[wp-hackers] Rethinking check_admin_referer()

Owen Winkler ringmaster at midnightcircus.com
Tue Apr 18 13:06:12 GMT 2006


Mark Jaquith wrote:
> It could even be more 
> permissive for certain screens than others (pass another variable to the 
> function that checks).  

Eh.  I'm still not crazy about the idea of having the individual admin 
pages validate themselves by calling this checking function.  For one, 
it implies that there is someplace in the admin that people should be 
able to go without a key, and I can't think of anyplace like that.  For 
another, any place accidentally missing the check becomes an instant 
vulnerability.

And finally, by adding it to a generic "in the admin" script, it allows 
the keys to be used when accessing plugin option pages without 
necessarily modifying any existing plugins.  (In the case of 
options.php?page=X, by doing the verification in the options.php page, 
which indirectly handles the inclusion of the plugin.)  It will simply 
require plugin authors who want their option pages to circumvent the 
"Are you sure?" messages to add the nonce generator as part of their 
form submission.  Without the key, an "Are you sure?" form should appear 
that when submitted forwards the request on in the same manner as the 
original form, but with the appropriate key.

That's just an idea.  I'm thinking of all of the plugins that people 
have written with options pages that will have to be modified to support 
this, and am trying to devise a way to ease the pain AND get more 
security everywhere.

Owen
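An added example, not code from this post or from WordPress, sketching the scheme Owen describes: a single gate run for every admin request (so nothing is left unchecked by an individual page), a keyed nonce bound to the user, the action and a time window, and an "Are you sure?" form that replays the original fields with a fresh key. The secret, the 12-hour window, the field name _wpnonce and the demo request are assumptions made for illustration; it needs PHP 7.1 or later and nothing else.

```php
<?php
// Added example (not WordPress code): a minimal model of the design above.
// Assumptions, not taken from the post: a per-site secret, a 12-hour tick,
// nonces bound to user id + action, and a confirmation page that replays all
// submitted fields plus a fresh nonce.

const SECRET = 'replace-with-per-site-secret'; // placeholder secret
const TICK_SECONDS = 43200;                     // assumed 12-hour window

function nonce_tick(?int $now = null): int {
    return intdiv($now ?? time(), TICK_SECONDS);
}

// A nonce is an HMAC over (tick, action, user); it cannot be forged without the
// site secret and is useless for another user, another action, or a later day.
function create_nonce(int $user_id, string $action, ?int $now = null): string {
    return substr(hash_hmac('sha256', nonce_tick($now) . "|$action|$user_id", SECRET), 0, 16);
}

function verify_nonce(string $nonce, int $user_id, string $action, ?int $now = null): bool {
    $tick = nonce_tick($now);
    // Accept the current and previous tick so a form filled in just before the
    // rollover still submits; hash_equals avoids a timing side channel.
    foreach ([$tick, $tick - 1] as $t) {
        $expected = substr(hash_hmac('sha256', "$t|$action|$user_id", SECRET), 0, 16);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// Flatten nested request fields into name[key] pairs so they can be replayed.
function flatten_fields(array $data, string $prefix = ''): array {
    $out = [];
    foreach ($data as $key => $value) {
        $name = $prefix === '' ? (string)$key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $out += flatten_fields($value, $name);
        } else {
            $out[$name] = (string)$value;
        }
    }
    return $out;
}

// The "Are you sure?" page: every original field is carried over as a hidden
// input and a fresh nonce is added, so the confirmed request passes the gate.
// The user's explicit click is what makes replaying an unkeyed request safe.
function are_you_sure_form(array $request, int $user_id, string $action): string {
    $fields = '';
    foreach (flatten_fields($request) as $name => $value) {
        if ($name === '_wpnonce') {
            continue; // drop any stale or forged key
        }
        $fields .= sprintf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars($name, ENT_QUOTES), htmlspecialchars($value, ENT_QUOTES));
    }
    $fields .= sprintf("<input type=\"hidden\" name=\"_wpnonce\" value=\"%s\">\n",
        create_nonce($user_id, $action));
    return "<form method=\"post\">\n<p>Are you sure you want to do this?</p>\n"
        . $fields . "<input type=\"submit\" value=\"Yes\">\n</form>\n";
}

// The generic gate: run once for every admin request. Returns null when the
// request carries a valid key and may proceed, otherwise the confirmation HTML.
function admin_gate(array $request, int $user_id, string $action): ?string {
    if (isset($request['_wpnonce'])
        && is_string($request['_wpnonce'])
        && verify_nonce($request['_wpnonce'], $user_id, $action)) {
        return null;
    }
    return are_you_sure_form($request, $user_id, $action);
}

// Demo with a constructed request: a plugin options page (options.php?page=X)
// submitted by an unmodified plugin, i.e. without any key.
$request = ['page' => 'my-plugin', 'color' => 'blue', 'flags' => ['a' => '1']];
$user_id = 1;
$action  = 'update-options_my-plugin'; // assumed per-page action name
if (($html = admin_gate($request, $user_id, $action)) !== null) {
    echo $html; // confirmation form replaying page, color, flags[a] plus a nonce
}
// Once the user confirms, the replayed request carries _wpnonce and the gate
// returns null, so options.php can include the plugin page as before.
```

Because the key is checked before options.php includes the plugin, an existing plugin keeps working unchanged (its users just see the confirmation step), and a plugin that wants to skip that step only has to emit create_nonce() as a hidden field in its own form.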
