[wp-hackers] Rethinking check_admin_referer()

Ryan Boren ryan at boren.nu
Wed Apr 19 03:32:17 GMT 2006


Mark Jaquith wrote:
> And there are places that people should be able to go without a key... 
> idempotent requests shouldn't require a key... as "tricking" someone 
> into going there shouldn't **do** anything but show them that screen. 
> If it **does** do something, you're talking about <script> injection, 
> which is a separate issue.

Maybe whitelist the idempotent actions and check referer for everything 
else.  Code like this perhaps:

// Read-only actions that need no key.
$idempotent_actions = array('confirmdeletecomment', 
'mailapprovecomment', 'editcomment');
// Every other action must pass the referer check.
if ( ! in_array($action, $idempotent_actions) )
	check_admin_referer();

Using comment.php as an example, we'd do that check at the top of 
comment.php instead of having to remember to do the referer check for 
every non-idempotent action.

Ryan
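A fuller sketch of the allow-list pattern, added here as an example and not code from the original post or from WordPress core. The nonce scheme (an HMAC over action and user id, with a placeholder secret) stands in for WordPress's own wp_create_nonce()/check_admin_referer() and, unlike the real one, is not time-windowed.

```php
<?php
// Added example: a per-file allow-list of idempotent actions that skip the
// nonce check; every other action must carry a valid nonce or is refused.

const SECRET_KEY = 'replace-with-a-long-random-secret'; // placeholder value

// Stand-in for wp_create_nonce(): bind the token to the action and the user.
function create_nonce(string $action, int $user_id): string {
    return substr(hash_hmac('sha256', $action . '|' . $user_id, SECRET_KEY), 0, 16);
}

// Stand-in for check_admin_referer(): constant-time comparison against the
// expected token so a wrong guess leaks nothing about the right one.
function verify_nonce(?string $nonce, string $action, int $user_id): bool {
    if ($nonce === null) {
        return false;
    }
    return hash_equals(create_nonce($action, $user_id), $nonce);
}

function dispatch(array $request, int $user_id): string {
    $action = $request['action'] ?? '';
    // Read-only screens: following a forged link here only renders a page,
    // so no key is required. Anything not on this list changes state.
    $idempotent_actions = array('confirmdeletecomment', 'mailapprovecomment', 'editcomment');
    if (!in_array($action, $idempotent_actions, true)) {
        if (!verify_nonce($request['_wpnonce'] ?? null, $action, $user_id)) {
            return 'rejected: missing or invalid nonce for ' . $action;
        }
    }
    switch ($action) {
        case 'editcomment':
            return 'showing edit form';   // state unchanged
        case 'deletecomment':
            return 'comment deleted';     // reached only with a valid nonce
        default:
            return 'unknown action';
    }
}

// Constructed requests for a hypothetical user id 7.
$user = 7;
echo dispatch(['action' => 'editcomment'], $user), "\n";
echo dispatch(['action' => 'deletecomment'], $user), "\n";
echo dispatch(['action' => 'deletecomment',
               '_wpnonce' => create_nonce('deletecomment', $user)], $user), "\n";
```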

