WordPress/wp-includes/rest-api
K. Adam White c418ba0205 REST API: Only check password value in query parameters while checking post permissions.
The `password` property which gets sent as part of a request POST body while setting a post's password should not be checked when calculating post visibility permissions.

That value in the request body is intended to update the post, not to authenticate, and may be malformed or an invalid non-string type which would cause a fatal when checking against the hashed post password value.

Query parameter `?password=` values are the correct interface to check, and are also guaranteed to be strings.

Props mlf20, devansh016, antonvlasenko, TimothyBlynJacobs, kadamwhite.
Fixes #61837.


Built from https://develop.svn.wordpress.org/trunk@59036


git-svn-id: http://core.svn.wordpress.org/trunk@58432 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-09-17 22:19:14 +00:00
endpoints REST API: Only check password value in query parameters while checking post permissions. 2024-09-17 22:19:14 +00:00
fields Meta: Add label argument to register_meta function 2024-09-16 11:33:38 +00:00
search REST API: Remove post status prefix from REST API responses. 2024-07-23 07:51:12 +00:00
class-wp-rest-request.php Docs: Fix typos in various REST API DocBlocks and comments. 2024-07-11 06:24:17 +00:00
class-wp-rest-response.php Coding Standards: Always use parentheses when instantiating an object. 2022-11-29 15:51:14 +00:00
class-wp-rest-server.php REST API: Automatically populate targetHints for the Allow header. 2024-09-17 21:52:20 +00:00