Opened 3 years ago
Last modified 3 years ago
#53242 new defect (bug)
Potential private information leak in REST API doing it wrong
Reported by: | anubisthejackle | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | REST API | Keywords: | reporter-feedback |
Focuses: | rest-api | Cc: | |
Description
In the REST API, when I set `show_in_index` to false, I expect that endpoint to not be shown to people without knowledge of it. The problem is, if that endpoint does not have a `permission_callback` set up, then `\rest_handle_doing_it_wrong` can leak the existence of that endpoint in the header if `WP_DEBUG` has been set.

I would expect one of two things to happen, either:

A) I only receive the `X-WP-DoingItWrong` header for the endpoint that I'm accessing; or

B) I only receive the `X-WP-DoingItWrong` header for endpoints that are visible in `show_in_index`, or accessed directly.

I'm partial to the former.
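The registration pattern the ticket describes, as an added example (not code from the ticket, the reporter, or WordPress core): a hypothetical plugin registering a `/public` and a `/hidden` route under the `example/v1` namespace, where the hidden route carries an explicit `permission_callback`, which is what keeps `register_rest_route()` from calling `_doing_it_wrong()` and therefore keeps the route name out of the `X-WP-DoingItWrong` header when `WP_DEBUG` is on.

```php
<?php
/**
 * Plugin Name: Example REST routes (added example, not part of the ticket)
 *
 * Assumes the namespace and route names from the ticket's URLs; the
 * capability check on the hidden route is an assumption for illustration.
 */

add_action( 'rest_api_init', function () {
	// Public endpoint: appears in GET /wp-json/example/v1 as intended.
	register_rest_route( 'example/v1', '/public', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => function () {
			return array( 'visible' => true );
		},
		// Public by design, so the permission callback is an explicit "yes".
		'permission_callback' => '__return_true',
	) );

	// Hidden endpoint: show_in_index => false removes it from the listing.
	//
	// Faulty form (what the ticket is about): omitting 'permission_callback'
	// here makes register_rest_route() call _doing_it_wrong(), and with
	// WP_DEBUG enabled rest_handle_doing_it_wrong() writes that notice,
	// route name included, into the X-WP-DoingItWrong response header of
	// whichever REST request happened to trigger route registration.
	//
	// Hardened form: always define 'permission_callback', so no notice is
	// raised and the hidden route is only known to callers who already
	// know its path and pass the capability check.
	register_rest_route( 'example/v1', '/hidden', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => function () {
			return array( 'visible' => false );
		},
		'permission_callback' => function () {
			return current_user_can( 'manage_options' );
		},
		'show_in_index'       => false,
	) );
} );
```

To check the fix, request the namespace index with `WP_DEBUG` enabled and confirm that no `X-WP-DoingItWrong` header mentioning `/hidden` is returned.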
Attachments (1)
Change History (3)
#2 @ 3 years ago
Here are the links:
http://dev.travisweston.com/wp-json/example/v1
http://dev.travisweston.com/wp-json/example/v1/public
http://dev.travisweston.com/wp-json/example/v1/hidden
You can see the hidden endpoint in the headers, but it does not display in the listing--as intended.
Thanks for the report @anubisthejackle! Can you provide a code example and a URL example which reproduces this problem please?