Security Error

  • moongear

    (@moongear)


    8 years ago

    With certain other third party plugins, the Better YOURLS plugin causes a “Security Error” on save_post and/or transition_post_status. This errors results due to an issue in class-better-yourls-actions.php.

    Starting at line #127, the evaluation of $_POST['better_yourls_nonce'] begins. The first part tests if $_POST['better_yourls_nonce'] is set but at the same time validates the nonce while being dependent on $_POST['better_yourls_nonce'].

    Because some third party plugins do not paint the YOURLS Meta Box, the better_yourls_nonce INPUT does not exist on those edit pages. When submitted, $_POST['better_yourls_nonce'] does not exist. Therefore, evaluating the nonce is futile. 

    // Make sure we are originating from the right place.
if (
! isset( $_POST['better_yourls_nonce'] ) || // WPCS: input var ok.
! wp_verify_nonce( $_POST['better_yourls_nonce'], 'better_yourls_save_post' ) // WPCS: input var ok. Sanitization ok.
) {
wp_die( esc_html__( 'Security Error', 'better-yourls' ) );
}

    What should happen is a test that $_POST['better_yourls_nonce'] is good then if it is evaluate the nonce (not both at the same time).

    Line #131 (wp_die( esc_html__( 'Security Error', 'better-yourls' ) );) should never be realized if the variable is simply not defined. Instead, it should gracefully return and do nothing else.

    • This topic was modified 8 years ago by moongear.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Andrew Norcross

    (@norcross)

    are we talking about the same plugin? mine isn’t called “Better YOURLS” and shouldn’t contain those strings.

    Thread Starter moongear

    (@moongear)

    Oh, you are correct. My apologies.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Security Error’ is closed to new replies.