[wp-hackers] Rethinking check_admin_referer()

Owen Winkler ringmaster at midnightcircus.com
Mon Apr 17 16:04:05 GMT 2006


Brian Layman wrote:
> My first reply suggested building that into the user profile because:
> 1. I'm not sure that the nonce suggestion can be made completely foolproof.
> Just in this thread, a few objections were raised.  It doesn't look like it's
> been completely worked out yet.

It can be made completely foolproof; it's just inconvenient to plugins 
that use admin pages until they are modified to use the nonces.  I'm not 
sure what other objections you're talking about.

> 2. I thought Mark was suggesting using AYS prompts as the only security.  I
> see now that he was suggesting that only for plugins that haven't added the
> nonce.  That's a much better approach than putting AYSs everywhere by
> default.  It could probably be enhanced one step further. If the referrer
> check passes, why should the users deal with that extra prompt?  Again,
> another reason not to dismiss the referrer check entirely.

Realistically, AYS prompts *are* the only necessary security to prevent 
CSRF attacks, because the only time they work is when there is no 
confirmation on the action that is executed.

Assuming you don't want to confirm every action every time, you'll need 
another method to verify that you're coming from somewhere where it's 
permitted to initiate that action.  This can be done with the nonces, as 
described.

Why not include both methods?  Because the referer check doesn't work in 
all clients, and the nonce does.  The nonce is also more flexible, since 
it produces a confirmation message when the nonce is required but not 
present, which you can't do with just the referer check.  You can also 
include valid nonces in URLs in email, which you can't do with a referer 
check.  Including both methods would require them both to be present in 
the code, which requires more testing and support.

Owen
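Owen's distinction between a referer check and an action-bound nonce, worked through as an added example (this is not code from the thread or from WordPress itself, whose implementation is PHP): a Python model of a keyed nonce bound to the user, the action and a time window; a link that carries its own nonce, which is the e-mail case he mentions; and the three-way decision a handler can make: allow on a valid nonce, show the are-you-sure prompt when no nonce is present at all, deny when a nonce is present but wrong or stale. The secret key, the 12-hour tick, the `_wpnonce` parameter name and the `check_admin_request` helper are assumptions chosen for illustration.

```python
"""Action- and user-bound, time-limited CSRF nonces with an
are-you-sure (AYS) fallback when the nonce is missing.

Added example modelled on the scheme discussed in the thread; it is not
WordPress's own code. The key, tick length and parameter name are
assumptions.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a per-site secret that never leaves the server. A real
# deployment loads it from configuration; this literal is for the demo.
SECRET_KEY = b"constructed-example-key-do-not-reuse"

# Assumption: 12-hour ticks. A nonce is accepted during the tick it was
# issued in and the following one, so it lives between 12 and 24 hours.
TICK_SECONDS = 12 * 3600

NONCE_PARAM = "_wpnonce"  # parameter name chosen for illustration


def _tick(now: int) -> int:
    return now // TICK_SECONDS


def _digest(tick: int, action: str, user_id: int) -> str:
    # The user id comes from the authenticated session, so a cross-site
    # form that rides on the victim's cookies is evaluated against the
    # victim's id, and the attacker cannot compute the HMAC without the
    # server key. Binding the action as well stops a nonce taken from one
    # form being replayed against a different action.
    msg = f"{tick}|{user_id}|{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_nonce(user_id: int, action: str, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    return _digest(_tick(now), action, user_id)


def verify_nonce(nonce: str, user_id: int, action: str,
                 now: Optional[int] = None) -> bool:
    now = int(time.time()) if now is None else now
    tick = _tick(now)
    # Accept the current and the previous tick; compare in constant time
    # so the check does not reveal how many leading characters matched.
    return any(
        hmac.compare_digest(_digest(t, action, user_id).encode(), nonce.encode())
        for t in (tick, tick - 1)
    )


def nonce_url(base_url: str, user_id: int, action: str,
              params: Dict[str, str], now: Optional[int] = None) -> str:
    """Build a link that carries its own nonce, e.g. for an e-mail.

    A referer check cannot admit such a link, since a mail client sends
    no usable Referer; the nonce travels with the URL instead."""
    query = dict(params)
    query[NONCE_PARAM] = make_nonce(user_id, action, now)
    return f"{base_url}?{urlencode(query)}"


def params_from_url(url: str) -> Dict[str, str]:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def check_admin_request(params: Dict[str, str], user_id: int, action: str,
                        now: Optional[int] = None) -> str:
    """Decide how an admin action request is treated.

    'allow'   - a valid nonce for this user and action was supplied
    'confirm' - no nonce at all: show the AYS prompt rather than silently
                acting or refusing (the fallback the thread proposes for
                pages not yet converted to nonces)
    'deny'    - a nonce was supplied but is wrong or expired
    """
    nonce = params.get(NONCE_PARAM)
    if nonce is None:
        return "confirm"
    if verify_nonce(nonce, user_id, action, now):
        return "allow"
    return "deny"


if __name__ == "__main__":
    T = 1_145_289_845  # fixed timestamp so the demo is reproducible
    link = nonce_url("https://example.com/wp-admin/post.php", 1,
                     "delete-post_42", {"action": "delete", "post": "42"}, now=T)
    print(link)
    own = params_from_url(link)
    print("own link       :", check_admin_request(own, 1, "delete-post_42", now=T))
    print("cross-site form:", check_admin_request({"action": "delete", "post": "42"}, 1, "delete-post_42", now=T))
    print("other action   :", check_admin_request(own, 1, "delete-post_43", now=T))
    print("two ticks later:", check_admin_request(own, 1, "delete-post_42", now=T + 2 * TICK_SECONDS))
```

The split between 'confirm' and 'deny' is a design choice of this example: a request with no nonce is most likely a not-yet-converted plugin page or a bookmarked link, so the user gets a prompt, while a nonce that is present but does not verify is treated as tampered or stale. Nothing here consults the Referer header; the keyed hash already ties the request to the session and the specific action, which is the point Owen makes about not needing both mechanisms.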
