[wp-hackers] Security at Wordpress

Robert Deaton false.hopes at gmail.com
Sat Apr 22 14:42:20 GMT 2006

On 4/22/06, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> Robert Deaton wrote:
> There's a very good reason to make the DELETE action look different. It
> is not side-effect free, unlike a lot of the other actions. The user
> should see a visual distinction that clues them in that something is
> different about this action they're about to take. Having delete look
> different is a feature, not a bug.

The delete action does look different, in its text, that's how I
distinguish it, and that's how every other user distinguishes it.
Ruining a beautiful UI is a bug, not a feature. To a user, does a
submit form button alert you of something? To me, it makes me wonder
which form I'm submitting in the absence of any input fields. For my
grandma, which do you think will make her come ask me a question? Why
we're disregarding a paragraph of the HTTP standard, or why some of
these buttons look like form submits?

> > As far as I'm concerned, until there is a solution that makes sense
> > for this problem, I'm fine with abusing the HTTP standard.
> It sounds like you're happy living in a house that will fall down when
> someone leans on the wrong corner as long as you get to paint the
> molding in just the right shade of puce. Frankly I find that attitude
> incomprehensible, though lord knows I've seen enough of it over the last
> ten years, even before JavaScript and CSS were invented. Perhaps it's
> just how we're wired. Some people focus on the external appearance and
> some focus on the internal architecture, and neither will ever
> understand or comprehend the other.

I think you need to come down off the high and mighty horse here for a
second and look around you. I am not a UI artist, it's probably one of
the worst things I do, I write code. I find it hard to believe someone
finds an attitude of ignoring a little part of a standard
"incomprehensible," because if everyone lived by every little
standard, where would we be today? I'm happy living in a house that I
have personally helped code the refortifications for, knowing that the
house is not going to fall down just because we're making changes on a
GET request, when there is no other way to do it properly and maintain
our interface.

> The best you can hope for is a decoupling of the internal architecture
> from the external appearance so that one can be changed without
> affecting or limiting the other. To a large extent that's what CSS and
> XForms attempt to provide on the Web. Unfortunately we're not all the
> way there yet.

And like every standard we wish was adopted in its entirety for the
web, it's going to be another 3-6 years before everything is ready and

> For me at least, until we are, I'm much more concerned about getting the
> architecture right to provide the security, scalability, and robustness
> I want out of a web app. I can live with a site where the delete link
> looks a tad funky. I can't live with a site where any contributor or
> commenter can delete a post they don't like.

And with the code that Owen, mdawaffe, and I put together in the nice
nonces patch you see on trac, they won't be able to. Just because the
action is GET, doesn't mean it can't be secured, and this is part of
my reasoning for helping. You might be able to look with a god ugly
admin panel, but the hundreds of thousands of users who moved to WP
from some other blogging software would quickly move right back the
moment the admin interface looks like someone smeared forms all over
where they don't belong. Normally, I'd agree with you, I'm an
architecture designer, I hate UI, but this is common sense.

If you're concerned about the security, I suggest you have a take at
the nonces patch on trac (and the forthcoming patches to change a few
things around). If you're concerned about the scalability, we've
already thought about that, thus the idea of computational nonces.

--Robert Deaton
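
The idea of a computed nonce on a GET action link, sketched as an added example that is not part of the original message and is not the nonces patch on trac. The function names, the secret, the `_nonce` parameter and the 12-hour window are all assumptions made for illustration.

```php
<?php
// Added example: a stateless ("computational") nonce for a GET action link.
const NONCE_SECRET = 'constructed-demo-secret'; // assumption: per-site secret
const TICK_SECONDS = 43200;                     // assumption: 12-hour window

// The nonce is derived from who is acting, what they are doing, and the
// current time window. Nothing is stored, so there is no per-link state.
function make_nonce(int $userId, string $action, ?int $now = null): string
{
    $tick = intdiv($now ?? time(), TICK_SECONDS);
    $mac  = hash_hmac('sha256', "$tick|$userId|$action", NONCE_SECRET);
    return substr($mac, 0, 20);
}

// Accept the current window and the previous one, so a link does not
// expire the instant a window boundary passes.
function check_nonce(string $nonce, int $userId, string $action, ?int $now = null): bool
{
    $now = $now ?? time();
    foreach ([0, 1] as $age) {
        $expected = make_nonce($userId, $action, $now - $age * TICK_SECONDS);
        if (hash_equals($expected, $nonce)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

// Constructed scenario: user 7 renders a delete link for post 42.
$t0    = 1145716940; // fixed timestamp so runs are reproducible
$nonce = make_nonce(7, 'delete-post_42', $t0);
echo 'post.php?action=delete&post=42&_nonce=' . $nonce, "\n";

// Each case: [submitted nonce, session user, requested action, request time]
$cases = [
    'legitimate click a minute later'  => [$nonce, 7, 'delete-post_42', $t0 + 60],
    'click one window later'           => [$nonce, 7, 'delete-post_42', $t0 + TICK_SECONDS],
    'request with no nonce'            => ['',     7, 'delete-post_42', $t0 + 60],
    'nonce minted for another user'    => [make_nonce(9, 'delete-post_42', $t0), 7, 'delete-post_42', $t0 + 60],
    'nonce reused for a different post' => [$nonce, 7, 'delete-post_43', $t0 + 60],
    'click two windows later'          => [$nonce, 7, 'delete-post_42', $t0 + 2 * TICK_SECONDS],
];
foreach ($cases as $label => [$n, $uid, $action, $when]) {
    printf("%-34s %s\n", $label, check_nonce($n, $uid, $action, $when) ? 'accepted' : 'rejected');
}
```

Only the first two cases are accepted. The server recomputes the value on every request, which is why no nonce table is needed.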
