[wp-trac] [WordPress Trac] #44449: WP_REST_Users_Controller->get_item_permissions_check() should return permission error even if user does not exist
WordPress Trac
noreply at wordpress.org
Mon Jun 25 05:47:53 UTC 2018
#44449: WP_REST_Users_Controller->get_item_permissions_check() should return permission error even if user does not exist
--------------------------+-----------------------------
Reporter: Ste_95 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords:
Focuses: rest-api |
--------------------------+-----------------------------
Right now, `WP_REST_Users_Controller->get_item_permissions_check()`
returns a different error depending on whether the requested user does not
exist or the requester does not have permission to `list_users`.
This is due to an early check on `$user`:
{{{#!php
if ( is_wp_error( $user ) ) {
return $user;
}
}}}
This is not a real security vulnerability, but it may give away
information to an attacker. We probably shouldn't want to give away the
fact that a user exists (or not), if the requester does not have
permission to pull a list of existing users. Otherwise we are allowing
them to (slowly) build a users list by making a multitude of wrong
requests. The check above should thus probably go at the bottom of the
function, just before the `return true;`.
https://core.trac.wordpress.org/browser/tags/4.8.1/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php#L365
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44449>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
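The ordering problem the ticket describes, as an added stand-alone example (not code from the ticket or from WordPress core). It models only the `list_users` path mentioned above: `WP_Error`, `is_wp_error()`, the user lookup and the capability check are minimal stand-ins so the file runs without WordPress, and the user table and ID range are constructed. An anonymous caller probes a range of IDs against both orderings and records the error code returned for each; with the early return first, existing IDs come back as `rest_user_cannot_view` and missing ones as `rest_user_invalid_id`, which is exactly the oracle the ticket warns about.

```php
<?php
// Added example, not WordPress core. Stand-ins are guarded so the file does
// nothing harmful if it is ever loaded next to the real definitions.
if (!class_exists('WP_Error')) {
    class WP_Error {
        public function __construct(
            public string $code,
            public string $message,
            public array $data = []
        ) {}
    }
}
if (!function_exists('is_wp_error')) {
    function is_wp_error($thing): bool { return $thing instanceof WP_Error; }
}

// Constructed user table: only IDs 1 and 2 exist.
const USERS = [1 => 'admin', 2 => 'editor'];

// Stand-in for the controller's user lookup: WP_Error with a 404 on unknown IDs.
function lookup_user(int $id) {
    if (!isset(USERS[$id])) {
        return new WP_Error('rest_user_invalid_id', 'Invalid user ID.', ['status' => 404]);
    }
    return ['ID' => $id, 'user_login' => USERS[$id]];
}

// Stand-in for current_user_can(): $caps is the requester's capability list.
function requester_can(array $caps, string $cap): bool {
    return in_array($cap, $caps, true);
}

function cannot_view_error(): WP_Error {
    return new WP_Error('rest_user_cannot_view',
        'Sorry, you are not allowed to list users.', ['status' => 401]);
}

// Leaky ordering: mirrors the early return quoted in the ticket. The 404 is
// produced before any capability check, so the response distinguishes
// existing IDs from missing ones for every caller.
function permissions_check_leaky(int $id, array $caps) {
    $user = lookup_user($id);
    if (is_wp_error($user)) {
        return $user;
    }
    if (!requester_can($caps, 'list_users')) {
        return cannot_view_error();
    }
    return true;
}

// Fixed ordering (the ticket's proposal): authorize first, look the user up
// last. An unauthorized caller gets the same 401 whatever ID it sends.
function permissions_check_fixed(int $id, array $caps) {
    if (!requester_can($caps, 'list_users')) {
        return cannot_view_error();
    }
    $user = lookup_user($id);
    if (is_wp_error($user)) {
        return $user;
    }
    return true;
}

// Enumeration probe: an anonymous requester (no capabilities) walks an ID
// range and records the error code per ID. More than one distinct code means
// the endpoint is acting as an existence oracle.
function probe(callable $check, int $max_id): array {
    $codes = [];
    for ($id = 1; $id <= $max_id; $id++) {
        $result = $check($id, []);
        $codes[$id] = is_wp_error($result) ? $result->code : 'ok';
    }
    return $codes;
}

function leaks_existence(array $codes): bool {
    return count(array_unique($codes)) > 1;
}

foreach (['permissions_check_leaky', 'permissions_check_fixed'] as $variant) {
    $codes = probe($variant, 4);
    printf("%-24s %s  leaks=%s\n", $variant, json_encode($codes),
        leaks_existence($codes) ? 'yes' : 'no');
}
```

Run with `php example.php`. The leaky variant prints two different codes across the range and `leaks=yes`; the fixed variant prints `rest_user_cannot_view` for every ID and `leaks=no`. If a real implementation has later branches that need fields of `$user`, the lookup cannot simply be moved below them; the property to preserve is that an unauthorized caller receives an identical response (code, status and body) for unknown and existing IDs.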