
Mark on WordPress

Authorization and intention/origination verification when using the edit_post hook

Posted in 2.1, Jerome's Keywords, UTW, authorization, custom fields, edit_post, intention, nonce, postmeta, wordpress by Mark Jaquith on January 28th, 2007

There have been reports of plugins that have started erasing their managed Custom Fields upon actions like comment submission. UTW was bitten, as was Jerome’s Keywords and some other plugins that use custom fields.

The problem was brought to light with the release of WordPress 2.1, but circumstances exist in older WP versions that would trigger these issues in some plugins.

The plugins are doing this:

1. A plugin inserts a special form field into the post edit form.
2. The plugin monitors the form field by hooking into edit_post.
3. When the form value is empty or doesn’t exist, the plugin assumes the user deleted what was in it, and proceeds to delete all the custom values the plugin had stored for that post.

The issue occurs because the plugins assume that every time edit_post is triggered, their inserted form field will be included in $_POST. This isn’t the case. edit_post is called for requests that do not originate from the post edit form and for requests that are not initiated by a privileged user. Comment submission in WordPress 2.1 is one of these cases. Editing of a post in 2.1 (and earlier versions) via XML-RPC is another case.

Plugins cannot assume that the absence of a POST field means that POST field existed in an empty state, and plugins cannot assume that all calls to edit_post are performed by privileged users.

Here are the two things that plugins must do:

1. Verify that the user performing the action is authorized to perform the action by using the current_user_can() function or its siblings.
2. Verify the intention of the user and the origination of the request by embedding a hidden form field with a nonce value, along with your usual custom field.

Here is an example:

function your_form_hook() {
        // attribute_escape() (esc_attr() in later WordPress) keeps a stored postmeta value
        // from breaking out of the value attribute
        echo '<input type="text" name="your-plugin" id="your-plugin"
                        value="' . attribute_escape( your_get_value() ) . '" />
                <input type="hidden" name="your-plugin-verify-key" id="your-plugin-verify-key"
                        value="' . wp_create_nonce('your-plugin') . '" />';
}

add_action('edit_form_advanced', 'your_form_hook');

function your_edit_post_hook($post_id) {
        // authorization: may this user edit this particular post at all?
        if ( !current_user_can('edit_post', $post_id) )
                return $post_id;
        // origination and intention: the nonce field is absent on comment submission
        // and XML-RPC requests, so check that it exists before verifying it
        if ( !isset($_POST['your-plugin-verify-key'])
                        || !wp_verify_nonce($_POST['your-plugin-verify-key'], 'your-plugin') )
                return $post_id;
        your_update($post_id); // do the actual update here
        return $post_id;
}

add_action('edit_post', 'your_edit_post_hook');

This is a post aimed at plugin authors, so I’d appreciate it if we could save the comment space below for plugin authors who have questions about this topic. If a particular plugin you’re using is erasing Custom Fields, please contact its author directly.

Note: I’ve mentioned the edit_post hook, but there are other similar hooks that the above also applies to. publish_post and save_post are two that come to mind.
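As an added illustration (not code from the original post or from any of the plugins it names), here is the data-erasing pattern described above beside a hardened version that applies both checks. The meta key 'my_keywords', the form field 'my-keywords', the nonce field 'my-keywords-nonce' and the nonce action 'my-keywords-save' are made-up names, and esc_attr() stands in for the attribute_escape() mentioned in the comments below.

```php
<?php
// Added example (not from the original post). Names are hypothetical: 'my_keywords' meta key,
// 'my-keywords' form field, 'my-keywords-nonce' hidden field, 'my-keywords-save' nonce action.

// BEFORE: the pattern that erases data. edit_post also fires on comment submission
// and XML-RPC edits, where $_POST['my-keywords'] simply does not exist.
function buggy_edit_post_hook($post_id) {
    $keywords = isset($_POST['my-keywords']) ? trim($_POST['my-keywords']) : '';
    if ($keywords === '') {
        delete_post_meta($post_id, 'my_keywords'); // "absent" mistaken for "user cleared it"
        return $post_id;
    }
    update_post_meta($post_id, 'my_keywords', $keywords);
    return $post_id;
}

// AFTER: render the field together with a nonce tied to this plugin's action.
function fixed_form_hook() {
    global $post;
    $current = get_post_meta($post->ID, 'my_keywords', true);
    // esc_attr() (attribute_escape() in 2007-era WordPress) keeps stored data inside the attribute.
    echo '<input type="text" name="my-keywords" id="my-keywords" value="' . esc_attr($current) . '" />';
    wp_nonce_field('my-keywords-save', 'my-keywords-nonce'); // hidden field built with wp_create_nonce()
}

function fixed_edit_post_hook($post_id) {
    // Authorization: can this user edit this particular post?
    if (!current_user_can('edit_post', $post_id)) {
        return $post_id;
    }
    // Origination and intention: no valid nonce means this request did not come from
    // our edit form (comment submission, XML-RPC, ...), so leave the meta untouched.
    if (!isset($_POST['my-keywords-nonce'])
        || !wp_verify_nonce($_POST['my-keywords-nonce'], 'my-keywords-save')) {
        return $post_id;
    }
    // Only now does an empty field mean the user intentionally cleared it.
    // WordPress slash-escapes $_POST, hence stripslashes() before storing.
    $keywords = isset($_POST['my-keywords']) ? trim(stripslashes($_POST['my-keywords'])) : '';
    if ($keywords === '') {
        delete_post_meta($post_id, 'my_keywords');
    } else {
        update_post_meta($post_id, 'my_keywords', $keywords);
    }
    return $post_id;
}

add_action('edit_form_advanced', 'fixed_form_hook');
add_action('edit_post', 'fixed_edit_post_hook');
```

The same two checks belong in handlers for publish_post and save_post, since those hooks fire on the same kinds of requests.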

32 Responses to 'Authorization and intention/origination verification when using the edit_post hook'


[...] Mark explained the reason on his blog. In fact, this problem is not only in WordPress 2.1 [...]

Lloyd Budd said, on January 28th, 2007 at 9:47 am

Wow, well presented complex scenario!

Tech Projects » Upgraded to WP 2.1 said, on January 28th, 2007 at 2:00 pm

[...] 5. Ultimate Tag Warrior - There apparently is a bug with this plugin and WP 2.1. Adding a comment and approving it removes any tags from a post. I have not attempted to fix this, but it looks like Mark Jaquith has already found the issue. [...]

Joshua said, on January 28th, 2007 at 5:03 pm

What’s your_get_value() supposed to return?

Joshua said, on January 28th, 2007 at 6:23 pm

OK, I guess your_get_value() was just an example of the plugin functionality. I thought it was part of the verification model.

Mark Jaquith said, on January 28th, 2007 at 7:37 pm

Joshua,

Yes, all your_*() functions are user functions. For security reasons, when presenting a value in an HTML value attribute, you’d do something like running attribute_escape() on a postmeta value.

Jamie Talbot said, on January 29th, 2007 at 9:34 am

Hi Mark,

So is there no way to pass extra form data using the XML-RPC API? I’m the author of Gengo, a multilingual plugin, and a number of people have expressed a wish to blog in multiple languages using the remote API. At the moment, because of the situation you describe above, the best I can do is set each remotely posted article as being written in the default language… Not a disaster, but not awesome… Though come to think of it, do you know of any remote authoring editors that can even send custom fields?

Anyway, nice to get official confirmation of this - thought I was going nuts!

Cheers,

[...] where some other people also were facing the same problem. With a little more digging I found an excellent explanation by Mark, where he describes the exact problem and also the solution. I am not going to explain the problem [...]

[...] these old versions suffer from the empties custom fields problem. Don’t use them with [...]

[...] describes in his article “Authorization and intention/origination verification when using the edit_post hook” what plugin authors, when adapting and programming new plugins for WordPress 2.1 [...]

Bunny’s Technorati Tags « 77click said, on February 4th, 2007 at 4:57 am

[...] (and not only those, in some cases) releases of WordPress cause the annoying empty custom fields problem, in practice the effect described above. To get rid of the bug, it was enough to download from the site of [...]

Michael Woehrer said, on February 5th, 2007 at 3:29 pm

Many thanks for this post! Yesterday I’ve released a tagging plugin which is based on Jerome’s Keywords (see Simple Tagging Plugin) and a user has reported about the issue of removing all tags when editing comments under WP 2.1. Now I’ve implemented your suggestion and it works like a charm :-)

[...] WordPress Plugins Need to Fix Custom Fields: Mark Jaquith announced a problem with older WordPress Plugins regarding the edit_post hook. This causes a conflict with WordPress Plugins which use the Custom [...]

[...] Mark Jaquith shifts the discussion to the problems that some plugins such as Ultimate Tag Warrior and Jerome’s Keywords can create with the new version. [...]

[...] Technical (in English) and a solution with examples: Here. Luckily Sudar solved the problem for the specific plugin Bunny’s [...]

[...] Since the edit_post hook is called from all over the place, I’ve associated a nonce with the checkbox that the user fills out for the miniposts. That allows the plugin to tell the difference between a legitimate change request, and a random one triggered by the promiscuous edit_post hook. That approach was suggested by Mark Jaquith. [...]

Post Avatar 1.2.2 - Garinungkadol said, on February 12th, 2007 at 5:08 am

[...] when used in WordPress 2.1 - posting comments caused a post’s avatar to disappear. Thanks to Mark Jaquith’s post, I’ve identified and fixed (yay!) the [...]

[...] the plugin Jerome’s Keywords 2.0-beta3 has problems that lead to the loss of the tags set for articles if it is used in combination with [...]

[...] as I had written previously, the plugin Jerome’s Keywords 2.0-beta3 has known problems that lead to the loss of the tags set for articles if it is used in [...]

Solution to my problem « binarymoon said, on March 24th, 2007 at 8:15 am

[...] problem but today I noticed it had happened again so I went searching and, thanks to Mark Jaquith, have now got the answer: The issue occurs because the plugins assume that every time edit_post is triggered, their inserted [...]

Leonid Mamchenkov said, on June 23rd, 2007 at 9:32 am

Sorry for an off-topic question, but can you please let me know which technique did you use to post the code snippet in this post? I’ve been struggling with WordPress.com’s posting thing which kills indentation, converts brackets, and does all sorts of other nasty things to code.

TIA.

Mark Jaquith said, on June 26th, 2007 at 12:58 am

Leonid,

I used <pre> and then manually encoded my entities, like &lt; for < and &gt; for >. See also &quot; for ". There are probably online tools that can do this for you.

Leonid Mamchenkov said, on August 8th, 2007 at 9:03 pm

Mark,

thanks. I think I’ll stay with editor screenshots for my WordPress Bits for a little while longer. It’s ugly, but it works. :)

Vysnu » MiniPosts fix said, on August 10th, 2007 at 2:31 pm

[...] (or maybe will never) here’s the fix. Took me around a half hour of hacking. Thanks to this excellent guide. [The problem was every time somebody commented I lost the ‘mini-postiness’ of the [...]


Alekos said, on January 3rd, 2008 at 12:11 am

interesting

Odysseus said, on January 21st, 2008 at 10:21 pm

Sorry :(

Travel Planner said, on April 7th, 2008 at 2:55 am

Useful indeed, I’ll check this out…

Thanks for the tip :)
