[wp-trac] [WordPress Trac] #10739: Pass logged_in cookie to async-upload

WordPress Trac wp-trac at lists.automattic.com
Wed Sep 9 09:27:56 UTC 2009


#10739: Pass logged_in cookie to async-upload
-------------------------------+--------------------------------------------
 Reporter:  nbachiyski         |        Owner:            
     Type:  defect (bug)       |       Status:  reopened  
 Priority:  normal             |    Milestone:  Unassigned
Component:  Upload             |      Version:            
 Severity:  normal             |   Resolution:            
 Keywords:  reporter-feedback  |  
-------------------------------+--------------------------------------------
Changes (by azaozz):

  * keywords:  has-patch => reporter-feedback
  * status:  closed => reopened
  * resolution:  fixed =>


Comment:

 This doesn't look good... We make the cookies not accessible by JS and at
 the same time put them in plain view and accept them in the GET request.

 Perhaps we could look at making a short-lived (30 min?) nonce for the
 flash uploader, which would be way more secure.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10739#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
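The comment above prefers a short-lived nonce over sending the logged_in cookie in the request. The following is an added illustration of that idea, not code from the ticket, the patch, or WordPress core: an HMAC-signed token bound to a user id, an action name and an expiry timestamp, with a 30-minute lifetime as suggested. The secret key, user ids and action names are constructed placeholders, and the layout `expires_at.signature` is this example's own choice, not the format WordPress uses.

```python
"""Short-lived, action-bound nonce for an uploader endpoint.

Constructed example: models the ticket comment's suggestion of handing the
Flash uploader a 30-minute nonce instead of the logged_in cookie. The secret
key, user ids and action names below are placeholders, not WordPress values.
"""
import hashlib
import hmac
import time
from typing import Optional

# Assumption: a server-side secret that never leaves the server (placeholder).
SECRET_KEY = b"constructed-demo-secret-key-change-me"

# Lifetime taken from the comment's suggestion: 30 minutes.
NONCE_LIFETIME_SECONDS = 30 * 60


def _signature(user_id: int, action: str, expires_at: int) -> str:
    # Bind the token to who may use it, what it may be used for, and until when.
    message = f"{user_id}|{action}|{expires_at}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def create_upload_nonce(user_id: int, action: str, now: Optional[float] = None,
                        lifetime: int = NONCE_LIFETIME_SECONDS) -> str:
    """Return 'expires_at.signature', suitable for a URL or form field.

    Unlike the logged_in cookie, the nonce carries nothing reusable for
    general authentication and stops working after `lifetime` seconds.
    """
    now = time.time() if now is None else now
    expires_at = int(now) + lifetime
    return f"{expires_at}.{_signature(user_id, action, expires_at)}"


def verify_upload_nonce(nonce: str, user_id: int, action: str,
                        now: Optional[float] = None) -> bool:
    """Accept only an untampered, unexpired nonce for this user and action."""
    now = time.time() if now is None else now
    try:
        expires_str, presented_sig = nonce.split(".", 1)
        expires_at = int(expires_str)
    except ValueError:
        return False  # malformed token
    if expires_at <= now:
        return False  # expired
    expected_sig = _signature(user_id, action, expires_at)
    # Constant-time comparison so the check does not leak the signature via timing.
    return hmac.compare_digest(expected_sig, presented_sig)


if __name__ == "__main__":
    issued = 1_000_000  # constructed clock value
    token = create_upload_nonce(7, "async-upload", now=issued)
    print("nonce for the uploader:", token)
    print("valid right away:", verify_upload_nonce(token, 7, "async-upload", now=issued))
    print("valid after 31 min:", verify_upload_nonce(token, 7, "async-upload", now=issued + 31 * 60))
    print("valid for another action:", verify_upload_nonce(token, 7, "delete-post", now=issued))
```

The token is still a bearer credential while it lives, so the endpoint should only accept it over TLS and for the one action it names; what the scheme buys over the cookie is a narrow scope and a short window, so exposure in a URL or server log is far less damaging than exposure of the session itself.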