[wp-hackers] Security at Wordpress
davebytes at comcast.net
Mon Apr 24 21:23:54 GMT 2006
Brian Layman wrote:
| David Chait
| >Is it allowed to require an AYS (i.e. POST-ed form) to validate the
| You're mixing apples and oranges. AYS does not mean "post" and posts
| don't fix everything.
Ummm... First, I was specifically asking whether an "AYS" POSTed form would
be 'allowable', not confusing apples and oranges. Second, I didn't ever say
POST "fixed everything". It doesn't. But, it does a bunch of things
'better' potentially. Again, I'm not on one side or the other -- and in
fact trying to clarify Owen's opinion, given he basically has said he's open
to POST if it doesn't 'violate' a few things dear to him. ;)
| The discussion at this point is largely academic.
It is certainly not. So far as I can tell the discussion is still ongoing,
and still getting some 'important people' to weigh in, despite a few
naysayers basically claiming the discussion is over.
| Switching over to posting would mean rewriting a lot more code and require
| a lot more testing and would delay any release.
| That's good enough reason not to do it right now, IMHO.
If someone else is willing to put forth code, and testers are willing to
test, IMHO that's good enough reason to do it (AGAIN, if agreed it makes a
difference!). Whether 'right now' or not is a different question -- but I
don't know a thing about release schedules, features being worked on, and
whether this would in fact truly 'delay' things.
Further IMHO, if enough 'important people' chime in and agree, then delaying
a release in order to further enhance security or otherwise improve the core
would seem both fine and prudent. ;)
Whether or not POSTing is needed, whether or not Nonces and prompts have
secured things 'good enough for now', I'll let 'important people' vote on --
when it comes to security, I don't feel I have enough knowledge to vote. ;)
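The three things the thread keeps separating (the AYS prompt, the POST method, and the nonce) are easiest to see side by side in code. The following is an added example, not code from this thread or from WordPress core: a GET-triggered delete handler, a POST handler that also checks a nonce, and the "are you sure" form that carries that nonce. The nonce here is a time-bucketed HMAC loosely modelled on the approach WordPress took; the secret key, the 12-hour bucket, the function names, the `delete-post_N` action label and the sample post/user ids are all assumptions for illustration (the `_wpnonce` field name mirrors the one WordPress uses).

```php
<?php
// Added example (not WordPress code): GET-triggered delete vs. POST + nonce.
// SECRET_KEY and NONCE_LIFE are assumed values; a real site keeps the key out
// of the code and picks its own lifetime.
const SECRET_KEY = 'assumed-site-secret-keep-this-in-config';
const NONCE_LIFE = 43200; // assumed 12-hour bucket

// Nonce = truncated HMAC over (time bucket, action, user). Only the server
// holds SECRET_KEY, so a third-party page cannot compute it.
function create_nonce(string $action, int $user_id, int $now): string {
    $tick = intdiv($now, NONCE_LIFE);
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", SECRET_KEY), 0, 10);
}

// Accept the current bucket and the previous one so a form filled in just
// before a boundary still validates. hash_equals avoids a timing side channel.
function verify_nonce(string $nonce, string $action, int $user_id, int $now): bool {
    foreach ([0, 1] as $back) {
        $expected = create_nonce($action, $user_id, $now - $back * NONCE_LIFE);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// Weak handler: any GET with the right query string deletes the post. An
// <img src="post.php?action=delete&post=7"> on a page the logged-in admin
// views is enough, because the browser attaches the session cookie itself.
function handle_delete_get(array $query): string {
    if (($query['action'] ?? '') === 'delete' && isset($query['post'])) {
        return "deleted post {$query['post']}";
    }
    return 'no-op';
}

// Hardened handler: POST only, and the nonce must verify for this user and
// this action. The method check alone is not the fix (a hostile page can
// auto-submit a POST form); the nonce is what the attacker cannot supply.
function handle_delete_post(string $method, array $post, int $user_id, int $now): string {
    if ($method !== 'POST') {
        return 'rejected: method';
    }
    $action = 'delete-post_' . ($post['post'] ?? '');
    if (!verify_nonce($post['_wpnonce'] ?? '', $action, $user_id, $now)) {
        return 'rejected: nonce';
    }
    return "deleted post {$post['post']}";
}

// The AYS page: a POST form carrying the nonce. The prompt is a usability
// safeguard against accidental clicks; the hidden nonce is the security control.
function render_ays_form(int $post_id, int $user_id, int $now): string {
    $nonce = htmlspecialchars(create_nonce("delete-post_$post_id", $user_id, $now), ENT_QUOTES);
    return "<form method=\"post\" action=\"post.php\">\n"
         . "  <p>Are you sure you want to delete post $post_id?</p>\n"
         . "  <input type=\"hidden\" name=\"post\" value=\"$post_id\">\n"
         . "  <input type=\"hidden\" name=\"_wpnonce\" value=\"$nonce\">\n"
         . "  <input type=\"submit\" value=\"Yes, delete it\">\n"
         . "</form>";
}

// Demonstration with constructed inputs (assumed user id 1, post id 7).
$user = 1;
$now  = time();
echo handle_delete_get(['action' => 'delete', 'post' => '7']), "\n";   // forged GET: deleted post 7
echo handle_delete_post('POST', ['post' => '7'], $user, $now), "\n";   // forged POST, no nonce: rejected: nonce
echo handle_delete_post('POST', ['post' => '7', '_wpnonce' => 'guess'], $user, $now), "\n"; // rejected: nonce
$good = create_nonce('delete-post_7', $user, $now);                    // only the server can mint this
echo handle_delete_post('POST', ['post' => '7', '_wpnonce' => $good], $user, $now), "\n";   // deleted post 7
echo render_ays_form(7, $user, $now), "\n";
```

Run with `php example.php`. The point the thread is circling is visible in the second and third lines of output: switching to POST without a nonce still lets a forged request through, while a nonce-checked handler rejects it whether the request arrives by GET or POST. Moving to POST still buys something on top of the nonce, since a plain link or image tag can no longer trigger the action and the nonce never ends up in referrer logs or browser history as part of a URL.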