XMLRPC: Prevent authentication from occuring after a failed authentication attmept in any single XML-RPC call.

This hardens WordPress against a common vector which uses multiple user identifiers in a single `system.multicall` call. In the event that authentication fails, all following authentication attempts ''in that call'' will also fail.

Props dd32, johnbillion.
Fixes #34336

Built from https://develop.svn.wordpress.org/trunk@35366


git-svn-id: http://core.svn.wordpress.org/trunk@35331 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Dion Hulse 2015-10-23 04:46:24 +00:00
parent 53afc72ab7
commit a579aad05b
1 changed files with 17 additions and 2 deletions

View File

@ -45,6 +45,14 @@ class wp_xmlrpc_server extends IXR_Server {
*/
public $error;
/**
* Flags that the user authentication has failed in this instance of wp_xmlrpc_server.
*
* @access protected
* @var bool
*/
protected $auth_failed = false;
/**
* Register all of the XMLRPC methods that XMLRPC server understands.
*
@ -251,11 +259,18 @@ class wp_xmlrpc_server extends IXR_Server {
return false;
}
$user = wp_authenticate($username, $password);
if ( $this->auth_failed ) {
$user = new WP_Error( 'login_prevented' );
} else {
$user = wp_authenticate( $username, $password );
}
if (is_wp_error($user)) {
if ( is_wp_error( $user ) ) {
$this->error = new IXR_Error( 403, __( 'Incorrect username or password.' ) );
// Flag that authentication has failed once on this wp_xmlrpc_server instance
$this->auth_failed = true;
/**
* Filter the XML-RPC user login error message.
*