#4422 closed defect (bug) (fixed)
Anyone can delete attachments
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 2.2.1 | Priority: | high |
| Severity: | critical | Version: | 2.2 |
| Component: | Security | Keywords: | has-patch commit |
| Focuses: | | Cc: | |
Description
An unregistered user can delete attachments through an xmlrpc request:
<methodCall>
<methodName>wp.uploadFile</methodName>
<params>
<param><value>1</value></param>
<param><value>1</value></param>
<param><value>1</value></param>
<struct>
<member><name>name</name><value>attachement_name</value></member>
<member><name>overwrite</name><value>1</value></member>
</struct>
</params>
</methodCall>
I'll submit a partial fix -- I think that a user should only delete their own uploaded files.
Attachments (3)
Change History (10)
#2
@
19 years ago
- Owner changed from anonymous to josephscott
- Priority changed from normal to high
- Severity changed from normal to critical
#3
@
19 years ago
My diff pushes the overwrite feature even further down, to just before the upload gets saved.
#4
@
19 years ago
- Keywords commit added
- Owner changed from josephscott to rob1n
- Status changed from new to assigned
Move user validation before attachment deletion
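
The ordering flaw this ticket describes, modelled beside the corrected ordering (authenticate, check ownership, then delete just before the upload is saved). This is an added example, not WordPress code or the attached patch; the function names, the in-memory store and the sample user and attachment are all hypothetical and constructed for illustration.

```php
<?php
// Illustrative model only: every name here is hypothetical, not WordPress code.
// Constructed sample data: one user and one attachment owned by that user.
$users = ['alice' => password_hash('s3cret', PASSWORD_DEFAULT)];
$attachments = ['report.pdf' => ['owner' => 'alice', 'bits' => 'old']];

function login_ok(array $users, string $user, string $pass): bool {
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Ordering reported in the ticket: the overwrite branch deletes the existing
// attachment before the credentials are looked at.
function upload_vulnerable(array &$store, array $users, string $user, string $pass, array $data): string {
    if (!empty($data['overwrite'])) {
        unset($store[$data['name']]);          // side effect happens first
    }
    if (!login_ok($users, $user, $pass)) {
        return 'denied';                       // too late, the file is gone
    }
    $store[$data['name']] = ['owner' => $user, 'bits' => $data['bits'] ?? ''];
    return 'saved';
}

// Corrected ordering: authenticate, check ownership, and only then delete,
// immediately before the new upload is saved.
function upload_fixed(array &$store, array $users, string $user, string $pass, array $data): string {
    if (!login_ok($users, $user, $pass)) {
        return 'denied';
    }
    $name = $data['name'];
    if (isset($store[$name])) {
        if (empty($data['overwrite'])) {
            return 'exists';                   // never replace silently
        }
        if ($store[$name]['owner'] !== $user) {
            return 'not owner';                // users may only replace their own files
        }
        unset($store[$name]);
    }
    $store[$name] = ['owner' => $user, 'bits' => $data['bits'] ?? ''];
    return 'saved';
}

$req = ['name' => 'report.pdf', 'overwrite' => 1];   // sent with invalid credentials
$a = $attachments; $b = $attachments;                 // independent copies per handler
printf("vulnerable: %s, attachment still present: %s\n",
    upload_vulnerable($a, $users, '1', '1', $req), var_export(isset($a['report.pdf']), true));
printf("fixed:      %s, attachment still present: %s\n",
    upload_fixed($b, $users, '1', '1', $req), var_export(isset($b['report.pdf']), true));
```

Both handlers reject the request, so the response alone does not reveal the bug; a regression test has to assert that the attachment still exists after a denied call.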