#2273 closed defect (bug) (fixed)
Cookies override user specified in XML-RPC post data
| Reported by: | skeltoac | Owned by: | ryan |
|---|---|---|---|
| Milestone: | | Priority: | high |
| Severity: | major | Version: | 2.0 |
| Component: | Security | Keywords: | bg\|has-patch bg\|2nd-opinion bg\|dev-feedback |
| Focuses: | | Cc: | |
Description
Working on #2241, I tested XMLRPC using Performancing/Firefox. I set up the XMLRPC client to use a login with Author caps (no unfiltered_html). My posts showed under the correct author. My HTML was unfiltered when I posted, but it should have been filtered. My browser was still logged in as admin (unfiltered_html) and Performancing was sending those cookies with the XMLRPC requests. Result: post saved under the correct user but assuming caps due to the cookie.
WordPress should not authenticate with cookies when handling an XMLRPC request. I also sent a message to the Performancing dev (Jed Brown), but we should fix the core as well.
I'm working on the patch.
Attachments (2)
Change History (16)
#2 (19 years ago)
- Keywords bg|has-patch bg|reporter-feedback bg|2nd-opinion added
How does XMLRPC authenticate if it's not through cookies? IMO this is a Performancing bug, or you shouldn't be trying to run two users off one browser (so it would be invalid).
#3 (19 years ago)
- Keywords bg|has-patch removed
Removing bg|has-patch as your patch doesn't fix the problem in its entirety, as you've stated.
#4 (19 years ago)
- Keywords bg|has-patch added; bg|reporter-feedback bg|2nd-opinion removed
- Owner changed from skeltoac to ryan
Sorry David :-) This one's done.
#6 (19 years ago)
- Keywords bg|2nd-opinion bg|dev-feedback added
- Milestone changed from 2.0.1 to 2.1
Probably too much new code here for 2.0.1. Discuss.
#7 (19 years ago)
- Milestone changed from 2.1 to 2.0.1
I think this needs to be fixed, even if it is a non-trivial amount of code. This bug has been reported many, many times. Let's commit and test the hell out of it.
#9 (19 years ago)
- Resolution fixed deleted
- Status changed from closed to reopened
Leftover error_log() call.
#10 (19 years ago)
I tested this with Performancing, using metaweblog API and Blogger API, while the browser was logged in as admin. It honored the user's caps regardless of the cookies. Other clients should be tested as well.
#11 (19 years ago)
- Milestone changed from 2.0.1 to 2.1
Probably too much new code here for 2.0.1. Discuss.
#12 (19 years ago)
- Milestone changed from 2.1 to 2.0.1
Woah. I totally didn't post that last comment.
no-cookies.diff defines a constant before anything else is done by xmlrpc.php, and checks that constant before using the cookies to log the user in. There is much more to be done.
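The mechanism described in the comment above, as an added PHP illustration that is not the ticket's patch or WordPress code: it models the two identities an XML-RPC request can carry (the author authenticated from the credentials in the request body, and the ambient browser cookie) and shows why the capability check must be derived from the former. The user table, helper names and the `XMLRPC_REQUEST` flag name are assumptions; the ticket does not name its constant.

```php
<?php
// Added illustration, not code from the ticket or from WordPress. User table,
// helper names and the flag name are assumptions made for this example.

// Constructed user table: password and whether the user has unfiltered_html.
$users = [
    'admin'  => ['password' => 'adminpw',  'unfiltered_html' => true],
    'author' => ['password' => 'authorpw', 'unfiltered_html' => false],
];

// Ambient browser session: the client reuses the browser's cookie jar.
$cookie_login = 'admin';
// Credentials carried in the XML-RPC call body (metaWeblog / Blogger style).
$rpc_login = 'author';
$rpc_pass  = 'authorpw';

// Authenticate the credentials the request itself supplied.
function user_from_credentials(array $users, string $login, string $pass): ?string {
    if (!isset($users[$login])) {
        return null;
    }
    return hash_equals($users[$login]['password'], $pass) ? $login : null;
}

// Identity used for capability checks. Without the flag a valid cookie wins,
// which is the bug; with the flag set by the XML-RPC entry point the cookie
// is ignored and only the credentials from the request count.
function current_user_for_caps(array $users, ?string $cookie_login, ?string $rpc_user, bool $is_xmlrpc): ?string {
    if (!$is_xmlrpc && $cookie_login !== null && isset($users[$cookie_login])) {
        return $cookie_login;
    }
    return $rpc_user;
}

function html_is_filtered(array $users, ?string $login): bool {
    return $login === null || !$users[$login]['unfiltered_html'];
}

$author = user_from_credentials($users, $rpc_login, $rpc_pass);

// Before the fix: no flag, so the cookie session decides the caps while the
// post is still attributed to the RPC user.
$actor = current_user_for_caps($users, $cookie_login, $author, false);
printf("post by %s, caps from %s, filtered: %s\n", $author, $actor, json_encode(html_is_filtered($users, $actor)));

// After the fix: the entry point defines the flag before any login code runs.
define('XMLRPC_REQUEST', true);   // assumed flag name
$actor = current_user_for_caps($users, $cookie_login, $author, defined('XMLRPC_REQUEST'));
printf("post by %s, caps from %s, filtered: %s\n", $author, $actor, json_encode(html_is_filtered($users, $actor)));
```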