vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2026-04-15 18:14:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

XMLRPC: Prevent authentication from occuring after a failed authentication attmept in any single XML-RPC call.

Browse Source 
This hardens WordPress against a common vector which uses multiple user identifiers in a single `system.multicall` call. In the event that authentication fails, all following authentication attempts ''in that call'' will also fail.

Props dd32, johnbillion.
Fixes #34336


git-svn-id: https://develop.svn.wordpress.org/trunk@35366 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Dion Hulse
2015-10-23 04:45:10 +00:00
parent 3a992e266f
commit 75ab50c70e
3 changed files with 98 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
tests/phpunit/tests/xmlrpc/basic.php
View File

@@ -19,10 +19,78 @@ class Tests_XMLRPC_Basic extends WP_XMLRPC_UnitTestCase {
function test_login_pass_ok() {
$user_id = $this->make_user_by_role( 'subscriber' );
$this->assertFalse( $this->myxmlrpcserver->login_pass_ok( 'username', 'password' ) );
$this->assertFalse( $this->myxmlrpcserver->login( 'username', 'password' ) );
$this->assertTrue( $this->myxmlrpcserver->login_pass_ok( 'subscriber', 'subscriber' ) );
$this->assertInstanceOf( 'WP_User', $this->myxmlrpcserver->login( 'subscriber', 'subscriber' ) );
}
function test_login_pass_bad() {
$user_id = $this->make_user_by_role( 'subscriber' );
$this->assertFalse( $this->myxmlrpcserver->login_pass_ok( 'username', 'password' ) );
$this->assertFalse( $this->myxmlrpcserver->login( 'username', 'password' ) );
// The auth will still fail due to authentication blocking after the first failed attempt
$this->assertFalse( $this->myxmlrpcserver->login_pass_ok( 'subscriber', 'subscriber' ) );
}
/**
* @ticket 34336
*/
function test_multicall_invalidates_all_calls_after_invalid_call() {
$editor_id = $this->make_user_by_role( 'editor' );
$post_id = self::factory()->post->create( array(
'post_author' => $editor_id,
) );
$method_calls = array(
// Valid login
array(
'methodName' => 'wp.editPost',
'params' => array(
0,
'editor',
'editor',
$post_id,
array(
'title' => 'Title 1',
),
),
),
// *Invalid* login
array(
'methodName' => 'wp.editPost',
'params' => array(
0,
'editor',
'password',
$post_id,
array(
'title' => 'Title 2',
),
),
),
// Valid login
array(
'methodName' => 'wp.editPost',
'params' => array(
0,
'editor',
'editor',
$post_id,
array(
'title' => 'Title 3',
),
),
),
);
$this->myxmlrpcserver->callbacks = $this->myxmlrpcserver->methods;
$result = $this->myxmlrpcserver->multiCall( $method_calls );
$this->assertArrayNotHasKey( 'faultCode', $result[0] );
$this->assertArrayHasKey( 'faultCode', $result[1] );
$this->assertArrayHasKey( 'faultCode', $result[2] );
}
}