[wp-hackers] Rethinking check_admin_referer()
Geoff Johnson
thunderlove at gmail.com
Thu Apr 20 07:40:57 GMT 2006
On 4/19/06, Robert Deaton <false.hopes at gmail.com> wrote:
> > When a request is made of an admin, along with (instead of, before) the
> > refer check, simply compare the cookie to the key embedded in the link.
>
> I open a new tab, browse some other page in my admin which overwrites
> said cookie, come back and try to submit that form (maybe I want to
> double check something on one of the manage pages before making my
> choice). The cookie has been overwritten and now no longer matches,
> and your system has caused an inconvenience for no [good] reason.
And I mentioned that ;) Either you would need to hit refresh prior
to saving it (replace the 'enable referers' message with 'Go back and
hit refresh first'), or have an AYS. Preferably an AYS.
Perhaps we merely have a difference of opinion -- for me, the
occasional AYS is hardly a show-stopper!
>> The database strategy seems overkill to me....
> This is why we'd like computational hashes that automatically expire
> within a certain time period.
Yes, and? A random cookie is nothing but a computational hash that
expires with the next page view...
Of course, non-random hashes have their own problems (admittedly
minor, but so are the problems with a random key):
For starters, with a non-random hash, a constant string unique to each
site or element would be needed. This should probably be stored in
the db (a constant in wp-config would also be possible, but then there
would be the convincing/explaining to people that 'no, you should not
use your site's name...')
Another, there would need to be overlapping hashes. If a given key is
valid for a week, for example, there would need to be one for each day
(or whatever). Otherwise, if Sunday is the first day of the week, a
hash generated late Saturday evening would soon expire.
Not that these are big problems. But if the only objection to random
cookies is 'if I open a tab, I am inconvenienced by an AYS....'
[which, by the way, would only be necessary if you've disabled
referers...]
> > Another advantage of the random cookie idea: automation with curl et al,
> > would be easy.
>
> What?
Not sure if that is a 'what is curl?' or 'what automation?' cURL is
an HTTP library. Using it (or a similar library) as a
supplement/alternative to the XML-RPC API.