[wp-hackers] Security at Wordpress

Robert Deaton false.hopes at gmail.com
Mon Apr 24 15:13:57 GMT 2006


On 4/24/06, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> Doug Stewart wrote:
> The core team seems to want to implement a complex nonce based solution.
> I suspect there's a simpler, more robust solution using POST instead of
> GET. Whether I write the code to implement that solution depends on a
> variety of factors. However when the core team has been quite clear that
> they do not intend to accept a POST solution no matter what, then
> patches are not an option. There's no point in wasting my time and
> theirs cluttering TRAC with patches they've already said they'll reject.
> If they change their minds, I'll submit what I write; but given the
> current situation, the question is not patch or don't patch. The
> question is fork or do nothing.

If there's a more robust solution, we're still waiting to hear it. All
we've heard is some pedantry about the HTTP standard. Matt has
dismissed the idea because, as he sees it (and I must agree), a
solution using POST still needs nonces, and has detrimental
side-effects (can't approve comments from e-mails et al). If you want
to gain approval, write a patch proving him wrong, and if it does what
you say it will, it will most likely be committed. However, if you sit
back while the rest of us patch up with nonces and wait, there will be
no point at all.

>
> --
> Elliotte Rusty Harold  elharo at metalab.unc.edu
> XML in a Nutshell 3rd Edition Just Published!
> http://www.cafeconleche.org/books/xian3/
> http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>


--
--Robert Deaton
http://somethingunpredictable.com
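The action-scoped, user-bound, time-limited nonce check that the reply says a POST-only design would still need, as an added example; it is not WordPress code and not from either poster, and the site secret, user id, lifetime, request array and action names are assumptions:

```php
<?php
// Added example (not WordPress's implementation): a nonce tied to the site
// secret, the logged-in user, the action and a coarse time bucket.
// Assumptions: $secret is a per-site secret, $userId is the logged-in user.

const NONCE_LIFETIME = 12 * 3600; // assumed validity window in seconds

function create_nonce(string $secret, int $userId, string $action, ?int $now = null): string {
    $now  = $now ?? time();
    $tick = intdiv($now, NONCE_LIFETIME);   // coarse time bucket
    $mac  = hash_hmac('sha256', "$tick|$userId|$action", $secret);
    return substr($mac, 0, 16);
}

function verify_nonce(string $secret, int $userId, string $action, string $nonce, ?int $now = null): bool {
    $now = $now ?? time();
    // Accept the current bucket and the previous one, so a form rendered just
    // before a boundary still validates; constant-time compare avoids leaking bytes.
    foreach ([0, NONCE_LIFETIME] as $back) {
        $expected = create_nonce($secret, $userId, $action, $now - $back);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// "Approve comment" handler. Requiring POST alone does not stop a cross-site
// auto-submitted form, so the nonce is checked regardless of the HTTP method.
function handle_approve(array $request, string $secret, int $userId): string {
    $commentId = (int)($request['comment_id'] ?? 0);
    $nonce     = (string)($request['_nonce'] ?? '');
    if (!verify_nonce($secret, $userId, "approve-comment-$commentId", $nonce)) {
        return "rejected: bad or missing nonce for comment $commentId";
    }
    return "approved comment $commentId";
}

// Demo with constructed values.
$secret = 'constructed-site-secret';
$good   = create_nonce($secret, 42, 'approve-comment-7');
echo handle_approve(['comment_id' => 7, '_nonce' => $good], $secret, 42), "\n"; // approved
echo handle_approve(['comment_id' => 7], $secret, 42), "\n";                    // rejected
// Because the nonce can travel in a GET query string, a logged-in moderator can
// still approve from an e-mailed link, the side-effect the reply says POST-only loses.
```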

