[wp-trac] Re: [WordPress Trac] #2678: Nonces instead of referers
WordPress Trac
wp-trac at lists.automattic.com
Fri Apr 21 22:42:10 GMT 2006
#2678: Nonces instead of referers
----------------------------+-----------------------------------------------
Id: 2678 | Status: new
Component: Administration | Modified: Fri Apr 21 22:42:10 2006
Severity: normal | Milestone:
Priority: normal | Version: 2.1
Owner: anonymous | Reporter: ringmaster
----------------------------+-----------------------------------------------
Comment (by mdawaffe):
{{{
-check_admin_referer( 'deletepost' );
+check_admin_referer( 'deletepost' . $post_id );
}}}
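Review bot: the hunk changes only the verifying side; the call that emits the nonce for the delete link or form (the `wp_nonce_field`/`wp_create_nonce` counterpart) must be updated to the same `'deletepost' . $post_id` string in the same change, or every delete will fail the check. Also make sure `$post_id` is the same normalised value (for example cast to int from the request) on both sides, and consider a separator such as `'deletepost_' . $post_id` so the action string stays readable when more ids are scoped this way.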
Otherwise, if someone intercepts a nonce, that nonce is good for deleting
multiple arbitrary posts within a certain time interval.
We should restrict each nonce such that it can only authenticate one
specific action.
--
Ticket URL: <http://trac.wordpress.org/ticket/2678>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
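As an added illustration of the point made in the comment, not code from the ticket or from WordPress itself: a minimal HMAC-based nonce scheme in which the secret key, user id and six-hour tick are assumed values, and the action string carries the post id so that a nonce captured for one post cannot be replayed against another.

```php
<?php
// Illustrative nonce scheme (not WordPress's own implementation). The nonce
// binds a secret key, the acting user, a coarse time window and an action
// string that includes the object id, so a captured nonce only authenticates
// one specific action for a limited time.

const NONCE_TICK_SECONDS = 6 * 3600; // assumed window; a nonce spans two ticks

function nonce_tick(int $now): int {
    // Coarse time tick used in place of the exact timestamp.
    return intdiv($now, NONCE_TICK_SECONDS);
}

function nonce_for_tick(string $secret, int $user_id, string $action, int $tick): string {
    // Truncation only limits nonce length; the HMAC provides unforgeability.
    return substr(hash_hmac('sha256', $tick . '|' . $action . '|' . $user_id, $secret), -12, 10);
}

function create_nonce(string $secret, int $user_id, string $action, int $now): string {
    return nonce_for_tick($secret, $user_id, $action, nonce_tick($now));
}

function verify_nonce(string $secret, int $user_id, string $action, string $nonce, int $now): bool {
    // Accept the current tick and the previous one, so a form loaded just
    // before a tick boundary still submits successfully.
    $tick = nonce_tick($now);
    foreach ([$tick, $tick - 1] as $t) {
        $expected = nonce_for_tick($secret, $user_id, $action, $t);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// Constructed values for the demonstration.
$secret  = 'constructed-secret-key';
$user_id = 42;
$now     = time();

// Unscoped action: a single intercepted nonce authorises deleting any post
// until the tick window expires.
$loose = create_nonce($secret, $user_id, 'deletepost', $now);
var_dump(verify_nonce($secret, $user_id, 'deletepost', $loose, $now));

// Scoped per object, as the comment proposes: the nonce for post 7 validates
// for post 7 only and is rejected for post 8.
$scoped = create_nonce($secret, $user_id, 'deletepost' . 7, $now);
var_dump(verify_nonce($secret, $user_id, 'deletepost' . 7, $scoped, $now));
var_dump(verify_nonce($secret, $user_id, 'deletepost' . 8, $scoped, $now));
```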