Changeset 35366 for trunk/src/wp-includes/class-wp-xmlrpc-server.php

Timestamp:

10/23/2015 04:45:10 AM (10 years ago)

Author:

dd32

Message:

XMLRPC: Prevent authentication from occuring after a failed authentication attmept in any single XML-RPC call.

This hardens WordPress against a common vector which uses multiple user identifiers in a single system.multicall call. In the event that authentication fails, all following authentication attempts in that call will also fail.

Props dd32, johnbillion.
Fixes #34336

File:

• trunk/src/wp-includes/class-wp-xmlrpc-server.php (modified) (2 diffs)

trunk/src/wp-includes/class-wp-xmlrpc-server.php

@@ -45 +45 @@
      */
     public $error;
+
+    /**
+     * Flags that the user authentication has failed in this instance of wp_xmlrpc_server.
+     *
+     * @access protected
+     * @var bool
+     */
+    protected $auth_failed = false;
 
     /**
@@ -252 +260 @@
         }
 
-        $user = wp_authenticate($username, $password);
-
-        if (is_wp_error($user)) {
+        if ( $this->auth_failed ) {
+            $user = new WP_Error( 'login_prevented' );
+        } else {
+            $user = wp_authenticate( $username, $password );
+        }
+
+        if ( is_wp_error( $user ) ) {
             $this->error = new IXR_Error( 403, __( 'Incorrect username or password.' ) );
+
+            // Flag that authentication has failed once on this wp_xmlrpc_server instance
+            $this->auth_failed = true;
 
             /**