[wp-hackers] Any other way to do it? (or, do we really need Nonces?)
Elliotte Harold
elharo at metalab.unc.edu
Fri Mar 2 21:15:40 GMT 2007
Robert Deaton wrote:
> For GET vs. POST and safe following of links, nowhere is it stated
> that GETs in links are intended to not have side effects.
Have you really not seen any of the numerous places where this has been
stated? See for example, section 9.1 of the HTTP 1.1 specification:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1
Also see section 3.4 of Architecture of the World Wide Web, Volume One:
http://www.w3.org/TR/webarch/#safe-interaction
and
URIs, Addressability, and the use of HTTP GET and POST
http://www.w3.org/2001/tag/doc/whenToUseGet.html
> There is a
> recommendation that they do not, but it is not a requirement, nor
> would it be enforceable if it was. There is no reason that a link that
> is clearly labeled in the administration panel to point to an action
> that is intended to delete something should not be allowed.
Please review the above references which explain in detail why "a link
that is clearly labeled in the administration panel to point to an
action that is intended to delete something should not be allowed."
> If we're
> not sending the right caching headers to comply with the
> recommendations of the HTTP specification, then I suggest we change
> that. Otherwise, I see absolutely no problem with using links to
> perform operations.
>
You mean like the security holes that are being exposed every week or
two? Sooner or later, you have to realize that they're not isolated
incidents. There's an architectural problem here.
--
Elliotte Rusty Harold elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/