[wp-trac] [WordPress Trac] #2678: Nonces instead of referers

WordPress Trac wp-trac at lists.automattic.com
Fri Apr 21 16:09:38 GMT 2006


#2678: Nonces instead of referers
----------------------------+-----------------------------------------------
       Id:  2678            |      Status:  new                     
Component:  Administration  |    Modified:  Fri Apr 21 16:09:37 2006
 Severity:  normal          |   Milestone:                          
 Priority:  normal          |     Version:  2.1                     
    Owner:  anonymous       |    Reporter:  ringmaster              
----------------------------+-----------------------------------------------
 The WordPress admin should use nonces instead of checking referers to
 prevent CSRF attacks because of the improved usability provided by
 nonces.

 Patch includes replacement check_admin_referer() function that uses nonces
 instead of verifying referers.  check_admin_referer() now accepts a nonce
 action as an optional parameter, which is used to verify the incoming
 nonce.

 Several new functions in functions.php create and verify nonces and
 facilitate their use.  For example, to modify a url to add a nonce, call
 wp_nonce_url($url, $action), where $action is the action to be verified by
 the nonce.

 The patch makes modifications only to employ a nonce for deletion of posts
 when js is disabled on the Manage Posts page.  Also, the inline-upload.php
 has been modified slightly so that urls it generates are more nonce-
 friendly.  (inline-upload.php calls check_admin_referer() even when no
 input is expected!)

 Plugins should not be affected by this change unless they call
 check_admin_referer(), in which case they will need to add nonces to the
 URLs that they generate so that they can be verified.

 Note that not including a nonce does not automatically fail as with the
 prior code.  Instead, an "Are you sure?" message appears with Yes and No
 options that forward the original request with a nonce attached.

 Thanks to mdawaffe for the initial run at the new check_admin_referer()
 and masquerade for the time-based nonce code.

 Please test.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/2678>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
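The following is an added illustration of the scheme the ticket describes, written for this page and not the code from the #2678 patch: a time-based nonce tied to an action and a user, a helper that appends it to a URL in the manner of wp_nonce_url($url, $action), and a request check that returns "confirm" (the "Are you sure?" path) when no nonce is present and "fail" only when a nonce is present but wrong. The secret, the lifetime, the parameter name `_wpnonce` and the function names are assumptions for the example.

```php
<?php
// Added example, not the patch attached to ticket #2678.
// Demonstrates a time-based, action-bound nonce and a checker that falls
// back to a confirmation step instead of hard-failing when no nonce is sent.

const NONCE_SECRET = 'replace-with-a-long-random-secret'; // assumed: server-side secret
const NONCE_LIFE   = 12 * 60 * 60;                        // assumed: 12 hour lifetime

// Current "tick". A nonce is accepted for the tick it was issued in and the
// one after it, so it remains valid for between NONCE_LIFE/2 and NONCE_LIFE.
function nonce_tick(?int $now = null): int {
    return (int) ceil(($now ?? time()) / (NONCE_LIFE / 2));
}

// Bind the token to tick, action and user so it cannot be replayed for a
// different action or by a different account.
function make_nonce(string $action, int $user_id, int $tick): string {
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET), 0, 10);
}

function create_nonce(string $action, int $user_id, ?int $now = null): string {
    return make_nonce($action, $user_id, nonce_tick($now));
}

// Accept the current tick and the previous one; compare in constant time.
function verify_nonce(string $nonce, string $action, int $user_id, ?int $now = null): bool {
    $tick = nonce_tick($now);
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(make_nonce($action, $user_id, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

// Append a nonce to a URL, in the spirit of wp_nonce_url($url, $action).
function nonce_url(string $url, string $action, int $user_id): string {
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . '_wpnonce=' . urlencode(create_nonce($action, $user_id));
}

// Request check. Returns [status, confirm_url]:
//   'ok'      - nonce present and valid for this action and user
//   'confirm' - no nonce at all: show "Are you sure?" and offer the same
//               request with a nonce attached (the Yes link)
//   'fail'    - nonce present but invalid (wrong action, user, or expired)
function check_request(array $query, string $action, int $user_id, string $request_url): array {
    if (!isset($query['_wpnonce'])) {
        return ['confirm', nonce_url($request_url, $action, $user_id)];
    }
    $valid = verify_nonce((string) $query['_wpnonce'], $action, $user_id);
    return [$valid ? 'ok' : 'fail', null];
}

// Walk-through with a constructed request (paths and ids are made up).
$user    = 42;
$action  = 'delete-post_7';
$request = '/wp-admin/post.php?action=delete&post=7';

// 1. A request with no nonce: the checker asks for confirmation and builds the Yes link.
[$status, $yes_link] = check_request(['action' => 'delete', 'post' => '7'], $action, $user, $request);
echo "no nonce      -> $status, yes link: $yes_link\n";

// 2. Following the Yes link: the nonce is present and valid.
parse_str((string) parse_url($yes_link, PHP_URL_QUERY), $query);
[$status] = check_request($query, $action, $user, $request);
echo "with nonce    -> $status\n";

// 3. The same nonce presented for a different action is rejected outright.
[$status] = check_request($query, 'delete-post_8', $user, $request);
echo "wrong action  -> $status\n";

// 4. A nonce minted more than NONCE_LIFE ago no longer verifies.
$old = create_nonce($action, $user, time() - NONCE_LIFE - 1);
echo "expired nonce -> " . (verify_nonce($old, $action, $user) ? 'ok' : 'fail') . "\n";
```

The distinction between "confirm" and "fail" is the point the ticket makes about usability: a link that lost its nonce (bookmarked, typed by hand, or generated by a plugin that has not been updated) degrades to a confirmation page rather than an error, while a nonce that is present but wrong is still rejected, since a forged request cannot produce a valid token without the server-side secret.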

