[wp-trac] Re: [WordPress Trac] #2678: Nonces instead of referers

WordPress Trac wp-trac at lists.automattic.com
Fri May 5 22:52:39 GMT 2006

#2678: Nonces instead of referers
       Id:  2678            |      Status:  new                     
Component:  Administration  |    Modified:  Fri May  5 22:52:39 2006
 Severity:  normal          |   Milestone:                          
 Priority:  normal          |     Version:  2.1                     
    Owner:  anonymous       |    Reporter:  ringmaster              
Comment (by mdawaffe):

 Currently, file uploading and deleting is not possible with inline
 uploading.  check_admin_referer() is used universally in inline-
 uploading.php, but the important actions don't send the nonce.  Deleting
 is technically possible with the confirmation, but uploading is impossible
 since the confirmation does not preserve $_FILES.


  1. check_admin_referer() only on actions that need it (delete and save).
  1. Remove some unnecessary wp_nonce_url()s
  1. Add nonces to file deletion and upload.
  1. (Clean up some echos as a side effect of poking around.)

Ticket URL: <http://trac.wordpress.org/ticket/2678>
WordPress Trac <http://wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list