[wp-hackers] Nonce happy?

Mon Aug 12 17:47:54 UTC 2013

On Aug 12, 2013, at 11:01 AM, Thomas Belknap <dragonfly at dragonflyeye.net> wrote:

> Reading over a lot of documentation and example code concerning the
> addition of custom fields to the Write Post screen, almost every single one
> includes the requirement to include a nonce field with your data. An
> abundance of caution isn't necessarily a bad thing, but does this not
> strike anyone as a little too much caution?
Nah, it turns out that using a wpnonce to identify your fields is easier then the alternatives, so for me, it's less about caution and more about pragmatism.

> 
> In terms of what WordPress is using nonces for, the only goal is to make
> sure the data is coming from the correct origin: your website and your
> admin form. Once this task is out of the way, the rest of the POST data
> should be trusted. Yet the convention, at least in terms of example code,
> seems to be to include a nonce for every single custom field.
wpnonces are (supposed) to be tied to a unique action string-key. Every action deserves it's own wpnonce. 
If a user uses the bulk edit feature on the post list screen, then for each post edited, the wpnonce for bulkedit will pass, and yet your fields aren't present and your handle shouldn't run.
Further, there's no guarantee that 'save_posts' (which is where your action is hooked) was even triggered by an edit form submission (upgrades and unistalls update posts sometimes) and there's no guarantee that a related nonce check was performed at all (unless you do it yourself).

> 
> If WP is making it's own checks on the "Write Post" screen data, don't the
> additional nonces seem superfluous, or am I missing something?
This wpnonce is tied to an action that does not necessarily cover your fields' purpose.
Your nonce is supposed to indicate an action such as 'user_wants_to_update_my_metafields_for_book_cpts' (overlong because it's contrived).
It's a way of assuring you are only taking action when the user intends for that action to occur.

> 
> I perfectly understand their value in the context of a custom plugin
> configuration page. But when extending the Write Post screen to incorporate
> all the additional data a custom post type might require, this additional
> nonce data seems like a bit of a headache with very little value.
I find that using a unique nonce actually has quite a bit of utility, and it's only two lines of code: a line printing the nonce with your fields, and a line checking it's value.

The most evident utility is that if my unique nonce is valid, my fields should at least be present. User actions involving the posting form on the dashboard, the bulk edit form, pressthis, among others, won't contain my fields, since I add them via metabox calls typically. Checking the nonce saves me the hassle of detecting the screen type and inspecting the $_POST object and detecting my fields.

You should always use a unique string that describes the custom action you are handling, and specify a unique field name for the nonce (otherwise someone's _wpnonce is going to get trampled). 

I think of this system as effectively having multiple forms that are transmitted via the same html form. If I use my own unique nonces, I don't have to worry about what any other actions are doing. 

> 
> -- 
> Tom Belknap
> Owner/Editor, DragonFlyEye.Net
> Join me:
> 
>   - *Inbox:* http://dragonflyeye.net/subscribe
>   - *Web*: http://dragonflyeye.net/
>   - *Facebook*: https://www.facebook.com/DragonFlyEye.Net
>   - *Twitter*: https://twitter.com/dragonflyeye
>   - *Google*: https://plus.google.com/u/1/103251482414903117843/posts
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers