[wp-hackers] Security at Wordpress

Elliotte Harold elharo at metalab.unc.edu
Sat Apr 22 19:04:23 GMT 2006

Robert Deaton wrote:

> I think you need to come down off the high and mighty horse here for a
> second and look around you. I am not a UI artist, it's probably one of
> the worst things I do, I write code. I find it hard to believe someone
> finds an attitude of ignoring a little part of a standard
> "incomprehensible," because if everyone lived by every little
> standard, where would we be today? 

This is not a little part of the HTTP standard. It is a major part of
the foundation. Throwing away the side-effect free nature of GET is like
throwing away natural selection in biology. It's that critical.

> I'm happy living in a house that I
> have personally helped code the refortifications for, knowing that the
> house is not going to fall down just because we're making changes on a
> GET request, when there is no other way to do it properly and maintain
> our interface.

I am not at all convinced that the proposed fix will work. I think there 
are more problems waiting to be found, and you're going to find them 
sooner rather than later. Even if you get lucky and paper over the 
problems with band-aids as they arise, you'll eventually be left with a 
confusing mess of unmaintainable kludges that no one really understands. 
There's no other possible result when you deliberately work against the 
nature of your underlying protocol (HTTP).

> And with the code that Owen, mdawaffe, and I put together in the nice
> nonces patch you see on trac, they won't be able to. Just because the
> action is GET, doesn't mean it can't be secured, and this is part of
> my reasoning for helping. 

It's not simply a question of security. There are other bugs and 
problems waiting to bite. Caches, load balancers, web accelerators, and 
more all depend on the side-effect free nature of GET. Even if you get 
security right (and I'm not sure you have) there's a lot more to worry 

> You might be able to look with a god ugly
> admin panel, but the hundreds of thousands of users who moved to WP
> from some other blogging software would quickly move right back the
> moment the admin interface looks like someone smeared forms all over
> where they don't belong. Normally, I'd agree with you, I'm an
> architecture designer, I hate UI, but this is common sense.

It's a lot easier to repaint a house than to rebuild its framework. I'm 
not in the least bit convinced that a proper system that used POST for 
non-idempotent, side-effect-causing operations has to look bad. In fact,
I believe it can look perfectly fine. It might look different, but there
are many existence proofs that such sites are readable and usable. Web 
surfers are not in the least bit confused by the metaphor of pressing a 
button to take an action.

Oh, one more thing: there is one major development barreling down the 
road getting ready to smack WordPress's current architecture upside the 
head. Within a year, APP is going to be a sine qua non for blog 
publishing; and that's totally dependent on a proper implementation of 
GET, POST, PUT, and DELETE. The more right WordPress gets with HTTP now 
the easier it's going to be to support APP in the near future. Of course 
WordPress doesn't have to support APP. It doesn't even support Atom 1.0 
yet. But if that's the road it takes, users are going to jump ship no 
matter how pretty the UI looks. They won't even see the UI most of the 
time, because they'll be editing in a rich client application that 
requires APP on the server.

Elliotte Rusty Harold  elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
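
The distinction argued in this message, between securing a GET action with a nonce and keeping GET side-effect free for intermediaries, as an added example (not code from this post or from the WordPress nonces patch). The `App` class, the `/delete` route, the key and the `prefetch` stand-in for a link-following web accelerator are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"  # constructed value, not a real key

def nonce(user, action):
    """Per-user, per-action token of the kind used to block forged requests."""
    mac = hmac.new(SECRET, f"{user}|{action}".encode(), hashlib.sha256)
    return mac.hexdigest()[:10]

class App:
    """Toy blog admin. unsafe_get=True exposes nonce-protected GET delete links."""
    def __init__(self, unsafe_get):
        self.unsafe_get = unsafe_get
        self.posts = {1: "first", 2: "second", 3: "third"}

    def admin_page(self, user):
        rows = []
        for pid in self.posts:
            n = nonce(user, f"delete-{pid}")
            if self.unsafe_get:
                rows.append(f'<a href="/delete?id={pid}&nonce={n}">Delete</a>')
            else:
                rows.append(f'<form method="post" action="/delete">'
                            f'<input name="id" value="{pid}">'
                            f'<input name="nonce" value="{n}">'
                            f'<button>Delete</button></form>')
        return "\n".join(rows)

    def handle(self, method, path, params, user):
        if path != "/delete":
            return 404
        if method != "POST" and not self.unsafe_get:
            return 405  # state change refused on a safe method
        pid = int(params["id"])
        expected = nonce(user, f"delete-{pid}")
        if not hmac.compare_digest(params.get("nonce", ""), expected):
            return 403  # forged or missing nonce
        self.posts.pop(pid, None)
        return 200

def prefetch(app, user):
    """Stand-in for an accelerator that GETs every link on a page the user views."""
    html = app.admin_page(user)
    for href in re.findall(r'href="([^"]+)"', html):
        path, _, query = href.partition("?")
        params = dict(pair.split("=", 1) for pair in query.split("&"))
        app.handle("GET", path, params, user)
    return len(app.posts)  # posts that survived the prefetch pass
```

The nonce still rejects a forged request in both configurations; only the POST-only variant survives a client that follows links on the user's behalf, because the valid nonce travels inside the link itself.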
