thomasbf (@thomasbf)

Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)

  • thomasbf


    Was offline for a week and finally found some time to give it a try. I used the coding below to use HTTP_X_FORWARDED_HOST if it’s provided for function bhp_verify_nonce_request, so I do not skip any checks this way.

    function bbp_verify_nonce_request( $action = '', $query_arg = '_wpnonce' ) {

    // Get the home URL
    $home_url = strtolower( home_url() );

    // Build the currently requested URL
    $scheme = is_ssl() ? 'https://' : 'http://';
    $requested_url = strtolower( $scheme . $request_host . $_SERVER['REQUEST_URI'] );

    // Check the nonce
    $result = isset( $_REQUEST[$query_arg] ) ? wp_verify_nonce( $_REQUEST[$query_arg], $action ) : false;

    // Nonce check failed
    if ( empty( $result ) || empty( $action ) || ( strpos( $requested_url, $home_url ) !== 0 ) )
    $result = false;

    // Do extra things
    do_action( 'bbp_verify_nonce_request', $action, $result );

    return $result;



    Thanks so much for your kind advice.
    Solving it on the proxy host as proposed by @zaerl is most likely the best way, however reverse proxy is running on a shared web hoster system, and I just have a web-Interface to enter the forward address. I’ll check, but maybe it’s not possible to apply the parameters suggested by @zaerl.
    Maybe there is a chance HTTP_X_FORWARDED_HOST is set, then I could use
    something like this(??):


    (sorry if this is wrong syntax, but I don’t know PHP)
    I’ll have a look at 2.2 once it ‘s released. Maybe this also helpful.
    BTW: Is a nonce check not usually using a cryptographic hash (token). I wonder here you just check HTTP-Header attributes?Is this a strong check?

Viewing 2 replies - 1 through 2 (of 2 total)