Nonces instead of referers
Reported by: ringmaster
Owned by: anonymous
The WordPress admin should use nonces instead of checking referers to prevent CSRF attacks because of the improved usability provided by nonces.
Patch includes replacement check_admin_referer() function that uses nonces instead of verifying referers. check_admin_referer() now accepts a nonce action as an optional parameter, which is used to verify the incoming nonce.
Several new functions in functions.php create and verify nonces and facilitate their use. For example, to modify a URL to add a nonce, call wp_nonce_url($url, $action), where $action is the action to be verified by the nonce.
The patch makes modifications only to employ a nonce for deletion of posts when JS is disabled on the Manage Posts page. Also, inline-upload.php has been modified slightly so that the URLs it generates are more nonce-friendly. (inline-upload.php calls check_admin_referer() even when no input is expected!)
Plugins should not be affected by this change unless they call check_admin_referer(), in which case they will need to add nonces to the URLs that they generate so that they can be verified.
Note that not including a nonce does not automatically fail as with the prior code. Instead, an "Are you sure?" message appears with Yes and No options that forward the original request with a nonce attached.
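To make the mechanism described above concrete, here is an added, self-contained model of action-bound, time-based nonces with a URL helper and a request check. It is example code written for this page, not the patch's check_admin_referer() or the WordPress functions.php code; the function names (nonce_tick, create_nonce, verify_nonce, add_nonce_to_url, check_request_nonce), the `_nonce` query parameter, the secret constant and the 12-hour lifetime are all assumptions chosen for illustration.

```php
<?php
// Added example: a model of time-based, action-bound nonces for CSRF
// protection in the spirit of the ticket. Not WordPress's implementation;
// names, secret handling, parameter name and lifetime are assumptions.

const NONCE_SECRET = 'replace-with-a-per-site-random-secret'; // placeholder (assumption)
const NONCE_LIFE   = 43200; // ~12 hours: ticks advance every NONCE_LIFE/2 seconds (assumption)

// A "tick" is the current time bucket. Accepting the current and the
// previous tick means a nonce minted on a freshly loaded page stays valid
// for between NONCE_LIFE/2 and NONCE_LIFE seconds.
function nonce_tick(?int $now = null): int {
    $now = $now ?? time();
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Bind the nonce to the tick, the action and the acting user, so a token
// minted for one action or user is worthless for any other. The HMAC
// keeps the token unforgeable without the site secret.
function create_nonce(string $action, int $user_id, int $tick): string {
    $data = $tick . '|' . $action . '|' . $user_id;
    return substr(hash_hmac('sha256', $data, NONCE_SECRET), -12, 10);
}

// Recompute the nonce for the current and previous tick and compare in
// constant time; any mismatch (wrong action, wrong user, expired) fails.
function verify_nonce(string $nonce, string $action, int $user_id, ?int $now = null): bool {
    $tick = nonce_tick($now);
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(create_nonce($action, $user_id, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

// Analogue of wp_nonce_url($url, $action) from the ticket: append the nonce
// as a query parameter so the link can be verified on the next request.
function add_nonce_to_url(string $url, string $action, int $user_id): string {
    $sep = strpos($url, '?') === false ? '?' : '&';
    return $url . $sep . '_nonce=' . create_nonce($action, $user_id, nonce_tick());
}

// Analogue of the new check_admin_referer($action): trust the nonce in the
// request, not the Referer header. Returning false instead of dying lets the
// caller show the "Are you sure?" page that re-issues the request with a nonce.
function check_request_nonce(array $request, string $action, int $user_id): bool {
    $nonce = $request['_nonce'] ?? '';
    return $nonce !== '' && verify_nonce($nonce, $action, $user_id);
}

// Demonstration with constructed values (user id 1, post id 7).
$user = 1;
$url  = add_nonce_to_url('post.php?action=delete&post=7', 'delete-post_7', $user);
parse_str((string) parse_url($url, PHP_URL_QUERY), $params);

// The nonce generated for the link verifies for the same action and user.
var_dump(check_request_nonce($params, 'delete-post_7', $user));
// The same nonce is rejected when presented for a different action.
var_dump(check_request_nonce($params, 'delete-post_8', $user));
// A request carrying no nonce is rejected, which is where the
// confirmation page would take over instead of a hard failure.
var_dump(check_request_nonce([], 'delete-post_7', $user));
```

Because the nonce is bound to the action and the user and expires with the tick, a link captured from one page cannot be replayed against another action, another account, or after the lifetime has passed; the Referer header, which browsers and proxies may strip, plays no part in the decision.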
Thanks to mdawaffe for the initial run at the new check_admin_referer() and masquerade for the time-based nonce code.