XMLRPC: Prevent authentication from occuring after a failed authentication attmept in any single XML-RPC call.
This hardens WordPress against a common vector which uses multiple user identifiers in a single `system.multicall` call. In the event that authentication fails, all following authentication attempts ''in that call'' will also fail. Props dd32, johnbillion. Fixes #34336 git-svn-id: https://develop.svn.wordpress.org/trunk@35366 602fd350-edb4-49c9-b593-d223f7449a82
@@ -11,11 +11,14 @@ class WP_XMLRPC_UnitTestCase extends WP_UnitTestCase {
|
||||
|
||||
add_filter( 'pre_option_enable_xmlrpc', '__return_true' );
|
||||
|
||||
$this->myxmlrpcserver = new wp_xmlrpc_server();
|
||||
$this->myxmlrpcserver = new WP_XMLRPC_Server_UnitTestable();
|
||||
}
|
||||
|
||||
function tearDown() {
|
||||
remove_filter( 'pre_option_enable_xmlrpc', '__return_true' );
|
||||
|
||||
$this->myxmlrpcserver->reset_failed_auth();
|
||||
|
||||
$this->remove_added_uploads();
|
||||
|
||||
parent::tearDown();
|
||||
@@ -29,3 +32,9 @@ class WP_XMLRPC_UnitTestCase extends WP_UnitTestCase {
|
||||
));
|
||||
}
|
||||
}
|
||||
|
||||
class WP_XMLRPC_Server_UnitTestable extends wp_xmlrpc_server {
|
||||
public function reset_failed_auth() {
|
||||
$this->auth_failed = false;
|
||||
}
|
||||
}
|
||||
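Review bot: `reset_failed_auth()` in the new `WP_XMLRPC_Server_UnitTestable` class assigns `$this->auth_failed` from a subclass, which only clears the lockout if the parent declares that property `protected` or `public`; were it `private`, the assignment would create a separate property on the subclass and the real flag would stay set. The declaration is not visible in this section, so that is worth confirming. The class also deserves a docblock along the lines of `/** Test-only subclass: lets a test clear the failed-auth flag between login attempts. Must not be exposed on the production server, as it would undo the multicall hardening. */`. Because the method preceding `tearDown()` appears to build a fresh server instance for every test, the reset in `tearDown()` looks redundant unless the flag is shared across instances, and a test that needs a failed login followed by a valid one inside a single method would have to call the helper itself; both method bodies extend beyond the hunk.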