WordPress.org

Make WordPress Core

Opened 6 months ago

Last modified 6 months ago

#53242 new defect (bug)

Potential private information leak in REST API doing it wrong

Reported by: anubisthejackle Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: REST API Keywords: reporter-feedback
Focuses: rest-api Cc:

Description

In the REST API, when I set show_in_index to false, I expect that endpoint to not be shown to people without knowledge of it.

The problem is, if that endpoint does not have permission_callback setup, then \rest_handle_doing_it_wrong can leak the existence of that endpoint in the header if WP_DEBUG has been set.

I would expect one of two things to happen, either:

A) I only receive the X-WP-DoingItWrong header for the endpoint that I'm accessing; or
B) I only receive the X-WP-DoingItWrong header for endpoints that are visible in show_in_index, or accessed directly.

I'm partial to the former.

Attachments (1)

example-rest-api-leak.zip (727 bytes) - added by anubisthejackle 6 months ago.
Example plugin

Download all attachments as: .zip

Change History (3)

#1 @johnbillion
6 months ago

  • Keywords reporter-feedback added

Thanks for the report @anubisthejackle! Can you provide a code example and a URL example which reproduces this problem please?

@anubisthejackle
6 months ago

Example plugin

#2 @anubisthejackle
6 months ago

Here are the links:

http://dev.travisweston.com/wp-json/example/v1
http://dev.travisweston.com/wp-json/example/v1/public
http://dev.travisweston.com/wp-json/example/v1/hidden

You can see the hidden endpoint in the headers, but it does not display in the listing--as intended.

Note: See TracTickets for help on using tickets.