying. |
You can then just silence this by placing What is the context in which you are using the |
Ok, the issue is that the nonce check is way too broad. A nonce is only required if $_GET or $_POST data are used. When doing The reverse case I describe initially, there we can keep the nonce rule as it is, as I realised there are some possible cases where devs abuse this incorrectly, so we should still require nonce for !empty. |
I'm going to mark this issue as a duplicate of #737. I think this is the most relevant response in that ticket and it explains why the ticket is stagnant:
Ref: #737 (comment) |
Replied there #737 (comment) now to make it clear that these are 2 (actually 3) different things.
|
I get Processing form data without nonce verification error for code like:
For obvious reasons it is impossible to use a nonce here as I am checking if something does NOT exist.
Also for the reverse:No processing of the $_GET happens whatsoever, so there is no need to add a nonce here.The nonce requirement should be changed to NOT trigger if $_GET is checked with empty/isset
EDIT: the striked text is potentially unsafe, see #2217
The text was updated successfully, but these errors were encountered: