WordPress.org
Get WordPress

Make WordPress Core

Opened 14 years ago

Closed 14 years ago

Last modified 14 years ago

#15276 closed defect (bug) (fixed)

Ability to change/delete any post's meta if current user can edit any post.

Reported by: karevn's profile karevn Owned by: ryan's profile ryan
Milestone: 3.1 Priority: normal
Severity: normal Version: 3.0.1
Component: Security Keywords: has-patch
Focuses: Cc:

Description

There is a flaw in the logic responsible for saving custom fields - if the current user can edit any post, he can pass a meta values for the posts which he is not allowed to edit.

Steps to reproduce:

  1. Open post editor
  2. Add some meta
  3. Change some meta field's ID value to some another existing meta ID.
  4. Click save - meta will be updated.

The cause of the problem is that when saving meta values, WP does not check if meta really belongs to the post being saved. The related code is inside the function update_meta

Attachments (1)

15276.diff (945 bytes) - added by kawauso 14 years ago.
Validation modelled after AJAX handler

Download all attachments as: .zip

Change History (7)

#1 @Denis-de-Bernardy
14 years ago

  • Component changed from General to Security

@kawauso
14 years ago

Validation modelled after AJAX handler

#2 @kawauso
14 years ago

  • Cc otterish@… added
  • Keywords has-patch added; vulnerability removed

#3 @ryan
14 years ago

  • Milestone changed from Awaiting Review to 3.1

#4 @nacin
14 years ago

  • Owner set to ryan
  • Status changed from new to assigned

#5 @ryan
14 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [17078]) Restrict meta update/delete to the current post. Props kawauso. fixes #15276

#6 @ryan
14 years ago

I changed the patch slightly to restrict to the post ID rather than doing a capability check. The edit_post check done at the top of the function suffices.

Note: See TracTickets for help on using tickets.