[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Elliotte Harold elharo at metalab.unc.edu
Fri Mar 2 21:15:40 GMT 2007


Robert Deaton wrote:

> For GET vs. POST and safe following of links, nowhere is it stated
> that GETs in links are intended to not have side effects. 

Have you really not seen any of the numerous places where this has been 
stated? See for example, section 9.1 of the HTTP 1.1 specification:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1

Also see section 3.4 of Architecture of the World Wide Web, Volume One:

http://www.w3.org/TR/webarch/#safe-interaction

and

URIs, Addressability, and the use of HTTP GET and POST
http://www.w3.org/2001/tag/doc/whenToUseGet.html

> There is a
> recommendation that they do not, but it is not a requirement, nor
> would it be enforceable if it was. There is no reason that a link that
> is clearly labeled in the administration panel to point to an action
> that is intended to delete something should not be allowed. 

Please review the above references which explain in detail why "a link 
that is clearly labeled in the administration panel to point to an 
action that is intended to delete something should not be allowed."


> If we're
> not sending the right caching headers to comply with the
> recommendations of the HTTP specification, then I suggest we change
> that. Otherwise, I see absolutely no problem with using links to
> perform operations.
> 

You mean like the security holes that are being exposed every week or 
two? Sooner or later, you have to realize that they're not isolated 
incidents. There's an architectural problem here.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
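As an added example (not code from this thread or from WordPress), the following Python sketch shows the two rules the reply above argues for: a state-changing admin action refuses GET outright, so that a plain link, a browser prefetch or a crawler cannot delete anything, and the POST that is allowed to delete must carry a nonce bound to the logged-in user, the specific action and a time window. The secret key, the nonce lifetime, the request dictionary shape and the `PostStore` class are all assumptions made for this example.

```python
"""Safe-method and nonce enforcement for a state-changing admin action.

Added example, not part of the original mailing-list post: a GET never has
side effects (HTTP 1.1 section 9.1, "safe" methods), and the POST that does
carries a nonce tied to user, action and time bucket, so a link or form
planted elsewhere cannot trigger the action.
"""
import hashlib
import hmac
import time

# Constructed server-side secret; a real deployment reads this from config.
SERVER_SECRET = b"example-secret-not-for-production"
NONCE_LIFETIME = 12 * 60 * 60  # seconds a nonce stays valid (assumed value)


def _tick(now, lifetime=NONCE_LIFETIME):
    """Coarse time bucket, so nonces expire without server-side storage."""
    return int(now // lifetime)


def make_nonce(user_id, action, now=None):
    """Derive a nonce from (time bucket, user, action) with an HMAC.

    Binding to the user means one user's nonce is useless for another;
    binding to the action means a nonce for 'delete-post-7' cannot be
    replayed against 'delete-post-8'.
    """
    now = time.time() if now is None else now
    msg = f"{_tick(now)}|{user_id}|{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, user_id, action, now=None):
    """Accept a nonce minted in the current or the previous time bucket."""
    if not isinstance(nonce, str):
        return False
    now = time.time() if now is None else now
    for bucket_time in (now, now - NONCE_LIFETIME):
        expected = make_nonce(user_id, action, bucket_time)
        # Constant-time comparison; both sides encoded so odd input cannot
        # raise instead of simply failing.
        if hmac.compare_digest(expected.encode(), nonce.encode()):
            return True
    return False


class PostStore:
    """Stand-in for the database table the delete action modifies."""

    def __init__(self, posts):
        self.posts = dict(posts)


def handle_delete_post(request, store, now=None):
    """Dispatch for an admin 'delete post' request.

    request: {"method": str, "user_id": str | None, "params": dict}
    Returns (status_code, message).
    """
    if request["method"] != "POST":
        # A GET (link, prefetch, crawler) must have no side effects.
        return 405, "use POST"
    user = request.get("user_id")
    if user is None:
        return 401, "login required"
    params = request.get("params", {})
    post_id = params.get("post")
    action = f"delete-post-{post_id}"
    if not verify_nonce(params.get("_nonce"), user, action, now):
        # Missing, foreign, expired or wrong-action nonce: refuse.
        return 403, "bad or missing nonce"
    if post_id not in store.posts:
        return 404, "no such post"
    del store.posts[post_id]
    return 200, f"deleted {post_id}"
```

The nonce is derived rather than stored: the server only needs its secret and the clock to check it, and accepting the previous bucket as well as the current one keeps a form that was rendered just before a bucket boundary from failing. The method check comes first on purpose; even a valid nonce in a GET is rejected, because the point is that following a link must never change state.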

