Cookies override user specified in XML-RPC post data
|Reported by:||skeltoac||Owned by:||ryan|
|Severity:||major||Keywords:||bg|has-patch bg|2nd-opinion bg|dev-feedback|
Working on #2241, I tested XMLRPC using Performancing/Firefox. I set up the XMLRPC client to use a login with Author caps (no unfiltered_html). My posts showed under the correct author. My HTML was unfiltered when I posted, but it should have been filtered. My browser was still logged in as admin (unfiltered_html) and Performancing was sending those cookies with the XMLRPC requests. Result: post saved under correct user but assuming caps due to cookie.
WordPress should not authenticate with cookies when handling an XMLRPC request. I also sent a message to the Performancing dev (Jed Brown), but we should fix the core as well.
I'm working on the patch.
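A simplified model of the behaviour reported above, added here as an illustration. It is not WordPress core code or the ticket's patch; every function name, the cookie format and the sample accounts are assumptions constructed for the example.

```php
<?php
// Simplified model of the reported behaviour; not WordPress code. All names are hypothetical.
// Constructed sample accounts.
function accounts(): array {
    return [
        'admin'  => ['password' => 'admin-pw',  'caps' => ['publish_posts', 'unfiltered_html']],
        'author' => ['password' => 'author-pw', 'caps' => ['publish_posts']],
    ];
}

// Identity from the credentials in the XML-RPC payload; null if they do not match.
function user_from_credentials(string $login, string $password): ?string {
    $account = accounts()[$login] ?? null;
    return ($account !== null && hash_equals($account['password'], $password)) ? $login : null;
}

// Identity from a browser cookie (constructed format: the value is the login name).
function user_from_cookie(array $cookies): ?string {
    $login = $cookies['session_user'] ?? '';
    return (is_string($login) && array_key_exists($login, accounts())) ? $login : null;
}

// Stores the post; strip_tags() stands in for the filter applied without unfiltered_html.
function store(string $author, array $caps, string $html): array {
    $body = in_array('unfiltered_html', $caps, true) ? $html : strip_tags($html);
    return ['author' => $author, 'body' => $body];
}

// Flawed: the author comes from the payload, the capabilities from the cookie user.
function new_post_flawed(array $cookies, string $login, string $password, string $html): ?array {
    $author = user_from_credentials($login, $password);
    if ($author === null) { return null; }
    $current = user_from_cookie($cookies) ?? $author;   // ambient identity wins
    return store($author, accounts()[$current]['caps'], $html);
}

// Corrected: cookies are ignored; the payload user is the only identity.
function new_post_fixed(array $cookies, string $login, string $password, string $html): ?array {
    $author = user_from_credentials($login, $password);
    if ($author === null) { return null; }
    return store($author, accounts()[$author]['caps'], $html);
}

// Constructed request: admin cookie from the browser, Author credentials in the payload.
$cookies = ['session_user' => 'admin'];
$html = '<p>Hello <b>world</b></p>';
var_dump(new_post_flawed($cookies, 'author', 'author-pw', $html));
var_dump(new_post_fixed($cookies, 'author', 'author-pw', $html));
var_dump(new_post_fixed($cookies, 'author', 'wrong-pw', $html));
```

Both handlers record the post under the payload user; only the flawed one lets the cookie decide whether the HTML filter runs.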
Change History (16)
- Keywords bg|has-patch added; bg|reporter-feedback bg|2nd-opinion removed
- Owner changed from skeltoac to ryan
comment:6 davidhouse — 8 years ago
- Keywords bg|2nd-opinion bg|dev-feedback added
- Milestone changed from 2.0.1 to 2.1