[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Robert Deaton false.hopes at gmail.com
Sat Mar 3 01:13:45 GMT 2007


On 3/2/07, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> Robert Deaton wrote:
>
> > For GET vs. POST and safe following of links, nowhere is it stated
> > that GETs in links are intended to not have side effects.
>
> Have you really not seen any of the numerous places where this has been
> stated? See for example, section 9.1 of the HTTP 1.1 specification:
>
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1


I think there is a clear difference between SHOULD NOT and MUST NOT.
You seem to imply that it must not be done. I said it isn't intended
that they are not to have side-effects, which is quite clear from the
fact that GET is a method used for form data submission; if there were
supposed to be no side-effects, it would never have been designed that
way. The idempotence bit is, to me, a clear admission that non-safe
interactions can and will happen.

>
> Also see section 3.4 of Architecture of the World Wide Web, Volume One:
>
> http://www.w3.org/TR/webarch/#safe-interaction

This I have admittedly never seen. Never even knew that this
recommendation existed. I'll rethink all this, but in the meantime

>
> You mean like the security holes that are being exposed every week or
> two? Sooner or later, you have to realize that they're not isolated
> incidents. There's an architectural problem here.

Sooner or later, you'll look at what the vulnerabilities actually are
and realize that this whole discussion really has nothing to do with
the vulnerabilities at hand. Regardless of POST or GET, these
vulnerabilities would have existed. POST is NOT a form of protection
against XSS, CSRF, etc. in any way, and more importantly these
vulnerabilities can be exploited through POST, for example when
writing a new post/page, the same lack of sanitization exists.

I can see an argument for moving on a strictly "we must comply with
every standard and recommendation that is written" standpoint, that I
am fine with. But don't try to pass off the need for a strict
interpretation of everything as a security must. That's completely
wrong.


-- 
--Robert Deaton
http://lushlab.com
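As an added illustration of the point argued above, that the HTTP verb is not the protection and the nonce is (example code, not from the original thread or from WordPress's own code): a server-side HMAC token bound to the logged-in user and the specific action is what rejects a forged request, whether it arrives by GET or POST. The parameter name `_nonce`, the `handle_delete` endpoint and the request dicts are constructed for this example; WordPress's real nonces additionally expire on a time tick, which this simplification omits.

```python
import hmac
import hashlib
import secrets

# Per-site secret; constructed here for the example (a real site loads it from config).
SERVER_KEY = secrets.token_bytes(32)


def make_nonce(user_id: str, action: str, key: bytes = SERVER_KEY) -> str:
    """Token bound to (user, action). A cross-site attacker page cannot read it,
    because the same-origin policy keeps our HTML out of its reach."""
    msg = f"{user_id}|{action}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:20]


def verify_nonce(nonce, user_id: str, action: str, key: bytes = SERVER_KEY) -> bool:
    expected = make_nonce(user_id, action, key)
    # Constant-time compare so a wrong token leaks nothing about the right one.
    return hmac.compare_digest(str(nonce or ""), expected)


def handle_delete(request: dict) -> str:
    """Simulated state-changing endpoint. Accepts GET and POST alike: the
    verb is irrelevant; only the nonce decides whether the request is honoured."""
    user = request["session_user"]           # session cookie rides along on forged requests too
    post_id = request["params"].get("post_id", "")
    action = f"delete-post_{post_id}"        # hypothetical action name
    if not verify_nonce(request["params"].get("_nonce"), user, action):
        return "403 nonce check failed"
    return f"200 deleted post {post_id}"


def demo() -> list:
    """Three constructed requests, all carrying the victim's (alice's) session."""
    legit = {"method": "GET", "session_user": "alice",
             "params": {"post_id": "42", "_nonce": make_nonce("alice", "delete-post_42")}}
    # CSRF via an auto-submitted cross-site form: POST, valid cookie, no nonce.
    forged_post = {"method": "POST", "session_user": "alice",
                   "params": {"post_id": "42"}}
    # Token captured for one post replayed against another: bound action mismatch.
    replayed = {"method": "POST", "session_user": "alice",
                "params": {"post_id": "7", "_nonce": make_nonce("alice", "delete-post_42")}}
    return [handle_delete(r) for r in (legit, forged_post, replayed)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```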
