XMLRPC: Prevent authentication from occuring after a failed authentication attmept in any single XML-RPC call.

This hardens WordPress against a common vector which uses multiple user identifiers in a single `system.multicall` call. In the event that authentication fails, all following authentication attempts ''in that call'' will also fail. Props dd32, johnbillion. Fixes #34336 Built from https://develop.svn.wordpress.org/trunk@35366 git-svn-id: http://core.svn.wordpress.org/trunk@35331 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-23 04:46:24 +00:00 · 2015-10-23 04:46:24 +00:00 · a579aad05b
parent 53afc72ab7
commit a579aad05b
1 changed files with 17 additions and 2 deletions
--- a/wp-includes/class-wp-xmlrpc-server.php
+++ b/wp-includes/class-wp-xmlrpc-server.php
@ -45,6 +45,14 @@ class wp_xmlrpc_server extends IXR_Server {
 	 */
 	public $error;

+	/**
+	 * Flags that the user authentication has failed in this instance of wp_xmlrpc_server.
+	 *
+	 * @access protected
+	 * @var bool
+	 */
+	protected $auth_failed = false;
+
 	/**
 	 * Register all of the XMLRPC methods that XMLRPC server understands.
 	 *
@ -251,11 +259,18 @@ class wp_xmlrpc_server extends IXR_Server {
 			return false;
 		}

+		if ( $this->auth_failed ) {
+			$user = new WP_Error( 'login_prevented' );
+		} else {
 			$user = wp_authenticate( $username, $password );
+		}

 		if ( is_wp_error( $user ) ) {
 			$this->error = new IXR_Error( 403, __( 'Incorrect username or password.' ) );

+			// Flag that authentication has failed once on this wp_xmlrpc_server instance
+			$this->auth_failed = true;
+
 			/**
 			 * Filter the XML-RPC user login error message.
 			 *