[wp-hackers] Rethinking check_admin_referer()

Owen Winkler ringmaster at midnightcircus.com
Wed Apr 19 13:33:17 GMT 2006

Mark Jaquith wrote:
> And there are places that people should be able to go without a key... 
> idempotent requests shouldn't require a key... as "tricking" someone 
> into going there shouldn't **do** anything but show them that screen.  
> If it **does** do something, you're talking about <script> injection, 
> which is a separate issue.

I thought of that soon after I wrote the last message, but hadn't come 
up with a good solution for it that still jived with the global checking 
I was suggesting.

> I was thinking that it could fall back on the referer check for plugins 
> that haven't been updated, but your idea sounds good too.  Maybe they 
> could be combined:
> 1) check key/nonce
> 2) if not provided, check HTTP referer
> 3) if HTTP referer isn't from the admin, present "are you sure" dialog

Yeah, this sounds good.  ;)


More information about the wp-hackers mailing list