[wp-trac] Re: [WordPress Trac] #3807: Admin Functions Denying Access with "You don't have permission to do that"
WordPress Trac
wp-trac at lists.automattic.com
Mon Jun 4 20:18:44 GMT 2007
#3807: Admin Functions Denying Access with "You don't have permission to do that"
-----------------------------------------------+----------------------------
Reporter: seanwedig | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.4 (future)
Component: Administration | Version: 2.1
Severity: major | Resolution:
Keywords: permissions has-patch 2nd-opinion |
-----------------------------------------------+----------------------------
Comment (by mdawaffe):
It's one level of protecting against forged requests that come from the
same domain. Other levels include using POSTs and kses.
If we had any GET based AJAX requests, for example, someone could write a
link that when clicked would add something to the blogroll (or whatever)
since the admin cookie would be there in $_COOKIE.
Requiring that the cookie also be found in $_REQUEST and only handling
POST AJAX requests ensures that all requests come either from a form or
from JS, both of which are removed by kses.
That's why. What you mention is the why not :)
I think we can shift to using nonces now that we have them. In fact, most
of the AJAX stuff we do is parallel to normal form POSTs and so a nonce is
already available for most things. Also, I think autosave has a JS
function which could be mooshed into requesting fresh nonces for whatever
we need. It should get a security review and be included as a method in
the wpAjax JS object.
--
Ticket URL: <http://trac.wordpress.org/ticket/3807#comment:5>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
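As an added example (not code from the ticket or from WordPress itself), the two request-origin checks mdawaffe describes, the admin cookie echoed back in the request and POST-only handling, beside a nonce check of the kind the comment proposes, written as plain PHP functions over constructed request data. The cookie name, secret, and function names are assumptions for illustration, not WordPress API.

```php
<?php
// Added example, not from the ticket. Names below are hypothetical.
const COOKIE_NAME = 'wordpressuser'; // assumed admin cookie name

// Checks 1 and 2 from the comment: the request must be a POST and the admin
// cookie must be echoed back in the request data. A forged GET link gets the
// cookie attached by the browser but cannot supply the echoed copy, and
// user content that kses has stripped of <form> and <script> cannot POST.
function passes_cookie_echo_check(string $method, array $cookie, array $request): bool {
    if ($method !== 'POST') {
        return false;
    }
    if (!isset($cookie[COOKIE_NAME], $request[COOKIE_NAME])) {
        return false;
    }
    // Constant-time comparison so the check does not leak the cookie value.
    return hash_equals($cookie[COOKIE_NAME], $request[COOKIE_NAME]);
}

// Nonce alternative: a per-user, per-action token derived from a server-side
// secret and a time window ("tick"), so it expires and cannot be guessed
// from the cookie alone. Same shape as a nonce, not WordPress's own algorithm.
function make_nonce(string $secret, int $user_id, string $action, int $tick): string {
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", $secret), 0, 10);
}

function verify_nonce(string $nonce, string $secret, int $user_id, string $action, int $tick): bool {
    // Accept the current and previous tick so a form rendered just before a
    // window boundary still submits successfully.
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(make_nonce($secret, $user_id, $action, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

// Constructed requests: a forged GET link versus a legitimate form POST.
$cookie = [COOKIE_NAME => 'admin'];
var_dump(passes_cookie_echo_check('GET', $cookie, []));
var_dump(passes_cookie_echo_check('POST', $cookie, [COOKIE_NAME => 'admin']));

// Nonce round trip: issued for user 1 / action "add-link", checked in the
// same 12-hour window (assumed window length), then rejected for another action.
$secret = 'constructed-server-secret';
$tick = intdiv(time(), 43200);
$nonce = make_nonce($secret, 1, 'add-link', $tick);
var_dump(verify_nonce($nonce, $secret, 1, 'add-link', $tick));
var_dump(verify_nonce($nonce, $secret, 1, 'delete-link', $tick));
```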