WordPress-Coding-Standards icon indicating copy to clipboard operation
WordPress-Coding-Standards copied to clipboard

Published 20 hours ago verified publisher icon WordPress

NonceVerification overzealous ?

Open jrfnl opened this issue 8 years ago • 4 comments

The following snippet of code triggers the WordPress.CSRF.NonceVerification sniff.

if ( ! isset( $_POST['field'] ) ) {
	// Do something (not using the post variable).
}

As this is checking whether a variable is not set, I believe that the error is thrown erroneously.

Opinions ?

jrfnl avatar Dec 23 '16 01:12 jrfnl

Related #572

jrfnl avatar Dec 23 '16 03:12 jrfnl

Yeah, I agree. We should only start flagging accessing input vars once the value is being used. An isset() or empty() call shouldn't qualify as “using”.

westonruter avatar Dec 23 '16 05:12 westonruter

In this case, because you are checking that the value is not set, the sniff may be a bit overzealous. However, I wouldn't favor making it ignore all isset() and empty() checks. Even if no submitted values are being used, the fact that user input is being checked at all indicates that a user action is being reacted to, and thus CSRF protection is likely still needed.

JDGrimes avatar Dec 23 '16 16:12 JDGrimes

Even if no submitted values are being used, the fact that user input is being checked at all indicates that a user action is being reacted to

This is only true if you check that something exists. When checking that something does NOT exist, it makes no sense:

if ( empty( $_GET['author'] ) ) {    
    echo 'This is not an author page';
    exit;
}

In fact it's impossible to check for a nonce on something that does NOT exist.

kkmuffme avatar Jul 11 '23 13:07 kkmuffme