WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#32703 closed defect (bug) (fixed)

XMLRPC: wp_editPage doesn't work if username or password contains special characters

Reported by: redsweater Owned by: dd32
Milestone: 4.3 Priority: normal
Severity: normal Version: 4.3
Component: XML-RPC Keywords: has-patch
Focuses: Cc:
PR Number:

Description

If a user's password contains a special character that would be escaped by the XMLRPC class's escape() method, then it ends up being doubly-escaped and thus prevents authentication from succeeding when calling through to mw_editPost().

Although far less likely, a similar problem will cause an escaped character in either the page ID parameter or the username parameter to also end up being doubly-escaped, causing either authentication error or a page lookup failure.

A canonical example of this bug would be to create a user 'admin' with password 'abc"123'. Efforts to edit a page via wp_editPage will result in the password being first escaped in wp_editPage to 'abc\"123' and then escaped a second time in mw_editPost to 'abc
\"123', at which time it will fail to authenticate the user.

wp_editPage is the only method among the WP page methods that calls through to an underlying method in a problematic way. Other methods either pass through the $args directly to an underlying method, or else handle the database lookup independently of other methods that would escape the parameters on their own.

The attached patch addresses the problem by escaping parameters for the purposes of wp_editPage's own authentication/validation, but passing through the original parameters unescaped so that they may be escaped in mw_editPost to obtain the expected value.

I realize it is preferable to switch clients to the post-based wp API methods, but since this fix is limited in scope to the wp_editPage method, and is a clear improvement, I hope you will accept it as a fix for clients who have not yet updated or may never update to the newer API methods.

Attachments (1)

FixEditPage.patch (1.7 KB) - added by redsweater 4 years ago.
Patch to correct behavior of wp_editPage and avoid double-escaping arguments

Download all attachments as: .zip

Change History (6)

@redsweater
4 years ago

Patch to correct behavior of wp_editPage and avoid double-escaping arguments

#1 @redsweater
4 years ago

  • Keywords has-patch added

#2 @dd32
4 years ago

  • Milestone changed from Awaiting Review to 4.3

#3 @dd32
4 years ago

  • Owner set to dd32
  • Resolution set to fixed
  • Status changed from new to closed

In 32993:

XML-RPC: Only escape what we need to in wp.editPage, this allows for passwords with the special characters "' to work in a request.
Props redsweater for initial Patch.
Fixes #32703

#4 @dd32
4 years ago

Switched it up a little bit, as there was no need to escape the page ID since it's forced to an integer.

This ticket was mentioned in Slack in #core by redsweater. View the logs.


4 years ago

Note: See TracTickets for help on using tickets.