XMLRPC: Prevent authentication from occuring after a failed authentication attmept in any single XML-RPC call.

This hardens WordPress against a common vector which uses multiple user identifiers in a single `system.multicall` call. In the event that authentication fails, all following authentication attempts ''in that call'' will also fail.

Props dd32, johnbillion.
Fixes #34336


git-svn-id: https://develop.svn.wordpress.org/trunk@35366 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Dion Hulse
2015-10-23 04:45:10 +00:00
parent 3a992e266f
commit 75ab50c70e
3 changed files with 98 additions and 6 deletions

View File

@@ -11,11 +11,14 @@ class WP_XMLRPC_UnitTestCase extends WP_UnitTestCase {
add_filter( 'pre_option_enable_xmlrpc', '__return_true' );
$this->myxmlrpcserver = new wp_xmlrpc_server();
$this->myxmlrpcserver = new WP_XMLRPC_Server_UnitTestable();
}
function tearDown() {
remove_filter( 'pre_option_enable_xmlrpc', '__return_true' );
$this->myxmlrpcserver->reset_failed_auth();
$this->remove_added_uploads();
parent::tearDown();
@@ -29,3 +32,9 @@ class WP_XMLRPC_UnitTestCase extends WP_UnitTestCase {
));
}
}
class WP_XMLRPC_Server_UnitTestable extends wp_xmlrpc_server {
public function reset_failed_auth() {
$this->auth_failed = false;
}
}