[wp-hackers] Rethinking check_admin_referer()

Mark Jaquith mark.wordpress at txfx.net
Mon Apr 17 06:26:47 GMT 2006


Protecting the WordPress admin from CSRF attacks with  
check_admin_referer() is getting really old for me.  Many mobile  
browsing devices go through a proxy that strips them, and more and  
more people at home are getting "Internet security" suites that are  
stripping them.  I had a client ask me "why is this happening?  I  
never had problems like this with Movable Type."  Yeah, I could give  
him the whole reason for it, but from his perspective it is just  
"this is annoying, and I've only had this problem with WordPress."   
And seeing that there is a way around this, I don't see why we  
shouldn't pursue it.

Here's my suggestion:

1) function wp_secure_form($key='') { }

This function would echo out a hidden form input with an md5 hash  
computed on (a) the database password, (b) the userid, and (c) the  
optional key.  This would give us a hash that is unique to the  
specific WP user on that install, and optionally, specific to the  
particular task being performed.  For example, for deleting a post,  
you could do wp_secure_form('delete_post_' . $post_id); and it would  
be locked down to the install, the user, the "delete" action, and  
that specific post.

2) function wp_check_form($key='') { }

This would just compare the computed hash against  
$_POST['wp_secure_form_key']; or something.

We could take this opportunity to do a thorough check for unsecured  
forms, as well as recommend that plugin authors use this method.  I'm  
willing to write the patch, but it's not going to be a 15-minute  
affair, and my time is increasingly scarce, so I'd like to get some  
positive feedback (especially from someone with commit access) before  
spending time on it.

--
Mark Jaquith
http://txfx.net/
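The two functions proposed above, as an added worked example; this is not Mark's patch and not WordPress core code. It assumes a per-install secret (a hypothetical WP_FORM_SECRET constant) and takes the user id as an explicit parameter so it runs outside WordPress. Two deliberate departures from the proposal are labelled in the code: the token is a keyed HMAC over a dedicated secret rather than md5 over the concatenated database password, user id and key (so the database password is never a hash input and the token is a proper MAC rather than a hash of a concatenation), and the comparison uses hash_equals so it runs in constant time. The sample $_POST arrays are constructed for the demonstration.

```php
<?php
// Added example: not the proposal's patch and not WordPress code.
// Hypothetical names: WP_FORM_SECRET, wp_form_token(), wp_secure_form(), wp_check_form().

// Assumption: a long random per-install secret, normally loaded from wp-config.php.
// (The proposal hashes the database password; a dedicated secret is used here instead.)
define('WP_FORM_SECRET', 'replace-with-a-long-random-secret');

// Token bound to the install (secret), the user, and the optional action key.
// Swapped-in technique: HMAC-SHA256 instead of md5 over a plain concatenation.
function wp_form_token(int $user_id, string $key = ''): string {
    // NUL separator keeps (user 1, key "2x") distinct from (user 12, key "x").
    $message = $user_id . "\0" . $key;
    return hash_hmac('sha256', $message, WP_FORM_SECRET);
}

// 1) Emit the hidden input for a form rendered to $user_id.
function wp_secure_form(int $user_id, string $key = ''): void {
    $token = wp_form_token($user_id, $key);
    echo '<input type="hidden" name="wp_secure_form_key" value="'
        . htmlspecialchars($token, ENT_QUOTES) . '" />' . "\n";
}

// 2) Verify the submitted token against the one expected for ($user_id, $key).
//    $post stands in for $_POST so the check is testable without a request.
function wp_check_form(int $user_id, string $key, array $post): bool {
    $submitted = $post['wp_secure_form_key'] ?? null;
    if (!is_string($submitted)) {
        return false;           // field missing or malformed: treat as forged
    }
    // hash_equals compares in constant time, avoiding a timing side channel.
    return hash_equals(wp_form_token($user_id, $key), $submitted);
}

// Constructed demonstration of the four cases a reviewer would want covered.
$current_user_id = 7;           // assumed logged-in user
$post_id = 42;
$action = 'delete_post_' . $post_id;

wp_secure_form($current_user_id, $action);   // what the admin page would render

$cases = [
    // [description, constructed $_POST, expected verdict]
    ['legitimate resubmission of the rendered token',
        ['wp_secure_form_key' => wp_form_token($current_user_id, $action)], true],
    ['cross-site request: attacker cannot read the token, sends a guess',
        ['wp_secure_form_key' => str_repeat('0', 64)], false],
    ['cross-site request with the field absent entirely',
        [], false],
    ['valid token for a different post (key binds the action)',
        ['wp_secure_form_key' => wp_form_token($current_user_id, 'delete_post_43')], false],
    ['valid token for another user, same action (user id is in the MAC)',
        ['wp_secure_form_key' => wp_form_token(8, $action)], false],
];

foreach ($cases as [$label, $post, $expected]) {
    $got = wp_check_form($current_user_id, $action, $post);
    if ($got !== $expected) {
        throw new RuntimeException("unexpected verdict for: $label");
    }
    echo str_pad($got ? 'accept' : 'reject', 7), " ", $label, "\n";
}
```

One caveat the proposal leaves open: a token that is a deterministic function of (secret, user, key) never expires, so a token that leaks stays valid until the secret is rotated. Adding a coarse time window to the hashed message (and accepting the current and previous window) bounds that exposure at the cost of forms that sit open too long failing the check.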