WordPress Snippet

Let's customize WordPress

Are you sure you want to do this? Please try again.

While working in the WordPress admin screen, you may occasionally run into the message

"Are you sure you want to do this?
 Please try again."

which sounds as if you have just broken something.

This message is displayed when $_REQUEST['_wp_http_referer'] or $_SERVER['HTTP_REFERER'] could not be obtained.

The PHP manual describes HTTP_REFERER as follows: "The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted."

_wp_http_referer is set from $_SERVER['REQUEST_URI'] at the time wp_nonce_field() is output.
Normally this value is used, but if it is empty, $_SERVER['HTTP_REFERER'] is used instead.


/**
 * Display "Are You Sure" message to confirm the action being taken.
 *
 * If the action has the nonce explain message, then it will be displayed along
 * with the "Are you sure?" message.
 *
 * @package WordPress
 * @subpackage Security
 * @since 2.0.4
 *
 * @param string $action The nonce action.
 */
function wp_nonce_ays( $action ) {
	$title = __( 'WordPress Failure Notice' );
	if ( 'log-out' == $action ) {
		$html  = sprintf( __( 'You are attempting to log out of %s' ), get_bloginfo( 'name' ) ) . '<p>';
		$html .= sprintf( __( "Do you really want to <a href='%s'>log out</a>?" ), wp_logout_url() );
	} else {
		$html = __( 'Are you sure you want to do this?' );
		// The "Please try again" link is only added when a referer is available.
		if ( wp_get_referer() )
			$html .= "</p><p><a href='" . esc_url( remove_query_arg( 'updated', wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";
	}

	wp_die( $html, $title, array( 'response' => 403 ) );
}

if ( !function_exists('check_admin_referer') ) :
/**
 * Makes sure that a user was referred from another admin page.
 *
 * To avoid security exploits.
 *
 * @since 1.2.0
 * @uses do_action() Calls 'check_admin_referer' on $action.
 *
 * @param string $action Action nonce
 * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
 */
function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
	if ( -1 == $action )
		_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2' );

	$adminurl = strtolower( admin_url() );
	$referer  = strtolower( wp_get_referer() );
	$result   = isset( $_REQUEST[ $query_arg ] ) ? wp_verify_nonce( $_REQUEST[ $query_arg ], $action ) : false;
	// Only the deprecated default action (-1) falls back to a referer prefix check.
	if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
		wp_nonce_ays( $action );
		die();
	}
	do_action( 'check_admin_referer', $action, $result );
	return $result;
}
endif;

/**
 * Retrieve referer from '_wp_http_referer' or HTTP referer. If it's the same
 * as the current request URL, will return false.
 *
 * @package WordPress
 * @subpackage Security
 * @since 2.0.4
 *
 * @return string|bool False on failure. Referer URL on success.
 */
function wp_get_referer() {
	$ref = false;
	// The hidden form field takes precedence over the (untrusted) HTTP header.
	if ( ! empty( $_REQUEST['_wp_http_referer'] ) )
		$ref = $_REQUEST['_wp_http_referer'];
	else if ( ! empty( $_SERVER['HTTP_REFERER'] ) )
		$ref = $_SERVER['HTTP_REFERER'];

	if ( $ref && $ref !== $_SERVER['REQUEST_URI'] )
		return $ref;
	return false;
}

/**
 * Retrieve or display nonce hidden field for forms.
 *
 * The nonce field is used to validate that the contents of the form came from
 * the location on the current site and not somewhere else. The nonce does not
 * offer absolute protection, but should protect against most cases. It is very
 * important to use nonce field in forms.
 *
 * The $action and $name are optional, but if you want to have better security,
 * it is strongly suggested to set those two parameters. It is easier to just
 * call the function without any parameters, because validation of the nonce
 * doesn't require any parameters, but since crackers know what the default is
 * it won't be difficult for them to find a way around your nonce and cause
 * damage.
 *
 * The input name will be whatever $name value you gave. The input value will be
 * the nonce creation value.
 *
 * @package WordPress
 * @subpackage Security
 * @since 2.0.4
 *
 * @param string $action Optional. Action name.
 * @param string $name Optional. Nonce name.
 * @param bool $referer Optional, default true. Whether to set the referer field for validation.
 * @param bool $echo Optional, default true. Whether to display or return hidden form field.
 * @return string Nonce field.
 */
function wp_nonce_field( $action = -1, $name = "_wpnonce", $referer = true, $echo = true ) {
	$name        = esc_attr( $name );
	$nonce_field = '<input type="hidden" id="' . $name . '" name="' . $name . '" value="' . wp_create_nonce( $action ) . '" />';

	if ( $referer )
		$nonce_field .= wp_referer_field( false );

	if ( $echo )
		echo $nonce_field;

	return $nonce_field;
}

/**
 * Retrieve or display referer hidden field for forms.
 *
 * The referer link is the current Request URI from the server super global. The
 * input name is '_wp_http_referer', in case you wanted to check manually.
 *
 * @package WordPress
 * @subpackage Security
 * @since 2.0.4
 *
 * @param bool $echo Whether to echo or return the referer field.
 * @return string Referer field.
 */
function wp_referer_field( $echo = true ) {
	$ref           = esc_attr( $_SERVER['REQUEST_URI'] );
	$referer_field = '<input type="hidden" name="_wp_http_referer" value="' . $ref . '" />';

	if ( $echo )
		echo $referer_field;
	return $referer_field;
}
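The following is an added example, not part of this post or of WordPress core, that ties the pieces above together from a plugin author's side: the explanation of how `_wp_http_referer` is filled from `$_SERVER['REQUEST_URI']` when the nonce field is output, and the `wp_nonce_field()` doc comment's advice to pass an explicit action and field name instead of the defaults. The plugin name, the option name `nrd_greeting`, the nonce action `nrd_save_greeting`, the field name `_nrd_nonce`, the `admin_post_nrd_save` hook name and the menu slug `nrd-demo` are all made up for this example; the WordPress functions called (`add_options_page`, `wp_nonce_field`, `check_admin_referer`, `wp_safe_redirect`, `submit_button`, and so on) are real core APIs.

```php
<?php
/**
 * Plugin Name: Nonce Referer Demo (added example, not WordPress core code)
 *
 * Shows the two halves that decide whether the "Are you sure you want to do
 * this?" screen appears: wp_nonce_field() on the form side and
 * check_admin_referer() on the handler side, both using an explicit action
 * and field name rather than the defaults (-1 and '_wpnonce').
 */

// Hypothetical names used only by this example.
const NRD_OPTION = 'nrd_greeting';      // option written by the form
const NRD_ACTION = 'nrd_save_greeting'; // nonce action
const NRD_FIELD  = '_nrd_nonce';        // nonce field name (core default is '_wpnonce')

add_action( 'admin_menu', 'nrd_register_page' );
function nrd_register_page() {
	add_options_page( 'Nonce Demo', 'Nonce Demo', 'manage_options', 'nrd-demo', 'nrd_render_page' );
}

function nrd_render_page() {
	$value = get_option( NRD_OPTION, '' );
	?>
	<div class="wrap">
		<h1>Nonce Demo</h1>
		<?php if ( isset( $_GET['updated'] ) ) : ?>
			<div class="notice notice-success"><p>Saved.</p></div>
		<?php endif; ?>
		<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
			<?php
			// Emits the nonce input (name="_nrd_nonce") followed by the
			// _wp_http_referer input built from $_SERVER['REQUEST_URI'], i.e.
			// this settings page. On failure, wp_get_referer() reads that field
			// back to build the "Please try again" link.
			wp_nonce_field( NRD_ACTION, NRD_FIELD );
			?>
			<input type="hidden" name="action" value="nrd_save" />
			<label>Greeting
				<input type="text" name="greeting" value="<?php echo esc_attr( $value ); ?>" />
			</label>
			<?php submit_button( 'Save' ); ?>
		</form>
	</div>
	<?php
}

add_action( 'admin_post_nrd_save', 'nrd_handle_save' );
function nrd_handle_save() {
	// Capability check first: a valid nonce proves intent, not authorization.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
	}

	// Same action and field name as the form. A missing, expired or
	// mismatched nonce ends in wp_nonce_ays(): the user sees
	// "Are you sure you want to do this?" and, because _wp_http_referer was
	// submitted with the form, a "Please try again" link back to the page.
	check_admin_referer( NRD_ACTION, NRD_FIELD );

	$greeting = isset( $_POST['greeting'] ) ? sanitize_text_field( wp_unslash( $_POST['greeting'] ) ) : '';
	update_option( NRD_OPTION, $greeting );

	// wp_nonce_ays() strips 'updated' from the referer, so a later failure
	// does not carry a stale success notice back to the form.
	wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=nrd-demo' ) ) );
	exit;
}
```

Two design points worth noting. First, the action string is what binds the nonce to this particular form: passing the default `-1` would make the same nonce verify for every handler that also uses the default, which is exactly the weakness the `wp_nonce_field()` doc comment warns about, and `check_admin_referer()` now reports it through `_doing_it_wrong()`. Second, a nonce proves that the request came through a form WordPress issued to this user within the nonce lifetime (24 hours by default); it does not prove the user is allowed to perform the action, which is why the `current_user_can()` check is separate and comes first.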