[wp-trac] Re: [WordPress Trac] #2678: Nonces instead of referers
WordPress Trac
wp-trac at lists.automattic.com
Fri May 5 22:52:39 GMT 2006
#2678: Nonces instead of referers
----------------------------+-----------------------------------------------
Id: 2678 | Status: new
Component: Administration | Modified: Fri May 5 22:52:39 2006
Severity: normal | Milestone:
Priority: normal | Version: 2.1
Owner: anonymous | Reporter: ringmaster
----------------------------+-----------------------------------------------
Comment (by mdawaffe):
Currently, file uploading and deleting are not possible with inline
uploading. check_admin_referer() is used universally in
inline-uploading.php, but the important actions don't send the nonce.
Deleting is technically possible with the confirmation, but uploading is
impossible since the confirmation does not preserve $_FILES.
2678inline.diff
1. check_admin_referer() only on actions that need it (delete and save).
2. Remove some unnecessary wp_nonce_url()s.
3. Add nonces to file deletion and upload.
4. (Clean up some echos as a side effect of poking around.)
--
Ticket URL: <http://trac.wordpress.org/ticket/2678>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
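As an added illustration of the pattern the comment describes (example code, not the ticket's diff and not WordPress's own inline-uploading.php): the nonce is emitted inside the upload form so it travels in the same POST as the file, the delete link carries its own nonce via wp_nonce_url(), and only the state-changing actions call check_admin_referer(). The action names, field names and the hypothetical function names are assumptions.

```php
<?php
// Added example: nonce-protected upload and delete for an admin screen.
// Assumed action names: 'inline-uploading-upload', 'inline-uploading-delete-{ID}'.

// The upload form. wp_nonce_field() emits a hidden _wpnonce input bound to
// the action, so the nonce arrives together with $_FILES and no separate
// confirmation round trip (which would drop $_FILES) is needed.
function inline_upload_form() {
    ?>
    <form method="post" enctype="multipart/form-data" action="">
        <?php wp_nonce_field( 'inline-uploading-upload' ); ?>
        <input type="hidden" name="action" value="upload" />
        <input type="file" name="image" />
        <input type="submit" value="Upload" />
    </form>
    <?php
}

// The delete link. wp_nonce_url() appends _wpnonce for this specific
// attachment, so a forged cross-site link without the nonce is rejected.
function inline_delete_link( $post_id ) {
    $post_id = (int) $post_id;
    $url = 'inline-uploading.php?action=delete&amp;ID=' . $post_id;
    return wp_nonce_url( $url, 'inline-uploading-delete-' . $post_id );
}

// The handler. Nonces prove intent, not authorization, so the capability
// check stays; check_admin_referer() runs only on delete and upload
// (matching item 1 of the diff), never on the read-only listing.
function inline_handle_action() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'You are not allowed to manage uploads.' );
    }
    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
    switch ( $action ) {
        case 'upload':
            // Verifies _wpnonce or stops with the "are you sure" screen.
            // $_FILES is still intact here because the nonce came with it.
            check_admin_referer( 'inline-uploading-upload' );
            if ( ! empty( $_FILES['image']['tmp_name'] ) ) {
                $bits = file_get_contents( $_FILES['image']['tmp_name'] );
                wp_upload_bits( $_FILES['image']['name'], null, $bits );
            }
            break;
        case 'delete':
            $id = isset( $_REQUEST['ID'] ) ? (int) $_REQUEST['ID'] : 0;
            check_admin_referer( 'inline-uploading-delete-' . $id );
            wp_delete_attachment( $id );
            break;
        default:
            break; // listing files changes nothing, so no nonce is required
    }
}
```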