

Timestamp:
09/17/2024 10:17:41 PM (3 months ago)
Author:
kadamwhite
Message:

REST API: Only check password value in query parameters while checking post permissions.

The password property which gets sent as part of a request POST body while setting a post's password should not be checked when calculating post visibility permissions.

That value in the request body is intended to update the post, not to authenticate, and may be malformed or of an invalid non-string type, which would cause a fatal error when it is compared against the hashed post password value.

Query parameter ?password= values are the correct interface to check, and are also guaranteed to be strings.

Props mlf20, devansh016, antonvlasenko, TimothyBlynJacobs, kadamwhite.
Fixes #61837.

File:
1 edited

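--- a/trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php
@@ -2231,4 +2231,49 @@
         $this->assertSame( '', $data['excerpt']['rendered'] );
         $this->assertTrue( $data['excerpt']['protected'] );
+    }
+
+    /**
+     * @ticket 61837
+     */
+    public function test_get_item_permissions_check_while_updating_password() {
+        $endpoint = new WP_REST_Posts_Controller( 'post' );
+
+        $request = new WP_REST_Request( 'POST', sprintf( '/wp/v2/posts/%d', self::$post_id ) );
+        $request->set_url_params( array( 'id' => self::$post_id ) );
+        $request->set_body_params(
+            $this->set_post_data(
+                array(
+                    'id'       => self::$post_id,
+                    'password' => '123',
+                )
+            )
+        );
+        $permission = $endpoint->get_item_permissions_check( $request );
+
+        // Password provided in POST data, should not be used as authentication.
+        $this->assertNotWPError( $permission, 'Password in post body should be ignored by permissions check.' );
+        $this->assertTrue( $permission );
+    }
+
+    /**
+     * @ticket 61837
+     */
+    public function test_get_item_permissions_check_while_updating_password_with_invalid_type() {
+        $endpoint = new WP_REST_Posts_Controller( 'post' );
+
+        $request = new WP_REST_Request( 'POST', sprintf( '/wp/v2/posts/%d', self::$post_id ) );
+        $request->set_url_params( array( 'id' => self::$post_id ) );
+        $request->set_body_params(
+            $this->set_post_data(
+                array(
+                    'id'       => self::$post_id,
+                    'password' => 123,
+                )
+            )
+        );
+        $permission = $endpoint->get_item_permissions_check( $request );
+
+        $this->assertNotWPError( $permission, 'Password in post body should be ignored by permissions check even when it is an invalid type.' );
+        $this->assertTrue( $permission );
     }
 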
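Review bot: Both new tests only prove that a body `password` is ignored by `get_item_permissions_check`; neither asserts that the `?password=` query parameter, which the commit message names as the correct interface, still gates access to a password-protected post, so an implementation that dropped the password comparison altogether would pass this hunk unchanged. Unless the file already covers the query-string path elsewhere (not visible here), a sibling test that creates a protected post and sends a wrong query-string password should sit beside these two and expect a WP_Error. The second test also omits the explanatory comment the first carries; adding `// A non-string body password must not reach the hash comparison.` before its assertions would document why the 123 literal is used. The two `@ticket 61837` docblocks would read better with a one-line summary above the tag, e.g. `Body-supplied password must not be treated as a read-access credential.`; the changeset's diffstat shows only this test file, so the production change itself is outside this hunk.
```php
    /**
     * @ticket 61837
     */
    public function test_get_item_permissions_check_rejects_incorrect_query_password() {
        $post_id  = self::factory()->post->create( array( 'post_password' => 'secret' ) );
        $endpoint = new WP_REST_Posts_Controller( 'post' );

        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/posts/%d', $post_id ) );
        $request->set_url_params( array( 'id' => $post_id ) );
        // Only the query string is consulted for read access; a wrong value must be rejected.
        $request->set_query_params( array( 'password' => 'wrong' ) );

        $this->assertWPError( $endpoint->get_item_permissions_check( $request ) );
    }
```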