Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#16619 closed defect (bug) (invalid)

XMLRPC authentication bypasses plugins?

Reported by: kojix
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: XML-RPC
Keywords:
Focuses:
Cc:

Description

I'm using the plugin Simple LDAP Authentication to authenticate to my blog network. The plugin is running OK on the web authentication, but when trying the Android App, it fails with the "User/password wrong" message.

I've set a password for my user in the wp_users table (by default the plugin sets it to a random value), and using this password I can authenticate, so I think that xmlrpc bypasses the plugin authentication (I've checked it by putting error messages in the log in the plugin process, and nothing appears when accessing via xmlrpc).

In the xmlrpc.php doc, there is the wp_xmlrpc_server::login function, which performs this call:

$user = wp_authenticate($username, $password);

And on the plugin class definition we have:

function LdapAuthenticationPlugin() {
    ...
    // hooks registered by the plugin's constructor
    add_action('wp_authenticate', array(&$this, 'authenticate'), 10, 2);
    add_filter('check_password', array(&$this, 'override_password_check'), 10, 4);
    ...
}

So I think all should be OK, which makes me think that there could be an error in xmlrpc.

Change History (3)

comment:1 @dd32 4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

It looks like the plugin isn't hooking into enough places. It'll probably have to hook into 'check_password' or 'authenticate' filters.

Try using wp_authenticate($username, $password); directly in code, you'll probably find it fail there too.

Report it to the plugin author. Please feel free to direct the plugin author to this ticket to re-open it if they have a reason to believe that there's a bug in core.

comment:2 @dd32 4 years ago

See also this: http://core.trac.wordpress.org/browser/trunk/wp-includes/user.php#L40

40	        // TODO do we deprecate the wp_authentication action?
41	        do_action_ref_array('wp_authenticate', array(&$credentials['user_login'], &$credentials['user_password']));

It seems that that filter is not the ideal one, 'authenticate' is the better filter for this.
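As an added example (not the plugin's code and not WordPress core's), this is what an LDAP check looks like when hooked on the 'authenticate' filter as recommended above, so that it is reached by every caller of wp_authenticate(), xmlrpc.php included. The LDAP URI, the base DN and the uid-based DN layout are assumptions, and ldap_escape() needs PHP 5.6 or later.

```php
<?php
// Added example, not the plugin's or WordPress core's code: an LDAP check
// hooked on the 'authenticate' filter, so it runs for every login path that
// calls wp_authenticate(), wp-login.php and xmlrpc.php alike.
// Assumed: the LDAP URI, the base DN and a "uid=<login>,<base>" DN layout.
class Example_Ldap_Auth {
    private $ldap_uri = 'ldaps://ldap.example.test';    // assumed value
    private $base_dn  = 'ou=people,dc=example,dc=test'; // assumed value

    public function __construct() {
        // Priority 10: runs before core's username/password callback (priority 20).
        add_filter( 'authenticate', array( $this, 'authenticate' ), 10, 3 );
        // Core's callback still runs afterwards and would accept the local
        // wp_users hash; force every local hash check to fail so LDAP is the
        // only way in. The two registrations only make sense together.
        add_filter( 'check_password', '__return_false', 10, 4 );
    }

    public function authenticate( $user, $username, $password ) {
        if ( $user instanceof WP_User ) {
            return $user; // an earlier callback already authenticated the user
        }
        // An empty password must never reach ldap_bind(): many directories
        // treat it as an anonymous bind and report success.
        if ( empty( $username ) || empty( $password ) ) {
            return new WP_Error( 'empty_credentials', 'Username and password are required.' );
        }
        $ldap = ldap_connect( $this->ldap_uri );
        if ( ! $ldap ) {
            return new WP_Error( 'ldap_unavailable', 'Directory server unreachable.' );
        }
        ldap_set_option( $ldap, LDAP_OPT_PROTOCOL_VERSION, 3 );
        // ldap_escape() (PHP 5.6+) keeps a crafted login from altering the DN.
        $dn    = sprintf( 'uid=%s,%s', ldap_escape( $username, '', LDAP_ESCAPE_DN ), $this->base_dn );
        $bound = @ldap_bind( $ldap, $dn, $password );
        ldap_unbind( $ldap );
        if ( ! $bound ) {
            return new WP_Error( 'ldap_bind_failed', 'Invalid username or password.' );
        }
        // Distinct error when the directory knows the user but WordPress does not.
        $userdata = get_user_by( 'login', $username );
        if ( ! $userdata ) {
            return new WP_Error( 'no_local_user', 'No WordPress user matches this directory login.' );
        }
        return new WP_User( $userdata->ID );
    }
}
new Example_Ldap_Auth();
```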

comment:3 @tianon 4 years ago

  • Cc tianon added

It's not pretty, but the following minimal patch should do the trick (working fine here -- obviously YMMV):

  • simple-ldap-authentication.php

    diff --git a/simple-ldap-authentication.php b/simple-ldap-authentication.php
    index 52e0fe2..373ae79 100644
    a b if ( !class_exists('LdapAuthenticationPlugin') ) { 
    3535                       if ( isset($_GET['activate']) && $_GET['activate'] == 'true' ) 
    3636                               add_action('init', array(&$this, 'initialize_options')); 
    3737                       add_action('network_admin_menu', array(&$this, 'add_options_page')); 
    38                        add_action('wp_authenticate', array(&$this, 'authenticate'), 10, 2); 
     38                       add_filter('authenticate', array(&$this, 'authenticate'), 10, 3); 
    3939                       add_filter('check_password', array(&$this, 'override_password_check'), 10, 4); 
    4040                       add_action('lost_password', array(&$this, 'disable_function')); 
    4141                       add_action('retrieve_password', array(&$this, 'disable_function')); 
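Review bot: the new add_filter('authenticate', ...) on line 38 at priority 10 runs ahead of WordPress core's own username/password callback on the same filter (priority 20), and a non-WP_User return from this callback does not stop that later callback from checking the supplied password against the local wp_users hash. The only thing that prevents a local-hash fallback after a failed LDAP bind is the 'check_password' override on line 39, so the two registrations should carry a comment saying they depend on each other. Dropping the old 'wp_authenticate' action is right, since an action cannot hand a user back to wp_authenticate().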
    if ( !class_exists('LdapAuthenticationPlugin') ) { 
    8484                       } 
    8585               } 
    8686 
    87                function authenticate( $username, $password ) { 
     87               function authenticate( $user, $username, $password ) { 
     88                       if (is_a($user, 'WP_User')) { 
     89                               return $user; 
     90                       } 
     91                        
    8892                       $this->authenticated = false; 
    8993                       $use_ssl = (bool) get_site_option('LDAP_authentication_use_ssl'); 
    9094                       $ldap_server = get_site_option('LDAP_authentication_server'); 
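Review bot: the is_a($user, 'WP_User') early return on the new lines 88-90 is correct, but nothing guards against an empty $username or $password before the LDAP bind that follows: many directory servers treat a bind with an empty password as an anonymous bind and report success, which would set $this->authenticated for any existing login. Return early when either is empty; a WP_Error('empty_credentials', ...) fits the 'authenticate' filter's conventions better than false.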
    if ( !class_exists('LdapAuthenticationPlugin') ) { 
    205209                       } 
    206210                        
    207211                       @ldap_unbind($ldap); 
     212                        
     213                       if ($this->authenticated && ($userdata = get_user_by('login', $username))) { 
     214                               return new WP_User($userdata->ID); 
     215                       } 
     216                        
     217                       return false; 
    208218               } 
    209219 
    210220               /* 
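Review bot: the failure path on the new line 217 returns false, which the 'authenticate' filter treats the same as null (not handled), so a failed LDAP bind and an LDAP user with no wp_users row are indistinguishable to the login form and to later callbacks. Return a WP_Error with a distinct code for each case instead, e.g. `return new WP_Error('ldap_bind_failed', ...)` and `return new WP_Error('no_local_user', ...)`, and consider doing the get_user_by('login', $username) lookup before the bind so the two outcomes are handled in one place. The @ on ldap_unbind (context line 211) also hides exactly the errors that would have made the XML-RPC symptom in this ticket easier to diagnose.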