[wp-hackers] Rethinking check_admin_referer()
ryan at boren.nu
Wed Apr 19 03:32:17 GMT 2006
Mark Jaquith wrote:
> And there are places that people should be able to go without a key...
> idempotent requests shouldn't require a key... as "tricking" someone
> into going there shouldn't **do** anything but show them that screen.
> If it **does** do something, you're talking about <script> injection,
> which is a separate issue.
Maybe whitelist the idempotent actions and check referer for everything
else. Code like this perhaps:
$idempotent_actions = array('confirmdeletecomment',
if ( ! in_array($action, $idempotent_actions) )
Using comment.php as an example, we'd do that check at the top of
comment.php instead of having to remember to do the referer check for
every non-idempotent action.
More information about the wp-hackers