Changeset 59036

Timestamp:

09/17/2024 10:17:41 PM (6 months ago)

Author:

kadamwhite

Message:

REST API: Only check password value in query parameters while checking post permissions.

The password property which gets sent as part of a request POST body while setting a post's password should not be checked when calculating post visibility permissions.

That value in the request body is intended to update the post, not to authenticate, and may be malformed or an invalid non-string type which would cause a fatal when checking against the hashed post password value.

Query parameter ?password= values are the correct interface to check, and are also guaranteed to be strings.

Props mlf20, devansh016, antonvlasenko, TimothyBlynJacobs, kadamwhite.
Fixes #61837.

Location:

trunk

Files:

• src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php (modified) (1 diff)
• tests/phpunit/tests/rest-api/rest-posts-controller.php (modified) (1 diff)

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

@@ -505 +505 @@
         }
 
-        if ( $post && ! empty( $request['password'] ) ) {
+        if ( $post && ! empty( $request->get_query_params()['password'] ) ) {
             // Check post password, and return error if invalid.
-            if ( ! hash_equals( $post->post_password, $request['password'] ) ) {
+            if ( ! hash_equals( $post->post_password, $request->get_query_params()['password'] ) ) {
                 return new WP_Error(
                     'rest_post_incorrect_password',

trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php

@@ -2231 +2231 @@
         $this->assertSame( '', $data['excerpt']['rendered'] );
         $this->assertTrue( $data['excerpt']['protected'] );
+    }
+
+    /**
+     * @ticket 61837
+     */
+    public function test_get_item_permissions_check_while_updating_password() {
+        $endpoint = new WP_REST_Posts_Controller( 'post' );
+
+        $request = new WP_REST_Request( 'POST', sprintf( '/wp/v2/posts/%d', self::$post_id ) );
+        $request->set_url_params( array( 'id' => self::$post_id ) );
+        $request->set_body_params(
+            $this->set_post_data(
+                array(
+                    'id'       => self::$post_id,
+                    'password' => '123',
+                )
+            )
+        );
+        $permission = $endpoint->get_item_permissions_check( $request );
+
+        // Password provided in POST data, should not be used as authentication.
+        $this->assertNotWPError( $permission, 'Password in post body should be ignored by permissions check.' );
+        $this->assertTrue( $permission );
+    }
+
+    /**
+     * @ticket 61837
+     */
+    public function test_get_item_permissions_check_while_updating_password_with_invalid_type() {
+        $endpoint = new WP_REST_Posts_Controller( 'post' );
+
+        $request = new WP_REST_Request( 'POST', sprintf( '/wp/v2/posts/%d', self::$post_id ) );
+        $request->set_url_params( array( 'id' => self::$post_id ) );
+        $request->set_body_params(
+            $this->set_post_data(
+                array(
+                    'id'       => self::$post_id,
+                    'password' => 123,
+                )
+            )
+        );
+        $permission = $endpoint->get_item_permissions_check( $request );
+
+        $this->assertNotWPError( $permission, 'Password in post body should be ignored by permissions check even when it is an invalid type.' );
+        $this->assertTrue( $permission );
     }