Ticket #4422 (closed defect (bug): fixed)
Anyone can delete attachments
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | high | Milestone: | 2.2.1 |
| Component: | Security | Version: | 2.2 |
| Severity: | critical | Keywords: | has-patch commit |
| Cc: | | | |
Description
An unregistered user can delete attachments through an XML-RPC request:

```xml
<methodCall>
<methodName>wp.uploadFile</methodName>
<params>
<param><value>1</value></param>
<param><value>1</value></param>
<param><value>1</value></param>
<param><value><struct>
<member><name>name</name><value>attachement_name</value></member>
<member><name>overwrite</name><value>1</value></member>
</struct></value></param>
</params>
</methodCall>
```

I'll submit a partial fix -- I think that a user should only delete their own uploaded files.
Attachments
Change History
- Attachment xmlrpc.php.patch added
- Keywords has-patch added
Looks good to me, but I'm not an XML-RPC guru.
comment:2
foolswisdom — 5 years ago
- Owner changed from anonymous to josephscott
- Priority changed from normal to high
- Severity changed from normal to critical
comment:3
josephscott — 5 years ago
My diff pushes the overwrite feature even further down, to just before the upload gets saved.
- Keywords commit added
- Owner changed from josephscott to rob1n
- Status changed from new to assigned
- Status changed from assigned to closed
- Resolution set to fixed
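To make the ordering problem in the description and josephscott's comment concrete, here is an added model (not WordPress code, and not the patch attached to this ticket) of a wp.uploadFile handler in two versions: one that honours the overwrite flag before checking credentials, and one that authenticates first, lets only the uploader overwrite, and performs the delete right before the save. The Site, Attachment, user names and file names are constructed for the example.

```python
import xmlrpc.client
from dataclasses import dataclass, field

@dataclass
class Attachment:                      # constructed stand-in for a WP attachment post
    name: str
    owner: str

@dataclass
class Site:                            # constructed stand-in for the blog: users and uploads
    users: dict                        # username -> password
    attachments: dict = field(default_factory=dict)   # file name -> Attachment

def login(site, username, password):  # returns the username on a valid login, else None
    return username if site.users.get(username) == password else None

def upload_file_vulnerable(site, request_xml):
    """Models the ordering the ticket reports: overwrite deletes before credentials are checked."""
    (blog_id, username, password, data), _method = xmlrpc.client.loads(request_xml)
    if data.get("overwrite") and data["name"] in site.attachments:
        del site.attachments[data["name"]]            # the existing file is gone here ...
    user = login(site, username, password)            # ... and only now is the login checked
    if user is None:
        return xmlrpc.client.Fault(403, "Bad login/pass combination.")
    site.attachments[data["name"]] = Attachment(data["name"], user)
    return data["name"]

def upload_file_fixed(site, request_xml):
    """Authenticate first, allow overwrite only for the uploader, delete just before saving."""
    (blog_id, username, password, data), _method = xmlrpc.client.loads(request_xml)
    user = login(site, username, password)
    if user is None:
        return xmlrpc.client.Fault(403, "Bad login/pass combination.")
    existing = site.attachments.get(data["name"])
    if existing is not None:
        if not data.get("overwrite"):
            return xmlrpc.client.Fault(500, "File exists; overwrite not requested.")
        if existing.owner != user:
            return xmlrpc.client.Fault(401, "Only the uploader may overwrite this file.")
        del site.attachments[data["name"]]            # overwrite happens right before the save
    site.attachments[data["name"]] = Attachment(data["name"], user)
    return data["name"]

def build_request(username, password, name, overwrite):  # same shape as the ticket's request
    params = (1, username, password, {"name": name, "overwrite": overwrite})
    return xmlrpc.client.dumps(params, methodname="wp.uploadFile")

def fresh_site():                      # constructed sample site: alice owns report.pdf
    return Site(users={"alice": "pw-a", "bob": "pw-b"},
                attachments={"report.pdf": Attachment("report.pdf", "alice")})
```

Replaying the ticket's request (bogus credentials, overwrite set) against the first handler removes report.pdf even though the call returns a login fault; against the second it is refused and the file stays.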

Move user validation before attachment deletion