[wp-hackers] Rethinking check_admin_referer()
Owen Winkler
ringmaster at midnightcircus.com
Wed Apr 19 13:33:17 GMT 2006
Mark Jaquith wrote:
> And there are places that people should be able to go without a key...
> idempotent requests shouldn't require a key... as "tricking" someone
> into going there shouldn't **do** anything but show them that screen.
> If it **does** do something, you're talking about <script> injection,
> which is a separate issue.
I thought of that soon after I wrote the last message, but hadn't come
up with a good solution for it that still jived with the global checking
I was suggesting.
> I was thinking that it could fall back on the referer check for plugins
> that haven't been updated, but your idea sounds good too. Maybe they
> could be combined:
>
> 1) check key/nonce
> 2) if not provided, check HTTP referer
> 3) if HTTP referer isn't from the admin, present "are you sure" dialog
Yeah, this sounds good. ;)
Owen
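The three-step scheme Mark sketches (nonce first, Referer as a fallback for un-updated plugins, and an "are you sure" dialog when neither holds) is easy to get subtly wrong, so here is a small working model of it. This is an added example for this thread, not WordPress code and not anything either poster wrote: the secret, host name, admin path, nonce lifetime, the `nonce` parameter name and the request dictionaries are all constructed for illustration. It also models Mark's first point, that idempotent GET views need no key at all, and it treats a nonce that is present but wrong as a hard deny rather than falling through to the Referer check, which is my own choice rather than something the thread specifies.

```python
import hashlib
import hmac
import time
from urllib.parse import urlparse

# Constructed values for the example (hypothetical, not WordPress's own).
SECRET = b"example-site-secret-not-for-production"
ADMIN_HOST = "blog.example"
ADMIN_PATH_PREFIX = "/wp-admin/"
NONCE_LIFETIME = 12 * 3600  # seconds per window; current and previous window are accepted


def _tick(now, lifetime=NONCE_LIFETIME):
    # Coarse time bucket so a nonce stays valid for a bounded period.
    return int(now) // lifetime


def _mac(tick, user_id, action, secret):
    # Bind the nonce to the user and the specific action; truncate for URL friendliness.
    msg = f"{tick}|{user_id}|{action}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(user_id, action, now=None, secret=SECRET):
    now = time.time() if now is None else now
    return _mac(_tick(now), user_id, action, secret)


def verify_nonce(nonce, user_id, action, now=None, secret=SECRET):
    """True if the nonce was minted for this user/action in the current or previous window."""
    now = time.time() if now is None else now
    for age in (0, 1):
        expected = _mac(_tick(now) - age, user_id, action, secret)
        if hmac.compare_digest(expected, nonce):  # constant-time comparison
            return True
    return False


def referer_is_admin(referer):
    """Step 2: does the Referer point at our own admin area? (Weak: the header may be absent or stripped.)"""
    if not referer:
        return False
    parts = urlparse(referer)
    # .hostname ignores any user@ prefix, so "https://blog.example@evil.example/..." does not pass.
    return (parts.scheme in ("http", "https")
            and parts.hostname == ADMIN_HOST
            and parts.path.startswith(ADMIN_PATH_PREFIX))


def check_admin_request(request, user_id, action, now=None):
    """Return 'allow', 'deny' or 'confirm' for a request dict with method/params/headers keys.

    Order follows the thread: nonce first; if no nonce was sent, Referer; otherwise ask the user.
    """
    # Idempotent views carry no key: being lured there shows a screen and does nothing else.
    if request.get("method", "GET") == "GET" and not request.get("state_changing", False):
        return "allow"
    nonce = request.get("params", {}).get("nonce")
    if nonce is not None:
        # Step 1. A present-but-invalid nonce is treated as a forgery attempt, not as "not provided".
        return "allow" if verify_nonce(nonce, user_id, action, now) else "deny"
    # Step 2. Legacy plugin that sends no nonce: fall back to the Referer check.
    if referer_is_admin(request.get("headers", {}).get("Referer")):
        return "allow"
    # Step 3. Neither proof is present: present the "are you sure" dialog instead of acting.
    return "confirm"


if __name__ == "__main__":
    t = 1_000_000  # fixed clock so the demonstration is reproducible
    n = create_nonce(7, "delete-post_42", now=t)
    print("fresh nonce   ->", check_admin_request({"method": "POST", "params": {"nonce": n}, "headers": {}}, 7, "delete-post_42", now=t))
    print("forged nonce  ->", check_admin_request({"method": "POST", "params": {"nonce": "0" * 16}, "headers": {}}, 7, "delete-post_42", now=t))
    print("legacy+referer->", check_admin_request({"method": "POST", "params": {}, "headers": {"Referer": "https://blog.example/wp-admin/edit.php"}}, 7, "delete-post_42", now=t))
    print("no proof      ->", check_admin_request({"method": "POST", "params": {}, "headers": {}}, 7, "delete-post_42", now=t))
```

The nonce is tied to the user and the action, so a key captured from one form cannot be replayed against another, and the two-window acceptance mirrors the usual trade-off between a stale form still submitting and a leaked key living forever. The Referer branch is deliberately the weakest path: browsers and proxies can drop the header, and it only buys time until plugins are updated to send a key.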