[wp-hackers] Nonce confirmation: what am I missing ?
Ozh
ozh at planetozh.com
Wed Jul 4 12:13:01 GMT 2007
Hello there
I'm currently revisiting my most popular plugins to harden a few things
with nonces, and I'm stuck at how the "Are you sure" confirmation screen
is supposed to work.
I've set up a minimalistic plugin example as follows:
    // add the page
    add_action('admin_menu', 'noncex_add_page');
    function noncex_add_page() {
        add_options_page('Nonce Example', 'Nonce', 8, 'noncexample',
            'noncex_options_page');
    }

    // print form, check POST if applicable
    function noncex_options_page() {
        $value = '';
        if (!empty($_POST)) {
            // fails over to the "Are you sure" screen when the nonce is absent or invalid
            check_admin_referer('noncex-example');
            $value = isset($_POST['value']) ? stripslashes($_POST['value']) : '';
            echo '<p>You entered: ' . htmlspecialchars($value) . '</p>';
        }
        // note: no wp_nonce_field() here, deliberately (see below)
        echo "
        <form method='post' action=''>
        Enter value: <input type='text' name='value' value='" . htmlspecialchars($value, ENT_QUOTES) . "' />
        <input type='submit' value='Update »' />
        </form>";
    }
(actual functional source at http://planetozh.com/temp/nonce.phps)
I've *not included* the wp_nonce_field in the form on purpose, to simulate
someone posting from another page or domain, not from within the admin
area, in order to always trigger the "Are you sure" confirmation screen.
So, the plugin page and the "Are you sure" page are at
/wp-admin/options-general.php?page=noncexample
What I don't get is how the next step is supposed to work: while the "No"
link effectively points to the referring page, the "Yes" button belongs to
a <form> whose action is "options-general.php", not
"options-general.php?page=noncexample". How could it work, then? Posting
the value to options-general.php has, obviously, no effect.
The same thing happens with every plugin I've tried, for example with Akismet,
whose AYS form POSTs to plugins.php, hence not working.
In function wp_nonce_ays() (in functions.php, line 1287), the form action
for the "Yes" button is set to $pagenow: why is it not set to
$_SERVER['REQUEST_URI']?
Any enlightenment mucho appreciated.
Cheers
Ozh
--
http://planetozh.com/
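For comparison, here is the same options page with the nonce field the post deliberately leaves out, so that a legitimate submission passes check_admin_referer() and only a foreign POST lands on the "Are you sure" screen. This is an added example, not Ozh's code or WordPress core; it assumes a current WordPress install, and the slug 'noncexample' and action name 'noncex-example' are taken from the post.

```php
<?php
// Added example (not from the post above): a nonce-protected version of the
// 'noncexample' options page. Assumes a current WordPress install.

add_action('admin_menu', 'noncex_hardened_add_page');
function noncex_hardened_add_page() {
    // 'manage_options' replaces the legacy numeric user level 8
    add_options_page('Nonce Example', 'Nonce', 'manage_options',
        'noncexample', 'noncex_hardened_options_page');
}

function noncex_hardened_options_page() {
    $value = '';
    if (!empty($_POST)) {
        // Dies with wp_nonce_ays() when the nonce is missing, expired, or
        // was minted for another user or action; returns normally otherwise.
        check_admin_referer('noncex-example');
        $raw   = isset($_POST['value']) ? $_POST['value'] : '';
        $value = sanitize_text_field(wp_unslash($raw));
        echo '<p>You entered: ' . esc_html($value) . '</p>';
    }

    // Post back to this page's own URL rather than to a bare
    // options-general.php, so the handler above actually runs.
    $action = admin_url('options-general.php?page=noncexample');
    echo '<form method="post" action="' . esc_url($action) . '">';
    // Emits the _wpnonce and _wp_http_referer hidden fields that
    // check_admin_referer() looks for.
    wp_nonce_field('noncex-example');
    echo 'Enter value: <input type="text" name="value" value="'
        . esc_attr($value) . '" />';
    echo '<input type="submit" value="Update &raquo;" />';
    echo '</form>';
}
```

A request that omits or tampers with _wpnonce never reaches the echo of the submitted value; it stops in check_admin_referer().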