Timestamp:
10/23/2015 04:45:10 AM (6 years ago)
Author:
dd32
Message:

XMLRPC: Prevent authentication from occurring after a failed authentication attempt in any single XML-RPC call.

This hardens WordPress against a common vector which uses multiple user identifiers in a single system.multicall call. In the event that authentication fails, all following authentication attempts in that call will also fail.

Props dd32, johnbillion.
Fixes #34336

File:
1 edited

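--- a/trunk/tests/phpunit/includes/testcase-xmlrpc.php
+++ b/trunk/tests/phpunit/includes/testcase-xmlrpc.php
@@ -12,9 +12,12 @@
         add_filter( 'pre_option_enable_xmlrpc', '__return_true' );
 
-        $this->myxmlrpcserver = new wp_xmlrpc_server();
+        $this->myxmlrpcserver = new WP_XMLRPC_Server_UnitTestable();
     }
 
     function tearDown() {
         remove_filter( 'pre_option_enable_xmlrpc', '__return_true' );
+
+        $this->myxmlrpcserver->reset_failed_auth();
+
         $this->remove_added_uploads();
 
@@ -30,2 +33,8 @@
     }
 }
+
+class WP_XMLRPC_Server_UnitTestable extends wp_xmlrpc_server {
+    public function reset_failed_auth() {
+        $this->auth_failed = false;
+    }
+}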
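Review bot: `reset_failed_auth()` in the new `WP_XMLRPC_Server_UnitTestable` assigns `$this->auth_failed` directly, which only clears the parent's latch if `wp_xmlrpc_server` declares that property `protected` or `public`; if it is `private`, the assignment silently creates a separate dynamic property on the subclass and the real flag stays set, so the reset would be a no-op — the parent declaration is outside this changeset and is worth confirming. Because `setUp()` now constructs a fresh server for every test, the `tearDown()` reset looks like belt-and-braces rather than a requirement; a short comment above the helper should say why it exists, e.g. `// Clear the per-request auth latch so a failed login in one test cannot bleed into the next.`. Note also that, as far as this changeset shows, only the harness changes: no test asserts that a second login in the same system.multicall is refused after the first one fails, which is the hardening the commit message describes.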