[wp-trac] Re: [WordPress Trac] #2678: Nonces instead of referers

WordPress Trac wp-trac at lists.automattic.com
Wed Apr 26 17:50:01 GMT 2006


#2678: Nonces instead of referers
----------------------------+-----------------------------------------------
       Id:  2678            |      Status:  new                     
Component:  Administration  |    Modified:  Wed Apr 26 17:50:01 2006
 Severity:  normal          |   Milestone:                          
 Priority:  normal          |     Version:  2.1                     
    Owner:  anonymous       |    Reporter:  ringmaster              
----------------------------+-----------------------------------------------
Comment (by SilverPaladin):

 This solution tries to use a time check, but the logic doesn't work.

 This code here is the problem:
 >$i = ceil(time() / 43200);

 That takes the number of seconds since January 1 1970 00:00:00 GMT and
 counts how many 30 day chunks there have been.  The nonce evaluation
 simply checks to see if you are in the same 30 day chunk of time.

 It does not say "this nonce is valid for 30 days."  In fact, if you visit
 this site with only one second left in the 30 day chunk, you will have 1
 second in which to do all of your work.

 Additionally, all days within that thirty day chunk evaluate as being the
 same chunk.  So, as salt, $i really does nothing.

 In security applications, Nonces should be valid for as short a time as
 possible.  When used as a session key, this normally means a nonce is
 valid for minutes, not days.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/2678>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
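The boundary problem described in the comment, worked through as an added example (not code from the ticket or from WordPress): the chunk index is `ceil(now / 43200)` as quoted, the keyed construction (HMAC-SHA256 over tick and action, with a constructed secret) and the action name are assumptions, and the two-tick acceptance shown beside the single-tick check is a standard mitigation, not something the ticket proposes.

```python
import hmac
import hashlib

# Constructed demo key; a real deployment derives this from its own secret.
SECRET = b"constructed-demo-secret"
WINDOW = 43200  # the divisor quoted in the ticket, in seconds

def tick(now: int, window: int = WINDOW) -> int:
    """The chunk index from the quoted code: ceil(now / window)."""
    return -(-now // window)

def nonce_for_tick(action: str, t: int) -> str:
    # Keyed MAC over the tick and the action. HMAC-SHA256 is an assumption
    # for this example, not the ticket's construction.
    msg = f"{t}|{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def make_nonce(action: str, now: int) -> str:
    return nonce_for_tick(action, tick(now))

def verify_single_tick(nonce: str, action: str, now: int) -> bool:
    """The behaviour the comment criticises: only the current chunk matches,
    so every nonce issued within one chunk is identical and all of them die
    together at the chunk boundary."""
    return hmac.compare_digest(nonce, make_nonce(action, now))

def verify_two_ticks(nonce: str, action: str, now: int) -> bool:
    """Mitigation: accept the current and the previous chunk, so a nonce is
    valid for at least one full window and at most two."""
    cur = tick(now)
    return any(hmac.compare_digest(nonce, nonce_for_tick(action, t))
               for t in (cur, cur - 1))

def remaining_lifetime(now: int, window: int = WINDOW) -> int:
    """Seconds a nonce issued at `now` stays valid under single-tick checking:
    the time left until the chunk boundary, anywhere from 0 to window - 1."""
    return tick(now, window) * window - now

if __name__ == "__main__":
    boundary = 1000 * WINDOW  # a constructed chunk boundary
    n = make_nonce("delete-post", boundary - 1)
    print("lifetime if issued 1 s before boundary:", remaining_lifetime(boundary - 1))
    print("single-tick check 2 s later:", verify_single_tick(n, "delete-post", boundary + 1))
    print("two-tick check 2 s later:   ", verify_two_ticks(n, "delete-post", boundary + 1))
```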

