[wp-hackers] Moved from BlogWare to WordPress - Need Help

Sean Hickey seanhickey at gmail.com
Sat May 20 10:23:36 GMT 2006


> There is no referer check that I can see. Your plugin directly UPDATEs
> the database instead of calling wp_update_post().

Paul,
  I stopped doing referer checks a long time ago because they are
pretty much pointless. :) The referring URL is so easily faked that
it's not even worth checking.  Especially with Firefox extensions like
RefControl.

  Not using wp_update_post() doesn't seem like a *security* risk to
me, it's just avoiding some code that makes sure the post is well
formatted.  I chose not to use it because it seems a bit like using a
sledgehammer to kill a fly.  I want to keep the plugin as "peppy" as
possible, which means as little code as possible.

  Anyway, I'm always open to suggestions.  Security is certainly
something I've given thought to with this plugin, since it has the
potential to expose the internals of a person's blog right there on
the front page.

BTW: Does WP even check for referers in its own code?  I've submitted
comments to people's blogs using telnet from my home computer.

- Sean
-- 
http://www.headzoo.com
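The message above argues that a Referer check buys nothing because the header is client-supplied. The following is an added example, not code from this thread, from Sean's plugin, or from WordPress: it puts a Referer check beside a keyed, per-user, expiring action token of the kind that does not depend on any header the browser chooses to send. The function names (referer_check, make_action_token, verify_action_token), the secret and the timestamp are this example's own assumptions, not WordPress API.

```php
<?php
// Added example: contrasting a Referer check with a server-keyed action
// token. Nothing here is WordPress code; every name is assumed for the demo.

// Hypothetical server secret; a real deployment would load it from config.
$server_secret = 'replace-with-a-long-random-secret';

// The weak check. The Referer header is whatever the client sends, so this
// only proves the sender claimed to come from $site_host, nothing more.
function referer_check(array $headers, string $site_host): bool {
    $ref  = $headers['Referer'] ?? '';
    $host = parse_url($ref, PHP_URL_HOST);
    return $host === $site_host;
}

// Token layout: "<user_id>|<action>|<expires>|<hmac>". The HMAC covers the
// first three fields under the server secret, so a client cannot mint one,
// cannot reuse another user's, cannot move it to another action, and it
// stops working after $ttl seconds. '|' is the separator, so actions must
// not contain it.
function make_action_token(string $secret, int $user_id, string $action,
                           int $now, int $ttl = 3600): string {
    $expires = $now + $ttl;
    $payload = "$user_id|$action|$expires";
    $mac     = hash_hmac('sha256', $payload, $secret);
    return "$payload|$mac";
}

function verify_action_token(string $secret, string $token, int $user_id,
                             string $action, int $now): bool {
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return false;
    }
    [$tok_user, $tok_action, $tok_expires, $tok_mac] = $parts;
    // Bound to the user and the specific action.
    if ((int)$tok_user !== $user_id || $tok_action !== $action) {
        return false;
    }
    // Reject malformed or expired tokens before doing any crypto.
    if (!ctype_digit($tok_expires) || (int)$tok_expires < $now) {
        return false;
    }
    $expected = hash_hmac('sha256', "$tok_user|$tok_action|$tok_expires", $secret);
    // Constant-time comparison so timing does not leak the MAC.
    return hash_equals($expected, $tok_mac);
}

// Constructed requests for the demonstration.
$headers_claiming_local_origin = ['Referer' => 'http://example.com/wp-admin/'];
echo referer_check($headers_claiming_local_origin, 'example.com')
    ? "referer check: passed (header was simply asserted by the client)\n"
    : "referer check: failed\n";

$now   = 1148120616; // constructed timestamp
$token = make_action_token($server_secret, 7, 'update-post-42', $now);

var_dump(verify_action_token($server_secret, $token, 7, 'update-post-42', $now + 60));   // bool(true)
var_dump(verify_action_token($server_secret, $token, 7, 'update-post-43', $now + 60));   // bool(false): other action
var_dump(verify_action_token($server_secret, $token, 8, 'update-post-42', $now + 60));   // bool(false): other user
var_dump(verify_action_token($server_secret, $token, 7, 'update-post-42', $now + 7200)); // bool(false): expired
```

The point of the contrast is where the trust lives: referer_check trusts a field the requesting party fills in, whereas verify_action_token trusts only the server's own secret, so a page that directly UPDATEs posts can be gated on the token regardless of what any browser or extension puts in the Referer header.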
