[wp-trac] [WordPress Trac] #2678: Nonces instead of referers

WordPress Trac wp-trac at lists.automattic.com
Fri Apr 21 16:09:38 GMT 2006

#2678: Nonces instead of referers
       Id:  2678            |      Status:  new                     
Component:  Administration  |    Modified:  Fri Apr 21 16:09:37 2006
 Severity:  normal          |   Milestone:                          
 Priority:  normal          |     Version:  2.1                     
    Owner:  anonymous       |    Reporter:  ringmaster              
 The WordPress admin should use nonces instead of checking referers to
 prevent CSRF attacks because of the improved usability provided by

 Patch includes replacement check_admin_referer() function that uses nonces
 instead of verifying referers.  check_admin_referer() now accepts a nonce
 action as an optional parameter, which is used to verify the incoming

 Several new functions in functions.php create and verify nonces and
 facilitate their use.  For example, to modify a url to add a nonce, call
 wp_nonce_url($url, $action), where $action is the action to be verified by
 the nonce.

 The patch makes modifications only to employ a nonce for deletion of posts
 when js is disabled on the Manage Posts page.  Also, the inline-upload.php
 has been modified slightly so that urls it generates are more nonce-
 friendly.  (inline-upload.php calls check_admin_referer() even when no
 input is expected!)

 Plugins should not be affected by this change unless they call
 check_admin_referer(), in which case they will need to add nonces to the
 URLs that they generate so that they can be verified.

 Note that not including a nonce does not automatically fail as with the
 prior code.  Instead, an "Are you sure?" message appears with Yes and No
 options that forward the original request with a nonce attached.
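 An illustration of the time-based nonce scheme and the "Are you sure?" fallback the ticket describes, written here as an added example rather than taken from the patch. The secret, the 12-hour tick, the `nonce` parameter name and the mixing of a user id into the hash are assumptions, not details from the ticket.

```php
<?php
// Added example; not the patch's code. Assumed: per-site secret, 12-hour tick,
// user id bound into the nonce so one user's nonce does not validate for another.
const NONCE_SECRET = 'example-site-secret-replace-me'; // constructed placeholder
const NONCE_TICK_SECONDS = 43200;                      // 12 hours, assumed

function nonce_tick(?int $now = null): int {
    return intdiv($now ?? time(), NONCE_TICK_SECONDS);
}

function create_nonce(string $action, int $user_id, ?int $now = null): string {
    // Truncated HMAC over tick|action|user keeps URLs short while binding the
    // token to one action and one time window.
    $msg = nonce_tick($now) . "|$action|$user_id";
    return substr(hash_hmac('sha256', $msg, NONCE_SECRET), 0, 10);
}

function verify_nonce(string $nonce, string $action, int $user_id, ?int $now = null): bool {
    // Accept the current tick and the one before it, so a page rendered just
    // before a boundary still submits; anything older is rejected.
    $tick = nonce_tick($now);
    foreach ([0, 1] as $back) {
        $msg = ($tick - $back) . "|$action|$user_id";
        $expected = substr(hash_hmac('sha256', $msg, NONCE_SECRET), 0, 10);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// Analogue of wp_nonce_url($url, $action): append a nonce for $action to a URL.
function nonce_url(string $url, string $action, int $user_id): string {
    $sep = strpos($url, '?') === false ? '?' : '&';
    return $url . $sep . 'nonce=' . rawurlencode(create_nonce($action, $user_id));
}

// Analogue of the new check_admin_referer($action): true means proceed; false
// means the caller must show the "Are you sure?" page whose Yes link carries a
// fresh nonce instead of silently performing the state change.
function check_action(array $request, string $action, int $user_id): bool {
    return isset($request['nonce'])
        && verify_nonce((string) $request['nonce'], $action, $user_id);
}

$uid = 42; // constructed user id
$url = nonce_url('post.php?action=delete&post=7', 'delete-post_7', $uid);
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
echo check_action($q, 'delete-post_7', $uid) ? "delete\n" : "confirm\n"; // matching action
echo check_action($q, 'delete-post_8', $uid) ? "delete\n" : "confirm\n"; // nonce bound elsewhere
echo check_action([], 'delete-post_7', $uid) ? "delete\n" : "confirm\n"; // request without nonce
```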

 Thanks to mdawaffe for the initial run at the new check_admin_referer()
 and masquerade for the time-based nonce code.

 Please test.

Ticket URL: <http://trac.wordpress.org/ticket/2678>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
