[wp-trac] [WordPress Trac] #11922: Pages Hooked by add_menu_page() Have No Security
WordPress Trac
wp-trac at lists.automattic.com
Sat Jan 16 22:42:27 UTC 2010
#11922: Pages Hooked by add_menu_page() Have No Security
-----------------------------+----------------------------------------------
Reporter: miqrogroove | Owner: westi
Type: defect (bug) | Status: accepted
Priority: high | Milestone: 2.9.2
Component: Role/Capability | Version:
Severity: critical | Keywords: has-patch
-----------------------------+----------------------------------------------
Comment(by westi):
Replying to [comment:5 miqrogroove]:
> At step 2 one of the tests must pass. So if you changed your first
> submenu $access_level to 'read' then any user would be able to trigger the
> parent hook, even though it's still set to 'manage_options'. Also test
> the page= query on different php files to see how $pagenow is ignored.
I have done this and still can't reproduce the issue.
As far as I can tell this is the same as the third example in my tests but
you have to be a non-admin to test.
The test case you have is Parent Menu requires a cap we don't have but
child requires one we do.
This is the first piece of code which runs after plugins add menus:
http://core.trac.wordpress.org/browser/branches/2.9/wp-admin/menu.php#L200
This strips out Top Level menus which are not accessible and have no
accessible children.
So for a Lowest level user this strips out the 2nd and 3rd menus in my
updated example where I have changed the first submenu to 'read' and
leaves only the first.
Ok, reading back carefully through the referenced ticket, the missing clue
is how the page is accessed: index.php rather than admin.php.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11922#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
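A defensive pattern for plugin authors in the situation this ticket describes, as an added example that is not code from the ticket or from WordPress core: each page callback enforces its own capability check with current_user_can() instead of relying on the capability argument passed to add_menu_page()/add_submenu_page(), which only governs menu visibility. The plugin name, the mcc_* function names and the menu slugs are hypothetical.

```php
<?php
/*
Plugin Name: Menu Capability Check Example (hypothetical)
*/
// Added example, not part of the ticket. The capability given to
// add_menu_page()/add_submenu_page() decides whether the entry is shown;
// each callback re-checks the capability itself so that a request which
// bypasses the menu logic (e.g. via a different $pagenow) still fails.

add_action( 'admin_menu', 'mcc_register_menus' );

function mcc_register_menus() {
    // Parent requires manage_options, child requires only read,
    // mirroring the test case discussed in the ticket.
    add_menu_page( 'Parent Page', 'Parent', 'manage_options', 'mcc-parent', 'mcc_render_parent' );
    add_submenu_page( 'mcc-parent', 'Child Page', 'Child', 'read', 'mcc-child', 'mcc_render_child' );
}

// The explicit check inside the callback is what actually protects the page.
function mcc_require_cap( $cap ) {
    if ( ! current_user_can( $cap ) ) {
        wp_die(
            __( 'You do not have sufficient permissions to access this page.' ),
            '',
            array( 'response' => 403 )
        );
    }
}

function mcc_render_parent() {
    mcc_require_cap( 'manage_options' );
    echo '<div class="wrap"><h2>Parent Page</h2><p>Administrator-only content.</p></div>';
}

function mcc_render_child() {
    mcc_require_cap( 'read' );
    echo '<div class="wrap"><h2>Child Page</h2><p>Visible to any logged-in user.</p></div>';
}
```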