Ticket #2273 (closed defect: fixed)

Opened 3 years ago

Last modified 2 years ago

Cookies override user specified in XML-RPC post data

Reported by: skeltoac
Assigned to: ryan
Priority: high
Milestone:
Component: Security
Version: 2.0
Severity: major
Keywords: bg|has-patch bg|2nd-opinion bg|dev-feedback
Cc:

Description

Working on #2241, I tested XMLRPC using Performancing/Firefox. I set up the XMLRPC client to use a login with Author caps (no unfiltered_html). My posts showed under the correct author. My HTML was unfiltered when I posted, but it should have been filtered. My browser was still logged in as admin (unfiltered_html) and Performancing was sending those cookies with the XMLRPC requests. Result: post saved under correct user but assuming caps due to cookie.

WordPress should not authenticate with cookies when handling an XMLRPC request. I also sent a message to the Performancing dev (Jed Brown) but we should fix the core as well.

I'm working on the patch.
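The behaviour reported above, modelled in PHP next to the corrected form, as an added example that is not WordPress code and not part of the ticket's patch. The account table, the `session_user` cookie and all function names are hypothetical, and the cookie is assumed to have been validated already.

```php
<?php
// Added illustration, not WordPress code; every name here is hypothetical.
// Constructed accounts: only admin holds unfiltered_html.
const USERS = [
    'admin'  => ['pass' => 'admin-pw',  'caps' => ['publish_posts', 'unfiltered_html']],
    'author' => ['pass' => 'author-pw', 'caps' => ['publish_posts']],
];

// Stand-in for the HTML filter applied to users without unfiltered_html.
function filter_html(string $html): string {
    return strip_tags($html, '<p><a><em><strong>');
}

// Verify the username/password carried in the XML-RPC post data.
function xmlrpc_login(string $user, string $pass): void {
    if (!isset(USERS[$user]) || !hash_equals(USERS[$user]['pass'], $pass)) {
        throw new RuntimeException('Bad login/pass combination.');
    }
}

// Reported behaviour: author taken from the post data, capabilities taken
// from whoever the browser cookie says is logged in.
function save_post_before(array $cookies, string $user, string $pass, string $html): array {
    xmlrpc_login($user, $pass);
    $current = $cookies['session_user'] ?? $user; // assumed pre-validated cookie
    $caps = USERS[$current]['caps'] ?? [];
    $raw = in_array('unfiltered_html', $caps, true);
    return ['author' => $user, 'content' => $raw ? $html : filter_html($html)];
}

// Corrected behaviour: cookies are ignored on this endpoint and the user
// authenticated from the post data is the only source of capabilities.
function save_post_after(array $cookies, string $user, string $pass, string $html): array {
    xmlrpc_login($user, $pass);
    $raw = in_array('unfiltered_html', USERS[$user]['caps'], true);
    return ['author' => $user, 'content' => $raw ? $html : filter_html($html)];
}

// Constructed request: browser still logged in as admin, client posts as author.
$cookies = ['session_user' => 'admin'];
$html = '<p>Hello</p><iframe src="https://example.invalid/"></iframe>';
foreach (['save_post_before', 'save_post_after'] as $fn) {
    $post = $fn($cookies, 'author', 'author-pw', $html);
    printf("%-17s author=%s content=%s\n", $fn, $post['author'], $post['content']);
}
```

Both calls record `author` as the post's author; only the first keeps the `<iframe>`, because its capability check follows the cookie rather than the credentials in the request.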

Attachments

xmlrpc-auth.diff (6.3 kB) - added by skeltoac on 01/13/06 07:58:09.
oops.diff (329 bytes) - added by skeltoac on 01/13/06 21:29:20.

Change History

01/12/06 10:37:01 changed by skeltoac

no-cookies.diff defines a constant before anything else is done by xmlrpc.php, and checks that constant before using the cookies to log the user in. There is much more to be done.

01/12/06 16:38:11 changed by davidhouse

  • keywords set to bg|has-patch bg|reporter-feedback bg|2nd-opinion.

How does XMLRPC authenticate if it's not through cookies? IMO this is a Performancing bug, or you shouldn't be trying to run two users off one browser (so it would be invalid).

01/12/06 16:39:51 changed by davidhouse

  • keywords changed from bg|has-patch bg|reporter-feedback bg|2nd-opinion to bg|reporter-feedback bg|2nd-opinion.

Removing bg|has-patch as your patch doesn't fix the problem in its entirety, as you've stated.

01/13/06 07:46:36 changed by skeltoac

  • keywords changed from bg|reporter-feedback bg|2nd-opinion to bg|has-patch.
  • owner changed from skeltoac to ryan.

Sorry David :-) This one's done.

01/13/06 07:58:09 changed by skeltoac

  • attachment xmlrpc-auth.diff added.

01/13/06 16:54:32 changed by davidhouse

Hehe, that was my mistake :P I accidentally added bg|has-patch, not you.

01/13/06 17:29:09 changed by davidhouse

  • keywords changed from bg|has-patch to bg|has-patch bg|2nd-opinion bg|dev-feedback.
  • milestone changed from 2.0.1 to 2.1.

Probably too much new code here for 2.0.1. Discuss.

01/13/06 19:18:53 changed by ryan

  • milestone changed from 2.1 to 2.0.1.

I think this needs to be fixed, even if it is a non-trivial amount of code. This bug has been reported many, many times. Let's commit and test the hell out of it.

01/13/06 19:19:12 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [3430]) Make the xmlrpc user the current user. fixes #2273

01/13/06 21:28:51 changed by skeltoac

  • status changed from closed to reopened.
  • resolution deleted.

Leftover error_log() call.

01/13/06 21:29:20 changed by skeltoac

  • attachment oops.diff added.

01/13/06 21:31:16 changed by skeltoac

I tested this with Performancing, using MetaWeblog API and Blogger API, while the browser was logged in as admin. It honored the user's caps regardless of the cookies. Other clients should be tested as well.

01/13/06 22:01:22 changed by davidhouse

  • milestone changed from 2.0.1 to 2.1.

Probably too much new code here for 2.0.1. Discuss.

01/13/06 22:03:31 changed by davidhouse

  • milestone changed from 2.1 to 2.0.1.

Woah. I totally didn't post that last comment.

01/13/06 22:08:03 changed by ryan

  • status changed from reopened to closed.
  • resolution set to fixed.

(In [3431]) Remove debug cruft. fixes #2273

11/30/06 19:41:49 changed by

  • milestone deleted.

Milestone 2.0.1 deleted