(no subject)


(no subject)

Michael D Adams
Mark Jaquith's interesting "Rethinking check_admin_referer()" thread  
[1] has generated some POST v. GET debate.  This debate seems to crop  
up once or twice a year, so while people are thinking about it, allow  
me to needlessly fan the flames :)

Of particular interest to me was Bryan Layman's reply [2] suggesting  
that GETs be met with an approval screen and POSTs be checked by  
check_admin_referer() (or whatever security system) before going on  
their merry state changing way.

Though GETs can probably be made just as secure as POSTs, I see no  
harm in changing many of WP's requests to POST.

Here's what I suggest:

1. If non idempotent operations are called by GETs, produce a  
confirmation screen (similar to mailapprovecomment) per [2].

2. If non idempotent operations are called by POSTs, if  
( check_admin_referer() ) go.

3. Change many of WP's admin requests to POSTs.  I may have missed  
some, and some of those listed below are a little silly; I just made  
a cursory glance through wp-admin/.  Some CSS magic would be needed  
in order to keep the admin pages not hideous (this is beyond me).
  a. Delete Post/Page
  b. Delete Comment
  c. (Un)Approve Comment
  d. Delete Category
  e. Delete Link
  f. Move Link
  g. (De)Activate Plugins
  h. Change Themes

4. Add do_action( 'wp_admin_form', what, id ) to all FORMs in the  
admin section.  This allows people to create a plugin that castrates  
check_admin_referer() wherever deemed necessary and to include nonces  
(or anything else) in specific FORMs.


Mark and Owen Winkler proposed a similar idea [3]:
  1. Switch to nonces
  2. Switch to POSTs
  3. if nonce fails, check_admin_referer()
  4. if that fails, present confirmation dialogue.

My proposal is similar, but keeps the referer as the main check and  
allows other checks to be optionally plugged in.  It would not allow  
a complete replacement of check_admin_referer() by nonces, but  
perhaps it's good enough?  Maybe I'm just being lazy and skirting the  
"check_admin_referer() really needs to be rethought" issue.

Michael

[1] http://comox.textdrive.com/pipermail/wp-hackers/2006-April/005666.html
[2] http://comox.textdrive.com/pipermail/wp-hackers/2006-April/005753.html
[3] http://comox.textdrive.com/pipermail/wp-hackers/2006-April/005730.html
_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers
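The gate described in steps 1 and 2 above (with the nonce-first ordering Mark and Owen proposed layered on top), as an added PHP illustration that is not WordPress code and not from anyone in this thread: a non-idempotent admin action is allowed through on a POST that carries a valid nonce or, failing that, an admin-area Referer; every other request, including any GET arriving from a bookmark or an e-mailed link, is answered with a confirmation form that re-submits the action as a POST carrying a fresh nonce. The function names (`admin_nonce_create`, `admin_nonce_verify`, `referer_ok`, `action_gate`), the secret, the 12-hour tick and the sample requests are all constructed for this example.

```php
<?php
// Added illustration (not WordPress code): a gate for non-idempotent admin
// actions in the order discussed in the thread:
//   1. POST with a valid nonce            -> allow
//   2. POST with an admin-area Referer    -> allow (check_admin_referer()-style)
//   3. anything else (GET, or a POST failing both) -> confirmation form that
//      re-submits as a POST with a nonce.
// Every name and value below is hypothetical / constructed for the example.

const NONCE_SECRET = 'constructed-example-secret-replace-me'; // would live in config
const NONCE_LIFE   = 43200;                                   // 12-hour tick window

// Nonce bound to the action, the object id, the user and a coarse time tick,
// so a nonce for "delete post 42" cannot be replayed against another post or user.
function admin_nonce_create(string $action, int $id, int $user_id, ?int $now = null): string {
    $now  = $now ?? time();
    $tick = intdiv($now, NONCE_LIFE);
    return substr(hash_hmac('sha256', "$tick|$action|$id|$user_id", NONCE_SECRET), 0, 16);
}

// Accept the current and the previous tick so a form does not expire mid-use.
function admin_nonce_verify(string $nonce, string $action, int $id, int $user_id, ?int $now = null): bool {
    $now = $now ?? time();
    foreach ([0, NONCE_LIFE] as $back) {
        if (hash_equals(admin_nonce_create($action, $id, $user_id, $now - $back), $nonce)) {
            return true;
        }
    }
    return false;
}

// Simplified stand-in for check_admin_referer(): the Referer must point into
// this site's admin area. Absent or foreign Referers fail the check.
function referer_ok(array $headers, string $admin_url): bool {
    $ref = $headers['Referer'] ?? '';
    return $ref !== '' && strncmp($ref, $admin_url, strlen($admin_url)) === 0;
}

// The confirmation screen: a POST form that carries the nonce, so the
// confirming click is itself covered by path 1 above.
function confirmation_form(string $action, int $id, int $user_id): string {
    $nonce = admin_nonce_create($action, $id, $user_id);
    return '<form method="post" action="admin-action.php">'
         . '<p>Really ' . htmlspecialchars($action) . ' #' . $id . '?</p>'
         . '<input type="hidden" name="action" value="' . htmlspecialchars($action) . '">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="_nonce" value="' . $nonce . '">'
         . '<input type="submit" value="Confirm"></form>';
}

// Returns ['allow', <which check passed>] or ['confirm', <form html>].
function action_gate(string $method, array $params, array $headers, int $user_id, string $admin_url): array {
    $action = (string)($params['action'] ?? '');
    $id     = (int)($params['id'] ?? 0);
    if ($method === 'POST') {
        if (isset($params['_nonce']) && admin_nonce_verify($params['_nonce'], $action, $id, $user_id)) {
            return ['allow', 'nonce'];
        }
        if (referer_ok($headers, $admin_url)) {
            return ['allow', 'referer'];
        }
    }
    return ['confirm', confirmation_form($action, $id, $user_id)];
}

// Constructed requests exercising each path.
$admin = 'http://example.test/wp-admin/';
$user  = 7;
$cases = [
    'GET from a bookmarked link'        => ['GET',  ['action' => 'delete-post', 'id' => 42], []],
    'POST with nonce, no Referer'       => ['POST', ['action' => 'delete-post', 'id' => 42,
                                            '_nonce' => admin_nonce_create('delete-post', 42, $user)], []],
    'POST, admin Referer only'          => ['POST', ['action' => 'delete-post', 'id' => 42],
                                            ['Referer' => $admin . 'edit.php']],
    'POST, foreign Referer, no nonce'   => ['POST', ['action' => 'delete-post', 'id' => 42],
                                            ['Referer' => 'http://another-site.test/']],
];
foreach ($cases as $label => [$m, $p, $h]) {
    [$verdict, $detail] = action_gate($m, $p, $h, $user, $admin);
    printf("%-34s -> %s%s\n", $label, $verdict, $verdict === 'allow' ? " ($detail)" : '');
}
```

Run it with `php gate.php`; the first and last cases print `confirm`, the middle two print `allow (nonce)` and `allow (referer)`. Two points of the design are worth noting against the thread: because the nonce is bound to the action, the object id and the user, a confirmation URL that leaks is no more useful to a third party than the bare GET it replaced; and the Referer path is deliberately the fallback rather than the primary check, since browsers and proxies that strip Referer would otherwise push legitimate users onto the confirmation screen for every action.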

RE: (no subject)

Brian Layman
Michael said something like:
>Of particular interest to me was Bryan Layman's reply [2] suggesting  
>that GETs be met with an approval screen and POSTs be checked by  
>check_admin_referer() (or whatever security system) before going on  
>their merry state changing way.
>[2] http://comox.textdrive.com/pipermail/wp-hackers/2006-April/005753.html
Actually, that was Paul Mitchell :) but I agree that it is an interesting
idea, especially if the POST required a nonce to succeed whereas the GET
would not need it.  It provides a handy solution for bookmarking and
emailing destructive links.  It's a lot more code and testing, but it is a
very interesting idea...


Re: (no subject)

Michael D Adams
On Apr 19, 2006, at 2:36 PM, Brian Layman wrote:
> Michael said something like:
>> Of particular interest to me was Bryan Layman's reply [2] suggesting
> Actually, that was Paul Mitchell :)

Oops!  Sorry for the misquote, Paul.
(And for the empty subject line, everyone.)

Michael

Re: (no subject)

Paul Mitchell-3
Michael D Adams wrote:
> Oops!  Sorry for the misquote, Paul.
> (And for the empty subject line, everyone.)
No worries Michael, and thanks Brian. I can be quite soft-spoken at
times. :)

However, I'm running out of patience. My blog is vulnerable. I need a
simple, tactical fix so I'll contribute up to a couple of days overall
effort to that end.

I like empty subject lines - they have potential. I propose we change
this one to "Repairing forgery bug" and get on with the planning,
analysis and coding. I further propose that the repair is applied to
trunk, 2.0.2 and 1.5.2. Any objections? Any volunteers? :D

--
Paul Mitchell, Coding and Crafting Quality Software
http://www.libertini.net/libertus/category/software/

