mirror of
https://github.com/gosticks/wordpress-develop.git
synced 2025-10-16 12:05:38 +00:00
75ab50c70e
This hardens WordPress against a common vector which uses multiple user identifiers in a single `system.multicall` call. In the event that authentication fails, all following authentication attempts ''in that call'' will also fail. Props dd32, johnbillion. Fixes #34336 git-svn-id: https://develop.svn.wordpress.org/trunk@35366 602fd350-edb4-49c9-b593-d223f7449a82
96 lines
2.4 KiB
PHP
96 lines
2.4 KiB
PHP
<?php
|
|
|
|
require_once ABSPATH . 'wp-admin/includes/admin.php';
|
|
require_once ABSPATH . WPINC . '/class-IXR.php';
|
|
require_once ABSPATH . WPINC . '/class-wp-xmlrpc-server.php';
|
|
|
|
/**
|
|
* @group xmlrpc
|
|
*/
|
|
class Tests_XMLRPC_Basic extends WP_XMLRPC_UnitTestCase {
|
|
function test_enabled() {
|
|
$result = $this->myxmlrpcserver->wp_getOptions( array( 1, 'username', 'password' ) );
|
|
|
|
$this->assertInstanceOf( 'IXR_Error', $result );
|
|
// If disabled, 405 would result.
|
|
$this->assertEquals( 403, $result->code );
|
|
}
|
|
|
|
function test_login_pass_ok() {
|
|
$user_id = $this->make_user_by_role( 'subscriber' );
|
|
|
|
$this->assertTrue( $this->myxmlrpcserver->login_pass_ok( 'subscriber', 'subscriber' ) );
|
|
$this->assertInstanceOf( 'WP_User', $this->myxmlrpcserver->login( 'subscriber', 'subscriber' ) );
|
|
}
|
|
|
|
function test_login_pass_bad() {
|
|
$user_id = $this->make_user_by_role( 'subscriber' );
|
|
|
|
$this->assertFalse( $this->myxmlrpcserver->login_pass_ok( 'username', 'password' ) );
|
|
$this->assertFalse( $this->myxmlrpcserver->login( 'username', 'password' ) );
|
|
|
|
// The auth will still fail due to authentication blocking after the first failed attempt
|
|
$this->assertFalse( $this->myxmlrpcserver->login_pass_ok( 'subscriber', 'subscriber' ) );
|
|
}
|
|
|
|
/**
|
|
* @ticket 34336
|
|
*/
|
|
function test_multicall_invalidates_all_calls_after_invalid_call() {
|
|
$editor_id = $this->make_user_by_role( 'editor' );
|
|
$post_id = self::factory()->post->create( array(
|
|
'post_author' => $editor_id,
|
|
) );
|
|
|
|
$method_calls = array(
|
|
// Valid login
|
|
array(
|
|
'methodName' => 'wp.editPost',
|
|
'params' => array(
|
|
0,
|
|
'editor',
|
|
'editor',
|
|
$post_id,
|
|
array(
|
|
'title' => 'Title 1',
|
|
),
|
|
),
|
|
),
|
|
// *Invalid* login
|
|
array(
|
|
'methodName' => 'wp.editPost',
|
|
'params' => array(
|
|
0,
|
|
'editor',
|
|
'password',
|
|
$post_id,
|
|
array(
|
|
'title' => 'Title 2',
|
|
),
|
|
),
|
|
),
|
|
// Valid login
|
|
array(
|
|
'methodName' => 'wp.editPost',
|
|
'params' => array(
|
|
0,
|
|
'editor',
|
|
'editor',
|
|
$post_id,
|
|
array(
|
|
'title' => 'Title 3',
|
|
),
|
|
),
|
|
),
|
|
);
|
|
|
|
$this->myxmlrpcserver->callbacks = $this->myxmlrpcserver->methods;
|
|
|
|
$result = $this->myxmlrpcserver->multiCall( $method_calls );
|
|
|
|
$this->assertArrayNotHasKey( 'faultCode', $result[0] );
|
|
$this->assertArrayHasKey( 'faultCode', $result[1] );
|
|
$this->assertArrayHasKey( 'faultCode', $result[2] );
|
|
|
|
}
|
|
} |