• Resolved Jared Atchison

    (@jaredatch)


    After much debugging, here is what I have found.

    Hooking into admin_init and dumping $_GET, everything is correct. I believe because when I did this it was before the LS plugin was loaded.

    If I dump $_GET anywhere after that, say in the middle of the page, any variable that begins with an underscore is missing.

    This is problematic because that means the _wpnonce holder is gone, causing nonce verification/security check to fail. The variable still exists if checking $_REQUEST.

    It’s not exclusive to _wpnonce though.

    For example, this link https://domain.com/wp-admin/admin.php?page=wpforms-overview&action=duplicate&_foo=bar&form_id=625&_wpnonce=2a192a0d1b

    Checking $_GET during admin page output, both _wpnonce and _foo do not exist. Checking $_GET on admin_init, everything is correct. Deactivating the LiteSpeed Cache plugin resolves the issue.

    I also tried adding /wp-admin/admin.php to the Do Not Cache Rules but that didn’t seem to help.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author LiteSpeed Technologies

    (@litespeedtech)

    Hi Jared,

    I am not sure about the other _GET members, but I think I have an idea as to where _wpnonce is removed.

    In litespeed-cache/admin/class-litespeed-ccache-admin.php, there is a function add_quick_purge(). Try replacing $_GET with a new variable.

    Chunk to replace and the replacement are listed below.

    Kevin

    Original bit:

    
    		if (!empty($_GET)) {
    			if (isset($_GET['LSCWP_CTRL'])) {
    				unset($_GET['LSCWP_CTRL']);
    			}
    			if (isset($_GET['_wpnonce'])) {
    				unset($_GET['_wpnonce']);
    			}
    			if (!empty($_GET)) {
    				$prefix .= http_build_query($_GET) . '&';
    			}
    		}
    

    Replacement bit:

    
    		if (!empty($_GET)) {
    			if (isset($_GET['LSCWP_CTRL'])) {
    				unset($_GET['LSCWP_CTRL']);
    			}
    			if (isset($_GET['_wpnonce'])) {
    				unset($_GET['_wpnonce']);
    			}
    			if (!empty($_GET)) {
    				$prefix .= http_build_query($_GET) . '&';
    			}
    		}
    
    Plugin Author LiteSpeed Technologies

    (@litespeedtech)

    Apologies, apparently my replacement bit did not actually contain the replacement bit.
    Replacement bit:

    
    		$params = $_GET;
    
    		if (!empty($params)) {
    			if (isset($params['LSCWP_CTRL'])) {
    				unset($params['LSCWP_CTRL']);
    			}
    			if (isset($params['_wpnonce'])) {
    				unset($params['_wpnonce']);
    			}
    			if (!empty($params)) {
    				$prefix .= http_build_query($params) . '&';
    			}
    		}
    
    Thread Starter Jared Atchison

    (@jaredatch)

    Appreciate the quick response.

    Changing it so that $_GET is not directly modified fixes the issue.

    So should be good to include in the next update!

    Plugin Author LiteSpeed Technologies

    (@litespeedtech)

    Good to know that it works!

    Yes, it will be in the next release, thank you.

    Cheers,
    Kevin

  • The topic ‘Stripping certain $_GET vars’ is closed to new replies.
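
The difference between the original chunk and the working replacement in this thread, as an added example that is not part of the original posts or the plugin's own code: it runs both variants against the query string from the URL in the first post and reports whether `_wpnonce` is still readable from `$_GET` afterwards. The function names, `SAMPLE_QUERY` and `nonce_present()` are hypothetical and exist only for this illustration.

```php
<?php
// Constructed sample: the query string from the URL quoted in the first post.
const SAMPLE_QUERY = 'page=wpforms-overview&action=duplicate&_foo=bar&form_id=625&_wpnonce=2a192a0d1b';

// Before: same logic as the original chunk. unset() operates on the
// superglobal itself, so the keys are gone for every later reader.
function prefix_mutating(): string {
    $prefix = '';
    if (!empty($_GET)) {
        unset($_GET['LSCWP_CTRL'], $_GET['_wpnonce']);
        if (!empty($_GET)) {
            $prefix .= http_build_query($_GET) . '&';
        }
    }
    return $prefix;
}

// After: PHP assigns arrays by value, so $params is a private copy and
// removing keys from it leaves $_GET untouched.
function prefix_copy(): string {
    $prefix = '';
    $params = $_GET;
    unset($params['LSCWP_CTRL'], $params['_wpnonce']);
    if (!empty($params)) {
        $prefix .= http_build_query($params) . '&';
    }
    return $prefix;
}

// Hypothetical stand-in for a later admin handler. Real WordPress code
// would pass the value on to wp_verify_nonce() or check_admin_referer().
function nonce_present(): bool {
    return isset($_GET['_wpnonce']) && $_GET['_wpnonce'] !== '';
}

foreach (['prefix_copy', 'prefix_mutating'] as $builder) {
    parse_str(SAMPLE_QUERY, $_GET);   // simulate a fresh request
    $prefix = $builder();
    printf("%-16s prefix=%s\n  _wpnonce still in \$_GET: %s\n",
        $builder, $prefix, nonce_present() ? 'yes' : 'no');
}
```

Both variants build the same prefix; only the mutating one leaves later code without a nonce to verify, which is the failed security check reported in the first post.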