[wp-trac] [WordPress Trac] #2678: Nonces instead of referers
WordPress Trac
wp-trac at lists.automattic.com
Fri Apr 21 16:09:38 GMT 2006
#2678: Nonces instead of referers
----------------------------+-----------------------------------------------
Id: 2678 | Status: new
Component: Administration | Modified: Fri Apr 21 16:09:37 2006
Severity: normal | Milestone:
Priority: normal | Version: 2.1
Owner: anonymous | Reporter: ringmaster
----------------------------+-----------------------------------------------
The WordPress admin should use nonces instead of checking referers to
prevent CSRF attacks because of the improved usability provided by
nonces.
Patch includes replacement check_admin_referer() function that uses nonces
instead of verifying referers. check_admin_referer() now accepts a nonce
action as an optional parameter, which is used to verify the incoming
nonce.
Several new functions in functions.php create and verify nonces and
facilitate their use. For example, to modify a url to add a nonce, call
wp_nonce_url($url, $action), where $action is the action to be verified by
the nonce.
The patch makes modifications only to employ a nonce for deletion of posts
when js is disabled on the Manage Posts page. Also, the inline-upload.php
has been modified slightly so that urls it generates are more
nonce-friendly. (inline-upload.php calls check_admin_referer() even when no
input is expected!)
Plugins should not be affected by this change unless they call
check_admin_referer(), in which case they will need to add nonces to the
URLs that they generate so that they can be verified.
Note that not including a nonce does not automatically fail as with the
prior code. Instead, an "Are you sure?" message appears with Yes and No
options that forward the original request with a nonce attached.
Thanks to mdawaffe for the initial run at the new check_admin_referer()
and masquerade for the time-based nonce code.
Please test.
--
Ticket URL: <http://trac.wordpress.org/ticket/2678>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
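The scheme the ticket describes (a time-based nonce bound to an action and user, added to URLs with wp_nonce_url(), checked by check_admin_referer(), and falling back to an "Are you sure?" prompt when absent), as an added example that is not the patch's code; NONCE_SECRET, NONCE_LIFE, the `_wpnonce` parameter name and all function names below are assumptions for illustration, not WordPress APIs.

```php
<?php
// Added example, not the patch's code. Secret and lifetime are assumptions.
const NONCE_SECRET = 'constructed-per-site-secret';   // assumption: per-site key
const NONCE_LIFE   = 12 * 3600;                       // assumption: 12-hour window

// Time bucket: nonces are minted per half-lifetime so they expire on their own.
function nonce_tick($now) {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Binding the HMAC to tick|action|user means a nonce leaked from one page
// cannot be replayed for another action or by another user.
function create_nonce($action, $user_id, $now) {
    $tick = nonce_tick($now);
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET), -12, 10);
}

// Accept the current bucket and the previous one: valid for NONCE_LIFE/2 .. NONCE_LIFE.
function verify_nonce($nonce, $action, $user_id, $now) {
    $tick = nonce_tick($now);
    foreach ([$tick, $tick - 1] as $t) {
        $expected = substr(hash_hmac('sha256', "$t|$action|$user_id", NONCE_SECRET), -12, 10);
        if (hash_equals($expected, $nonce)) return true;   // constant-time compare
    }
    return false;
}

// Mirrors the described wp_nonce_url($url, $action): append the nonce to a link.
function nonce_url($url, $action, $user_id, $now) {
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . '_wpnonce=' . urlencode(create_nonce($action, $user_id, $now));
}

// Replacement-style admin check: no nonce -> ask the user ("Are you sure?"),
// bad or stale nonce -> refuse, good nonce -> proceed.
function check_admin_nonce(array $request, $action, $user_id, $now) {
    if (!isset($request['_wpnonce'])) return 'confirm';
    return verify_nonce($request['_wpnonce'], $action, $user_id, $now) ? 'ok' : 'deny';
}

// Walk-through with constructed values (user 7 deleting post 42).
$now = 1145635778;   // constructed timestamp near the ticket's date
$url = nonce_url('post.php?action=delete&post=42', 'delete-post_42', 7, $now);
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
echo "same action/user: ", check_admin_nonce($q, 'delete-post_42', 7, $now), "\n";
echo "other action:     ", check_admin_nonce($q, 'delete-post_43', 7, $now), "\n";
echo "other user:       ", check_admin_nonce($q, 'delete-post_42', 8, $now), "\n";
echo "no nonce at all:  ", check_admin_nonce([], 'delete-post_42', 7, $now), "\n";
echo "after lifetime:   ", check_admin_nonce($q, 'delete-post_42', 7, $now + NONCE_LIFE + 1), "\n";
```

The "confirm" branch is the behaviour the ticket describes for requests lacking a nonce: the request is re-presented to the user with a nonce attached rather than silently rejected, so a cross-site forgery still cannot complete without an interactive confirmation.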