[wpmu-trac] [WordPress MU Trac] #685: Nonce design incompatibility breaks plugins
WordPress MU Trac
wpmu-trac at lists.automattic.com
Sat Jul 19 11:44:59 GMT 2008
#685: Nonce design incompatibility breaks plugins
------------------------+---------------------------------------------------
Reporter: mrpeteh | Owner: somebody
Type: defect | Status: new
Priority: normal | Milestone:
Component: component1 | Version:
Severity: major | Keywords:
------------------------+---------------------------------------------------
(See http://trac.wordpress.org/ticket/7277 for original report on WP)
The nonce designs in WP and WPMU are incompatible. This breaks any plugin
attempting to provide better security.
WP passes option list through parameter "page_options" and requires param
option_page and the nonce_field param to be specific values ("option" and
"update-options") for all plugins.
WPMU passes option list through global table $whitelist_options, and
requires param option_page and the nonce-field param to be unique values
with suffix "-options", where the unique value matches the
$whitelist_options key.
'''The two designs conflict in the required option_page and nonce_field
values.''' Without writing MU-specific code, plugins WILL break. (And, is
there any official is_mu() function???)
WP:
<input type="hidden" name="page_options" value="myplug_opt1,myplug_opt2" />
<input type='hidden' name='option_page' value='update' />
<?php if (function_exists('wp_nonce_field')) wp_nonce_field('update-options'); ?>
WPMU:
<input type='hidden' name='option_page' value='myplug-update' />
<?php if (function_exists('wp_nonce_field')) wp_nonce_field('myplug-update-options'); ?>
add_filter('whitelist_options', 'myplug_addOptions');
function myplug_addOptions() {
    global $whitelist_options;
    $whitelist_options['myplug-update'] = array('myplug_opt1', 'myplug_opt2');
}
--
Ticket URL: <http://trac.mu.wordpress.org/ticket/685>
WordPress MU Trac <http://mu.wordpress.org/>
WordPress Multiuser
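A settings-form helper that emits the field set each platform expects, following the two snippets in the ticket. This is an added example, not code from the ticket or from WordPress; the myplug_* names and MYPLUG_PAGE are hypothetical, and detecting WordPress MU by the presence of wpmu_create_blog() is an assumption.

```php
<?php
// Added example. Field names and values are taken from the ticket's WP and
// WPMU snippets; every myplug_* name is hypothetical.
define('MYPLUG_PAGE', 'myplug-update'); // key used in $whitelist_options on WPMU

function myplug_option_names() {
    return array('myplug_opt1', 'myplug_opt2');
}

// Assumption: wpmu_create_blog() is defined only when running under WordPress MU.
function myplug_is_mu() {
    return function_exists('wpmu_create_blog');
}

// WPMU: register the options under the key that option_page will carry.
// Updates the global table and also returns it, so the entry survives whether
// or not the filter's return value is assigned back.
function myplug_add_options($whitelist = array()) {
    global $whitelist_options;
    $whitelist_options[MYPLUG_PAGE] = myplug_option_names();
    if (!is_array($whitelist)) { $whitelist = array(); }
    $whitelist[MYPLUG_PAGE] = myplug_option_names();
    return $whitelist;
}

// Emit the hidden fields and nonce for whichever design is in effect. The
// nonce action must be the exact string the options handler will verify.
function myplug_settings_fields() {
    if (myplug_is_mu()) {
        $option_page  = MYPLUG_PAGE;
        $nonce_action = MYPLUG_PAGE . '-options';
    } else {
        $option_page  = 'update';
        $nonce_action = 'update-options';
        printf('<input type="hidden" name="page_options" value="%s" />' . "\n",
            htmlspecialchars(implode(',', myplug_option_names()), ENT_QUOTES));
    }
    printf('<input type="hidden" name="option_page" value="%s" />' . "\n",
        htmlspecialchars($option_page, ENT_QUOTES));
    if (function_exists('wp_nonce_field')) {
        wp_nonce_field($nonce_action);
    }
}

if (function_exists('add_filter') && myplug_is_mu()) {
    add_filter('whitelist_options', 'myplug_add_options');
}
```

Call myplug_settings_fields() inside the plugin's settings <form>; the option list is defined once, so the posted fields and the whitelist entry cannot drift apart.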