[wp-hackers] Rethinking check_admin_referer()

Sam Angove sam at rephrase.net
Tue Apr 18 13:57:32 GMT 2006


On 4/18/06, Owen Winkler <ringmaster at midnightcircus.com> wrote:
>
> And finally, by adding it to a generic "in the admin" script, it allows
> the keys to be used when accessing plugin option pages without
> necessarily modifying any existing plugins.  (In the case of
> options.php?page=X, by doing the verification in the options.php page,
> which indirectly handles the inclusion of the plugin.)  It will simply
> require plugin authors who want their option pages to circumvent the
> "Are you sure?" messages to add the nonce generator as part of their
> form submission.  Without the key, an "Are you sure?" form should appear
> that when submitted forwards the request on in the same manner as the
> original form, but with the appropriate key.

IAWTP, but if a "good" key is something like `hash(action . item id .
time . user secret . server secret)`, how is it possible to guess what
a plugin might require as `action` or `item id`? The generic "Are you
sure?" form would need some mechanism for finding out the appropriate
key, too.

Standardize on $_REQUEST['action'], maybe, with a generic action-less
(but still user-specific) key if it's missing?
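The key scheme sketched above (a hash over action, item id, a time tick, and user- and server-side secrets), together with the fall-back to a user-specific but action-less key when `$_REQUEST['action']` is absent, can be made concrete. The following is an added illustration written for this thread, not WordPress's or any plugin's code, and it uses Python rather than PHP. The secret values, the 12-hour tick, the `check_request` helper and the `_wpnonce`/`id` request field names are all assumptions made for the example; a keyed HMAC stands in for the bare `hash()` in the sketch so the server secret is used as a key rather than concatenated input.

```python
import hashlib
import hmac
import time

# Constructed secrets for the example only; a real deployment would load these
# from configuration and per-user storage.
SERVER_SECRET = b"constructed-server-secret"
USER_SECRETS = {42: b"constructed-user-secret-for-user-42"}

# Nonce lifetime window ("time" in the sketch): a 12-hour tick, assumed here.
TICK_SECONDS = 12 * 3600


def _tick(now):
    """Coarse time bucket so a nonce stays valid for a bounded window."""
    return int(now // TICK_SECONDS)


def make_nonce(user_id, action=None, item_id=None, now=None):
    """Build hash(action . item id . time . user secret . server secret).

    When no action is supplied the nonce is "action-less" but still bound
    to the user and the time tick, as proposed in the message above.
    """
    if now is None:
        now = time.time()
    fields = [
        action or "",
        "" if item_id is None else str(item_id),
        str(_tick(now)),
        str(user_id),
    ]
    message = "|".join(fields).encode()
    # Keyed with both secrets so neither alone lets anyone mint a nonce.
    key = SERVER_SECRET + USER_SECRETS[user_id]
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce, user_id, action=None, item_id=None, now=None):
    """Accept a nonce from the current tick or the one just before it,
    so a form opened shortly before a tick boundary still submits."""
    if now is None:
        now = time.time()
    for candidate_time in (now, now - TICK_SECONDS):
        expected = make_nonce(user_id, action, item_id, candidate_time)
        if hmac.compare_digest(nonce, expected):
            return True
    return False


def check_request(request, user_id, now=None):
    """Generic "in the admin" check, standardised on request['action'].

    Returns "ok" when a valid key is present, "confirm" when no key was
    sent (the caller would render an "Are you sure?" form that resubmits
    the same request with a key), and "reject" when a key is present but
    does not verify.
    """
    action = request.get("action")
    item_id = request.get("id")
    nonce = request.get("_wpnonce")
    if nonce is None:
        return "confirm"
    if verify_nonce(nonce, user_id, action, item_id, now):
        return "ok"
    return "reject"


if __name__ == "__main__":
    # Constructed admin request: a plugin page deleting item 7.
    t = 1_000_000.0
    req = {"action": "delete-post", "id": 7}
    req["_wpnonce"] = make_nonce(42, req["action"], req["id"], now=t)
    print(check_request(req, 42, now=t))  # ok
    print(check_request({"action": "delete-post", "id": 7}, 42, now=t))  # confirm
```

Because the action is folded into the key, a plugin page that names its action in the request can be covered by the generic check without being modified; a page that sends no action gets the action-less key, which is still tied to the user and the time tick. The two-tick acceptance window is the caveat to keep in mind: it bounds how long a leaked key remains usable, and shortening `TICK_SECONDS` trades convenience for a smaller window.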
