WordPress.org

Make WordPress Core

Opened 16 years ago

Closed 16 years ago

Last modified 15 years ago

#2273 closed defect (bug) (fixed)

Cookies override user specified in XML-RPC post data

Reported by: skeltoac Owned by: ryan
Milestone: Priority: high
Severity: major Version: 2.0
Component: Security Keywords: bg|has-patch bg|2nd-opinion bg|dev-feedback
Focuses: Cc:

Description

Working on #2241, I tested XMLRPC using Performancing/Firefox. I set up the XMLRPC client to use a login with Author caps (no unfiltered_html). My posts showed under the correct author. My HTML was unfiltered when I posted, but it should have been filtered. My browser was still logged in as admin (unfiltered_html) and Performancing was sending those cookies with the XMLRPC requests. Result: post saved under correct user but assuming caps due to cookie.

Wordpress should not authenticate with cookies when handling an XMLRPC request. i also sent a message to the Performancing dev (Jed Brown) but we should fix the core as well.

I'm working on the patch.

Attachments (2)

xmlrpc-auth.diff (6.3 KB) - added by skeltoac 16 years ago.
oops.diff (329 bytes) - added by skeltoac 16 years ago.

Download all attachments as: .zip

Change History (16)

#1 @skeltoac
16 years ago

no-cookies.diff defines a contant before anything else is done by xmlrpc.php, and checks that constant before using the cookies to log the user in. There is much more to be done.

#2 @davidhouse
16 years ago

  • Keywords bg|has-patch bg|reporter-feedback bg|2nd-opinion added

How does XMLRPC authenticate if its not through cookies? IMO this is a performancing bug, or you shouldn't be trying to run two users off one browser (so it would be invalid).

#3 @davidhouse
16 years ago

  • Keywords bg|has-patch removed

Removing bg|has-patch as your patch doesn't fix the problem in its entirety, as you've stated.

#4 @skeltoac
16 years ago

  • Keywords bg|has-patch added; bg|reporter-feedback bg|2nd-opinion removed
  • Owner changed from skeltoac to ryan

Sorry David :-) This one's done.

#5 @davidhouse
16 years ago

Hehe, that was my mistake :P I accidentally added bg|has-patch, not you.

#6 @davidhouse
16 years ago

  • Keywords bg|2nd-opinion bg|dev-feedback added
  • Milestone changed from 2.0.1 to 2.1

Probably too much new code here for 2.0.1. Discuss.

#7 @ryan
16 years ago

  • Milestone changed from 2.1 to 2.0.1

I think this needs to be fixed, even if it is a non-trivial amount of code. This bug has been reported many, many times. Let's commit and test the hell out of it.

#8 @ryan
16 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [3430]) Make the xmlrpc user the current user. fixes #2273

#9 @skeltoac
16 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Leftover error_log() call.

@skeltoac
16 years ago

#10 @skeltoac
16 years ago

I tested this with Performancing, using metaweblog API and Blogger API, while the browser was logged in as admin. It honored the user's caps regardless of the cookies. Other clients should be tested as well.

#11 @davidhouse
16 years ago

  • Milestone changed from 2.0.1 to 2.1

Probably too much new code here for 2.0.1. Discuss.

#12 @davidhouse
16 years ago

  • Milestone changed from 2.1 to 2.0.1

Woah. I totally didn't post that last comment.

#13 @ryan
16 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [3431]) Remove debug cruft. fixes #2273

#14 @(none)
15 years ago

  • Milestone 2.0.1 deleted

Milestone 2.0.1 deleted

Note: See TracTickets for help on using tickets.