[wp-hackers] Rethinking check_admin_referer()
Owen Winkler
ringmaster at midnightcircus.com
Tue Apr 18 13:06:12 GMT 2006
Mark Jaquith wrote:
> It could even be more
> permissive for certain screens than others (pass another variable to the
> function that checks).
Eh. I'm still not crazy about the idea of having the individual admin
pages validate themselves by calling this checking function. For one,
it implies that there is someplace in the admin that people should be
able to go without a key, and I can't think of anyplace like that. For
another, any place accidentally missing the check becomes an instant
vulnerability.
And finally, by adding it to a generic "in the admin" script, it allows
the keys to be used when accessing plugin option pages without
necessarily modifying any existing plugins. (In the case of
options.php?page=X, by doing the verification in the options.php page,
which indirectly handles the inclusion of the plugin.) It will simply
require plugin authors who want their option pages to circumvent the
"Are you sure?" messages to add the nonce generator as part of their
form submission. Without the key, an "Are you sure?" form should appear
that when submitted forwards the request on in the same manner as the
original form, but with the appropriate key.
That's just an idea. I'm thinking of all of the plugins that people
have written with options pages that will have to be modified to support
this, and am trying to devise a way to ease the pain AND get more
security everywhere.
Owen
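To make the proposal above concrete, here is an added example (not code from this thread and not WordPress's own implementation) of a single generic gate of the kind Owen describes: options.php checks for a key once, before including the plugin page; a request without a valid key gets an "Are you sure?" form that replays the original fields, with the same method, plus a freshly minted key; plugin authors who want to skip the interstitial drop one hidden field into their form. The function names (admin_gate, make_nonce, verify_nonce, are_you_sure_form, nonce_field), the `_nonce` field name and the SECRET constant are assumptions for illustration; the key is an HMAC bound to the acting user, the target page and a time window, so a key copied from one plugin's page cannot be replayed against another.

```php
<?php
// Added illustration (not WordPress code): a generic admin gate that every
// options.php request must pass. Names are hypothetical; SECRET is a
// placeholder for a per-site secret loaded from configuration.

const SECRET = 'replace-with-a-per-site-secret';   // placeholder value
const NONCE_LIFETIME = 12 * 3600;                  // seconds; key rotates twice a day

// Time "tick": a key stays valid across the current and the previous window.
function nonce_tick(): int {
    return (int) ceil(time() / (NONCE_LIFETIME / 2));
}

// The key is bound to the user and the action (here: which options page),
// so it cannot be reused for a different page or a different user.
function make_nonce(int $user_id, string $action): string {
    return substr(hash_hmac('sha256', nonce_tick() . '|' . $action . '|' . $user_id, SECRET), -12);
}

function verify_nonce(string $nonce, int $user_id, string $action): bool {
    $tick = nonce_tick();
    foreach ([$tick, $tick - 1] as $t) {   // accept current and previous window
        $expected = substr(hash_hmac('sha256', $t . '|' . $action . '|' . $user_id, SECRET), -12);
        if (hash_equals($expected, $nonce)) {   // constant-time comparison
            return true;
        }
    }
    return false;
}

// The "Are you sure?" interstitial: same fields, same method, plus the key.
function are_you_sure_form(array $fields, string $method, int $user_id, string $action): string {
    $html = '<form method="' . htmlspecialchars($method, ENT_QUOTES) . '">';
    $html .= '<p>Are you sure you want to do this?</p>';
    foreach ($fields as $name => $value) {
        if ($name === '_nonce') {
            continue;   // never replay a stale or forged key
        }
        $html .= sprintf('<input type="hidden" name="%s" value="%s">',
            htmlspecialchars((string) $name, ENT_QUOTES),
            htmlspecialchars((string) $value, ENT_QUOTES));
    }
    $html .= sprintf('<input type="hidden" name="_nonce" value="%s">', make_nonce($user_id, $action));
    $html .= '<input type="submit" value="Yes"></form>';
    return $html;
}

// The single gate options.php would call before including any plugin page.
// Returns true when the request may proceed; otherwise it emits the
// interstitial and returns false so the caller stops.
function admin_gate(array $request, string $method, int $user_id): bool {
    $action = 'options-' . ($request['page'] ?? 'general');   // one key per options page
    if (isset($request['_nonce']) && verify_nonce((string) $request['_nonce'], $user_id, $action)) {
        return true;
    }
    echo are_you_sure_form($request, $method, $user_id, $action);
    return false;
}

// What a plugin author adds to their own form to bypass the interstitial.
function nonce_field(int $user_id, string $page): string {
    return sprintf('<input type="hidden" name="_nonce" value="%s">', make_nonce($user_id, 'options-' . $page));
}

// Constructed demonstration (in a real site $request is $_POST or $_GET and
// $user is the logged-in user's id).
$user = 1;
$without = ['page' => 'my-plugin', 'color' => 'blue'];
admin_gate($without, 'post', $user);                 // no key: interstitial is rendered, caller stops

$with = $without + ['_nonce' => make_nonce($user, 'options-my-plugin')];
admin_gate($with, 'post', $user);                    // valid key for this page: request proceeds

$other = ['page' => 'other-plugin', '_nonce' => $with['_nonce']];
admin_gate($other, 'post', $user);                   // key minted for another page: interstitial again
```

The interstitial only ever re-submits fields the user has already seen, and it mints a fresh key rather than copying whatever `_nonce` arrived, so an attacker who can get a user to load a crafted options URL gains nothing more than showing them the confirmation page. Because the check lives in the one place that includes plugin pages, a plugin that forgets to add the hidden field degrades to a confirmation prompt rather than to an unprotected action.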