[wp-trac] [WordPress Trac] #56475: Nonce not verify
WordPress Trac
noreply at wordpress.org
Sun Sep 4 23:45:16 UTC 2022
#56475: Nonce not verify
-----------------------------+-------------------------------
Reporter: hiren1094 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.1
Component: Security | Version: 6.0
Severity: normal | Resolution:
Keywords: has-patch close | Focuses: coding-standards
-----------------------------+-------------------------------
Changes (by peterwilsoncc):
* keywords: has-patch => has-patch close
Comment:
To follow up @SergeyBiryukov's comment: I don't think a nonce serves are
purpose on this screen. As the form presented to a logged out user, the
nonce won't protect against CSRF attacks.
If a site wishes to fool someone it to submitting the form, it can get the
nonce in the background as a logged out user. Once it has the value, it
can use it in the form for another logged out user to submit.
> As per coding standards If you are using any HTML or HTTP-based form
submissions, use a nonce to guarantee a user intends to perform an action.
This is absolutely true when there is a user, but for logged out accounts
there isn't a user to check against. As mentioned above, the original
installation screen runs without a user account.
I understand it's a subtle distinction so I hope the explanation helps.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56475#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list