Mark Jaquith's interesting "Rethinking check_admin_referer()" thread
 has generated some POST v. GET debate. This debate seems to crop
up once or twice a year, so while people are thinking about it, allow
me to needlessly fan the flames :)
Of particular interest to me was Bryan Layman's reply  suggesting
that GETs be met with an approval screen and POSTs be checked by
check_admin_referer() (or whatever security system) before going on
their merry state changing way.
Though GETs can probably be made just as secure as POSTs, I see no
harm in changing many of WP's requests to POST.
Here's what I suggest:
1. If non indempotent operations are called by GETs, produce a
confirmation screen (similar to mailapprovecomment) per .
2. If non indempotent operations are called by POSTs, if
( check_admin_referer() ) go.
3. Change many of WP's admin requests to POSTs. I may have missed
some, and some of those listed below are a little silly; I just made
a cursory glance through wp-admin/. Some CSS magic would be needed
in order to keep the admin pages not hideous (this is beyond me).
a. Delete Post/Page
b. Delete Comment
c. (Un)Approve Comment
d. Delete Category
e. Delete Link
f. Move Link
g. (De)Activate Plugins
h. Change Themes
4. Add do_action( 'wp_admin_form', what, id ) to all FORMs in the
admin section. This allows people to create a plugin that castrates
check_admin_referer() wherever deemed necessary and to include nonces
(or anything else) in specific FORMs.
Mark and Owen Winkler proposed a similar idea :
1. Switch to nonces
2. Switch to POSTs
3. if nonce fails, check_admin_referer()
4. if that fails, present confirmation dialogue.
My proposal is similar, but keeps the referer as the main check and
allows other checks to be optionally plugged in. It would not allow
a complete replacement of check_admin_referer() by nonces, but
perhaps it's good enough? Maybe I'm just being lazy and skirting the
"check_admin_referer() really needs to be rethought" issue.
Michael said something like:
>Of particular interest to me was Bryan Layman's reply  suggesting
>that GETs be met with an approval screen and POSTs be checked by
>check_admin_referer() (or whatever security system) before going on
>their merry state changing way.
> http://comox.textdrive.com/pipermail/wp-hackers/2006-April/ >005753.html
Actually, that was Paul Mitchell :) but I agree that it is a interesting
idea especially if the post required a nonce to succeed where as the Get
would not need it. It provides a handy solution for book marking and
emailing destructive links. It's a lot more code and testing but it is a
very interesting idea...
Michael D Adams wrote:
> Oops! Sorry for the misquote, Paul.
> (And for the empty subject line, everyone.)
No worries Michael, and thanks Brian. I can be quite soft-spoken at
However, I'm running out of patience. My blog is vulnerable. I need a
simple, tactical fix so I'll contribute up to a couple of days overall
effort to that end.
I like empty subject lines - they have potential. I propose we change
this one to "Repairing forgery bug" and get on with the planning,
analysis and coding. I further propose that the repair is applied to
trunk, 2.0.2 and 1.5.2. Any objections? Any volunteers? :D