#38293 closed defect (bug) (fixed)
A connected user can delete a protected post meta
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 4.7 | Priority: | normal |
| Severity: | normal | Version: | 3.3 |
| Component: | Posts, Post Types | Keywords: | has-patch has-unit-tests commit |
| Focuses: | administration | Cc: | |
Description
Hi,
I discovered that a user can rename (and so delete) a protected post meta if he knows its id.
Example:
I send the normal meta name with the protected meta id (24):
The problem comes from https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/post.php#L291
```php
<?php
// Meta Stuff
if ( isset($post_data['meta']) && $post_data['meta'] ) {
	foreach ( $post_data['meta'] as $key => $value ) {
		if ( !$meta = get_post_meta_by_id( $key ) )
			continue;
		if ( $meta->post_id != $post_ID )
			continue;
		if ( is_protected_meta( $value['key'], 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $value['key'] ) )
			continue;
		update_meta( $key, $value['key'], $value['value'] );
	}
}
```
The `is_protected_meta` function is used only on the new name and not on the old name: `$meta->meta_key`
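The missing check described above, as an added example that is not part of the original ticket and is not WordPress core code or the committed patch. The `demo_*` functions and the in-memory table are hypothetical stand-ins, the sample rows are constructed, the leading-underscore rule mirrors the default behaviour of `is_protected_meta()`, and the `current_user_can()` capability check is left out to keep the focus on the key comparison.

```php
<?php
// Stand-in for is_protected_meta(): by default a key starting with "_" is protected.
function demo_is_protected_meta( string $key ): bool {
    return $key !== '' && $key[0] === '_';
}

// Constructed sample rows (meta_id => row). Row 24 plays the protected meta from the report.
function demo_meta_table(): array {
    return [
        23 => [ 'post_id' => 7, 'meta_key' => 'subtitle',   'meta_value' => 'hello' ],
        24 => [ 'post_id' => 7, 'meta_key' => '_edit_lock', 'meta_value' => '1476000000:1' ],
    ];
}

/**
 * Apply submitted meta edits for $post_id and return the resulting table.
 * $check_stored_key = false: only the submitted key is checked (the reported behaviour).
 * $check_stored_key = true:  the key already stored under that meta ID is checked as well.
 */
function demo_apply_meta( array $table, int $post_id, array $submitted, bool $check_stored_key ): array {
    foreach ( $submitted as $meta_id => $value ) {
        if ( ! isset( $table[ $meta_id ] ) ) {
            continue; // unknown meta ID
        }
        $row = $table[ $meta_id ];
        if ( $row['post_id'] !== $post_id ) {
            continue; // row belongs to another post
        }
        if ( $check_stored_key && demo_is_protected_meta( $row['meta_key'] ) ) {
            continue; // existing row is protected: refuse rename and overwrite
        }
        if ( demo_is_protected_meta( $value['key'] ) ) {
            continue; // submitted name is protected
        }
        $table[ $meta_id ]['meta_key']   = $value['key'];
        $table[ $meta_id ]['meta_value'] = $value['value'];
    }
    return $table;
}

// Submission shaped like the report: ordinary key name paired with the protected row's ID (24).
$request = [ 24 => [ 'key' => 'subtitle', 'value' => 'x' ] ];

$new_key_only = demo_apply_meta( demo_meta_table(), 7, $request, false );
$both_keys    = demo_apply_meta( demo_meta_table(), 7, $request, true );

echo 'new key checked only: row 24 key = ', $new_key_only[24]['meta_key'], PHP_EOL;
echo 'stored key checked too: row 24 key = ', $both_keys[24]['meta_key'], PHP_EOL;
```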
Attachments (3)
Change History (14)
#1
@
8 years ago
- Summary changed from An connected user can delete a protected post meta to A connected user can delete a protected post meta
#2
@
8 years ago
- Keywords needs-patch needs-unit-tests added
- Milestone changed from Awaiting Review to Future Release
- Version changed from 4.6.1 to 3.3
#6
@
8 years ago
Unit test added in 38293.diff, it hits the db a few times so is a little slow.
#9
@
8 years ago
- Keywords commit added
- Milestone changed from Future Release to 4.7
Thanks @peterwilsoncc. 38293.2.diff tweaks the test a bit. The condition doesn't rely on a separate user updating the post -- any user cannot alter a protected meta field via `edit_post()`.
Thanks for the report, @ajoah. Confirmed this is a valid bug.