[wp-hackers] Security at Wordpress

[David Chait]

Brian Layman wrote:
|
| David Chait
| >Is it allowed to require a AYS (i.e. POST-ed form) to validate the
| >approval?
| You're mixing apples and oranges.   AYS does not mean "post" and posts
| doesn't fix everything.

Ummm... First, I was specifically asking whether an "AYS" POSTed form would 
be 'allowable', not confusing apples and oranges.  Second, I didn't ever say 
POST "fixed everything".  It doesn't.  But, it does a bunch of things 
'better' potentially.  Again, I'm not on one side or the other -- and in 
fact trying to clarify Owen's opinion, given he basically has said he's open 
to POST if it doesn't 'violate' a few things dear to him. ;)

| The discussion at this point is largely academic.

It is certainly not.  So far as I can tell the discussion is still ongoing, 
and still getting some 'important people' to weigh in, despite a few 
naysayers basically claiming the discussion is over.

|Switching over to posting would mean rewriting a lot more code and require 
a
|lot more testing and would delay any release.
|That's good enough reason not to do it right now, IMHO.

If someone else is willing to put forth code, and testers are willing to 
test, IMHO that's good enough reason to do it (AGAIN, if agreed it makes a 
difference!).  Whether 'right now' or not is a different question -- but I 
don't know a thing about release schedules, features being worked on, and 
whether this would in fact truly 'delay' things.

Further IMHO, if enough 'important people' chime in and agree, then delaying 
a release in order to further enhance security or otherwise improve the core 
would seem both fine and prudent. ;)

Whether or not POSTing is needed, whether or not Nonces and prompts have 
secured things 'good enough for now', I'll let 'important people' vote on --  
when it comes to security, I don't feel I have enough knowledge to vote. ;)

-d