[wp-hackers] Rethinking check_admin_referer()
ringmaster at midnightcircus.com
Mon Apr 17 13:44:14 GMT 2006
Mark Jaquith wrote:
> Sorry for the double post, but please see this thread from last year
> that died on the vine:
> Several developers seemed to be in favor of the idea, including Matt and
> Owen, so with a couple of +1s to let me know that your opinion on the
> matter hasn't changed, and I'll proceed with the patch as soon as I have
I still think this is a good idea, but...
This is going to kill a lot of plugins; pretty much anything that uses
an options page. So what can be done to mitigate that?
My first thought is that the real problem around which all of this is
base is executing actions in the admin without performing a
confirmation. For example, you click on an unobtrusive link on a
foreign site that sends you back to your own site's admin to delete post
#327. If there is no confirmation for this action, then your site is
So the first thing we should be doing is confirming every action that
could be accessed externally. This is really freaking annoying, as I've
noticed with deleting moderated comments from email in 2.1, since I
didn't have to confirm those in < 2.1 and now I do.
Supposing we could add the action-based nonces to URLs as Mark
describes, we could avoid some of that pain.
Perhaps a generic check could be performed in admin.php that looks for
the nonce, and if not found, redirects to a generic confirmation page.
The confirmation page could build a $_POST/$_GET form (based on the
original request) that uses the originally submitted values. It would
simply ask, "Are you sure you want to do this?" And if the user clicks
"OK" then it submits the form on to the originally intended script with
an appropriate nonce.
That would mitigate some of the plugin breakage, since any plugin that
didn't build the nonce into its own requests would pass through this
confirmation. It also saves from having to immediately add the nonce
building code to every admin page. And if this check is centralized,
then the admin pages and plugins need only worry about appending it to
their form input, not necessarily checking for it themselves. (Although
exposing the function that does so would be useful for plugins with Ajax
requests that wouldn't pass through that verification code.)
I don't see a way that external sites can scrape the nonces from the
admin pages, since you would need to be logged in to do that. It would
be especially difficult if the nonces were encoded by user id, because
using someone else's "delete all posts" link would force a confirmation
on you. So even if someone else scraped their nonce from your site's
admin pages, their links would still require a confirmation from you,
since you're not using your own unique nonce.
More information about the wp-hackers