[wp-hackers] Rethinking check_admin_referer()

Owen Winkler ringmaster at midnightcircus.com
Tue Apr 18 11:18:09 GMT 2006


Mark Jaquith wrote:
> Okay, so more than just an annoyance for people who aren't sending HTTP 
> referrers.  Using a key solves this, by locking things down to the 
> blog/user/action/object level.  I don't see the point of using a 
> nonce... if you can intercept the key, you have already compromised the 
> blog.  In addition, the use of nonces would create a DB write on every 
> access of a wp-admin <form>... not exactly ideal.

When I used the term "nonce" before, it's not necessarily the true 
meaning.  I meant what you're saying here: One key per user per action.

The main idea is that you *don't* want to store the generated key 
anywhere, because that requires an expensive write operation.

It might also be possible to cause these keys to time out, so even if 
they were obtained once, there would be a limited opportunity to use them.

Owen
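The stateless, time-limited key described above, as an added illustration in Python (not WordPress code and not from anyone in this thread): the key is an HMAC over the time window, user, action and object, so nothing is written to the database and verification is a recomputation; accepting the previous window as well gives each key a bounded lifetime. The secret, the 12-hour window and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed secret for this illustration only; a deployment would load a
# per-site secret from configuration rather than a literal in code.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

# Keys roll over every 12 hours (assumed window). Verification also accepts
# the previous window, so a key stays valid between 12 and 24 hours.
TICK_SECONDS = 12 * 60 * 60


def nonce_tick(now=None):
    """Current 12-hour window number, the only time input to the key."""
    now = time.time() if now is None else now
    return int(now // TICK_SECONDS)


def create_nonce(user_id, action, object_id="", now=None):
    """Derive a key from (window, user, action, object) without storing it.

    The same inputs always recompute the same key, so checking a submitted
    key is a recomputation rather than a database lookup or write.
    """
    message = f"{nonce_tick(now)}|{user_id}|{action}|{object_id}".encode()
    digest = hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()
    return digest[:16]  # truncated so the hidden form field stays short


def verify_nonce(nonce, user_id, action, object_id="", now=None):
    """Return 1 if the key is from the current window, 2 if from the
    previous window, and 0 if it matches neither (expired, forged, or
    issued for a different user, action or object)."""
    now = time.time() if now is None else now
    for age, candidate_time in ((1, now), (2, now - TICK_SECONDS)):
        expected = create_nonce(user_id, action, object_id, candidate_time)
        # Constant-time comparison avoids leaking the key through timing.
        if hmac.compare_digest(nonce, expected):
            return age
    return 0
```

A form would embed `create_nonce(user, "delete-post", post_id)` in a hidden field and the handler would reject the request when `verify_nonce` returns 0.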
